Imminent implementation of the Hong Kong Electronic Health Record Sharing System

Development of the System

The vision of a territory-wide eHR sharing infrastructure was first put forward in a consultation document published by the Government in March 2008. Currently, the clinic management system maintained by the Hospital Authority is the only large scale integrated eHR system in Hong Kong. Upon the upcoming implementation of the EHRS System, healthcare providers in both the public and private sectors may access eHR for healthcare purposes through an electronic platform.

The Ordinance

The key features of the Ordinance include:

• The EHRS System will be operated, maintained and regulated by the Commissioner for the Electronic Health Record (the eHR Commissioner). In order to participate in the eHRS System, patients and healthcare providers may, on a voluntary basis, apply for registration with the eHR Commissioner.
• Healthcare provider is defined as any person providing an activity performed by a healthcare professional to an individual for assessment, maintenance, diagnosis or treatment of illness or disability. Examples of a healthcare professional include a registered medical practitioner, dentist, pharmacist, nurse, physiotherapist, chiropractor and Chinese medicine practitioner.
• A patient must be aged 16 or above in order to register with the eHRS System and provide consent to share any eHR. For any patient under 16 (or is aged 16 or above but incapable of giving consent), the patient's parent (or guardian) may act on the patient's behalf for the purposes of registration and giving of consent.
• When applying for registration with the eHRS System, a patient is required to give consent to the eHR Commissioner to share the patient's eHR in the System with any registered healthcare provider for both healthcare and referral purposes (Joining Consent). However, upon the patient's registration, the System will not automatically allow sharing of any patient's eHR by a healthcare provider unless the patient has given a separate consent to such healthcare provider to provide the patient's eHR to and obtain it from the eHRS System (Sharing Consent).
• It should be noted that the patient is deemed to have given a Sharing Consent to the Department of Health and the Hospital Authority when providing the Joining Consent upon registration.
• A patient may at any time withdraw its registration with the eHRS System or revoke a Sharing Consent given to any healthcare provider (except for any Sharing Consent given to the Department of Health and the Hospital Authority).
• Only sharable data in any eHR can be shared in the eHRS System. Sharable data includes both health data and personal particulars of the patient. Whilst there are no specific categories of sharable data provided in the Ordinance, the eHR Commissioner's website set out examples including name, date of birth, ID number, adverse reactions, diagnosis, birth and immunisation records, laboratory and radiology results, and referral between healthcare providers.
• The eHR Commissioner has the power to (i) issue code of practice on compliance with the Ordinance; and (ii) in the event that a healthcare provider contravenes any provision of the Ordinance or code of practice, suspend or revoke the registration of a healthcare provider, or require the production of records and documents by a healthcare provider.
• A healthcare provider provided with a Sharing Consent is required to take reasonable steps to restrict access to a patient's eHR to healthcare professionals performing services for the patient and to restrict such access to relevant health data of the patient.

Our observations

• Whilst there are obligations under the Ordinance on healthcare providers to safeguard the access to health data through the eHRS System, eHR also constitutes personal data under the Personal Data (Privacy) Ordinance (PDPO). Accordingly, the use of eHR by healthcare providers is regulated by the PDPO and healthcare providers would be required to comply with the relevant data protection obligations under the PDPO. For instance, healthcare providers should ensure that the process of acquiring or providing eHR through the eHRS System complies with the obligation to protect against unauthorised or accidental access and processing by any third party.
• The Privacy Commissioner for Personal Data has indicated that it will publish information leaflets on data privacy issues arising from the use of the eHRS System. Such publication will be a useful guidance for healthcare providers to comply with the applicable PDPO obligations.
• Apart from the relevant statutory obligations, healthcare providers should not overlook any common law duty of confidentiality in connection with the handling of eHR through the eHRS System. In particular, health data or personal information contained in any eHR should not be disclosed without any prior consent of the patient, unless permitted under the Ordinance.