Summary of the IT Requirements for the Community Pharmacy Programme

Functions and Features

  • The Government has created a Government IT Platform built on the eHealth System to collect, store, share, and use data for Programme Patients.
  • The contractor is required to have its own pharmacy operation IT system, known as the “Pharmacy System,” to perform the services.
  • The Pharmacy System must be able to retrieve electronic prescriptions and other information from the Government IT Platform and submit dispensing data, clinical documentation, and co-payment details to it.
  • The Pharmacy System has a variety of required functions, including: retrieving electronic prescriptions and information, verifying patient identity by scanning a QR code from the eHealth App, documenting clinical notes for pharmacist services, calculating patient co-payments, and submitting records promptly.
  • Other functional requirements include a medication dispensing function that ensures safety , a Programme Patient list maintenance function, a user account access control maintenance function, and a back-date input function for system breakdowns.
  • The Pharmacy System must process electronic prescriptions in accordance with applicable laws and regulations.
  • Contractors must be able to retrieve data from eHealth by conforming to the
    eHR Data Interoperability Standards and the FHIR Developers’ Quick Guide for Community Pharmacy Programme.

eHealth-Related Security Requirements

  • The contractor must be a registered healthcare provider (HCP) for Hong Kong’s eHealth System.
  • The contractor must have a reliable and secure internet connection for eHealth access and service operation.
  • Electronic Medical Records (EMR) or systems that interface with the eHealth System must undergo independent penetration testing.
  • The contractor must conduct a Security Risk Assessment and Audit (SRAA) and a Privacy Impact Assessment (PIA) every two years.
  • All Personally Identifiable Information (PII) must be encrypted regardless of the storage media, and secure management of encryption keys must be implemented.
  • Connections from healthcare providers to cloud EMR systems must use a Virtual Private Network (VPN) or a leased line.
  • Contractors must also conduct an annual Compliance Checking and Endorsement Process, which includes submitting a security assessment checklist and having a third party perform annual network port and web vulnerability scanning.

TImeline

  • The contractor is required to have successfully interfaced its Pharmacy System with the Government IT Platform within 16 weeks of the Letter of Conditional Acceptance being issued.
  • Within the first four weeks, the contractor is responsible for preparing hardware and software for the connectivity network and performing end-to-end network connectivity testing.
  • Within the 16-week period, the contractor must also provide sample dispensing and drug order data, perform programme development, and perform end-to-end testing and interface testing with the eHealth IT Systems.
  • Upon successful completion of the interface testing, the contractor must have a production-ready IT connectivity and submit documentation to confirm the successful completion of the testing, both within the same 16-week timeframe.
  • The contractor must also submit a checklist confirming essential IT knowledge within four weeks from the date of the Letter of Conditional Acceptance.
Scroll to top