Privacy at risk over plan to share patients' data

A proposed system to allow public and private doctors to share information on their patients has loopholes that pose a threat to personal privacy.

That's the view of Privacy Commissioner Allan Chiang Yam-wang, who also warns the loopholes "jeopardise" his enforcement powers.

The Electronic Health Record sharing system is expected to be rolled out by the end of the year, following scrutiny of the associated bill by Legco. But Chiang warned that in the bill's present form, the system lacked measures to protect patients' privacy, such as a "need-to-know" clause or a "safe deposit box" to store highly sensitive health data such as patients' mental conditions. Both measures were needed to prevent unnecessary sharing of medical data, he said.

He also criticised an immunity clause which exempted the system's chief - the Electronic Health Record Commissioner - from needing to inspect doctors' records to ensure they were complying with the law.

"I find it odd and incomprehensible that the commissioner is given this special immunity, which tends to undermine the regulatory power of the privacy commission as well as the safeguard for patients' privacy."

He said that with this immunity, even if the commissioner failed to perform his duties in respect to data protection, he could refuse to follow orders from the privacy commission to tighten up monitoring.

A spokesperson for the Food and Health Bureau defended the proposed system, saying that health care providers had different medical record systems which catered to different clinical needs, so it was right that the commissioner refrain from making direct regulatory checks.