Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.

This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.

1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?

Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.

2. What are the key compliance steps for health care data collection in China?

Collection of human genetic information by foreign entities or foreign individuals is strictly regulated, and such collection is subject to the approval of regulatory authorities.

Multinationals may wish to consider taking the following steps to be compliant with Chinese laws:

  • For direct collection from data subjects, review the data collection agreements and clarify the purposes, rules, methods, ranges and other important aspects of collection disclosed to the data subject. For indirect collection (i.e., collection from business partners), review the partnership or delegation contracts to ascertain ownership of the health care data collected and ensure that the delegated party is compliant with Chinese cybersecurity laws and regulations.

3. What are the key compliance steps for health care data storage in China?

Multinationals should first focus on China’s data localisation requirements. Chinese laws and regulations have strict requirements regarding storage of health care big data and human genetic information. Principally, health care big data and human genetic information must be stored in local, secured and trusted servers. Similar requirements are likely to expand to other types of health care data in the future.

Multinationals storing health care data in China should consider taking the following precautions:

  • Keep an eye on legislative trends, especially recently published draft regulations by cybersecurity authorities.
  • Adjust your global data protection strategy and prepare to move servers storing health care data into China.
  • Review contracts between multinationals and network device/service vendors, especially from a technical and managerial perspective.
  • Adjust your management strategy for internal system control.
  • Conduct regular data protection audits and strengthen access control and personnel management.
  • Conduct regular training and prepare a response plan for potential data breach events.

4. What are the key compliance steps for use and transfer of health care data?

The use, transfer or sharing of any health care data involving personal information with third parties requires the consent of the data subject. Alternatively, data may be de-identified to downgrade its sensitivity. For certain types of health care data, such as health care big data and human genetic information, security assessments review or approval from administrative authorities will apply prior to cross-border transfer.

Multinationals should considering taking the following steps before transfer:

  • Ensure consent is obtained through contracts or other cooperation agreements.
  • Clarify the rules, purposes, scope and other important aspects of usage. If the data usage activities are beyond the agreed scope, additional consent must be obtained.
  • Review cooperation agreements with research institutions in China to ensure they have the necessary qualifications to conduct research on certain types of data, such as human genetic resources.
  • Conduct a security assessment review based on the requirements of government authorities, or obtain approval from government authorities if required.

This post was originally published by the MWE China Law offices as a China Law Alert under the title “Health Care Data Compliance in China: FAQ.” Authors Carol B. Sun (Partner) and Jenny Z.N. Chen (Associate) are based in the MWE China Law Offices in Shanghai. Click here to view the article on the MWE China Law Offices website.