Code of Practice for Management Executives, Administrative and Technical staff using eHRSS

2.1 Registration as Healthcare Providers in eHRSS and promulgation of eHRSS
2.2 Handling Registration of Healthcare Recipient
2.3 Obtain Healthcare Recipient’s consent for eHR access
2.4 Healthcare Providers to manage any authorised person's user account
2.5 Manage Healthcare Providers’ own clinical records
2.6 Ensure general system security
2.7 Make data sharing to eHRSS secured
2.8 Handling Data Access Request and Data Correction Request

  1. Registration as Healthcare Providers in eHRSS and promulgation of eHRSS

    1. Healthcare providers meeting the registration requirements set out in eHRSSO may apply to the eHRC for registration in eHRSS.
    2. Healthcare providers should maintain an updated registration record, including their business registration, contact persons, details of participating hospital(s) or clinic(s) and service locations, etc. They should inform the eHRC in a timely manner of changes in business nature and clinical services and provide all necessary supporting information for verification.
    3. Healthcare providers should withdraw from eHRSS if they no longer fulfil the registration requirements, e.g. change of nature of services or termination of business.
    4. Healthcare providers should observe the conditions of registration of healthcare providers in eHRSS set by the eHRC (See Annex 4.8).
    5. Healthcare providers should be aware that their registration may be suspended or cancelled by eHRC due to breaching of any specified requirement set out by eHRC. Any such suspension or cancellation in registration may affect access and use of their healthcare recipients’ records in eHRSS.
    6. Healthcare providers should follow recommendations by eHR Office for promulgation of eHRSS.
    7. Healthcare providers should be aware that the eHR Office may from time to time update the information of prescribed healthcare providers [1] through various platforms for public awareness.

    [1] Information may include name, service location of healthcare provider and scope of data being shared to eHRSS.


  2. Handling Registration of Healthcare Recipient

    1. Healthcare providers should observe the requirements set out by the eHRC for registering healthcare recipients in eHRSS (See Annex 4.8).
    2. Healthcare providers should ensure accurate capture and verification of healthcare recipients’ information during registration.
    3. Healthcare providers should submit a copy and retain appropriate original supporting documents of the healthcare recipients for verification.
    4. Healthcare providers should observe the conditions (See Annex 4.2) which would allow a Substitute Decision Maker (SDM) to act for healthcare recipients who are incapable of giving consent in registration and related matters.
    5. Healthcare providers should ensure their administrative staff handle healthcare recipients’ and/or SDMs’ Hong Kong Identity Cards with care and in accordance with the guideline issued by the PCPD for handling healthcare recipients’ registration and consent matters.
    6. Healthcare providers should take reasonable steps to ensure healthcare recipients and their SDMs understand and agree with the purpose of using their personal data for:
      1. Giving consent to join eHRSS;
      2. Giving sharing consent to healthcare providers; and
      3. Updating registration information (e.g. healthcare recipient withdrawing from eHRSS or revoking consent to a healthcare provider) and related matters.
    7. Healthcare providers should update registration information of their healthcare recipients and their SDMs if necessary and inform the eHR Office in a timely manner (e.g. healthcare recipient’s Names, Sex, Date of Birth, Hong Kong Identity Card number or other Travel Document Numbers).

