Case Studies
Lax security in maintaining medical records
Dr. K was a partner of a large private medical centre. Medical records of the centre were computerised to enhance storage efficiency and retrieval of patients’ information. Every employee had access to the records since no password was required.
Robert, a private detective, was entrusted by his client Mrs. CHAN to keep surveillance on her husband, who was suspected of having an affair with another woman. Discovering that Mr. CHAN’s mistress had paid frequent visits to Dr. K recently, Robert tried to seek assistance from the clinic assistant Eva to access relevant medical records. Robert agreed to offer Eva $10,000 as a reward for her help. Subsequently, Eva passed Robert a copy of the medical record of the mistress who had been confirmed pregnant. Eva accepted the money from Robert in return.
Case Analysis
Both Robert and Eva might have breached Section 9 of the Prevention of Bribery Ordinance for offering and accepting bribes. It was unlikely that Eva’s employer would permit her to accept an advantage (i.e. $10,000) for disclosing patients’ information to a third party. In addition, Eva might have committed an offence of accessing the computer with criminal or dishonest intent, contrary to Section 161 of the Crimes Ordinance.
Since Dr. K and his partners failed to adopt security measures to protect patients’ information, they might have liabilities under the Personal Data (Privacy) Ordinance, which requires appropriate security measures to protect clients’ personal data.
Sections 1.1.3, 1.1.4 and 1.1.5 of the Code of Professional Conduct issued by the Medical Council of Hong Kong (Oct 2022) also require doctors to take every step to strengthen the control system to protect patients’ information from misuse.