Data protection, privacy and digitisation in healthcare


What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

At the national level, on 27 May 2021, the National Bureau of Statistics issued the Statistical Classification of the Digital Economy and its Core Industries (2021), which defines the basic scope of the digital economy in terms of 'digital industrialisation' and 'digitalisation of industries', and explicitly covers 'intelligent medical care' (ie, medical examination, testing and imaging taking advantage of digital technology and IT platforms), as well as online medical treatment and telemedicine services.

In addition, China has formulated regulations and policies in the field of remote diagnosis and treatment, internet drug sales, personal medical data protection, and the collection, storage and application of medical big data, and these are all in the process of being continuously improved.

Personal privacy protection and data security are the core legal issues in digital health. In addition, the monopoly of healthcare data, the liability for medical damage caused by medical AI, and the ethical risks brought by the application of AI diagnosis and treatment technology are also common legal issues in digital health.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

The main applicable regulations on digital medical services are the Measures for the Administration of Internet Diagnosis and Treatment (for Trial Implementation), the Measures for the Administration of Internet Hospitals (for Trial Implementation) and the Specifications for the Administration of Remote Medical Services (for Trial Implementation). According to these regulations, online medical treatment services should be provided by medical institutions with appropriate qualifications, and the scope of online diagnosis and treatment is limited to follow-up consultations for certain common and chronic diseases and to signing family doctor service contracts via the internet. Patients can obtain electronic prescriptions through online diagnosis and treatment. If only internet health consultations and health management services (not involving e-prescriptions or disease diagnosis) are provided, the foregoing regulations do not apply.


Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

Laws and regulations on data and privacy protection are generally enacted by the Standing Committee of the National People's Congress, while normative documents are usually formulated by the National Health Commission, the State Administration for Market Regulation and the National Standardization Management Committee. The Office of the Cyberspace Security Commission, the Ministry of Industry and Information Technology, the Administration for Market Regulation and the Public Security Bureau at all levels are generally the enforcement agencies for data or privacy infringement cases. China is continuously strengthening and improving its legislation on data and privacy protection: the Civil Code, the Data Security Law and the Personal Information Protection Law were all published in the last two years. Other related laws and regulatory documents include the Cybersecurity Law, the Electronic Commerce Law, the Measures for the Administration of Population Health Information (for Trial Implementation), the Personal Information Security Norms, the Guidelines for Big Data Security Management and the Basic Requirements for Graded Protection of Cyber Security. Specific guidance or rules issued on data protection and privacy in the healthcare sector include the Guiding Opinions on Promoting and Regulating the Application and Development of Health and Medical Big Data, the Management Measures for National Health and Medical Big Data Standards, Security and Services (for Trial Implementation) and Information Security Technology – Guide for Health Data Security.


What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

With respect to data protection and privacy, the following basic requirements are imposed on healthcare providers:

  • data collection: data collection channels should be lawful and the collection of data should be authorised by patients; data collection should conform to the principle of minimum necessity, and a system to protect personal medical data should be in place;
  • data storage: storage should meet the applicable hardware requirements and implement the state-authorised graded protection and storage of data; and
  • data analysis and application: healthcare providers should operate on and use data in line with national and local government authorisations, strictly carry out data desensitisation and ensure that data use is traceable.


China has no specific regulations on data protection officers or other qualified personnel.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

Common infringements include collecting, storing, using and selling patients’ medical information without consent, and illegally disclosing patient information.