  3. Obtain Healthcare Recipient’s consent for eHR access

    1. Healthcare providers should obtain explicit, informed consent from healthcare recipient or his/her SDM (if applicable) for:
      1. healthcare recipient registration in eHRSS; and
      2. sharing of healthcare recipient’s health information through eHRSS.
    2. Healthcare providers should take the following actions to ensure healthcare recipient’s or his/her SDM’s consent (if applicable) is valid and well-informed by:
      1. Providing sufficient, relevant and comprehensible information (e.g. Participant Information Notice, pamphlets, posters, etc.);
      2. Obtaining consent from SDM for healthcare recipients who are incapable of giving consent (See Annex 4.2); and
      3. Confirming with the healthcare recipient or their SDM that their consent is voluntary.
    3. Healthcare providers should be aware of the general principles of handling consent by healthcare recipients:
      1. A healthcare recipient can give consent to register for or withdraw from eHRSS, and to give or revoke sharing consent unless he/she is a minor under age 16 or if he/she is an adult and there is evidence that he/she is incapable of giving consent.
      2. For minors and healthcare recipients who are incapable of giving consent, consent should be given by their SDMs.
    4. Healthcare providers should verify the identities of the HCR and AP, who handles registration and consent matters on behalf of the HCR.
    5. Healthcare providers should verify the identity of the SDM and confirm with the SDM that he or she has read and understood the Participant Information Notice, in particular the Important Notes for SDM Handling Registration Matters On Behalf of an HCR.
    6. Healthcare providers should be acquainted with the types of persons eligible to act as a SDM for a particular class of healthcare recipient as stipulated by eHRSSO (See Annex 4.2), who may give a substitute consent for that class of healthcare recipient to register or withdraw from eHRSS and to give sharing consent to healthcare provider(s).
    7. Healthcare providers should always request the healthcare recipient’s own expressed preference. If the healthcare recipient clearly expresses his/her intent, the healthcare providers should carefully assess whether his/her case indeed requires any SDM.
    8. Healthcare providers should be aware that where there is no other eligible SDM available and the healthcare providers consider that it is in the best interest of the healthcare recipients, the healthcare providers can choose to give consent for registration and sharing in eHRSS (healthcare providers should appoint a designated person under their charge to assume the role and perform the tasks of serving as the SDM of the healthcare recipients).
    9. Healthcare providers should be aware that there are two types of Sharing Consent: “Indefinite Sharing Consent” & “One-year Sharing Consent”.
    10. Healthcare providers should be aware that “Indefinite Sharing Consent” is in effect until it is revoked or the registration of the healthcare recipient is withdrawn or cancelled.
    11. Healthcare providers should be aware that “One-Year Sharing Consent” to healthcare providers is valid for one year unless it is revoked or the registration of the healthcare recipient is withdrawn or cancelled.
    12. Healthcare providers should not share health information of healthcare recipients who have withdrawn from registration or revoked their sharing consent through eHRSS.
    13. It is advisable that healthcare providers should inform healthcare recipients, as far as practicable, before accessing their eHR and be aware that healthcare recipients will receive a notification from eHRSS for access to their eHR in the form chosen by the healthcare recipients including but not limited to the following:
      1. Electronic message [e.g. Short Message Service (SMS)];
      2. Postal mail; and
      3. E-mail.
    14. Healthcare providers should provide healthcare recipients with access to their organisations’ privacy policy document(s) and information about the kinds of data from their health record system that will be shared and the purposes of sharing to eHRSS.

  4. Healthcare Providers to manage any authorised person's user account

    1. Healthcare providers should be responsible for creating and maintaining user accounts for any authorised users [2] in eHRSS, including checking and updating their healthcare professionals’ registration status for validation in a timely manner.
    2. Healthcare providers should seek agreement from the authorised users, if necessary, for creation of their user accounts in eHRSS and verification of their professional registration status for access to eHRSS.
    3. Healthcare providers should close the accounts of departed persons in eHRSS in a timely manner after their last day of service.
    4. Healthcare providers should issue appropriate authentication means (e.g. security token), according to the guidelines issued by the eHR Office to their healthcare professionals to access eHRSS (See Annex 4.8).
    5. Healthcare providers should ensure only authorised healthcare professionals with the need-to-know can access eHR of particular healthcare recipients for providing healthcare to them.
    6. Healthcare providers should take reasonable and practical steps to ensure that their authorised users respect and have adequate awareness and knowledge of personal privacy, information confidentiality and system security [3].
    7. Healthcare providers should ensure that their authorised users are aware that using healthcare recipients’ information from eHRSS for direct marketing is forbidden.
    8. Healthcare providers should take reasonable and practicable steps to ensure their healthcare professionals properly use security controls and devices (e.g. log-in password and security tokens).
    9. Healthcare providers should appoint appropriate administrative and technical staff, as contact person(s) to communicate with the eHR Office for matters related to eHRSS operation.
    10. Healthcare providers should supervise and monitor staff carrying out administrative and technical duties, including but not limited to:
      1. Registering and managing registration information of healthcare providers in eHRSS;
      2. Registering and managing registration information of healthcare recipients in eHRSS;
      3. Registering and managing registration information of healthcare professionals in eHRSS;
      4. Performing regular reporting, exceptional reporting and cooperating with eHR Office in audit on eHRSS operations.

    [2] Authorised user may include any person authorised by respective healthcare provider, who has clinical, administrative or technical duties and uses or supports operation of eHRSS.

    [3] Reasonable and practical steps may include setting out confidentiality as an obligation under the terms of employment and human resource management policy and providing regular staff training and reminders and notice to staff.


  5. Manage Healthcare Providers’ own clinical records

    1. Healthcare providers should maintain clear and updated clinical records for their healthcare recipients. eHR should not be taken as a replacement of a healthcare provider’s own health records.
    2. Healthcare providers should ensure the data in their medical record system is accurate for sharing.
    3. Healthcare providers should share the health information of their healthcare recipients who have given consent for sharing of their health records in eHRSS if the information is readily and electronically available and within sharable scope (See Annex 4.5) after each episode of care as soon as possible.
    4. Healthcare providers should be aware that any data obtained from eHRSS shall become part of their health records and they should define and follow their own data retention policy in accordance with PD(P)O (Cap 486).
    5. Healthcare providers should ensure proper filing and record keeping of any printed or obtained health records of healthcare recipients from eHRSS according to healthcare provider’s own record management policies and prevent them from unauthorised access.

