A proposed system to allow public and private doctors to share information on their patients has loopholes that pose a threat to personal privacy.
That's the view of Privacy Commissioner Allan Chiang Yam-wang, who also warns the loopholes "jeopardise" his enforcement powers.
The Electronic Health Record sharing system is expected to be rolled out by the end of the year, following scrutiny of the associated bill by Legco. But Chiang warned that in the bill's present form, the system lacked measures to protect patients' privacy, such as a "need-to-know" clause or a "safe deposit box" to store highly sensitive health data such as patients' mental conditions. Both measures were needed to prevent unnecessary sharing of medical data, he said.
He also criticised an immunity clause which exempted the system's chief - the Electronic Health Record Commissioner - from needing to inspect doctors' records to ensure they were complying with the law.
"I find it odd and incomprehensible that the commissioner is given this special immunity, which tends to undermine the regulatory power of the privacy commission as well as the safeguard for patients' privacy."
He said that with this immunity, even if the commissioner failed to perform his duties in respect to data protection, he could refuse to follow orders from the privacy commission to tighten up monitoring.
A spokesperson for the Food and Health Bureau defended the proposed system, saying that health care providers had different medical record systems which catered to different clinical needs, so it was right that the commissioner refrain from making direct regulatory checks.
The spokesperson said a "need to know" clause was not necessary since the principle would be incorporated in a code of practice.
But Chiang's suggestions were welcomed by patients' rights advocates.
"[His] suggestions - like establishing a safe deposit box for sensitive medical information - are in line with what we hope for," said Tim Pang Hung-cheong, a patients' rights advocate with the Society for Community Organisation.
"Some illnesses like HIV or psychological illnesses cause stigmatisation or even discrimination towards these patients, so a safety box would protect that."
However, Pang said he recognised the need to balance protecting patients' privacy with disclosing enough health data for medical practitioners to make well-informed decisions.
"We need to have professional input on whether withholding some information may affect health care and medication prescription," he said.
A "need to know" clause could help guard against "excessive sharing", he added.