What Ordinance No. H-5 regulates and to whom it applies
The ordinance was issued by the Minister of Health on the basis of Art. 6b, paras 8 and 9 of the Medical Establishments Act. It enters into force three days after its promulgation — that is, in early May 2026 — and from that moment every healthcare establishment that already provides, or plans to provide, remote services must align its activity with it.
Ordinance No. H-5 governs four core matters: the procedure for providing remote medical care; the criteria for activities in which such care is not permitted; the conditions for informed consent through digital technologies; and the requirements for the medical, information and communication technologies themselves.
Who falls within the scope
Remote medical care is provided by healthcare establishments set up under the Medical Establishments Act and by the medical professionals working in them. The ordinance expressly excludes the establishments referred to in Art. 10, items 2 and 7 of the same act — they may not provide remote medical care.
There is also one situation that remains outside the scope: the ordinance does not apply to remote consultations between medical professionals in which no personal data is processed. As soon as data relating to a specific patient is exchanged during the consultation, the regime of Ordinance No. H-5 is triggered.
Types of remote medical care
The ordinance permits a broad range of activities — prevention, diagnostics, treatment, rehabilitation, as well as professional consultations, expert assessments and remote interpretation of medical data between professionals. It also introduces a clear classification that matters in practice, because the deadlines and the organisation of work depend on the type of service.
By urgency and method of communication
| Criterion | Type | Description |
|---|---|---|
| Urgency | Scheduled | Provided upon request by a patient, healthcare establishment or professional, in line with internal rules announced in advance. |
| Emergency | Advisory care between healthcare establishments in emergency situations, for which the establishments conclude a contract between themselves. | |
| Method of communication | Synchronous | Real-time communication between the patient and the professional, or between professionals. |
| Asynchronous | Medical data and test results are exchanged and assessed without simultaneous presence — for example, imaging studies sent for subsequent assessment. |
Who may initiate the service
Remote medical care may be initiated by a patient or their legal representative, by a medical professional or by a healthcare establishment. The care itself may be provided directly to a patient, between professionals or teams within one establishment, or between different establishments in connection with the diagnosis, treatment and follow-up of a specific patient.
When remote medical care is NOT permitted
This is one of the most important parts of the ordinance. It sets out exhaustively the cases in which the remote format is prohibited — and the decision is always a matter of the physician’s clinical judgement in the specific case. Remote medical care is not provided where:
- providing it may endanger the patient’s life and/or health;
- the required quality, safety and effectiveness cannot be guaranteed in accordance with the medical standards and the rules of good medical practice;
- the nature of the activity requires mandatory direct physical contact for examination, diagnosis or treatment;
- the identity of the patient or of the applicant cannot be established reliably;
- it concerns activities in the field of dental medicine — with two exceptions: remote consultations between dental practitioners, and the interpretation of imaging and other diagnostic studies related to dental care.
Separately, the ordinance expressly provides that the management of childbirth is not carried out remotely — in that case only remote consultations and expert support between professionals are permitted. The establishment of death is likewise not carried out remotely.
Obligations of healthcare establishments
The ordinance places telemedicine within a framework of specific and verifiable obligations for healthcare establishments. Here are the most significant ones.
Public information on the website
Healthcare establishments announce on their website (if they maintain one), or by another means accessible to the public:
- a description of the medical services they provide remotely;
- the medical specialties in which these services are provided;
- the medical professionals who provide them;
- the options for providing the services in line with the internal rules or rules announced in advance via an information system or another digital channel.
Centres for the provision of remote medical care
Healthcare establishments may pool their efforts and resources by setting up, on a functional basis, a centre for the provision of remote medical care. This is done through a contract under Art. 95, para 1, item 1 of the Medical Establishments Act, which defines at least the coordination structure, the rights and responsibilities of the participants, the scope of the services, the rules for joint controllership of personal data under Art. 26 of Regulation (EU) 2016/679, and the uniform rules for access to, storage, exchange and protection of the data.
Documentation and deadlines
The results of each service are documented through an electronic health record entered into the patient’s health file in the National Health Information System. The documentation is completed after the service ends, within the following deadlines:
| Type of care | Documentation deadline |
|---|---|
| Scheduled medical care | No later than 4 p.m. on the next working day |
| Complex clinical cases, image processing, remote monitoring or expert consultations | No later than two working days |
| Emergency medical care | As soon as possible, but no later than 30 minutes |
| Emergency care in a complex case or with extensive computer image processing | No later than 120 minutes |
The provision of care is also documented through an electronic medical document — an outpatient sheet or another medical record — drawn up by the professional and certified with a qualified electronic signature or another recognised method of electronic identification. Where digital tools for clinical decision support have been used in the service, this fact is also reflected in the documentation.
Liability, resources and oversight
The medical professional bears professional liability for the decision taken and for the care provided, including where they use digital tools and clinical decision-support systems. Healthcare establishments, for their part, must ensure a sufficient number of professionals for the activity. Oversight of the healthcare establishments and professionals providing remote medical care is exercised by the Executive Agency “Medical Supervision”.
Informed consent and patient rights
Remote medical care is provided only after the patient has given informed consent — in accordance with Art. 87 of the Health Act and Art. 6b, para 5 of the Medical Establishments Act. The information is provided before the care is rendered, in an appropriate scope and form that allow freedom of choice.
