Share
The Electronic Health Record Sharing System (eHealth System) Ordinance (Cap. 625) was introduced in 2015 to support the establishment of the eHealth System, which is an information infrastructure for keeping, sharing and using health data of registered patients. To refine the existing legal framework of the eHealth System and support its continuous development, a new ordinance called the Electronic Health Record Sharing System (Amendment) Ordinance 2025 (Amendment Ordinance) was passed and became effective on 1 December 2025. The Amendment Ordinance seeks to transform the eHealth System into a comprehensive healthcare information infrastructure that integrates multiple functions of healthcare data sharing, service support and care journey management.
Building a comprehensive and complete Electronic Health Record (eHR) profile
Streamlining the consent mechanism for “depositing” health data to personal eHealth account
The Amendment Ordinance provides a legal framework for the construction of a comprehensive personal eHR for patients.
Previously, patients needed to first give their “joining consent” to register with the eHealth System with individual healthcare providers and then provide them with their “sharing consent” before these providers could obtain and provide sharable data in the patients’ personal ehealth accounts. For cases under the Hospital Authority and the Department of Health, the “sharing consent” is taken to be given once the patient gave a “joining consent” to participate in the eHealth System.
Under the Amendment Ordinance, after patients have given their “joining consent”, public and private healthcare providers will be able to deposit eHRs to patients’ account under the eHealth System. Nevertheless, they still need to receive a “sharing consent” in order to access the patients’ sharable data, so patients will maintain control over who can access their records.
Where a patient had given their “joining consent” prior to commencement of the Amendment Ordinance and then subsequently gives “sharing consent” after commencement of the Amendment Ordinance, the “joining consent” is to be treated as effective from the date on which the “sharing consent” is given. Notwithstanding the consent requirements, patients’ access to healthcare services will not be hindered even if they do not provide their consent to the use of eHealth System. Patients may revoke their “sharing consent” provided to the prescribed healthcare providers in the form and manner specified by the Commissioner for eHR.
Compulsory submission of certain health data
To facilitate patients to obtain their eHR, enhance service efficiency and reduce healthcare costs, the Secretary for Health is empowered to require specified healthcare providers to deposit certain specified health data into patients’ personal eHealth accounts. The specified health data, specified healthcare providers and the period for providing specified health data will be prescribed in the form of subsidiary legislation through amendments to the proposed new Schedule 3 of the Amendment Ordinance. In drawing up the specified health data, the Administration will in principle prioritise health data that is essential in supporting diagnosis, preventing medical errors and avoiding contradictory or duplicated treatments.
That said, the requirement for specified healthcare providers to provide specified health data into the eHealth System will not apply if a patient has not joined eHealth System, or if a registered patient has explicitly requested the healthcare provider not to provide the data to eHealth System.
An enforcement notice will be served on the healthcare provider if the Commissioner for eHR is of the opinion that a specified healthcare provider has failed to provide the specified health data in the prescribed form and manner within the specified period. Non-compliance of the enforcement notice will attract criminal liability under the Amendment Ordinance, unless the healthcare providers being charged with an offence can establish that they have received a notice in the prescribed form from the patients stating that they do not consent to the provision of the specified health data to the eHealth System. Alternatively, the healthcare providers have to establish that they have exercised all due diligence to prevent the commission of the offence. Detailed guidance is expected to be provided by the Administration to healthcare providers through the Code of Practice developed by the Commissioner for eHR and other appropriate channels to facilitate their understanding of and compliance with the requirements. It is estimated that the exercise of the relevant powers by the Secretary for Health may only be considered in around 2027 when relevant technical support has been in place.
Supporting primary healthcare development and service process management
More healthcare professionals gaining access to health data
Previously, only 13 types of statutorily registered healthcare professionals could access patients’ health data on the eHealth System - doctors, nurses, dentists, dental hygienists, Chinese medicine practitioners, chiropractors, physiotherapists, occupational therapists, optometrists, radiographers, pharmacists, midwives, and medical laboratory technologists.
Under the Amendment Ordinance, access is now also granted to healthcare professionals registered under the Department of Health’s Accredited Registers Scheme for Healthcare Professions. This includes speech therapists, audiologists, dietitians, educational psychologists and clinical psychologists. In addition, some other specified healthcare professionals from healthcare facilities controlled or managed by the Government and the Hospital Authority - such as the Chinese Medicine Hospital of Hong Kong - are also able to gain access, with a patient’s consent when providing healthcare services.
While the Amended Ordinance has increased the range of healthcare professionals that can be granted access to their patients’ health data, access continues to be on a need-to-know basis - that is, in accordance with the clinical needs or functions of different healthcare providers.
Facilitate patients' access and use of electronic medical documents
The Amendment Ordinance provides a legal basis for electronic medical documents processed by eHealth System, including medical certificates, prescriptions and healthcare referrals, recognising the validity of certain electronic medical documents and facilitating use of the required documents at different stages of patients’ care. It also provides that certain electronic medical documents may only be valid if they are issued through eHealth System. Such requirement could enhance the regulation of electronic medical documents to be processed and allow confirmation of authenticity and validity of the documents at any time and any place, and prevent forgery and alteration of documents. At present, the specified medical documents to be regulated are not provided under the Amendment Ordinance. Subsidiary legislation will be made after consideration of the regulatory needs and practical issues regarding operations of relevant electronic medical documents.
Data access and deposit outside Hong Kong
Prior to the introduction of the Amendment Ordinance, patients needed to have their eHRs in the eHealth application on their mobile phones for consulting healthcare providers outside Hong Kong. Now the Commissioner for eHR is empowered to recognise individual healthcare providers and public health record systems outside Hong Kong, which will enable patients to use their eHRs across the boundary more conveniently and securely. Similarly, access to health data is based on a need-to-know basis, and recognised healthcare providers outside Hong Kong can only access and deposit patients’ eHRs when patients explicitly consent to such when using these recognised healthcare providers’ services, and not in any other circumstances. Healthcare providers outside Hong Kong must comply with specified system requirements and conditions imposed by the Commissioner for eHR, so that data privacy and system security can be safeguarded.
Comment
With the introduction of the Amendment Ordinance, patients will maintain full control over their health data, while having the flexibility to allow more healthcare providers to access to their records as needed. Given that the Amendment Ordinance is now effective, healthcare providers are reminded to adopt the latest eHealth forms, Participant Information Notice, and the Personal Data Collection Statement to ensure that updated documents are adopted for the purpose of using the eHealth System. It will also be important for healthcare providers to consider future subsidiary legislation and an updated Code of Practice which is anticipated to follow to provide relevant specifications regarding use and keeping of patients’ health data. In addition, healthcare providers must always bear in mind the obligation to preserve patients’ privacy and caution must be exercised to comply with the requirements under the Personal Data (Privacy) Ordinance in the use of eHealth System.
Healthcare
Hong Kong