What are the purposes of the Code of Practice for Using Electronic Health Record for Healthcare (COP)?

  1. To provide practical, technical and operational recommendations
  2. To recommend measures to safeguard security and privacy of the Electronic Health Record Sharing System (eHealth)
  3. To illustrate the principles and good practice for using eHealth

Frequently asked questions

  • Who should read the COP?

    The following staff of healthcare providers (HCPs) who wish to participate in eHealth or use electronic health record (eHR) should read the COP:

    1. Management executives
    2. Administrative staff
    3. Technical staff
    4. Healthcare professionals (HCProfs)

    Management executives in HCPs shall understand the roles and responsibilities of healthcare providers at organisational level in participating in eHealth and making sure their staff and any authorised users (including administrative, technical and professional) comply with various sections in the COP.

    The COP also provides HCProfs with the best practice in accessing and sharing their patients' clinical records in eHealth.

  • What is the nature of the COP?

    The COP issued by the Commissioner for the eHR (eHRC) is not subsidiary legislation and it is administrative in nature.

    It helps eHealth participants (including HCPs, authorised users and researchers) to understand the requirements regarding the operation of the system and provides practical guidance and examples of best practice for using the system in a secure and proper manner. Similar Codes of Practice have been issued in other countries such as the United Kingdom, Australia and Canada.

    Compliance is encouraged and other reasonable ways of practice (other than those laid down in the COP) in line with the principles are also acceptable.

  • What are the differences in the level of compliance between Electronic Health Record Sharing System Ordinance (Cap. 625) (eHRSSO) and the COP?
    1. Compliance with eHRSSO is a legal obligation.
    2. The COP is a professional, ethical and administrative best practice.
    3. The provision of the COP intends to facilitate interpretation and compliance with eHRSSO. All existing related ordinances and regulations shall remain applicable.
  • What is the consequence of non-compliance with the COP?
    1. The COP is administrative in nature and is not legally binding. Non-compliance does not constitute an offence under eHRSSO by itself.
    2. Depending on the facts and the actions committed in relation to such non-compliance with the COP, eHRC is empowered to carry out any disciplinary actions including suspension and cancellation of registration of a HCP in eHealth.
    3. A person may be at risk if he / she violates general requirements, e.g. not following certain computer security recommendations, and the person may be requested to take appropriate action and rectification.
  • What are the differences between the COP issued by eHRC, the Code of Professional Conduct issued by the Medical Council of Hong Kong and the Code of Practice issued by the Privacy Commissioner?
    1. The COP issued by eHRC:
      1. The COP issued by eHRC under eHRSSO would not be subsidiary legislation and would be purely administrative in nature.
      2. It would help eHealth participants (including HCPs, healthcare staff, and technical staff) to understand better the requirements for regulations and provide practical guidance and best practice for using the System in a secure and proper manner.
      3. As set out in eHRSSO, if eHRC reasonably suspects a breach of the COP, he may suspend / cancel the registration of the HCP. Mere breach of the COP in itself is not an offence.
    2. Medical Council's Code of Professional Conduct:
      1. The Code of Professional Conduct issued by the Medical Council serves as a guide for ethics and professional conduct for doctors.
      2. It is not a legal document but can serve as a reference for the Medical Council in an inquiry.
      3. Breach of the Code of Professional Conduct itself may not constitute an offence but would subject the doctor concerned to the Council's inquiry, which could potentially lead to the professional registration of the HCProfs being cancelled by the Council.
    3. Code of Practice issued by Privacy Commissioner:
      1. As set out in Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), a Code of Practice may be published for providing guidance in respect of any PDPO requirement.
      2. As stipulated in section 13 of PDPO, a breach of a Code of Practice by a data user will give rise to a presumption against the data user in any legal proceedings under PDPO.
      3. If a Code of Practice provision is relevant and necessary to a breach of a PDPO provision, and this PDPO provision is not otherwise complied with by another means, then the PDPO breach may be taken as proven.