#Industry ·2025-07-04
To the health commissions, traditional Chinese medicine bureaus, and disease control bureaus of all provinces, autonomous regions, municipalities directly under the central government, and Xinjiang Production and Construction Corps:

In accordance with the Basic Medical and Health Promotion Law of the People's Republic of China, the Physician Law of the People's Republic of China, the Regulations on the Administration of Medical Institutions and their implementation rules, and other relevant laws, regulations, and departmental rules, further implement the core system of medical quality and safety, the regulations on the management of medical institution history, the management standards for the functions and applications of electronic medical record systems, and the management measures for network security of medical and health institutions. The following notice is hereby issued to further strengthen the management of the use of electronic medical record information in medical institutions:

1. Strengthen internal management of medical institutions

(1) Clarify the scope of electronic medical records. An electronic medical record (EMR) is a form of medical record. It refers to the digital information, such as text, symbols, charts, graphics, numbers, and images, generated through information systems by medical personnel during medical activities. It can be stored, managed, transmitted, and reproduced, and includes outpatient (emergency) medical records and inpatient medical records.

(2) Consolidate the main responsibility of medical institutions. Medical institutions bear the main responsibility for the use and management of electronic medical record information in their own units, and must strictly protect patient privacy in accordance with laws and regulations. They shall not disclose patient medical record information for non-medical, teaching, or research purposes.

Medical institutions should clarify the leading department for the management of electronic medical record information usage, determine the division of responsibilities among relevant departments and personnel, coordinate the implementation of management responsibilities by medical, scientific and educational, information and other relevant departments, and guide clinical business departments to implement the main responsibility for usage. Medical institutions should strengthen the supervisory function of disciplinary inspection departments and enhance the supervision of behaviors such as abuse of electronic medical record information usage rights and information leakage. The standardized use and management of electronic medical record information should be included in the performance evaluation of administrative and medical personnel. In case of adverse events such as illegal operations and information leakage, the corresponding departments and individuals should be held accountable in accordance with laws and regulations.

(3) Establish a sound management system for medical institutions. Medical institutions should improve the hierarchical management system of electronic medical record information systems, and standardize the workflow of each stage, such as the establishment, recording, modification, storage, and transmission of electronic medical records, as well as the scope of authority for use and management. Establish a long-term regulatory mechanism for the use of electronic medical record information, prevent and promptly handle situations such as unreasonable access, use, and forwarding of electronic medical record information, and ensure that the use of electronic medical record information is legal, compliant, safe, and controllable. Establish an emergency response system and a sound process for handling electronic medical record information leakage scenarios.

(4) Implement the requirements of hierarchical management. Medical institutions should strictly implement graded and classified access control and permission management based on the importance, sensitivity level, and usage scenarios of electronic medical record information. Following the principle of minimum availability, and according to job responsibilities, role tasks, usage needs, etc., clarify the hierarchical access permissions and time limits for personnel involved in clinical diagnosis and treatment, teaching, management and other related work, and strictly prohibit unauthorized access to, copying, dissemination of, or tampering with medical record information. When there is public opinion related to medical treatment and diagnosis, the relevant information of the involved personnel should be immediately sealed, and unrelated personnel are not allowed to access browsing records and forward them.

2. Standardize the use of electronic medical record information

(1) Standardize the usage permissions and behaviors of relevant personnel. Medical institutions should provide proprietary identification and recognition methods for electronic medical record system operators, and set corresponding permissions. Clearly define that the operator is responsible for the use of their personal identification, and shall not collect, use, transmit, disclose, buy or sell patient medical record information in violation of regulations or disseminate it through online channels. Medical institution employees should properly keep their personal identification media and use electronic medical record information in accordance with permission standards; medical institutions should regularly update and adjust their usage permissions and time limits based on their job positions and job responsibilities.

Short-term staff such as students participating in internships and training programs, as well as attending doctors, are required to receive relevant training organized by medical institutions and use electronic medical record information in teaching and learning activities in a standardized manner according to their permissions. Their usage permissions and time limits shall not exceed the scope and duration of that training. Medical institutions should sign strict confidentiality and authorization agreements with external service providers who provide information system maintenance and data analysis services, clarify the scope, purpose, and duration of their access to electronic medical record systems, and require them to accept supervision from medical institutions during the service process to ensure data security.

(2) Ensure traceability throughout the entire process. Medical institutions should ensure that the operation traces, operation time, and operator information of the electronic medical record system can be queried and traced. Support the use of digital watermarking and other technological means to ensure traceability during the usage process. When medical institutions share electronic medical record information, they should have strict authorization mechanisms and approval processes to ensure the security and tamper resistance of the information. When medical institutions receive electronic medical record information provided by external units, they should verify the legitimacy, integrity, and security of the information source, and establish detailed records of reception, storage, and use in accordance with internal management requirements to achieve traceability of data flow.

(3) Ensure data security. Medical institutions should strengthen data security management in accordance with laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Electronic Signature Law of the People's Republic of China. Establish an electronic medical record information security protection system and fully utilize information technology to monitor the use of electronic medical record information. Regularly conduct security assessments, promptly issue alerts for abnormal access or unauthorized operations, and notify higher-level management personnel to effectively prevent potential security risks.

3. Strengthen the supervision of health administrative departments

Local health administrative departments at all levels (including traditional Chinese medicine and disease control departments, the same below) should strengthen guidance and supervision on the standardized use of electronic medical record information by medical institutions, and conduct regular monitoring and evaluation. Provincial health administrative departments should use the standardized use of electronic medical record information by medical institutions as an important evaluation basis for hospital evaluation, hospital inspections, and the construction of smart hospitals. Each medical institution shall organize and promote implementation.

Office of the National Health Commission
Comprehensive Department of the State Administration of Traditional Chinese Medicine
Comprehensive Department of the National Center for Disease Control and Prevention
June 23, 2025