Newsletter
Key points of the Draft Amendment to the Regulations Governing the Preparation and Management of Electronic Medical Records by Healthcare Institutions recently announced for public comment by the Ministry of Health and Welfare
In response to the digitalization trend of healthcare information, the Medical Care Act was amended in 2004 to include the following provision under a newly added Article 69: "Healthcare institutions which prepare and retain medical records via electronic means shall be exempt from producing a hard copy thereof. The regulations regarding the criteria, production method, content, and other requirements for electronic medical records shall be set forth by the central competent authority. The regulations regarding the criteria, production method, content, and other requirements for electronic medical records shall be set forth by the central competent authority". Pursuant to such provision, the central competent authority at the time, the Department of Health (later restructured and became the Ministry and Health and Welfare), promulgated the Regulations Governing the Preparation and Management of Electronic Medical Records by Healthcare Institutions (these "Regulations") in 2005, which have been in force since then with certain amendments made in 2008 and 2009.
Nevertheless, with the rapid development of technology in recent years, these Regulations, promulgated decades ago, are no longer adequate in addressing the difficulties faced by the stakeholders in terms of the laws or practices in this field. To continue promoting the effort of going paperless (or electronic) for healthcare information, the Ministry of Health and Welfare announced the draft amendment to these Regulations (the "Draft Amendment") on December 8, 2021 for the public comment period. In accordance with the Administrative Procedure Act, any person who has any comments or proposed revisions to this Draft Amendment may submit their comments or proposals within 60 days (i.e., by February 7, 2022), so that the Ministry can evaluate whether to revise the Draft Amendment after receiving the public comments before the Draft Amendment officially take effect. Therefore, relevant institutions and businesses may review the provisions under this Draft Amendment and submit their comments to the competent authority before the above-mentioned deadline.
The key points of this Draft Amendment are as follows:
1. Clarification regarding the order of application between these Regulations and the Personal Data Protection Act (the "PDPA") (Post-Amendment Article 22 22).
Medical records constitute special personal data defined under and subject to Article 6 of the PDPA. To avoid confusion regarding the application of the laws, Post-Amendment Article 22 stipulates the order of application in this regard: where the personal data involved fall within the scope of electronic medical records (EMRs), these Regulations shall take precedence; where these Regulations are silent on the data at issue, it shall be subject to the PDPA or other relevant laws and regulations.
2. Provision in response to the requirement to obtain written consent under the Medical Care Act (Post-Amendment Article 21).
i. In accordance with Paragraph 1 of Article 63, Paragraph 1 of Article 64, and Paragraph 1 of Article 79 under the Medical Care Act, Articles 4, 6 and 7 of the Hospice Palliative Care Act, and Article 34 of the Emergency Medical Services Act, healthcare institutions shall obtain written consent from the patients undergoing certain medical procedures and shall keep such consent together with the patient's medical records.
ii. In order to achieve the goal of going paperless, Post-Amendment Article 21 prescribes that the relevant documents may be prepared and retained in electronic form pursuant to the Electronic Signatures Act.
iii. However, there are still a portion of the general public who prefer signing hard-copy documents, paper copies may still be provided upon request.
3. Provisions to Enhance Information Security (Post-Amendment Articles 3 to 5).
i. Since medical records are important legal documents and are also important evidence in the event of a medical dispute, to protect the security of medical information, Post-Amendment Articles 3-5 address issues on transmission access rights, the use of encryption mechanisms applicable to international standards organizations, and mechanisms for prevention, notification and response, review and correction of data destruction, leakage or other security incidents.
ii. Regarding issues of notification, in reference to similar provisions under the PDPA, this Draft Amendment requires that the person concerned or his/her representative be notified of the occurrence of a security incident and that the healthcare institution notifies the competent authority within 72 hours if the operation of the healthcare institution or the interests of the person concerned are affected thereby.
4. Outsourcing of EMR Information System (Post-Amendment Article 6 and Article 7).
i. Due to the complexity and expertise involved in the field of ICT and information security, in practice, most healthcare institutions have engaged tertiary academic institutions, corporations, organizations or associations to build their EMR information system. In order to ensure the quality of such third-party service provider and the security of the EMR information system, the Draft Amendment prescribes that the service provider must meet certain criteria and have the relevant certification. However, despite using a third-party service provider, the healthcare institution shall still remain responsible under the Medical Care Act and these Regulations. The healthcare institutions have one year to ensure their compliance with this requirement after the Draft Amendment takes effect.
ii. When outsourcing the building and management of the EMR information system, a written engagement contract shall be executed, setting forth the scope of the engagement and the rights and obligations of the service provider in order to avoid disputes. In particular, the contract shall procure the service provider to comply with the relevant provisions under these Regulations.
iii. In order to prevent the service provider from further outsourcing the work to another service provider, which will result in complicated contractual relationship and confusion of accountability, the service provider is prohibited from further outsourcing the work, except for cloud storage service (such as suing the cloud server service provided by Chunghwa Telecom).