Requesting the service through an electronic form
The patient requests the service through an electronic form available via an information system, a remote medical care platform or another digital channel. The form contains at least: identification details of the recipient; contact details and preferred communication channel; a description of the health problem and the purpose of the consultation; information about available medical documents; consent to the provision of the care and to the processing of personal data; and consent to audio, video or other digital recording where applicable.
Audio and video recording — separate consent
Recording the interaction is permitted only with prior informed consent given in written or electronic form. This consent contains at least information about the grounds and purposes of the recording, the type of recording and the scope of the data processed, the manner and period of storage, the persons with access, and the patient’s right to withdraw consent.
Access to the health file
To assess the patient’s condition, professionals have the right to access the patient’s electronic health records in the National Health Information System — subject to the principles of necessity and proportionality, and only to the extent needed for the specific service. The patient assists with accurate and complete medical history data, information on treatments carried out, medicinal products taken and available test results. The healthcare establishment must inform the patient in advance of the type, scope and purpose of the data and of the consequences of not providing it.
Personal data protection and cybersecurity
Health data is a special category of personal data under Art. 9 of Regulation (EU) 2016/679. Its protection therefore occupies a central place in the ordinance — and it is the area in which the legal risks for healthcare establishments are highest.
Every healthcare establishment that provides remote medical care is a controller of personal data. It must apply the technical and organisational measures under Art. 32 of the Regulation and carry out a data protection impact assessment. Only the data necessary for the specific service is processed, in line with the data minimisation principle.
The ordinance also introduces a specific transparency obligation: the healthcare establishment publishes on its website a notice to data subjects under Art. 12–14 of the Regulation — setting out the categories of data processed, the purposes and legal grounds, the recipients, the storage period and the rights of patients. Where the service is provided by several establishments as joint controllers, the notice also includes the essence of the joint controllership arrangement under Art. 26 of the Regulation.
On the technology side, the systems used must ensure reliable identification of participants, traceability of actions and protection of the data. They must meet the cybersecurity requirements, including Section VIII “Cybersecurity” of Ordinance No. H-6 of 2022 on the functioning of the National Health Information System. Where medical devices or software with a medical purpose are used, they must hold valid CE marking. Backup power supply and resilience of the systems are also required, so that in the event of a technical failure the professional can refer the patient to in-person care.
Steps towards compliance
In practice, healthcare establishments that already operate remotely must bring their activity in line with the new regime. We recommend the following sequence:
- Review the current state — assess the services you already provide remotely and compare them against the scope and prohibitions under the ordinance.
- Update the internal rules — set out the procedure for scheduled and emergency care, the criteria for inadmissibility, and the allocation of responsibilities between professionals.
- Publish the mandatory information — place on your website the description of the services, specialties and professionals providing remote care.
- Review the technological capacity — check the identification of participants, traceability, cybersecurity, the CE marking of devices and backup power supply.
- Prepare the data protection documentation — a notice to data subjects, an impact assessment and — where activity is joint — a joint controllership arrangement.
- Draft informed consent templates — separately for the service itself and for audio/video recording, in written or electronic form.
- Set up the documentation process — ensure the deadlines are met and the electronic records are entered into the National Health Information System.
Frequently asked questions
The ordinance was promulgated in the State Gazette, issue 41 of 5 May 2026. As it does not contain an express provision for a later entry into force, it enters into force under the general rule — three days after promulgation. From that moment, healthcare establishments providing remote medical care must be in compliance with it.
Diagnostics is among the activities permitted remotely, but the decision is a matter of clinical judgement for each specific case. If the nature of the condition requires a direct physical examination, or if the required quality and safety cannot be guaranteed, remote care is not permitted and the patient is referred to an in-person examination.
As a rule, no. The ordinance prohibits dental medicine activities remotely, with two exceptions: remote consultations between dental practitioners, and the interpretation of imaging and other diagnostic studies related to dental care.
Yes. The healthcare establishment announces on its website — or by another means accessible to the public, if it does not maintain a website — a description of the remote services, the specialties and professionals providing them, and the options for their provision. Separately, it also publishes a notice to data subjects under Art. 12–14 of Regulation (EU) 2016/679.
Emergency care is documented as soon as possible, but no later than 30 minutes after the service ends. In a complex case, or where extensive computer image processing is needed, the deadline is up to 120 minutes. For scheduled care the deadline is 4 p.m. on the next working day, and for complex clinical cases — two working days.
Yes. Audio, video or other digital recording of the consultation is permitted only with prior informed consent in written or electronic form. The consent must state the grounds and purposes of the recording, the type and scope of the data, the manner and period of storage, the persons with access, and the patient’s right to withdraw consent.
Oversight of the healthcare establishments and medical professionals providing remote medical care is exercised by the Executive Agency “Medical Supervision”. Compliance with the rules on personal data protection is also monitored by the Commission for Personal Data Protection.
Need Assistance?
The Innovires Legal team can bring your healthcare establishment into compliance with Ordinance No. H-5 — review of the current state, updating internal rules, contracts for centres and joint controllership, personal data protection documentation and informed consent templates.