  6. Ensure general system security

    1. Healthcare providers should implement and monitor proper use of security measures in eHRSS set out by the eHR Office from time to time:
      1. Keep and access enabled computers (i.e. with appropriate certification software) only in secured physical locations (e.g. access within secured workplace, clinic or office) and avoid access to eHRSS in public areas such as internet cafe or public library;
      2. Keep and maintain security in wired and wireless network for computers connecting to eHRSS;
      3. Keep computer system and software updated with latest security patches applied;
      4. Use only licensed / legal computer software with the latest security patches applied and avoid using peer-to-peer software (e.g. Foxy or BitTorrent, etc.);
      5. Install appropriate anti-virus and anti-spyware software;
      6. Ensure authorised users log off eHRSS and local Electronic Medical Record (eMR) systems after use;
      7. Enable automatic screen-lock or screen-saver with password protection on computer workstations and set a reasonable idle time;
      8. Ensure authorised users observe password policies (e.g. use of strong password with regular updates; avoid writing down or sharing of password; change eHRSS assigned password immediately after successful login for the first time);
      9. Record and manage access rights assigned to each authorised user according to their roles in delivering healthcare to the patients;
      10. Assign an individual account for each user and ensure they properly use any means of security log-on measures or devices (e.g. log-in password and security token) and protect them against unauthorised use (e.g. sharing with others); and
      11. Provide security and privacy awareness training to authorised users to ensure their proper use of eHRSS in accordance with appropriate security and privacy requirements.
    2. Healthcare providers should cooperate with eHR Office for auditing or investigations in relation to the operation of eHRSS if necessary.
    3. Healthcare providers should maintain relevant system audit logs about access to eHRSS through their eMR systems, if applicable (See Annex 4.8).
    4. Healthcare providers should perform regular monitoring and audit on system behaviour for identification of abnormality, intrusion and potential system fault or user misbehaviour, if applicable.
    5. Healthcare providers should report as soon as possible to eHR Office any suspected security incidents, privacy incidents and suspected security weakness related to access to and use of eHRSS.

  7. Make data sharing to eHRSS secured [4]

    1. Healthcare providers should endeavour to comply with standards, policies and requirements on security and data sharing issued by eHRC (See Annex 4.8).
    2. Healthcare providers should perform self-assessment and tests with eHR Office for data readiness and interoperability before sharing information to eHRSS (See Annex 4.8).
    3. Healthcare providers should perform system connection testing with the eHR Office for data sharing according to security requirements and other specifications (See Annex 4.8).
    4. Healthcare providers should provide amended and updated records in their eMR to eHRSS if previous records have been shared to eHRSS.
    5. Healthcare providers should perform periodic Security Risk Assessment and Audit (SRAA) of their own eMR systems, if applicable, or perform appropriate security assessment and fix any identified security loopholes according to the requirements specified by the eHR Office for system connection (See Annex 4.8). Any identified security risks or non-conformance with the security requirements should be rectified in a timely manner.

    [4] This section applies to sharing of data from local electronic medical record system to eHRSS.


  8. Handling Data Access Request and Data Correction Request

    1. Healthcare providers should advise healthcare recipients to approach eHR Office for Data Access Request for personal data contained in eHRSS.
    2. Healthcare providers should handle Data Correction Request in accordance with the relevant provisions in PD(P)O (Cap 486) and eHRSSO.
    3. Healthcare providers should be aware that Data Correction Request for demographic data (e.g. Name, Identity Number, Date of Birth or Sex) in eHRSS can be handled by either eHR Office or a prescribed healthcare provider.
    4. Healthcare providers should be aware that Data Correction Request for the healthcare recipients’ health data in eHRSS should be reviewed by the healthcare providers who have contributed and shared that health information to eHRSS according to established workflow for handling of such requests by the eHR Office (See Annex 4.8).
    5. Healthcare providers should update and provide corrected health records to eHRSS as soon as possible once an error of their healthcare recipient’s health record is noted and rectified.
    6. Healthcare providers should exercise careful judgement in handling the data correction request and inform the healthcare recipients and eHR Office of the result of such requests and, if the request is refused, the reason for refusal.
    7. Healthcare providers should make a note, attach it to the healthcare recipient’s record and provide it to eHRSS if the Data Correction Request is refused and the data to which it relates is an expression of opinion according to the PD(P)O (Cap 486).