Promulgated by: National Health and Family Planning Commission. Document No.: Guo Wei Gui Hua Fa [2014] No. 24 (国卫规划发〔2014〕24号). Issued on May 5, 2014. Effective from the date of issuance.
第一条 为规范人口健康信息的管理工作,促进人口健康信息的互联互通和共享利用,推动卫生计生事业科学发展,制定本办法。
Article 1. These Measures are formulated in order to standardize the administration of population health information, promote the interconnection, interoperability, and shared utilization of population health information, and advance the scientific development of health and family-planning undertakings.
第二条 本办法适用于各级各类医疗卫生计生服务机构所涉及的人口健康信息的采集、管理、利用、安全和隐私保护工作。
Article 2. These Measures apply to activities involving the collection, management, utilization, security, and privacy protection of population health information by health and family-planning service institutions of all levels and types.
第三条 本办法所称人口健康信息,是指依据国家法律法规和工作职责,各级各类医疗卫生计生服务机构在服务和管理过程中产生的人口基本信息、医疗卫生服务信息等人口健康信息。符合《中华人民共和国电子签名法》等有关法律法规规定的人口健康电子信息,与纸质文本具有同等法律效力。
Article 3. The term “population health information” as used in these Measures refers to basic population information, medical and health service information, and other population health information generated by health and family-planning service institutions of all levels and types in the course of service provision and administration, in accordance with the laws and regulations of the State and the institutions’ respective work responsibilities. Population health electronic information that meets the requirements of the Electronic Signature Law of the People’s Republic of China and other relevant laws and regulations shall have the same legal effect as paper documents.
第四条 人口健康信息管理工作应当统筹规划、统一标准,属地管理、责权一致,保障安全、便民高效。
Article 4. Population health information administration work shall be guided by overall planning and unified standards; local management with aligned responsibilities and powers; and security assurance with efficiency and public convenience.
第五条 县级以上人民政府卫生计生行政部门(含中医药行政部门,下同)是人口健康信息主管部门。国家卫生计生委负责制订全国人口健康信息发展规划和管理规范,统筹指导全国人口健康信息管理工作;县级以上地方人民政府卫生计生行政部门负责推进、指导、监督本行政区域人口健康信息管理工作。各级各类医疗卫生计生服务机构(含中医药服务机构,下同)负责人口健康信息的采集、利用、管理、安全和隐私保护,是人口健康信息管理中的责任单位。
Article 5. Health and family-planning administrative departments of people’s governments at or above the county level (including traditional Chinese medicine administrative departments; the same applies below) are the competent authorities for population health information. The National Health and Family Planning Commission is responsible for formulating national development plans and administrative norms for population health information and for providing overall guidance on population health information administration across the country. Local health and family-planning administrative departments of people’s governments at or above the county level are responsible for promoting, guiding, and supervising population health information administration within their respective administrative regions. Health and family-planning service institutions of all levels and types (including traditional Chinese medicine service institutions; the same applies below) are responsible for the collection, utilization, management, security, and privacy protection of population health information, and are the responsible units in population health information administration.
第六条 责任单位采集、利用、管理人口健康信息应当按照法律法规的规定,遵循医学伦理原则,保证信息安全,保护个人隐私。
Article 6. Responsible units shall, in collecting, utilizing, and managing population health information, comply with the provisions of laws and regulations, observe the principles of medical ethics, ensure information security, and protect personal privacy.
第七条 责任单位应当根据本单位人口健康信息采集、利用和管理的情况,设立相应的人口健康信息管理部门和岗位职责,建立完善的人口健康信息质量控制管理制度,建立或利用相应的信息系统。严格执行相关标准和程序,做到标准统一、术语规范、内容准确。
Article 7. Responsible units shall, in accordance with the circumstances of their collection, utilization, and management of population health information, establish corresponding population health information management departments and define their duties, develop a sound quality-control management system for population health information, and establish or make use of corresponding information systems. Relevant standards and procedures shall be strictly observed so as to achieve unified standards, standardized terminology, and accurate content.
