DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · EMR INFORMATION USE NOTICE

Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions

关于进一步加强医疗机构电子病历信息使用管理的通知

Promulgated by: General Office of the National Health Commission; General Office of the National Administration of Traditional Chinese Medicine; General Office of the National Disease Control and Prevention Administration. Document No.: 国卫办医政函〔2025〕262号. Issued and effective: 23 June 2025.


Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions

Document No. 国卫办医政函〔2025〕262号

To the health commissions, traditional Chinese medicine authorities, and disease control authorities of all provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps:

In accordance with the Law of the People’s Republic of China on Basic Medical and Health Care and Health Promotion, the Law of the People’s Republic of China on Physicians, the Regulations on the Administration of Medical Institutions and their implementing rules, and other laws, administrative regulations, and departmental rules, and in order to further implement requirements set out in the core systems for medical quality and safety, the Provisions on the Administration of Medical Records by Medical Institutions, the Specifications for the Functions and Application Management of Electronic Medical Record Systems, and the Measures for the Administration of Network Security of Medical and Health Institutions, the following notice is hereby issued regarding further strengthening the administration of the use of electronic medical record information by medical institutions:

I. Strengthening Internal Administration by Medical Institutions

(i) Clarifying the scope of electronic medical records. An electronic medical record (EMR) is one form of medical record. It refers to the digitised information — including text, symbols, charts, graphics, numerical data, and images — generated by medical personnel using information systems in the course of medical activities, and which can be stored, managed, transmitted, and reproduced. EMRs include both outpatient (emergency) medical records and inpatient medical records.

(ii) Consolidating the primary responsibility of medical institutions. A medical institution bears primary responsibility for the administration of the use of EMR information within its own unit. It shall strictly protect patient privacy in accordance with laws and regulations, and shall not disclose a patient’s medical record information for purposes other than medical care, teaching, or research. A medical institution shall designate a lead department for the administration of EMR information use, determine the division of responsibilities among all relevant departments and personnel, and coordinate the medical affairs, scientific education, and information departments to carry out their management responsibilities, while directing clinical business departments to fulfil their primary responsibility as users. Medical institutions shall strengthen the supervisory functions of their discipline-inspection departments and enhance oversight of conduct such as abuse of EMR information access permissions and information leaks. The compliance status of EMR information use and management shall be incorporated into the performance evaluations of administrative personnel and medical personnel; where adverse events such as non-compliant operations or information leaks occur, the responsible departments and individuals shall be held accountable in accordance with laws and regulations.

(iii) Improving management systems within medical institutions. Medical institutions shall improve their graded management systems for EMR information systems, standardize the workflows for each stage of the creation, recording, modification, preservation, and transmission of electronic medical records, and define the scope of access and management permissions. They shall establish a long-term supervisory mechanism for EMR information use to prevent and promptly address situations involving unreasonable retrieval, use, or forwarding of EMR information, so as to ensure that EMR information use is lawful, compliant, secure, and controllable. Emergency-handling systems shall be established, and procedures for managing EMR information leak scenarios shall be developed and improved.

(iv) Implementing graded management requirements. Medical institutions shall rigorously implement graded and classified access controls and permission management based on the importance, sensitivity level, and use scenarios of the EMR information in question. Adhering to the principle of minimum necessary use, and in accordance with job duties, role-based tasks, and usage requirements, medical institutions shall define graded access permissions and time limits for personnel involved in clinical diagnosis and treatment, teaching, and administration. Unauthorized retrieval, copying, dissemination, or tampering with medical record information is strictly prohibited. When a public-opinion incident arises in connection with medical treatment, the relevant information of the individuals involved shall be immediately sealed, and unrelated personnel shall not be permitted to access, browse, or forward the records.

II. Standardizing the Use of Electronic Medical Record Information

(i) Standardizing access permissions and conduct of relevant personnel. Medical institutions shall provide EMR system operators with dedicated identity credentials and identification means, and shall assign corresponding access permissions. It shall be made clear that operators are personally responsible for the use of their own identity credentials, and that they shall not unlawfully collect, use, transmit, disclose, buy, or sell patient medical record information, or disseminate it through online channels. All personnel employed by medical institutions shall properly safeguard their personal identity verification media, and shall use EMR information within their authorized permissions; medical institutions shall periodically update and adjust access permissions and time limits in accordance with job positions and job content. Students, physicians on advanced-training rotations, and other short-term workers who participate in observerships, internships, and training programmes must complete the relevant training organized by the medical institution, and shall use EMR information within their authorized permissions in the course of teaching and learning activities; their access permissions and time limits shall not exceed the scope and duration of their training or rotation. Medical institutions shall enter into strict confidentiality agreements and authorization agreements with external service providers that supply information-system maintenance, data analysis, and other services, specifying the scope, purpose, and duration of their access to the EMR system; such providers shall be subject to supervision by the medical institution throughout the course of providing services, so as to ensure data security.

(ii) Ensuring full-process traceability. Medical institutions shall ensure that all operation records, operation timestamps, and operator information in the EMR system are queryable and traceable. The use of technical means such as digital watermarks shall be supported to ensure that a record of use is retained throughout the process. When medical institutions share EMR information, there shall be a rigorous authorization mechanism and approval workflow to ensure the security and tamper-resistance of the information. When medical institutions receive EMR information provided by external units, they shall verify the legality, completeness, and security of the information source, and shall establish detailed records of receipt, storage, and use by reference to internal management requirements, so as to achieve traceability of data flows.

(iii) Ensuring data security. Medical institutions shall strengthen data security management in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Electronic Signature Law of the People’s Republic of China, and other laws and regulations. They shall establish an information-security protection system for EMR information, and shall make full use of information-technology means to monitor the use of EMR information. Regular security assessments shall be conducted; alerts shall be issued promptly and supervising managers shall be notified in the event of anomalous access or unauthorized operations, so as to effectively guard against potential security risks.

III. Strengthening Supervision by Health Administrative Authorities

Local health administrative authorities at all levels (including traditional Chinese medicine and disease control departments; same below) shall strengthen guidance and oversight of medical institutions’ compliant use of EMR information, and shall conduct regular monitoring and evaluations. Provincial-level health administrative authorities shall treat a medical institution’s compliant use of EMR information as an important evaluation criterion in hospital accreditation reviews, hospital inspection tours, smart-hospital construction, and other related work. The entities responsible for operating medical institutions shall organize the implementation and advancement of these requirements.

General Office of the National Health Commission

General Office of the National Administration of Traditional Chinese Medicine

General Office of the National Disease Control and Prevention Administration

23 June 2025
