Accessing a patient's electronic health record for non-medical purposes – DPP 3 – use of personal data
The Complaint
The Complainant gave consent to a doctor (Doctor) to upload his health record to the Electronic Health Record Sharing System (Sharing System) and access the said data. After the first and only visit, the Complainant made a complaint against the Doctor to the Medical Council of Hong Kong (Medical Council). While the Medical Council was handling the Complainant's case, the Complainant received a text message from the Electronic Health Record Office, informing him that the Doctor had accessed his electronic health record in the Sharing System. The Complainant was dissatisfied that the Doctor had accessed his health record for purposes not related to treatment and thus lodged a complaint against the Doctor with the PCPD.
Outcome
DPP 3 of the PDPO provides that without the prescribed consent of the data subject, his personal data may only be used (including disclosure or transfer) for the purpose for which the data was originally collected or for purposes directly related to that purpose. The PCPD was of the view that the Doctor was in contravention of DPP 3 by accessing the Complainant's electronic health record in the Sharing System for a purpose other than providing treatment to the Complainant and without obtaining separate consent from the Complainant.
Upon the PCPD's intervention, the Doctor undertook to access electronic health records in the Sharing System only for the purpose of providing treatment to patients and on a "need-to-know" basis.
Regarding the incident, the PCPD issued a warning to the Doctor, requesting him to ensure that the non-compliance in this case would not be repeated. In addition, the PCPD referred the case to the Electronic Health Record Office, which manages the Sharing System, for follow-up actions.
Lesson learnt
Healthcare providers should exercise prudence and professional judgment before accessing patients’ data in the Sharing System. Inappropriate use of the patients’ data in the Sharing System not only contravenes DPP 3 of the PDPO, but may also violate the Code of Practice for using the Sharing System.
(Uploaded in March 2022)