Protecting Security and Privacy of Personal Data in the eHRSS

Training on eHR and Onsite Registration Campaign at HA/DH Clinics

Security and privacy protection is of utmost importance for the Electronic Health Record Sharing System (eHRSS) as health records in the system contain valuable medical information as well as sensitive personal data.

The Government has placed great emphasis on the need for security and privacy controls in the eHRSS. Users, including healthcare providers (HCPs) and healthcare professionals (HCProfs), have to follow requirements of different aspects to safeguard security and data privacy.

Legal Aspect and Good Practice

Personal Data (Privacy) Ordinance (Cap. 486)

The ordinance provides overall protection to personal data and is applicable to health records in the eHRSS. Handling of health records in relation to the system is subject to the requirements of the provisions of the ordinance, including the six Data Protection Principles regarding data collection, accuracy and retention, data use, data security, openness, and data access and correction.

The eHRSS development programme continues into the second stage

eHRSSO includes offences specific to the operation of eHR sharing to help safeguard the privacy and security of the system

Electronic Health Record Sharing System Ordinance (Cap. 625)

The ordinance was specially formulated to help safeguard the privacy and security of the eHRSS and its data. It stipulates requirements for using the eHRSS, and gives robust protection for the privacy and confidentiality of patient information by providing a legal basis for collecting, sharing, using and safe keeping of data in the system. Compliance with the ordinance is required for using the eHRSS.

Key provisions cover:

-	Registration of HCPs and patients;
-	Sharing and use of data and information contained in the eHRSS;
-	Safeguards and protection of the system and electronic health records (eHR); and
-	Offences (e.g. on unauthorised access and system impairment).

Code of Practice for Using Electronic Health Record for Healthcare (COP)

The COP is an administrative document issued by the Commissioner for the Electronic Health Record to provide good practice and recommendations for users and participants of the eHRSS (in particular HCProfs, executives, administrative and technical staff of HCPs), and to help them better understand the operation of and the requirements for using the eHRSS.

Main items of the COP include:

-	Rules and regulations on internal access procedures and control;
-	Requirement for HCPs to comply with the security standard;
-	Proper certification, audit and monitoring mechanisms to ensure compliance with the security requirements; and
-	Requirement for remedial actions in case of non-compliance with the COP.

Technical Requirements

For the protection of security and privacy of health records, HCPs can only connect to the eHRSS to view record through identifiable sources:

	Fixed IP address; or
	Encapsulated Linkage Security Application (ELSA): an eHR communication module and software developed for the protection of the connection between workstations and the eHRSS. It acts as a firewall to control access to health records in the eHRSS.

Operational Requirements

Sharing consent from patients

Registered HCPs need to obtain sharing consent from patients under their care before they can access and share the patients’ health records to the eHRSS. Patients can give sharing consent to HCPs by the following means:

-	inserting Hong Kong Identity Card into a government-approved card reader;
-	using a eHRSS generated one-time password; or
-	signing a consent form

during visits to their HCPs.

In giving sharing consent to HCPs, patients can choose to:

-	give indefinite sharing consent (the consent will remain valid until expressly revoked by the patient); or
-	give one-year sharing consent (the consent will expire after one year or lapse if expressly revoked by the patient). The sharing consent can be renewed for another one-year term as long as the sharing consent is in effect.

Patients can revoke any sharing consent given to an HCP (excluding Department of Health and Hospital Authority) at any time.

Principles on doctor-patient relationship for the safekeeping of health records

-	“Need-to-Know” HCPs and HCProfs should access and share data only relevant to their professional service as well as necessary and beneficial for the continuity of healthcare.
-	“Patient-under-Care” HCPs and HCProfs can only access health records of patients under their care and with patients’ consent.