  • Liu Xiufang: In-Depth Analysis of the “Notice on Further Strengthening the Use and Management of Electronic Medical Records in Medical Institutions” (Part 1)

    Release Time: 2025-09-23

    Electronic Medical Records (EMR) serve as the core of healthcare informatization and have become deeply integrated into the entire medical service process. They are not only a medium for documenting clinical practices but also a vital resource for ensuring medical quality and safety, enhancing service efficiency, and advancing medical research and education. However, with their widespread adoption, issues concerning the legal attributes, ownership relationships, usage boundaries, and security protection of EMR information have become increasingly prominent, presenting complex challenges for healthcare institutions, medical personnel, patients, and various information users alike.

    Recently, the National Health Commission and the National Administration of Traditional Chinese Medicine jointly issued the “Notice on Further Strengthening the Management of Electronic Medical Record Information Use in Medical Institutions” (hereinafter referred to as the “Notice”). This critical regulatory document was introduced precisely against this backdrop. Rather than establishing an entirely new legal framework, the Notice systematically elaborates, emphasizes, and implements key aspects of “usage management” within the lifecycle of electronic medical records. This is done within the existing legal framework established by laws and regulations such as the Basic Medical and Health Care and Health Promotion Law, the Physician Law, the Personal Information Protection Law, the Data Security Law, the Cybersecurity Law, the Civil Code, and the Application Management Specifications for Electronic Medical Records (Trial). Its core purpose is to maximize the value of electronic medical record data while safeguarding patient rights and safety, standardize usage protocols, balance stakeholder interests, and establish a robust regulatory foundation for the healthy development of digital healthcare.


    I. Legal Context and Practical Significance of the Notice

    (1) Legal Basis: Institutional Refinement Aligned with Higher-Level Laws

    The issuance of the Notice on Further Strengthening the Management of Electronic Medical Record Information in Medical Institutions (hereinafter referred to as the “Notice”) is not an isolated administrative normative document. Rather, it represents the refinement and implementation of existing provisions within China's legal framework concerning personal information protection and medical data security. From a legal perspective, it directly incorporates the core requirements of laws and regulations such as the Civil Code of the People's Republic of China (hereinafter referred to as the “Civil Code”), the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the “Personal Information Protection Law”), the Data Security Law of the People's Republic of China (hereinafter referred to as the “Data Security Law”), and the Regulations on the Management of Medical Records in Medical Institutions, forming a closed-loop system of “guidance by higher-level laws and principles — specific regulation by subordinate laws.”

    Article 1225 of the Civil Code explicitly stipulates: "Medical institutions and their medical personnel shall fill out and properly preserve medical records such as admission records, medical orders, test reports, surgical and anesthesia records, pathological materials, and nursing records in accordance with regulations. When patients request to review or copy the medical records specified in the preceding paragraph, medical institutions shall provide them in a timely manner." This establishes the obligation to preserve medical records and the patient's right to access and copy them. As the digital form of medical records, electronic medical records naturally fall under the regulatory scope of this provision. The Personal Information Protection Law classifies “medical and health information” as sensitive personal information, requiring separate consent from individuals for its processing and mandating stricter security safeguards. The authorization requirements for collecting and using electronic medical record information outlined in the Notice directly address this provision. Furthermore, the Data Security Law emphasizes data classification and graded protection. The Notice's provisions on graded management and risk assessment for electronic medical records align with the “data security protection obligations” outlined in that law.

    (2) Practical Need: Addressing Legal Challenges in Electronic Medical Record Management

    With the rapid advancement of medical informatization, electronic medical records have become the core medium for clinical activities in healthcare institutions. However, legal issues in their use and management have become increasingly prominent, necessitating regulation through a dedicated notice. In practice, three major legal challenges currently exist in the use and management of electronic medical records: First, non-standard authorization practices. Some medical institutions fail to clearly inform patients about the scope and purpose of electronic medical record usage, or use such records for non-clinical activities like research and teaching without obtaining separate patient consent. This may violate the Personal Information Protection Law's provisions on handling sensitive personal information. Second, inadequate security safeguards. Due to system vulnerabilities and employee operational errors, incidents of electronic medical record leakage and tampering occur frequently. This not only infringes upon patients' privacy rights and personal information interests but may also trigger medical disputes, potentially leading to administrative or criminal liability. Third, unclear rights and obligations: Patients lack clear pathways to exercise their rights to access, copy, correct, or delete electronic medical records. Healthcare institutions lack specific guidance on fulfilling information protection obligations and responding to patient claims, resulting in an imbalance of rights and responsibilities between both parties.


    The issuance of the Notice specifically addresses these pain points. It further clarifies the rights and obligations of medical institutions, patients, and other relevant parties in the use and management of electronic medical records from a legal perspective. It refines operational standards, provides a basis for resolving legal disputes in practice, delineates boundaries for compliant operations of medical institutions, and reduces legal risks.

    II. Legal Interpretation of Key Provisions in the Notice

    (1) Defining the Scope of Electronic Medical Record Information: Establishing the “Subject Boundaries” of Legal Regulation

    The Notice first defines the scope of electronic medical record information, specifying that it includes “all information related to patient diagnosis and treatment activities generated and recorded by medical institutions through electronic medical record systems, including outpatient (emergency) medical records, inpatient medical records, examination and test reports, medical orders, surgical records, nursing records, etc.” From a legal perspective, the core significance of this definition lies in establishing the “object boundaries” of legal regulation—only information falling within this scope is subject to the provisions of the Notice and relevant laws and regulations concerning the use and management of electronic medical record information. This, in turn, determines the scope of protection obligations for medical institutions and the scope of rights claims for patients.

    It is important to note that the Notice distinguishes electronic medical record information from “general medical data,” emphasizing that electronic medical record information is directly linked to an individual patient's diagnostic and treatment activities. It possesses a stronger degree of personal attachment and sensitivity, and therefore its protection standards should be higher than those for general medical data. For instance, while medical institutions may appropriately relax authorization requirements when using anonymized medical data not directly linked to patient identities, electronic medical record information—even after de-identification—must still be protected as sensitive personal information if patient identification remains feasible through reasonable means. This aligns with Article 28 of the Personal Information Protection Law, which stipulates that “personal information remains personal information even after de-identification processing.”

    Furthermore, the Notice clarifies that electronic medical record information encompasses “information at all stages including generation, recording, storage, transmission, and use.” This means healthcare institutions' compliance obligations extend beyond the generation and storage phases to encompass the entire lifecycle, including transmission and utilization. For instance, when medical institutions transmit electronic medical record information to third-party partners (such as telemedicine platforms or third-party testing institutions), they must ensure transmission security and require these third parties to fulfill equivalent protection obligations. Otherwise, the medical institution bears joint liability. This is explicitly reflected in Article 42 of the Personal Information Protection Law concerning “entrusting the processing of personal information”: the entrusted party shall process personal information in accordance with the entrusting party's requirements, shall not arbitrarily subcontract the processing, and shall fulfill security obligations equivalent to those of the entrusting party. The entrusting party bears supervisory responsibility for the entrusted party's processing activities.

    (2) Authorization Rules for Collection and Use of Electronic Medical Record Information: Adherence to the “Lawful, Justifiable, and Necessary” Principle

    The Notice explicitly requires medical institutions to “obtain consent from patients or their guardians in accordance with the principles of legality, legitimacy, and necessity” when collecting and using electronic medical record information. It further details specific authorization requirements. This directly implements Article 5 of the Personal Information Protection Law, which states that “processing of personal information shall follow the principles of legality, legitimacy, necessity, and good faith,” and constitutes a core provision for preventing infringement risks by medical institutions.

    1. Form Requirements for Authorization: “Separate Consent” and “Written/Electronic Confirmation”

    The Notice emphasizes that for the use of electronic medical record information (especially for non-clinical purposes such as research, teaching, or commercial collaboration), medical institutions must obtain the patient's “separate consent,” which should be confirmed in “written or electronic form.” Legally, the “separate consent” requirement stems from Article 29 of the Personal Information Protection Law, which mandates “obtaining an individual's separate consent for processing sensitive personal information.” Its core purpose is to prevent medical institutions from coercing consent through “bundled authorization” (e.g., linking electronic medical record usage permission to medical services, with treatment denied without authorization), thereby safeguarding patients' autonomy in decision-making.

    In practice, medical institutions must ensure the formal validity of “separate consent”: First, clarity of content—authorization documents must explicitly inform patients of the scope of electronic medical record usage (e.g., for a specific research project or teaching activities within a defined timeframe), purpose, duration, and third-party recipients (if applicable). Vague phrasing (e.g., “for relevant operations of the medical institution”) is prohibited. Second, authenticity of consent: Consent must not be obtained through fraud, coercion, or similar means. Consent must not be made a prerequisite for providing medical services (unless the use of electronic medical records is essential to the treatment activity, such as accessing past records to confirm a diagnosis). Third, formal compliance: Whether written or electronic authorization, complete records must be retained. Electronic authorization must verify the patient's identity (e.g., through facial recognition or mobile verification codes) and log the authorization process for subsequent verification.

    2. Exceptions to Authorization: “Statutory Exemption” and “Reasonable Restrictions”

    The Notice also clarifies exceptions to authorization, stating that “medical institutions may use electronic medical record information without obtaining patient consent when necessary to safeguard public interests, fulfill statutory duties, or provide emergency treatment.” This provision does not constitute a departure from the “separate consent” principle but represents a “statutory exemption” balancing public interest against individual rights. It aligns with Article 13 of the Personal Information Protection Law, which outlines statutory scenarios where “processing personal information does not require obtaining the individual's consent.” Specific scenarios include:

    (1) Safeguarding public interest: For instance, during public health emergencies (such as epidemic prevention and control), medical institutions must submit patients' electronic medical records to health administrative departments for epidemiological investigations, outbreak tracing, and related tasks;

    (2) Performing statutory duties: When judicial authorities lawfully request patients' electronic medical records from medical institutions for case handling, the institutions must cooperate (subject to verification of the legality of judicial documents, such as letters of introduction or subpoenas);

    (3) Emergency treatment: When a patient is unconscious and unable to express consent, medical institutions may access their past electronic medical records (e.g., allergy history, underlying conditions) to formulate treatment plans aimed at saving the patient's life.

    It should be noted that even in these exceptional circumstances, medical institutions must adhere to the principle of “strict necessity.” This means using only the electronic medical record information strictly necessary to achieve the purpose, without exceeding the required scope. Additionally, they must promptly supplement records of the usage afterward (e.g., documenting the time, reason, scope, and approver). If the patient regains consciousness or their guardian arrives, the relevant circumstances must be promptly disclosed.

    (3) Security Obligations for Electronic Medical Records: The “Core Responsibility” of Medical Institutions

    The Notice devotes considerable space to clarifying medical institutions' security obligations for electronic medical records, including “establishing robust security management systems, implementing technical safeguards, strengthening personnel management, and conducting risk assessments.” From a legal perspective, these obligations are not merely administrative requirements but constitute the “statutory duties” of medical institutions. Failure to fulfill or fully fulfill these duties will result in corresponding legal liabilities (including administrative, civil, and even criminal liabilities).

    1. Security Management System: “Prioritizing Systems” to Prevent Compliance Risks

    The Notice requires medical institutions to “establish an electronic medical record information security management accountability system, clearly defining the responsibilities of the principal responsible person, the responsible deputy, and relevant departments,” and to formulate “security management systems for all stages of electronic medical record information collection, storage, transmission, use, and destruction.” From a legal perspective, a sound security management system is both a prerequisite for medical institutions to fulfill their security obligations and a key basis for determining whether negligence exists: if a medical institution fails to establish relevant systems or neglects to implement them, leading to the leakage or tampering of electronic medical records, it may bear civil liability for damages under the “presumption of fault” even without intent (Article 1165(2) of the Civil Code stipulates: “Where the law presumes that the actor is at fault and the actor cannot prove that he or she is not at fault, the actor shall bear tort liability”).

    In practice, medical institutions' security management systems must encompass the following core elements: First, access control management, which clearly defines access permissions for electronic medical records based on job roles (e.g., physicians may only access records of patients they treat, while nurses may only access nursing-related records), implements the “principle of least privilege,” and conducts regular reviews of access settings to promptly revoke permissions for departed personnel. Second, operation log management, which records all personnel access and modifications to electronic medical records (including operator, time, and content). Log retention periods must not be shorter than the electronic medical record retention period (per the Regulations on Medical Record Management in Medical Institutions, outpatient/emergency records must be retained for at least 15 years from the patient's last visit, and inpatient records for at least 30 years from discharge). Third, an emergency response mechanism: contingency plans for electronic medical record breaches or tampering, with clearly defined response procedures (e.g., immediately halting unauthorized operations, identifying risk points, notifying affected patients, reporting to regulatory authorities) to prevent escalation of damage.

    2. Technical Safeguards: “Technology-Empowered” Security Defenses

    The Notice requires medical institutions to “implement technical measures such as encryption, access control, data backup, and disaster recovery to ensure the integrity, confidentiality, and availability of electronic medical record information.” From a legal perspective, technical safeguards are crucial for enforcing security management systems and serve as the “technical defense line” for medical institutions against electronic medical record security risks. If technical measures are inadequate and lead to the leakage or tampering of electronic medical record information, the medical institution will bear corresponding liability.

    Specifically, medical institutions must implement the following technical measures: First, encryption technology to secure the storage and transmission of electronic medical records (e.g., using symmetric or asymmetric encryption), ensuring that even if information is stolen, it cannot be illegally decrypted. Second, access control technology employing identity authentication (e.g., username/password, USB keys, facial recognition) and permission verification to prevent unauthorized access to electronic medical records. Third, data backup and disaster recovery technology: Electronic medical records must be regularly backed up (including local and off-site backups), and a disaster recovery system must be established to ensure that electronic medical records are not lost and can be restored in the event of system failures, natural disasters, or other incidents. Fourth, tamper-proofing technology employs blockchain, timestamps, and similar techniques to maintain a complete audit trail of electronic medical record creation and modification. This ensures data integrity and prevents unauthorized alterations (particularly critical as electronic medical records serve as key evidence in medical disputes; their integrity directly impacts evidentiary validity, and any tampering could lead to healthcare institutions losing litigation).
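    The access-control, operation-log and tamper-proofing requirements described above (role-based least privilege, logs that record operator, time and content, retention floors of 15 and 30 years, and an audit trail whose integrity can be verified) can be illustrated in code. The following is an added example written for this analysis, not code from the Notice or from any real EMR system; the role model, user and patient identifiers are constructed, and the SHA-256 hash chain stands in for the blockchain/timestamp techniques the Notice names.

```python
import hashlib
import json
from datetime import date, datetime, timezone

# Retention floors cited in the article (outpatient 15 years, inpatient 30 years).
RETENTION_YEARS = {"outpatient": 15, "inpatient": 30}

# Hypothetical role model: which record categories each role may read.
# Physicians are further restricted to patients they treat (least privilege).
ROLE_CATEGORIES = {
    "physician": {"clinical", "orders", "nursing"},
    "nurse": {"nursing"},
}


class EmrAccessControl:
    """Role-based access check plus an append-only, hash-chained audit log."""

    def __init__(self, treating_physicians):
        # patient_id -> set of physician user ids who treat that patient (constructed)
        self.treating = treating_physicians
        self.log = []  # each entry carries the hash of the previous entry

    def is_permitted(self, user, role, patient_id, category):
        if category not in ROLE_CATEGORIES.get(role, set()):
            return False
        if role == "physician" and user not in self.treating.get(patient_id, set()):
            return False
        return True

    def access(self, user, role, patient_id, category, when):
        """Decide, then log operator, time, content and decision (allowed or not)."""
        allowed = self.is_permitted(user, role, patient_id, category)
        entry = {
            "operator": user, "role": role, "patient": patient_id,
            "content": category, "time": when.isoformat(),
            "decision": "allow" if allowed else "deny",
            "prev": self.log[-1]["hash"] if self.log else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        return allowed

    def verify_chain(self):
        """Recompute every hash; any edited or removed entry breaks the chain."""
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def log_retention_until(record_kind, anchor_date):
    """Earliest date the operation log may be purged: anchor (last visit or
    discharge) plus the record's own retention floor; Feb 29 falls back to Feb 28."""
    years = RETENTION_YEARS[record_kind]
    try:
        return anchor_date.replace(year=anchor_date.year + years)
    except ValueError:
        return anchor_date.replace(year=anchor_date.year + years, day=28)


if __name__ == "__main__":
    ac = EmrAccessControl({"P001": {"dr_li"}})
    now = datetime(2025, 9, 23, 9, 0, tzinfo=timezone.utc)
    print(ac.access("dr_li", "physician", "P001", "clinical", now))   # True
    print(ac.access("nurse_a", "nurse", "P001", "orders", now))       # False
    print(ac.verify_chain(), log_retention_until("inpatient", date(2025, 9, 23)))
```

Denied attempts are logged as well as permitted ones, since the Notice's supervision obligation (reviewing operation logs to spot non-compliant operations) depends on seeing both.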

    3. Personnel Management: “Personnel-Position Alignment” to Mitigate Internal Risks

    The Notice emphasizes that medical institutions must “enhance training and management of medical staff and other relevant personnel to improve their awareness of electronic medical record information security and operational standards,” and “establish personnel assessment and accountability mechanisms, handling violations of electronic medical record information security management regulations in accordance with laws and regulations.” In practice, risks of electronic medical record leakage or tampering stem not only from external attacks but also from internal personnel violations (e.g., medical staff lending accounts to others, unauthorized copying of electronic medical records for non-clinical activities). Thus, personnel management is a critical component of security obligations.

    From a legal perspective, healthcare institutions' management obligations toward internal personnel include: First, training obligations: regularly organizing medical staff to study the Notice and relevant laws and regulations, explaining operational standards and legal risks in electronic medical record information security management to ensure they understand their responsibilities. Second, supervision obligations: monitoring medical staff's operational behavior through methods such as reviewing operation logs and conducting random spot checks to promptly identify and correct non-compliant operations. Third, accountability obligations: imposing measures such as warnings, fines, or reassignment based on the severity of violations. If such actions result in electronic medical record leaks or tampering causing patient losses, the institution may seek compensation from the responsible personnel after fulfilling its liability (Civil Code Article 1191(1): “Where an employee causes harm to others while performing work duties, the employer shall bear tort liability. After bearing tort liability, the employer may seek recourse from employees who acted with intent or gross negligence.”).
