"New and improved" data protection regime? Hong Kong government launches public consultation on e-health record sharing

On 12 December 2011, the Hong Kong Food and Health Bureau launched a two-month public consultation on the Legal, Privacy and Security Framework for a territory-wide patient-orientated Electronic Health Record (eHR) Sharing System as part of a proposed reform of the Hong Kong healthcare system.  Michelle Chan, Tim Mak and Clarice Yue provide an overview of the key proposals.

What is eHR sharing?

An eHR is a record in electronic format containing health-related data of an individual. It is anticipated that the eHR Sharing System will provide an essential infrastructure for access and sharing of patients' health data by authorised healthcare providers in both the public and private sectors. The goal is to facilitate seamless interfacing between different healthcare providers, enable more efficient treatment and diagnosis and reduce duplicative diagnostic tests and data gathering.

The Legal, Privacy and Security Framework (the Framework)

Whilst the proposed eHR Sharing System provides functional benefits, it also raises privacy concerns. To address these, and recognising that the nature of patients' health data and their sharing by healthcare providers would require more specific and further safeguards on privacy and security, the Government plans to legislate specifically a framework for the eHR Sharing System to complement and supplement the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), where there are currently general safeguards for personal data privacy applicable across all sectors.

Key Principles of the Framework

The following key principles are proposed to be adopted in the Framework:

1. Information to be provided to patients: Healthcare providers shall provide an information notice to each patient setting out the scope, purpose and use of eHR, the rights of patients, privacy and security safeguards, and must not share any patient's health data to anyone without the patient's consent (see below).
2. Patient's consent: Participation in eHR sharing shall be strictly voluntary and must be based on express and informed consent. In relation to such consent: 
   • A patient giving consent must give either: (i) a time-limited one-year rolling consent which will lapse after one year from the date when the healthcare provider last provided care to the patient; or (ii) an open-ended consent that will continue to remain valid until expressly revoked by the patient.
   • For minors below the age of 16 and mentally incapacitated persons, consent shall be given by substitute decision makers (SDMs), e.g. persons with parental responsibilities over the subject minors and other immediate family members of patients.
   • If a patient is referred by provider A to provider B for healthcare, provider A may specify the part of eHR where provider B will have access to.
   • Only under exceptional circumstances and in strict compliance with the PDPO, such as in an emergency, may access to the eHR of a patient be allowed without his/her prior consent.
   • A patient may withdraw from eHR sharing and revoke his/her consent at any time. In such circumstances, the data will be "frozen" from access and archived for a specified period (see Retention of eHR data below).
3. Access to and Use of eHR Data: Only those health data falling within the pre-defined scope for eHR sharing will be accessible by other healthcare providers under the eHR Sharing System for the primary purpose of enhancing the continuity of care for patients. As a specific exemption to be prescribed under the future eHR legislation, it is proposed that eHR data may be used for public health research and disease surveillance as a secondary purpose, subject to different levels of approval by the relevant authorities depending on whether patient-identifiable eHR data is used. 
4. Retention of eHR Data: As a general rule, eHR data of patients shall be kept within the eHR Sharing System for as long as they continue to participate in eHR sharing. For patients whose consent has lapsed or has been revoked, their data on the eHR Sharing System shall be "frozen" for three years, during which only the subject patient or eligible persons may access the relevant data; and for patients who have passed away, ten years, during which only the administrator / executor or persons authorised by the Court may access the relevant data. Immediately after the "frozen period", the eHR data shall be de-identified and retained in the system for potential secondary usage only.
5. Data Access and Correction by Patients: In line with the provisions of the PDPO, patients as data subjects may request for data access at a fee to be prescribed and may also request correction of his/her eHR data. However it is proposed that a more stringent standard should be applied in the future eHR legislation, in that the request must be made by the subject patients themselves (or SDMs of mentally handicapped persons) but not any other third parties even if authorised by the patients. 
6. Identification, Authentication, Access Control and Security: A series of security measures will be put in place to accurately identify and authenticate both patients and providers. All uploading, accessing and changing of health data on the eHR Sharing System by individual healthcare providers shall be properly logged. High-security encryption shall be applied to all relevant data in the eHR Sharing System and system alerts shall be provided to a patient in relation to any eHR Sharing System activities related to him/her.
7. Criminal Sanctions: The Government proposes to introduce a new criminal sanction specifically against unauthorised access to the eHR Sharing System with a malicious intent. The level of criminal sanction will be determined with reference to existing sanctions against similar actions under other provisions such as section 27A of the Telecommunications Ordinance (Cap. 106) and section 161 of the Crimes Ordinance (Cap. 200). 

Apart from Hong Kong, many countries, such as Canada, Australia, Singapore, Sweden and Denmark are pursuing similar eHR projects. The Framework has specifically been formulated having regard to the experience of legislation on health information in Canada, Australia and the United Kingdom. If the proposed Framework for the eHR Sharing System is adopted, this will be the first industry specific legislation on protection of personal data in Hong Kong.