At a Glance

  • Meeting U.S. laws on medical record privacy and security is not sufficient to cover a company expanding into China; medical records must meet Chinese requirements as well
  • EHR cloud storage standards differ in China; U.S. hospitals and providers should consider alternatives to cloud storage on servers located outside of China when handling Chinese patient and other healthcare data
  • Ultimate authority to interpret regional and sector specific regulations rests with the Chinese legal system, which differs significantly from the U.S. legal system

The Chinese market presents a tremendous opportunity for U.S. hospitals and providers, as long as the intricacies of data privacy and security issues are thoroughly understood. This includes Chinese regulations regarding medical records, electronic health record (EHR) storage, and practical enforcement.

The fact that a U.S. company’s medical record privacy and security software/technology meets HIPAA or HITECH regulations is important, but is sufficient only in the United States. U.S.-based entities that provide healthcare services in China are expected to meet different standards and requirements that govern specific industrial sectors, including Chinese laws and rules on data privacy and health information and medical records.

For example, according to the Management Measures for Population Health Information (for Trial Implementation), issued May 5, 2014 by the National Health and Family Planning Commission of China, an entity “in charge of the collection, utilization, management, security and privacy protection of population health information” cannot “store population health information in overseas servers, [or] host or rent overseas servers.” Such an entity is also required to “establish a tracing management system under which any user who creates, modifies and accesses population health information shall be subject to stringent real-name identity authentication and authorization control.”

These provisions potentially apply to a wide range of health-provider activities in China, including activities at corporate clinics. Keeping this in mind, U.S. hospitals and providers operating in China should not store Chinese patient health information in the cloud unless those cloud servers are physically located in China. Given information security concerns, U.S. providers should assess and deliberate on their options before transmitting or downloading Chinese patient information. One approach is to establish an online portal to a Chinese facility that U.S. providers can use to access patient images and files in a manner that does not risk violating Chinese requirements.

U.S. hospitals and other healthcare providers operating in China should also be aware of the “technical guidance documents” issued by various Chinese governmental agencies, which underscore a regulatory trend toward increasing restrictions on the use and overseas-server storage of a broader range of “personal information.” For example, GB/Z 28828-2012, published November 5, 2012 by the Standardization Administration of the People’s Republic of China, provides that “without express consent of the subject of personal information, the express requirement of any law or regulation, or the consent of the competent authority, a personal information administrator should not transmit personal information to any overseas personal information recipient, including an individual located abroad or an organization or institution registered abroad.”

Although such “technical standards” do not have the explicit effect of law, there is always a risk that local governments could interpret them as obligatory, or that they could be given mandatory effect when referenced in newly developed Chinese laws and regulations in the dynamic area of personal and data privacy. Regardless, it is clear that the trend in China favors “localization” of the storage and use of health and other personal information, and greater informed consent for such use.