(IV) Patient Rights Regarding Electronic Medical Records: Defining the “Path for Asserting Rights”
The Notice not only stipulates the obligations of medical institutions but also clarifies the rights patients hold over their electronic medical records, including “access, copying, correction, and deletion.” This elaborates on patient rights outlined in the Civil Code and the Personal Information Protection Law, providing a concrete pathway for patients to assert their rights.
1. Right to Access and Copy: Core Manifestation of “Right to Know”
The Notice requires medical institutions to “facilitate patients' access to and copying of electronic medical records without refusal or delay,” specifying that “patients may self-query and print records via the electronic medical record system or request paper copies from the institution, which must be provided within stipulated timeframes.” From a legal perspective, the right to access and copy constitutes the core manifestation of patients' “right to know” and forms the foundation for safeguarding their interests. By accessing and copying electronic medical records, patients can understand their treatment processes, identify potential medical errors by institutions, and gather evidence for subsequent medical dispute resolution (e.g., negotiation, mediation, litigation).
It is important to note that when fulfilling these obligations, medical institutions must adhere to the following requirements: First, time limits: According to the Regulations on Medical Record Management in Medical Institutions, institutions must provide access and copying services within 15 working days of receiving a patient's request. If an extension is necessary due to special circumstances (e.g., electronic medical records not yet archived), the institution must explain the reasons to the patient and agree on a new deadline. Second, format requirements: Patients may choose electronic formats (e.g., PDF files, USB drive copies) or paper copies. Copies provided by medical institutions must bear the institution's official seal to ensure authenticity and validity. Third, fees: Medical institutions may only charge necessary material costs (e.g., paper, USB drives) and must not impose excessive service fees. Doing so may constitute “unauthorized charges” and result in penalties from administrative regulatory authorities.
2. Right to Correction and Deletion: Safeguarding “Information Accuracy”
The Notice explicitly states: “Patients who believe electronic medical records contain errors or omissions have the right to request corrections from the medical institution. For electronic medical records unrelated to diagnosis and treatment activities or collected unlawfully, patients have the right to request deletion.” Medical institutions “shall promptly verify upon receiving such requests. If errors are confirmed or deletion is warranted, corrections or deletions must be completed within the stipulated timeframe, with notification provided to the patient.” This provision aligns with Articles 46 (Right to Correction) and 47 (Right to Deletion) of the Personal Information Protection Law, providing a legal basis for patients to safeguard the accuracy and legitimacy of their electronic medical records.
From a legal practice perspective, patients exercising their rights to correction or deletion must meet the following conditions: First, the applicant must be the patient themselves or their legal guardian (if the patient lacks or has limited civil capacity). Second, the request must be substantiated. For correction requests, evidence must be provided to demonstrate inaccuracies in the electronic medical record information (e.g., diagnostic certificates from other medical institutions proving errors in the current electronic medical record diagnosis). For deletion requests, it must be proven that the information is unrelated to medical treatment activities or was collected unlawfully (e.g., personal privacy information collected by medical institutions that is irrelevant to the patient). Third, procedural compliance: Patients must submit written or electronic requests to the medical institution, detailing the requested action, rationale, and basis. The institution must verify the request within 10 working days of receipt and notify the patient of the verification results and proposed action. If the institution refuses correction or deletion, it must provide justification. Patients dissatisfied with the outcome may file a complaint with the health administration department or initiate legal proceedings.
3. Rights Remedies: “Diversified Pathways” to Safeguard Rights Realization
The Notice also clarifies the avenues for redress when patient rights are infringed, including “filing complaints with medical institutions, reporting to health administrative departments, applying for mediation, or initiating litigation,” thereby establishing a diversified rights remedy system. From a legal perspective, different remedy pathways possess distinct characteristics and applicable scenarios, allowing patients to choose based on their individual circumstances:
(1) Complaining to the Medical Institution: This is the most direct and convenient remedy. Patients may submit a complaint to the medical institution's medical affairs office or complaint management department, requesting the institution to resolve the issue (e.g., correcting electronic medical record information, compensating for losses). The medical institution must handle and respond within the stipulated timeframe (typically 7-15 working days).
(2) Reporting to health administrative authorities: If the institution refuses to fulfill its obligations (e.g., denying patient access to or copying of electronic medical records) or engages in unlawful use of such records, patients may report to local health commissions or relevant administrative bodies. These authorities will investigate the institution according to law. If violations are confirmed, the institution will be ordered to rectify and will face administrative penalties (e.g., warnings, fines, revocation of practice licenses).
(3) Applying for mediation: Patients may seek mediation through the People's Mediation Committee for Medical Disputes, where the mediation body will facilitate an agreement between both parties.
III. Core Operational Guidelines for Legal Practice
(I) Core Operational Guidelines for Healthcare Institutions
As specialized medical lawyers, we recommend healthcare institutions immediately implement the following actions to translate compliance requirements into practical operations:
1. Hospitals must conduct compliance gap assessments immediately:
Designated hospital personnel should comprehensively review existing electronic medical record systems against the Notice and Personal Information Protection Law, examining vulnerabilities in permission settings, informed consent processes, external data provision workflows, and log audit functions.
2. Hospitals should immediately undertake specialized revision and enhancement of informed consent documents:
Hospitals should redesign tiered, scenario-based authorization consent forms. Separate information processing essential for diagnosis and treatment from other purposes (research, management, third-party provision) to enable patients to select each purpose individually.
Embed mandatory pop-up notifications within information system interfaces to ensure valid consent is obtained before critical operations.
3. Hospitals should immediately establish a comprehensive management system framework:
Hospitals should establish core management systems including the “Electronic Medical Record Information Usage Management Measures,” “Data Classification and Grading Management System,” and “Data Security Incident Emergency Response Plan.”
Hospitals should establish or refine internal application-approval workflows. For non-clinical internal bulk data usage, implement multi-tiered controls involving departmental application, review by the ethics committee (or legal/information department), and approval by the responsible supervisor.
4. Hospitals should strengthen technical support and safeguards:
Hospitals should enhance collaboration with IT vendors to improve system security capabilities, ensuring technical measures such as access control, data encryption, audit trails, and anonymization are fully implemented. Deploy database audit systems to monitor and alert in real time for abnormal data access activities (e.g., off-hours access, bulk downloads).
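As an added illustration of the real-time monitoring recommended above (this is example code, not part of the Notice or any vendor product), the following Python detector scans constructed electronic medical record audit lines and flags the two patterns named in the text: off-hours access and bulk exports. The log format, the shift boundaries and the bulk threshold are assumptions chosen for the example; a hospital would substitute its own policy values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not taken from the Notice): normal shift 07:00-19:59,
# and more than 200 exported rows per user within 10 minutes counts as "bulk".
SHIFT_START, SHIFT_END = 7, 20
BULK_ROWS, BULK_WINDOW = 200, timedelta(minutes=10)

# Constructed sample audit lines in a hypothetical key=value format, in time order.
SAMPLE_LOG = """\
2025-07-01T09:05:00 user=doc12 action=VIEW patient=P1001 rows=1
2025-07-01T02:13:00 user=nurse07 action=VIEW patient=P2045 rows=1
2025-07-01T14:00:00 user=admin03 action=EXPORT patient=* rows=150
2025-07-01T14:04:00 user=admin03 action=EXPORT patient=* rows=120
2025-07-01T15:30:00 user=doc12 action=EXPORT patient=P1001 rows=3
""".strip().splitlines()


def parse_line(line):
    """Parse one audit line into a dict with a datetime and an integer row count."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rows"] = int(rec["rows"])
    return rec


def detect_anomalies(lines):
    """Return (kind, user, time) alerts for off-hours access and bulk exports.

    Bulk detection uses a per-user sliding window over EXPORT events, so several
    medium-sized exports that together exceed the threshold are still caught.
    """
    alerts = []
    exports = defaultdict(list)  # user -> [(ts, rows)] within the current window
    for rec in map(parse_line, lines):
        if not SHIFT_START <= rec["ts"].hour < SHIFT_END:
            alerts.append(("OFF_HOURS", rec["user"], rec["ts"].isoformat()))
        if rec["action"] == "EXPORT":
            hist = exports[rec["user"]]
            hist.append((rec["ts"], rec["rows"]))
            # Drop events older than the window, then sum what remains.
            while hist and rec["ts"] - hist[0][0] > BULK_WINDOW:
                hist.pop(0)
            if sum(r for _, r in hist) > BULK_ROWS:
                alerts.append(("BULK_EXPORT", rec["user"], rec["ts"].isoformat()))
                hist.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(*alert)
```

Each alert carries the user and timestamp so it can be matched back to the audit trail that the Notice requires institutions to keep.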
5. Hospitals should conduct regular training and assessments for all personnel:
Mandatory data security and privacy protection training must be provided to all medical staff, administrative personnel, interns, and outsourced workers. Case studies should emphasize the legal consequences of violations. Training and assessment records must be archived.
6. Hospitals should prepare for emergency response:
Hospitals should establish clear data breach response teams and procedures to ensure rapid damage control during security incidents, fulfill notification obligations (to regulatory authorities and affected patients), and cooperate with investigations.
(II) Core Operational Guidelines for Patients
Patients should fully recognize the importance of electronic medical records, carefully review authorization documents, and actively exercise their rights to informed consent, access, copying, correction, withdrawal of consent, and deletion (under statutory conditions). It is particularly important to remind patients to value their right to request timely corrections to medical records.
If patients discover misuse of their information, they may file complaints with health administration departments or seek legal remedies.
(III) Core Operational Guidelines for Third Parties (Including but Not Limited to Pharmaceutical Companies, Research Institutions, and Other Data Recipients)
In the era of big data, third parties (including but not limited to pharmaceutical companies, research institutions, and other data recipients) must recognize the critical importance of data source compliance when utilizing received data. When collaborating with healthcare institutions, they should verify the integrity of the authorization chain, execute rigorous data processing agreements, and establish their own compliant data usage and protection systems.
IV. Conclusion
The issuance of the Notice marks the entry of electronic medical record usage into a new phase characterized by “stringent oversight, detailed regulations, and strict accountability.” For healthcare institutions, it serves as both a constraint and a protective shield. Hospitals that proactively plan and comply in advance will not only mitigate significant legal risks but also earn patient trust, securing a competitive edge in the future landscape of data-driven healthcare. Conversely, those who disregard compliance will inevitably face unprecedented legal and reputational risks.
Legal counsel advises that medical institutions should promptly internalize these legal requirements into their governance capabilities, elevating data security and privacy protection to a strategic priority to achieve sustainable, healthy development. (End)
Appendix: Relevant Legal Provisions
1. Notice on Further Strengthening the Management of Electronic Medical Record Information Use in Medical Institutions: Issued jointly by the National Health Commission, the National Administration of Traditional Chinese Medicine, and the National Center for Disease Control and Prevention on June 23, 2025. This notice clarifies the scope of electronic medical records, reinforces the primary responsibility of medical institutions, and requires them to protect patient privacy in accordance with the law, prohibiting the disclosure of medical record information for non-medical, teaching, or research purposes. Medical institutions must designate a lead management department, refine responsibilities and divisions of labor, incorporate compliance with regulations into performance evaluations, and face legal accountability for violations. Regarding management systems, institutions must improve tiered management, standardize workflows at all stages, establish long-term supervision and emergency response mechanisms, strictly implement tiered and categorized access controls, and set personnel permissions and time limits based on the principle of least privilege. For information usage, they must regulate personnel permissions and conduct, ensure full traceability throughout the process, and guarantee data security. Health administration departments will strengthen oversight through regular monitoring and evaluation, with provincial-level departments using compliance as a key criterion in hospital accreditation and related assessments.
2. Basic Medical and Health Care and Health Promotion Law of the People's Republic of China: Article 32 stipulates that citizens receiving medical services have the legal right to informed consent regarding their condition and treatment plans. It further emphasizes that medical institutions and their personnel must maintain confidentiality regarding patient privacy and personal information, laying the foundation for protecting patient rights in electronic medical record management.
3. Physician Law of the People's Republic of China: Article 23 explicitly mandates physicians' duty to care for and respect patients while safeguarding their privacy during practice. Physicians must strictly adhere to these provisions when accessing and utilizing electronic medical record information to ensure patient data security.
4. Cybersecurity Law of the People's Republic of China: Establishes cybersecurity requirements for electronic medical record systems in healthcare institutions. Medical institutions must implement technical measures and other necessary safeguards to ensure the secure and stable operation of electronic medical record information systems, effectively preventing cyberattacks, network intrusions, and other activities that threaten cybersecurity.
5. Data Security Law of the People's Republic of China: Mandates that healthcare institutions establish and improve data security management systems, implement data security protection responsibilities, classify and grade electronic medical record data, adopt corresponding security protection measures, and ensure data security.
6. Electronic Signature Law of the People's Republic of China: Provides the legal basis for electronic signatures in electronic medical records. Reliable electronic signatures possess legal validity equivalent to handwritten signatures or seals, helping ensure the authenticity and integrity of electronic medical records. This plays a crucial role in the transmission and storage of electronic medical records.
7. Regulations on Medical Record Management in Medical Institutions: Establishes provisions for the creation, custody, and use of medical records (including electronic medical records). Requires medical institutions to strictly manage medical records, prohibiting any alteration, forgery, concealment, destruction, seizure, or theft of medical records to ensure the standardized use and security of medical record information.
8. Functional Specifications for Electronic Medical Record Systems (Trial): Defines essential functionalities for electronic medical record systems, such as record creation, storage, transmission, and retrieval. This provides technical standards for medical institutions to build and improve their electronic medical record systems, enhancing the standardization and effectiveness of electronic medical record information management.
9. Cybersecurity Management Measures for Healthcare Institutions: From a cybersecurity management perspective, this regulation standardizes cybersecurity responsibilities, protective measures, and emergency response protocols for healthcare institutions. Medical institutions must comply with these measures during the use and management of electronic medical record information to ensure network security and prevent data breaches.
© Beijing JAVY Law Firm Beijing ICP Registration No. 18018264-1