The Hospital Authority will implement the Taskforce on Patient Data Security & Privacy's 26 recommendations within two years to improve the protection of patient data.

The authority appointed the taskforce in May following cases of lost electronic devices containing patient data.

Releasing its review report today taskforce chairman Stephen Lau said the authority has room for improvement in structure, culture and technology.

Upgrade proposals

Although hospitals and the hospital clusters have separate groups protecting patient data, their work is either overlapping or unclear. The authority headquarters also lacks a main office to deal with the matter.

"The authority should set up an office for planning, co-ordinating and following up patient data security," Mr Lau said, adding this will help enhance the monitoring of individual hospitals' work and the procedures concerning privacy protection.

On changing corporate culture Mr Lau suggested the authority reinforce staff awareness of safeguarding patients' personal data. He said regarding lost electronic devices as incidents of lost property, instead of important patient data, was insensitive.

He also proposed the implementation of automatic encryption of patient records in various stages, including data processing, transportation and within the authority's main system.

"The authority should formulate policy to minimise staff retrieval and downloading of patient records to reduce risks," Mr Lau said, adding the authority should keep abreast of technology advances to ensure its monitoring and audit systems are effective.

Measures taken

Welcoming the recommendations the authority's Chief Medical Informatics Officer Dr NT Cheung said a multi-pronged approach has been adopted to enhance patient data security and privacy systems.

He cited some actions that have been taken, including educating staff members, strengthening control systems, implementing automatic data encryption, reducing the use of identity card numbers for data handling, and reviewing the need for data downloading by staff.

The authority will form an action plan in implementing the taskforce's proposals within 18 months. Click here for the taskforce report.

There have been 10 reported cases of data loss via electronic devices involving six hospitals. None have involved personal data leakage and seven involved theft.