Office of the Privacy Commissioner for Personal Data

03/31/2026 | Press release | Distributed by Public on 04/01/2026 02:46

PCPD Publishes Information Leaflet on the Use of Data in eHealth System by Healthcare Professionals To Enhance the Protection of Patients’ Privacy

Date: 31 March 2026

In light of the expansion of the Electronic Health System (eHealth System) to enable broader sharing of patients' health data, and to ensure that patients' personal data privacy is adequately protected, the Office of the Privacy Commissioner for Personal Data (PCPD) today published an information leaflet titled "Points to Note for Healthcare Providers and Healthcare Professionals" (Information Leaflet). The Information Leaflet aims to assist healthcare providers (healthcare providing organisations) and healthcare professionals (such as doctors and nurses) to better understand and comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO) when handling patients' personal data through the eHealth System. These include the relevant provisions of the PDPO relating to the collection and use of personal data, data accuracy and data security.

The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, "With the prevalent use of the eHealth System, it is increasingly important for patients' health records to be handled properly through the electronic health platform concerned. Patients' health records stored in the eHealth System constitute personal data. Healthcare providers and healthcare professionals must comply with the relevant requirements of the PDPO and exercise due care in handling patients' health records so as to safeguard patients' personal data privacy."

The Information Leaflet provides practical guidance on matters that healthcare providers and healthcare professionals should note, as well as recommended good practices when they use the eHealth System in handling patients' personal data. These include:
  • Prior to patients' participation in the eHealth System: ensuring that their staff will remind patients, before giving joining consent and/or sharing consent, to read carefully the relevant "Personal Information Collection Statement", "Privacy Policy Statement", and "Participant Information Notice";
  • Access to and use of electronic health records: taking reasonable steps to ensure that only relevant healthcare professionals can access patients' health records in the eHealth System, and not using patients' personal data for new purposes, for example, uploading patients' health records to social media without their consent;
  • Accuracy of personal data: ensuring that the electronic health records they provide to the eHealth System are accurate;
  • Security of personal data: adopting all practicable steps to protect the security of personal data in the eHealth System and to reduce the risk of data breach and, if there is a data breach of the eHealth System, notifying both the Commissioner for the Electronic Health Record and the Privacy Commissioner as soon as possible;
  • Direct marketing: using electronic health records in the eHealth System for direct marketing is a criminal offence under the Electronic Health System Ordinance. Additionally, if healthcare providers intend to use the personal data in their local systems for direct marketing, they must comply with the requirements under the relevant provisions of the PDPO. Otherwise they will likewise be committing a criminal offence;
  • Transparency: formulating and periodically reviewing their personal data privacy policies; and
  • Data access requests or data correction requests: handling data access and correction requests in accordance with the PDPO, and providing relevant training and guidelines.
The Information Leaflet also includes an action list to assist healthcare providers in reviewing whether adequate measures have been adopted to safeguard personal data privacy.

Download the "Personal Data (Privacy) Ordinance and the Electronic Health System: Points to Note for Healthcare Providers and Healthcare Professionals":
https://www.pcpd.org.hk//english/resources_centre/publications/files/eHRSS_Points_to_Notes_ENG.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, reminds healthcare providers and healthcare professionals that they must comply with the relevant requirements of the PDPO when they handle patients' health records.


The PCPD published an information leaflet titled "Personal Data (Privacy) Ordinance and Electronic Health System: Points to Note for Healthcare Providers and Healthcare Professionals".
