The following highly relevant article appeared a week or two ago:
"New and improved" data protection regime? Hong Kong government launches public consultation on e-health record sharing
- Herbert Smith LLP
- Michelle Chan, Tim Mak and Clarice Yue
- Hong Kong
- January 9 2012
On 12 December 2011, the Hong Kong Food and Health Bureau launched a two-month public consultation on the Legal, Privacy and Security Framework for a territory-wide patient-orientated Electronic Health Record (eHR) Sharing System as part of a proposed reform of the Hong Kong healthcare system.
What is eHR sharing?
An eHR is a record in electronic format containing health-related data of an individual. It is anticipated that the eHR Sharing System will provide an essential infrastructure for access and sharing of patients' health data by authorised healthcare providers in both the public and private sectors. The goal is to facilitate seamless interfacing between different healthcare providers, enable more efficient treatment and diagnosis and reduce duplicative diagnostic tests and data gathering.
The Legal, Privacy and Security Framework (the Framework)
Whilst the proposed eHR Sharing System provides functional benefits, it also raises privacy concerns. To address these, and recognising that the nature of patients' health data and their sharing by healthcare providers would require more specific and further safeguards on privacy and security, the Government plans to legislate specifically a framework for the eHR Sharing System to complement and supplement the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), where there are currently general safeguards for personal data privacy applicable across all sectors.
Key Principles of the Framework
The following key principles are proposed to be adopted in the Framework:
- Information to be provided to patients: Healthcare providers shall provide an information notice to each patient setting out the scope, purpose and use of eHR, the rights of patients, privacy and security safeguards, and must not share any patient's health data with anyone without the patient's consent (see below).
- Patient's consent: Participation in eHR sharing shall be strictly voluntary and must be based on express and informed consent. In relation to such consent:
  - A patient giving consent must give either: (i) a time-limited one-year rolling consent which will lapse after one year from the date when the healthcare provider last provided care to the patient; or (ii) an open-ended consent that will continue to remain valid until expressly revoked by the patient.
  - For minors below the age of 16 and mentally incapacitated persons, consent shall be given by substitute decision makers (SDMs), e.g. persons with parental responsibilities over the subject minors and other immediate family members of patients.
  - If a patient is referred by provider A to provider B for healthcare, provider A may specify the part of the eHR to which provider B will have access.
  - Only under exceptional circumstances and in strict compliance with the PDPO, such as in an emergency, may access to the eHR of a patient be allowed without his/her prior consent.
  - A patient may withdraw from eHR sharing and revoke his/her consent at any time. In such circumstances, the data will be "frozen" from access and archived for a specified period (see Retention of eHR data below).
- Access to and Use of eHR Data: Only those health data falling within the pre-defined scope for eHR sharing will be accessible by other healthcare providers under the eHR Sharing System for the primary purpose of enhancing the continuity of care for patients. As a specific exemption to be prescribed under the future eHR legislation, it is proposed that eHR data may be used for public health research and disease surveillance as a secondary purpose, subject to different levels of approval by the relevant authorities depending on whether patient-identifiable eHR data is used.
- Retention of eHR Data: As a general rule, eHR data of patients shall be kept within the eHR Sharing System for as long as they continue to participate in eHR sharing. For patients whose consent has lapsed or has been revoked, their data on the eHR Sharing System shall be "frozen" for three years, during which only the subject patient or eligible persons may access the relevant data; and for patients who have passed away, ten years, during which only the administrator / executor or persons authorised by the Court may access the relevant data. Immediately after the "frozen period", the eHR data shall be de-identified and retained in the system for potential secondary usage only.
- Data Access and Correction by Patients:
- Identification, Authentication, Access Control and Security:
- Criminal Sanctions
More here:
There is a fully detailed web site explaining the consultation to be found here.
There is an Executive Summary (.pdf) of 19 pages which makes the plans pretty clear.
The access and ID controls are to be based on the National ID smartcard system which is already operational.
Reading the documents, this is a ‘patient-orientated’ record system which is voluntary to join but is not patient controlled in the sense meant in Australia.
It is worth having a look at the documents, as they have clearly given the whole thing a very considerable amount of thought and are moving at a measured and careful pace.
David.