5. Relaxing the Use of Cloud Services (Post-Amendment Article 8).
i. Migration to the cloud is an unavoidable trend in this data-driven era, and it is inevitable for healthcare institutions to utilize cloud services that combine cloud computing, cloud storage and internet connection to meet its business needs. Nevertheless, as EMRs contain the health data of patients, and the EMR Information System cannot be separated from the cloud services, they shall be subject to a higher level of control.
ii. In this regard, the Draft Amendment stipulates that healthcare institutions shall still take appropriate risk management measures when using cloud services, implement mechanism to avoid disruption of healthcare services, supervise cloud service providers either by themselves or through third parties or other professional institutions, and put in place a mechanism for data reversal upon the discontinuation or termination of the cloud services.
iii. The Draft Amendment also prescribers that the data storage location of the cloud service shall be within the territory of the Republic of China (Taiwan); except under special circumstances (e.g., when collaborating with foreign countries) and subject to the approval of the Ministry of Health and Welfare.
6. EMR approval system (Post-Amendment Articles 9 and section 10).
i. The EMR information system is an important system for healthcare institutions to operate and medical records are important legal documents; therefore, the Draft Amendment specifies that healthcare institutions must apply to and be approved by the local competent authorities before implementing an EMR information system. Any changes to or discontinuation of such system shall be reported to the competent authority for recordation. The healthcare institutions have one year to ensure their compliance with this requirement after the Draft Amendment takes effect.
ii. The Draft Amendment also specified the mandatory information to be provided in the application; if the healthcare institution uses a service provider, the service provider's certification documents and the engagement contract between the parties shall also be attached.
iii. The Draft Amendment further states that the healthcare institutions shall disclose the commencement date and scope of the approved EMR information system in a conspicuous place within the institution.
7. Preparation and Signing of EMRs (Post-Amendment Articles 12 and 13).
i. Article 68 of the Medical Care Act stipulates: "Medical care institutions shall instruct its medical personnel to personally make documentation of medical record, affix signature or seal, and add the year, month and date of inspection when conducting medical practices (Paragraph 1). In the case that the medical records referred to in the preceding Paragraph is revised or amended, the signature or sign and date shall be affixed to the revised or amended portions. Amended records shall be drawn out with a line, and not deleted (Paragraph 2). The physician's orders shall be clearly stated in the medical record or in written form. However, in case of emergency, the physician's orders may be given orally, and documented within 24hours (Paragraph 3)."
ii. With regard to the above-cited provisions, in the case of EMRs, the relevant identification codes and electronic signatures (by means of healthcare professional's authentication code and, in certain exceptional circumstances, by means of healthcare institutions authentication code) shall be used in order to comply with the provisions of its parent legislation.
8. Storage and Destruction of EMRs (Post-Amendment Articles 14 to 18).
i. For healthcare institutions that cannot continue to operate for any reason and transfer the medical records to the successor, a record of the relevant events shall be made and the records should be kept for a period of at least five years in accordance with Article 16 of the Implementation Regulations for the Safety and Maintenance Program of Personal Data File Maintained by Healthcare Institutions.
ii. Since medical records are important legal documents and are also important evidence in the event of a medical dispute, and the Medical Care Act provides that healthcare institutions and their personnel who have access to or are in possession of the information about a patient's condition or health due to the performance of their job duties must not disclose it without legitimate causes. To this end, the Draft Amendment provides the rules regarding the destruction of EMRs by health institutions.
iii. In the case of relevant storage media such as computers, automated machines or other electronic media, appropriate measures shall be taken to ensure that EMRs are completely removed or erased without risk of leakage when they are disposed of, retired or converted to other uses; if the EMRs cannot be completely removed or erased from the storage media or the data therein can be restored later, such media shall be physically destroyed so that they can no longer be used.
iv. Records of the persons, methods, time and places involved in such destruction shall be kept for at least five years: the process of destruction shall be monitored and photographed for record to ensure that such media is completely destroyed.
v. Documents that shall be signed in hard copy pursuant to the law and shall be kept together with undersigned's medical records, as well as the hard-copy medical records existing before the implementation of EMR information system in healthcare institutions can be electronically transcribed into electronic files and sealed with the certificate of the institution. The records of the original paper copies being destroyed shall be kept for five years after the destruction.
9. Setup, Exchange or Use of EMR Exchange Platform (Post-Amendment Article 19 and Article 20).
i. The exchange of EMRs shall take into consideration the information security and professional quality of the healthcare institutions. Therefore, the Draft Amendment prescribes that the authorities and institutions approved by the Ministry of Health and Welfare may set up EMR exchange platforms and the exchanges of EMRs shall be conducted through such platforms. The EMR exchange platforms established before the Draft Amendment takes effect have one year to ensure their compliance with this requirement after the Draft Amendment takes effect.
ii. To ensure consistency in the exchange of EMRs by healthcare institutions, the exchange formats, signatures and time stamps and other related matters as published by the Ministry of Health and Welfare shall be followed.
iii. To ensure that patients are able to decide whether their own medical records data are to be exchanged by healthcare institutions in the form of EMRs, the Draft Amendment prescribes that healthcare institutions shall inform patients and obtain their consent in this regard.
10. Grace Period (Post-Amendment Article 23).
As provided in Sections IV(I), VI(I) and IX(I) above.
The aforementioned amendments to these Regulations will affect healthcare institutions, past/future institutions/vendors that assist in the establishment of EMR information systems, and past/future users of EMR data. Therefore, it is advisable to review the above provisions and express your opinion to the competent authority as soon as possible if you have any concerns regarding the practice thereof, such as whether the grace period is sufficient, so that proper revisions can be made before the Draft Amendment officially takes effect. In addition, advance preparations can be made for the possible impact on future business activities.
If you have any questions, please contact our Medical and Pharmaceutical practice group for more information.