DH and HA follow up on suspected case of unauthorised access to patients' medical records by doctor undergoing specialty training while conducting clinical research
******************************************************************************************
The DH previously received an enquiry from a member of the public regarding access to electronic health records (eHRs) and launched an investigation. The DH found that, in March this year, a doctor undergoing specialty training accessed the medical records of patients not under the doctor's direct care without authorisation through the clinical information management system of the Social Hygiene Clinics and eHealth system, involving a total of 47 patients.
The doctor in question has been deployed to the DH's Social Hygiene Service since 2023, where the doctor undergoes regular training on a weekly basis, participates in clinical service and provides medical consultations to patients.
According to the requirements of individual specialty Colleges, doctors under specialty training are required to participate in research projects as part of their specialty training. It is understood that the doctor in question was conducting a clinical research project that had been approved by the HA's Institutional Review Board. The scope of the approval was limited to patients' records from public hospitals and did not cover the DH's patient records. The doctor accessed the relevant records without obtaining separate authorisation from the DH.
In response to the incident, the DH has immediately suspended the doctor's training and referred the case to the Police for follow-up. The DH has also reported the case to the Office of the Privacy Commissioner for Personal Data, the Commissioner for Electronic Health Record and the HA, which employed the doctor. The DH is currently notifying the affected individuals.
According to the DH's internal guidelines, healthcare personnel must protect patient privacy and comply with the relevant laws and regulations when accessing patients' medical records. When accessing eHealth data, they must also comply with the Electronic Health System Ordinance (Cap. 625) and the relevant code of practice. Healthcare personnel must obtain prior consent from the patients and adhere to the principles of "Need to Know" and "Patient Under Care" before accessing patients' medical records through any of the DH's clinical information management systems or eHealth system. At the system level, all activities on access to eHRs stored in the eHealth system are logged for later audit and prevention of abuse.
The HA earlier received the DH's notification and learned that the DH had reported the incident to law enforcement and regulatory authorities. The HA will fully co-operate with the investigation.
"The HA believes that although this is an isolated incident related to clinical research, the procedure was inappropriate. The HA will take this matter seriously and strengthen staff training on the precautions they should take when using patient data for clinical research," an HA spokesman said.
Both the DH and the HA reiterated that they attach great importance to protecting patient privacy. There are established mechanisms to regulate staff conduct and discipline.
Ends/Tuesday, April 21, 2026
Issued at HKT 19:40
NNNN


