Table 2.
Authorities who need to provide approval for EMR extraction and use of data for research purpose | • Ethics boards within the hospitals. • National and local health authorities e.g. Division of Medical Affairs and Division of Research: necessary if retrieving data from various provinces, or retrieving national data of various kinds such as public health, immunisation or epidemiology of emergency events. • Site where the data was collected: director of the hospital, hospital data centre. • Individual patients: In Hong Kong Special Administrative Region (HKSAR) consent needed for access to EHR. Not conclusive if required in mainland China. • In HKSAR: the Office of the Privacy Commissioner for Personal Data, an independent statutory body, oversees enforcement of the Personal Data Privacy Ordinance (PDPO). Although not applicable for anonymised data, users should comply with requirements under the PDPO personal data handling. Suspected breaches will be investigated. |
Process to obtain approval | • Submission of Case Report Form (to ascertain potential harm to patients) and research proposal. • However, there is no clear legal framework about data use rights. • Process for Hong Kong: 1. Application to the Secretary for Food and Health; 2. The Secretary for Food and Health may refer application to the Electronic Health Record Research Board; 3. The Board must consider several factors including ethical issues and public interest; 4. Applications for non-identifiable data are made to the Commissioner for Electronic Health Records (eHRC). |
Approximate time needed to obtain all approvals | Less than 3 months. |
Ease of obtaining approval | Relatively easy, as there are procedures in place and the process is quick. The director of the hospital plays a key role in the approval process. Hurdles: • Organisation of the administration (no specific rules and regulations for data extraction). • Potential technical problems at some sites due to own systems in hospitals, and concerns of data leakage in China. • Law prohibiting transfer of non-anonymised EMR data outside HKSAR (section 33 of the PDPO), but not in force yet. • Anonymised patient data can be used for research and preparing statistics relevant to public health or public safety if conditions for approval by the future Commissioner for the EHR under Division 3 of the eHRSS Bill are fulfilled. |
Regional differences | Regional differences exist, e.g. Hong Kong has own authority dedicated to data protection. |