On November 19, 2013, the National Health and Family Planning Commission of the People’s Republic of China published a draft of its proposed new Administrative Measures on Personal Health Information (the “Draft Measures”) and solicited public comments by December 20, 2013.

This is the first time the Chinese government has proposed an integrated and uniform framework for the administration and protection of its citizens’ personal health information. The Draft Measures provide a broad definition of “personal health information” as well as detailed rules for the protection of personal health information.

Under the Draft Measures, “personal health information” would include: (1) basic personal information, information on family members, and information regarding the administration of family planning; (2) electronic health files; (3) electronic medical records; and (4) other information, such as information on administrative matters and decision-making that arise during a hospital’s provision of medical services.

Although existing rules prohibit the duplication, alteration, destruction or disclosure of medical records without authorization, an individual’s medical records would be subject to significantly enhanced protection if the Draft Measures eventually become effective. Specifically, the Draft Measures require that:

  • a medical institution must inform a data subject of the purpose of the collection of personal health data and obtain the data subject’s consent for such collection;
  • government agencies or medical institutions may not engage an entity which may use personal health information for commercial purposes to create or operate a database containing personal health information; and
  • medical institutions must establish strict rules on user real-name identity verification and access controls on any personal health information database, for the protection of personal health information.

Finally, the Draft Measures include a cross-border transfer restriction. Under the proposed Draft Measures, no personal health information collected by government agencies or medical institutions may be stored in any server located outside of China.