Role-based access control

It is a built-in differentiated access control to regulate the access of authorised healthcare professionals, with features as follows:

  • A privacy protection mechanism based on a healthcare professional's (HCProf's) role in an organisation.
  • Different authorised HCProfs have different levels of access to data and functions.
  • Pre-defined differentiated access rights are set in accordance with the clinical needs or functions of different HCProfs.
  • Access the parts of the electronic health record (eHR) only relevant to their professional service under the "need-to-know" principle.
  • All access activities will be logged properly and are subject to audit and inspection.
Role-based access control

Access to eHR under restricted control

HCProfs may request to access patient's eHRs which are under restricted control if necessary. They are required to provide reason(s), explain to patient and obtain his/ her additional consent* before accessing the record. Patient can use Hong Kong smart identity card or one-time password sent by the system to authorise the access*. All accesses will be logged and are subject to audit and inspection.

*Applicable to HCProfs in the community only, system will send an additional notification to the patient after access

Access right of healthcare professionals

  • Pharmacist
    Expand
    Pharmacist

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Immunisation records
    • Laboratory reports
    • Healthcare referrals

    Restricted control:

    • Birth records
    • Radiology reports
    • Other investigation reports
  • Dentist
    Expand
    Dentist

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Birth records
    • Immunisation records
    • Laboratory reports
    • Radiology reports
    • Other investigation reports
    • Healthcare referrals
  • Doctor
    Expand
    Doctor

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Birth records
    • Immunisation records
    • Laboratory reports
    • Radiology reports
    • Other investigation reports
    • Healthcare referrals
  • Midwife
    Expand
    Midwife

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Birth records
    • Immunisation records
    • Laboratory reports
    • Radiology reports
    • Other investigation reports
    • Healthcare referrals
  • Nurse
    Expand
    Nurse

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Birth records
    • Immunisation records
    • Laboratory reports
    • Radiology reports
    • Other investigation reports
    • Healthcare referrals
  • Medical laboratory technologist
    Expand
    Medical Laboratory Technologist

    Ordinary control:

    • Personal identification and demographic data
    • Laboratory reports
    • Healthcare referrals

    Restricted control:

    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Birth records
    • Immunisation records
    • Radiology reports
  • Occupational therapist
    Expand
    Occupational Therapist

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Radiology reports
    • Healthcare referrals

    Restricted control:

    • Birth records
    • Laboratory reports
    • Other investigation reports
  • Part I optometrist
    Expand
    Part I Optometrist

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Laboratory reports
    • Healthcare referrals

    Restricted control:

    • Birth records
    • Immunisation records
    • Radiology reports
    • Other investigation reports
  • Radiographer
    Expand
    Radiographer

    Ordinary control:

    • Personal identification and demographic data
    • Radiology reports
    • Healthcare referrals

    Restricted control:

    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Immunisation records
    • Laboratory reports
    • Other investigation reports
  • Physiotherapist
    Expand
    Physiotherapist

    Ordinary control:

    • Personal identification and demographic data
    • Allergies and adverse drug reactions
    • Diagnosis
    • Procedures
    • Medication
    • Encounters / appointments
    • Clinical note / summary
    • Radiology reports
    • Healthcare referrals

    Restricted control:

    • Birth records
    • Laboratory reports
    • Other investigation reports

 

Frequently asked questions

  • Is there any access control? Who can access patient's information and what patient's information can be accessed?
    Expand

    Healthcare providers can only access the health data of patients under their care and with the patients' consent. Data in eHealth should be accessed with the clinical needs and according to different role of authorised users. In general, only healthcare professionals are allowed to access health data of patients in eHealth. Administrative users are not allowed to view health records of patients and can only have limited access rights to personal particulars of patients for registration matters.

  • How are access rights in eHealth granted to healthcare professional working in clinic / hospital / institution?
    Expand
    1. Healthcare professionals who need to access to patients' health data in eHealth shall open user accounts in eHealth via the healthcare providers they work for and maintain active professional registration status in respective boards and councils.
    2. Access rights are assigned by respective healthcare providers to individual authorised user.
    3. Access by any healthcare professional shall follow the principle of need-to-know according to their roles in providing healthcare to the patients.
  • What is the difference between eHRs that are under "ordinary control" and "restricted control"? What are the access rights of different groups of healthcare professionals?
    Expand

    eHRs which are under "ordinary control" refer to types of data that are accessible by the respective group of healthcare professionals without additional access restrictions, whereas those under "restricted control" are subject to certain additional access controls (e.g. patient's additional consent). Accesses to eHRs by different groups of healthcare professionals are categorised and defined in accordance with their clinical needs and functions in an organisation.

    Please refer to the eHealth webpage for more information about the access rights of different groups of healthcare professionals.

  • My child is under 16. What should I do if the healthcare professional needs to access his / her eHRs that are under restricted control?
    Expand

    If you are the SDM of the child, the healthcare professional is required to provide and explain the reason(s) of access to you, and obtain your additional consent1 before accessing the child's records. You can provide the one-time password sent by the system to authorise the access1. An additional notification about the access1 will also be sent via the selected communication means.

    1 Applicable to access by healthcare professionals in the community only
  • Why would healthcare professionals HCProfs access my eHRs that are under restricted control? Will I be notified if they have accessed these records?
    Expand

    Healthcare professionals providing healthcare to you may request to access your eHRs which are under restricted control on a "need-to-know" basis in order to obtain the additional information necessary to provide appropriate healthcare services to you. Healthcare professionals are required to provide and explain the reason(s) of access to you, and obtain your additional consent1 before accessing these records. You can authorise the access by using your Hong Kong smart identity card or the one-time password sent by the system to you1. You will also receive an additional notification about the access1 via your selected communication means. All accesses will be logged and are subject to audit and inspection.

    1 Applicable to accesses by healthcare professionals in the community only