Abstract: The paper introduces the obligations that medical institutions should undertake in protecting patients’ privacy rights. Taking typical online medical projects as an example, it describes the common functions of online medical services, the privacy level of the patient information involved, the “handled by relatives and friends” authentication mode, and which permissions are opened. It then analyzes the existing problems and puts forward suggestions, including providing “relatives and friends” options with clear semantics from a legal perspective, verifying the authenticity of bound users’ identities, and exploring standardized and efficient online patient authorization methods.