第八条 责任单位应当按照”一数一源、最少够用”的原则采集人口健康信息,所采集的信息应当符合业务应用和管理要求,保证服务和管理对象在本单位信息系统中身份标识的唯一性,基本数据项的一致性,所采集的信息应当严格实行信息复核程序,避免重复采集、多头采集。
Article 8. Responsible units shall collect population health information in accordance with the principle of “one data point, one source, and the minimum necessary.” The information collected shall meet the requirements of business operations and administration; shall ensure the uniqueness of identity identifiers of service and management subjects within the unit’s information systems and the consistency of basic data items; and shall be strictly subject to information verification procedures in order to avoid duplicative collection and multi-channel collection.
第九条 人口健康信息实行分级存储。责任单位按照国家统一规划,负责存储、管理工作中产生的人口健康信息,应当具备符合国家有关规定要求的数据存储、容灾备份和管理条件,建立可靠的人口健康信息容灾备份工作机制,定期进行备份和恢复检测,确保数据能够及时、完整、准确恢复,实现长期保存和历史数据的归档管理。
Article 9. Population health information shall be stored according to a classified storage system. In accordance with unified national planning, responsible units that store and manage population health information generated in the course of their work shall possess data storage, disaster-recovery backup, and management capacities that meet the requirements of relevant national regulations; shall establish reliable disaster-recovery backup mechanisms for population health information; shall conduct regular backup and recovery tests; shall ensure that data can be recovered promptly, completely, and accurately; and shall achieve long-term preservation and archival management of historical data.
第十条 责任单位应当结合服务和管理工作需要,及时更新与维护人口健康信息,确保信息处于最新、连续、有效状态。不得将人口健康信息在境外的服务器中存储,不得托管、租赁在境外的服务器。
Article 10. Responsible units shall, in conjunction with the needs of service and management work, update and maintain population health information in a timely manner to ensure that information remains current, continuous, and valid. Population health information shall not be stored on servers located outside the territory of the People’s Republic of China, and servers located outside the territory shall not be hosted or leased for such purpose.
第十一条 委托其他机构存储、运维人口健康信息的,委托单位承担人口健康信息的管理和安全责任。受委托的存储、运维机构应当严格按照委托协议做好人口健康信息管理的技术支持,禁止超权限采集、开发和利用人口健康信息。
Article 11. Where a responsible unit entrusts another institution with the storage and operation and maintenance of population health information, the entrusting unit shall bear the management and security responsibility for the population health information. The entrusted storage and operation-and-maintenance institution shall provide technical support for the management of population health information strictly in accordance with the entrustment agreement, and is prohibited from collecting, developing, or utilizing population health information beyond the scope of the authorization.
第十二条 责任单位发生变更时,应当将所管理的人口健康信息完整、安全地移交给主管部门或承接延续其职能的机构管理,不得造成人口健康信息的损毁、丢失。
Article 12. When a responsible unit undergoes a change, it shall transfer all population health information under its management completely and securely to the competent authority or to the institution that assumes and continues its functions. Such transfer shall not result in the damage or loss of population health information.
第十三条 人口健康信息的利用实行分类管理,逐步实现互联共享。人口健康信息的利用应当以提高医学研究、科学决策和便民服务水平为目的。依法应当向社会公开的信息应当及时主动公开;涉及保密信息和个人隐私信息,不得对外提供。
Article 13. The utilization of population health information shall be subject to classified management, with the goal of progressively achieving interconnection and sharing. The utilization of population health information shall aim to improve the level of medical research, scientific decision-making, and public services. Information that shall be disclosed to the public in accordance with law shall be proactively disclosed in a timely manner; information involving classified information or personal privacy information shall not be provided to external parties.
第十四条 责任单位应当建立人口健康信息综合利用工作制度,授权利用有关信息。利用单位或者个人不得超出授权范围利用和发布人口健康信息。
Article 14. Responsible units shall establish a system for the comprehensive utilization of population health information and shall authorize the utilization of relevant information. Units or individuals utilizing such information shall not use or publish population health information beyond the scope of the authorization.
第十五条 责任单位应当为服务和管理对象提供其人口健康个案信息的查询和复制服务,并提供安全的信息查询和复制渠道。
Article 15. Responsible units shall provide service and management subjects with query and copying services for their individual population health information, and shall provide secure channels for such query and copying.
