Electronic Health Record Sharing System Ordinance

The Electronic Health Record Sharing System (eHRSS) Ordinance (Chapter 625) (eHRSSO) is in place to support the establishment of eHRSS and to provide a legal basis for governing the collection, sharing, use and safekeeping of data shared through the eHRSS. The Ordinance came into operation on 2 December 2015 (see Note).

Note: Except for Section 3(3)(e), Section 3(5)(g), Section 3(5)(h), Division 4 of Part 2, Section 29, Divisions 2 and 3 of Part 3, Section 46, Section 49(1)(g), Division 2 of Part 6, and Section 58(c).

Related ordinances

Frequently asked questions

  • Have other places in the world put in place similar legislation for electronic health record (eHR) as in Hong Kong?
    1. eHR systems launched around the world are, in general, protected under privacy acts.
    2. Some countries include relevant amendments in their health-related acts (e.g. the Health and Social Care Act 2012 in the United Kingdom).
    3. Some countries put in place specific health information acts (e.g. the Health Information Act 2001 in Alberta, Canada) and make relevant amendments to their privacy acts (e.g. the Personal Information Act in British Columbia, Canada).
    4. Some countries put in place eHR-specific legislation for their systems (e.g. the Personally Controlled Electronic Health Record System in Australia, i.e. the PCEHR Act 2012).
  • Are the operation and uses of data in the Electronic Health Record Sharing System (eHealth) subject to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO)? What are the differences between the regulations under PDPO and eHRSSO?
    1. PDPO applies to personal data contained in eHealth.
    2. A "minor" is defined as a person below 16 years of age in eHRSSO, whereas under PDPO it is a person under 18 years of age.
    3. Regarding the execution of duties for a Data Correction Request (DCR) under PDPO, eHRSSO sets out that the Commissioner for the Electronic Health Record (eHRC) can make and annex a note when the healthcare provider that provided eHealth with the data subject to the requestor's data correction request is unable to comply with the requirements under PDPO.
  • What are the levels of penalties for offences under eHRSSO?
    1. Knowingly obtains unauthorised access to, damages or modifies data or information contained in an eHR
      1. Unauthorised access to data in eHR; penalty HK$100,000
      2. Damage or modification of data in eHR; imprisonment for 2 years
      3. Unauthorised access to, modification or impairment to accessibility, reliability, security or processing of data in eHR with criminal or dishonest intent; imprisonment for 5 years
    2. Knowingly impairs operation of eHealth; imprisonment for 10 years
    3. Evades a data access request or data correction request by altering, falsifying or destroying the data or information contained in an eHR; penalty HK$100,000
    4. Knowingly makes an untrue statement to enable the person to give a joining consent or sharing consent; penalty HK$100,000
    5. Knowingly contravenes a condition for research or statistics; penalty HK$100,000
    6. Uses another person's data or information contained in an eHR or a copy for direct marketing
      1. Direct marketing - uses; penalty HK$500,000 and imprisonment for 3 years
      2. Direct marketing - provides; penalty HK$500,000 and imprisonment for 3 years (not for gain); penalty HK$1,000,000 and imprisonment for 5 years (for gain)