Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

At the national level, on 27 May 2021, the National Bureau of Statistics issued the Statistical Classification of the Digital Economy and its Core Industries (2021), which defines the basic scope of the digital economy in terms of "digital industrialisation" and "digitalisation of industries", and explicitly covers "intelligent medical care" (ie, medical examination, testing and imaging taking advantage of digital technology and IT platforms), as well as online medical treatment and telemedicine services.

In addition, China has formulated regulations and policies in the field of remote diagnosis and treatment, internet drug sales, personal medical data protection, and the collection, storage and application of medical big data, and these are all in the process of being continuously improved.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

The main applicable regulations on digital medical services are the Measures for the Administration of Internet Diagnosis and Treatment (for Trial Implementation), the Measures for the Administration of Internet Hospitals (for Trial Implementation) and the Specifications for the Administration of Remote Medical Services (for Trial Implementation). According to these regulations, online medical treatment services should be provided by medical institutions with appropriate qualifications, and the scope of online diagnosis and treatment is limited to carrying out follow-up consultations for some common and chronic diseases, and signing contracts with the family doctor through internet. Patients can obtain electronic prescriptions through these online diagnosis and treatment. If only internet health consultations and health management services (not involving e-prescription and disease diagnosis) are provided, the foregoing regulations do not apply.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

Laws and regulations on data and privacy protection are generally enacted by the Standing Committee of the National People's Congress, while normative documents are usually formulated by the State Administration for Market Regulation and the National Standardization Management Committee. The Office of Cyberspace Security Commission, the Ministry of Industry and Information Technology, the Administration for Market Regulation, and the Public Security Bureau at all levels are generally the enforcement agencies for data or privacy infringement cases. China is continuously strengthening and improving its legislation on data and privacy protection. Recently the Civil Code, the Data Security Law and the Personal Information Protection Law were published. Other related laws or regulatory documents include the Cybersecurity Law, the Electronic Commerce Law, the Personal Information Security Norms, the Guidelines for Big Data Security Management and the Basic Requirements for Graded Protection of Cyber Security. Specific guidance or rules issued on data protection and privacy in the healthcare sector include the Guiding Opinions on Promoting and Regulating the Application and Development of Health and Medical Big Data and the Management Measures for the Health and Medical Big Data Standards, Security and Services (for Trial Implementation).

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

With respect to data protection and privacy, the following basic requirements are imposed on healthcare providers:

  • Data collection: data collection channels should be legal and the collection of data should be authorised by patients; data collection should conform to the principle of minimum necessity; and a system to protect personal medical data should be in place;
  • Data storage: this storage should meet the hardware requirements and implement classification protection and storage of data to be authorised by state; and
  • Data analysis and application: healthcare providers should operate and use data in line with national and local government authorisations and strictly carry out data desensitisation and ensure data use is traceable.

 

China has no specific regulations on data protection officers or other qualified personnel.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

Common infringements include collecting, storing, using and selling patients’ medical information without consent, and illegally disclosing patient information.