Digital Health Apps/Software
  1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
  1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
  1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
  2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.
  3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
  4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
  5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
  6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
  7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
Telemedicine
  8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
  9. What laws and/or regulations apply to physicians regarding telemedicine?
  10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
  11. Do the standards of care applicable to physicians change in the context of using telemedicine?
  12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
  13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
  14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
  15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

There is currently no specific ordinance/regulation that applies to digital health apps.

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

To date, no digital health app has been classified as a medical device in Hong Kong. 

Whether a digital health app may be considered a medical device depends on its intended use and function among other factors.

The Medical Device Division of the Hong Kong Department of Health defines a medical device as “any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific medical purpose(s) of:

  1. diagnosis, prevention, monitoring, treatment or alleviation of disease; or
  2. diagnosis, monitoring, treatment, alleviation of or compensation for an injury; or
  3. investigation, replacement, modification, or support of the anatomy or of a physiological process; or
  4. supporting or sustaining life; or
  5. control of conception (including contraception); or
  6. disinfection of medical devices; or
  7. providing information for medical purposes by means of in vitro examination of specimens derived from the human body;

and which does not achieve its primary intended action in or on the human body by pharmacological, immunological, or metabolic means, but which may be assisted in its intended function by such means.”

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

No – as mentioned above, it is currently not a regulated product under any ordinance or regulation.

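2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.

The Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) is a comprehensive set of laws that is technology-neutral and provides a set of Data Protection Principles (“DPPs”) outlining how data users should collect, handle and use personal data.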

Depending on the nature and characteristics of the app, it may also be regulated by other legislation such as the Pharmacy and Poisons Ordinance (Cap. 138) or the Telecommunications Ordinance (Cap. 106).

For completeness, the Electronic Health Record Sharing System Ordinance (Cap. 625) is also relevant.  This ordinance provides legal basis for the collection, sharing, use and safekeeping of patients' health data under the Electronic Health Record Sharing System, which is a platform for healthcare providers in both the public and private sectors.  Healthcare providers that have obtained the consent of the patient can access and share the patient’s health record in the aforementioned system for healthcare-related purposes.

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

It does not matter in either scenario.

The PDPO applies regardless of whether users are residents using the digital health app/software within and/or outside of their jurisdiction, as long as the activities fall within the scope stated in question 2 above.

The PDPO is applicable to both the private and the public sectors.  As such, B2B and B2C digital health apps/software must comply with the PDPO.  This applies equally in relation to the Pharmacy and Poisons Ordinance and Electronic Health Record Sharing System Ordinance.

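4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

No.  None of these features will give rise to any additional consent requirements or regulatory approvals beyond those under the general regulatory regime of the PDPO.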

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

No.

The Ethical Guidelines on Practice of Telemedicine provide that a doctor who substitutes telemedicine for traditional modes of delivery of medical care remains fully responsible for meeting all legal and ethical requirements and must exercise due diligence when practising telemedicine. The standards of care that protect patients during face-to-face medical consultations apply equally to telemedicine.

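6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

Failure to comply with applicable data privacy laws and regulations may expose an operator of digital health app software (if it is a data user in the context) to criminal penalties as well as civil liability for damages to concerned or affected data subjects.  Criminal penalties include imprisonment and/or fines.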

Although a contravention of the DPPs does not constitute an offence in itself, the Privacy Commissioner for Personal Data, Hong Kong may serve an enforcement notice on a data user for contravention of the DPPs.  A data user who contravenes an enforcement notice commits an offence and is liable on first conviction to a fine of up to HK$50,000, a daily penalty of HK$1,000 and imprisonment for a maximum of two years.  On a second or subsequent conviction, the data user is liable to a fine of up to HK$100,000, a daily penalty of HK$2,000 and imprisonment for up to two years.

7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

The Legislative Council of the Hong Kong Special Administrative Region has previously discussed the introduction of a regulatory framework and guidelines on the applications of technology in the healthcare sector, but no anticipated time frame has been put forward.

On a related note, the Health Bureau is considering various initiatives and proposals including the possibility of mandating the use of the Electronic Health Record Sharing System by both the public and private sectors with a view to strengthening the protection for healthcare service users, ensuring healthcare quality and raising standards, enhancing coordination and continuity in the healthcare process.  It is envisaged that public health initiatives can be more readily promoted, coordinated and monitored under one centralised IT platform.  That said, there is no concrete legislative plan in this regard to date.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

Medical practitioners are regulated by the Medical Council of Hong Kong (“Medical Council”), which is responsible for the registration and disciplinary regulation of medical practitioners in Hong Kong in accordance with the Medical Registration Ordinance (Cap. 161).

9. What laws and/or regulations apply to physicians regarding telemedicine?

There is currently no legislation or regulation governing telemedicine.  However, the Medical Council has issued Ethical Guidelines on the Practice of Telemedicine (“Guidelines”) which are generally applicable to telemedicine services.  In this regard, the Medical Council has also issued Questions and Answers to the Guidelines in relation to practical aspects of such services.  The Code of Professional Conduct issued by the Medical Council must also be observed.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

Please see our answer to question 9 above.

The Guidelines provide general guidance and recommendations on the use of telemedicine, and contravention of these may render medical practitioners liable to disciplinary proceedings.  Although the Guidelines do not set mandatory pre-requisites in relation to when telemedicine can be used, they set out various general principles which medical practitioners should follow.

Medical practitioners and stakeholders should note that the Guidelines are not exhaustive and are subject to periodic review and/or revisions.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

No, the standards of care that protect patients during face-to-face medical consultations apply equally to telemedicine.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Generally, no.

However, before prescribing any medicine to a patient for the first time, the Guidelines recommend that the medical practitioner should first conduct an in-person consultation with the patient.

Further, medical practitioners must consider various factors before prescribing any type of medicine.  The considerations include, but are not limited to:

  1. Whether the medical practitioner has adequate knowledge of the patient’s health and is satisfied that the medicine serves the patient’s needs;
  2. The limitations of the medium through which the doctor communicates with the patient;
  3. The need for physical examination or other assessments; and
  4. Whether he has access to the patient’s medical records.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

N/A

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

No, the PDPO applies generally.  Please see the answers to questions 2 and 3 above.

15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

The Legislative Council has previously discussed the introduction of a regulatory framework and guidelines on the applications of technology in the healthcare sector, but no anticipated time frame has been put forward.

Please also see our answer to question 7 above.