Electronic Health Record Sharing System Ordinance
The Electronic Health Record Sharing System (eHRSS) Ordinance (Chapter 625) (eHRSSO) is in place to support the establishment of eHRSS and provide a legal basis for governing the collection, sharing, use and safekeeping of data shared through the eHRSS. The Ordinance came into operation on 2 December 2015.
Electronic Health Record Sharing System (Amendment) Ordinance 2025
Supports the Enhancements and Sustainable Development of eHealth
The Electronic Health Record Sharing System (Amendment) Ordinance 2025 (the Amendment Ordinance) will come into effect on 1 December 2025. The following key amendments are available for reference.
1. Building a comprehensive personal electronic health record (eHR) for citizens
Streamlined Consent Mechanism
Once citizens agree to join eHealth, their healthcare providers (HCPs) will be able to deposit health data into their personal eHealth accounts.
Citizens will continue to retain full control over their personal data and can grant individual HCPs access to their eHealth records at their own will. (Citizens can manage their "Sharing Consent" at any time through the eHealth App.)
Safeguard Citizens' Rights to Obtain Important Electronic Health Records
Empower the Secretary for Health to require specified HCPs to deposit important specified health data into the personal eHealth accounts of citizens registered with eHealth.
In principle, we will accord priority to eHRs that are essential in supporting diagnosis, preventing medical errors, and avoiding contradictory or duplicated medical treatments, for example:
- Allergies and Adverse Drug Reactions
- Prescription
- Laboratory and Radiology Reports
- Immunisation Records
2. Support the Development of Primary Healthcare and Service Process Management
Expand the scope of healthcare professionals (HCProfs) who can access health data on eHealth
The 13 types of statutorily registered healthcare professionals currently are:
- Pharmacist
- Dentist
- Dental Hygienist
- Doctor
- Midwife
- Nurse
- Medical Laboratory Technologist
- Occupational Therapist
- Optometrist
- Radiographer
- Physiotherapist
- Chiropractor
- Chinese Medicine Practitioner
Expand to healthcare professionals under the Department of Health's "Accredited Registers Scheme for Healthcare Professions":
- Speech Therapist
- Audiologist
- Dietitian
- Educational Psychologist
- Clinical Psychologist
Expand to other specified HCProfs who provide healthcare in healthcare facilities controlled or managed by the Government and the Hospital Authority (e.g. District Health Centres under the Primary Healthcare Commission).
With citizens' consent, these HCProfs may access their health data on eHealth when providing healthcare for them.
Facilitate citizens' access and use of electronic medical documents
Provide a clear legal framework for governing electronic medical documents issued or authenticated through eHealth. Designate eHealth as the only platform for issuing certain medical documents under appropriate circumstances, in order to facilitate centralised management and support the use of these documents.
3. Supporting citizens in using healthcare services across the boundary
Recognise individual HCPs and public health record systems outside Hong Kong, subject to sufficient protection of data privacy and system security as well as due compliance with specified requirements and conditions.
If a citizen uses services at a recognised HCP outside Hong Kong, he/she can choose to authorise the HCP to access his/her eHealth records securely and deposit the health records of the services received into his/her personal eHealth account.
HCPs outside Hong Kong can only access and deposit a citizen's eHealth records when the citizen, being registered with eHealth, provides explicit consent when using their services. Under no other circumstances will eHealth records be transmitted across the boundary.
4. Streamline the Legal Provisions for Accessing and Using eHealth Data
This includes refining the legal provisions to specify that citizens and specified categories of related persons (e.g., parents of minors and authorised caregivers) may provide to and obtain from eHealth the records of the citizen, thereby empowering citizens' self-management of health records.
Related ordinances
Patient
Healthcare provider
- Hospital Authority Ordinance (Cap. 113)
- Societies Ordinance (Cap. 151)
- Medical Clinics Ordinance (Cap. 343)
- Residential Care Homes (Elderly Persons) Ordinance (Cap. 459)
- Residential Care Homes (Persons with Disabilities) Ordinance (Cap. 613)
- Companies Ordinance (Cap. 622)
- Private Healthcare Facilities Ordinance (Cap. 633)
Healthcare professionals
- Pharmacy and Poisons Ordinance (Cap. 138)
- Dentists Registration Ordinance (Cap. 156)
- Ancillary Dental Workers (Dental Hygienists) Regulations (Cap. 156 sub. leg. B)
- Medical Registration Ordinance (Cap. 161)
- Midwives Registration Ordinance (Cap. 162)
- Nurses Registration Ordinance (Cap. 164)
- Medical Laboratory Technologists (Registration and Disciplinary Procedure) Regulations (Cap. 359 sub. leg. A)
- Occupational Therapists (Registration and Disciplinary Procedure) Regulations (Cap. 359 sub. leg. B)
- Optometrists (Registration and Disciplinary Procedure) Regulation (Cap. 359 sub. leg. F)
- Radiographers (Registration and Disciplinary Procedure) Regulation (Cap. 359 sub. leg. H)
- Physiotherapists (Registration and Disciplinary Procedure) Regulation (Cap. 359 sub. leg. J)
- Chiropractors Registration Ordinance (Cap. 428)
- Chinese Medicine Ordinance (Cap. 549)
Others
Frequently asked questions
Have other places in the world put in place similar legislation for electronic health record (eHR) as in Hong Kong?
- eHR systems launched around the world are generally protected under privacy acts.
- Some countries include relevant amendments in their health-related acts (e.g. Health and Social Care Act 2012 in the United Kingdom).
- Some countries put in place specific health information acts (e.g. Health Information Act 2001 in Alberta, Canada) and make relevant amendments to their privacy acts (e.g. Personal Information Act in British Columbia, Canada).
- Some countries put in place eHR-specific legislation for their systems (e.g. Personally Controlled Electronic Health Record System in Australia, i.e. the PCEHR Act 2012).
Are the operation and uses of data in the Electronic Health Record Sharing System (eHealth) subject to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO)? What are the differences between the regulations under PDPO and eHRSSO?
- PDPO applies to personal data contained in eHealth.
- A "minor" is defined as a person below 16 years of age in eHRSSO, whereas it is a person under 18 years of age under PDPO.
- Regarding the handling of Data Correction Requests (DCRs) under PDPO, eHRSSO sets out that the Commissioner for the Electronic Health Record (eHRC) can make and annex a note when the healthcare provider that provided eHealth with the data subject to the requestor's data correction request is unable to comply with the requirements under PDPO.
What are the levels of penalties for offences under eHRSSO?
- Knowingly obtains unauthorised access to, damages or modifies data or information contained in an eHR
  - Unauthorised access to data in eHR; penalty HK$100,000
  - Damage or modification of data in eHR; imprisonment for 2 years
  - Unauthorised access to, modification or impairment to accessibility, reliability, security or processing of data in eHR with criminal or dishonest intent; imprisonment for 5 years
- Knowingly impairs operation of eHealth; imprisonment for 10 years
- Evades a data access request or data correction request by altering, falsifying or destroying the data or information contained in an eHR; penalty HK$100,000
- Knowingly makes an untrue statement to enable the person to give a joining consent or sharing consent; penalty HK$100,000
- Knowingly contravenes a condition for research or statistics; penalty HK$100,000
- Uses another person's data or information contained in an eHR or a copy for direct marketing
  - Direct marketing - uses; penalty HK$500,000 and imprisonment for 3 years
  - Direct marketing - provides; penalty HK$500,000 and imprisonment for 3 years (not for gain); penalty HK$1,000,000 and imprisonment for 5 years (for gain)