第十六条 责任单位应当做好人口健康信息安全和隐私保护工作,按照国家信息安全等级保护制度要求,加强建设人口健康信息相关系统安全保障体系,制定安全管理制度、操作规程和技术规范,保障人口健康信息安全。利用单位和个人应当按照授权要求,做好所涉及的人口健康信息安全和隐私保护工作。
Article 16. Responsible units shall properly perform population health information security and privacy protection work, strengthen the construction of security assurance systems for population health information-related systems in accordance with the requirements of the national information security multi-level protection scheme, formulate security management systems, operating procedures, and technical specifications, and ensure data security for population health information. Units and individuals utilizing such information shall, in accordance with authorization requirements, properly perform security and privacy protection work in relation to the population health information involved.
第十七条 涉及国家秘密的人口健康信息系统应当按照国家涉密信息管理的要求进行分级保护,杜绝泄密。
Article 17. Population health information systems involving State secrets shall be subject to classified protection in accordance with the requirements of State classified information management, so as to prevent any disclosure of secrets.
第十八条 责任单位应当建立痕迹管理制度,任何建立、修改和访问人口健康信息的用户,都应当通过严格的实名身份鉴别和授权控制,做到其行为可管理、可控制、可追溯。
Article 18. Responsible units shall establish a trace-management system. Any user who creates, modifies, or accesses population health information shall be subject to strict real-name identity authentication and authorization controls, so that their conduct is manageable, controllable, and traceable.
第十九条 人口健康信息相关系统的信息技术产品和服务提供者应当遵守国家有关信息安全审查制度,不得中断或者以其他方式中断合理的技术支持与服务,并应当为人口健康信息在不同系统间的迁移、交互、共享提供安全与便利条件。
Article 19. Providers of information technology products and services for population health information-related systems shall comply with the national information security review system, shall not interrupt or otherwise discontinue reasonable technical support and services, and shall provide secure and convenient conditions for the migration, interoperability, and sharing of population health information across different systems.
第二十条 卫生计生行政部门应当加强对本行政区域内各责任单位人口健康信息管理工作的日常监督检查,对本行政区域内各责任单位人口健康信息综合利用工作的指导监督,提高精细化人口健康服务和管理能力。
Article 20. Health and family-planning administrative departments shall strengthen routine supervision and inspection of the population health information administration work of all responsible units within their respective administrative regions; shall provide guidance and supervision over the comprehensive utilization of population health information by responsible units within their administrative regions; and shall enhance the capacity for refined population health service and management.
第二十一条 卫生计生行政部门建立通报制度。相关单位和个人在人口健康信息利用、人口健康信息系统建设维护和技术支持等过程中,违反本办法规定造成不良后果的,主管部门或责任单位应当对其予以通报;情节严重、违反国家法律法规的,依照国家有关法律法规追究其法律责任。
Article 21. Health and family-planning administrative departments shall establish a notification system. Where relevant units or individuals violate the provisions of these Measures in the course of utilizing population health information, constructing and maintaining population health information systems, or providing technical support, and thereby cause adverse consequences, the competent authority or responsible unit shall issue a notification against them; where the circumstances are serious and constitute a violation of national laws and regulations, legal liability shall be pursued in accordance with relevant national laws and regulations.
第二十二条 卫生计生行政部门建立人口健康信息管理工作责任追究制度。对于违反本办法规定的主管部门和责任单位,上级主管部门应当视情节轻重予以督导整改、通报批评、提出给予行政处分的建议;构成犯罪的,依法追究刑事责任。
Article 22. Health and family-planning administrative departments shall establish a system of liability investigation for population health information administration work. Where a competent authority or responsible unit violates the provisions of these Measures, the superior competent authority shall, depending on the severity of the circumstances, order rectification through supervision, issue a public criticism notification, or recommend the imposition of an administrative sanction; where a crime is constituted, criminal liability shall be pursued in accordance with law.
第二十三条 本办法自印发之日起施行。
Article 23. These Measures shall come into force on the date of issuance.