An overview of the regulatory requirements for cybersecurity and data protection in the Chinese healthcare industry. It focuses on data compliance issues that might be encountered by pharmaceutical companies and medical institutions, in particular regarding the requirements on data localisation and cross-border transfers of various types of healthcare data, including sensitive personal information (PI), human genetic resources (HGR) data, clinical trial data, medical records, and so on.
Healthcare data exhibits distinctive characteristics, such as high data sensitivity, diverse and complex data forms, and large differences in scenario-based compliance requirements. In China (PRC), the management of healthcare data is mainly regulated by the "three pillars" of China's data compliance legal framework (namely, the Cybersecurity Law of the PRC 2016 (2016 CSL, with effect from 1 June 2017), the Data Security Law of the PRC 2021 (2021 DSL) and the Personal Information Protection Law of the PRC 2021 (2021 PIPL)), while additional requirements are scattered across different sector-specific laws and regulations. There is no single unified piece of legislation that systematically addresses the management of healthcare data. Definitions and concepts provided in different legislative documents overlap with each other, and some compliance requirements on similar subjects even contradict one another to a certain extent. The complexity of the legal framework, coupled with the diverse characteristics of data in the healthcare industry, makes compliance in this area complicated.
According to the 2021 PIPL, prior to engaging in outbound transfer activities of PI, the PI processor must first fulfil the obligation to inform the relevant individuals and obtain their consents, followed by an impact assessment on PI protection (Articles 39 and 55).
According to Article 38 of the 2021 PIPL, the three paths for the outbound transfer of PI are as follows:
Passing a security assessment organised by the Cyberspace Administration of China (CAC).
Obtaining PI protection certification by an authorised certification institution in accordance with the CAC's provisions.
Entering into a standard contract adhering to the template formulated by the CAC.
Data processors falling under any of the following circumstances must apply for an official security assessment to the CAC through the local cyberspace administration at the provincial level before transferring data abroad:
Where a data processor transfers important data abroad.
Where a critical information infrastructure (CII) operator or a data processor processing the PI of more than one million individuals transfers PI abroad.
Where a data processor has provided PI of 100,000 individuals or sensitive PI of 10,000 individuals cumulatively abroad since 1 January of the previous year.
Other circumstances prescribed by the CAC for which declaration for security assessment for outbound data transfers is required.
(Article 4, Measures on Security Assessments of Cross-Border Transfers of Data 2022.)
(For expanded coverage, see Practice Note, Cross-Border Data Transfers: Data Export Security Assessment in China.)
Non-CII operators and data processors not meeting the specified quantity threshold for security assessment (see Security Assessment) may undergo PI protection certification by an authorised certification institution in accordance with the CAC's rules. Upon successfully obtaining the certification, applicants are allowed to transfer PI overseas.
(For expanded coverage, see Practice Note, Cross-Border Data Transfers: Personal Information Protection Certification in China.)
In parallel with the PI certification path, non-CII operators and data processors not meeting the specified quantity threshold for security assessment (see Security Assessment) can also choose to enter into a standard contract for the outbound transfer of PI with each of their overseas recipients in accordance with the provisions of the Measures on the Standard Contract for Outbound Transfer of Personal Information 2023. This also allows applicants to engage in outbound transfers of PI.
(For expanded coverage, see Practice Note, Cross-Border Data Transfers: Standard Contract for Personal Information Exports (China).)
Multiple types of data in the medical and healthcare industry may constitute important data.
Export of important data should be subject to security assessment, and competent authorities in respective localities, levels, and sectors should develop their catalogues of important data for the region, department, and related industries and fields accordingly (Articles 21 and 31, 2021 DSL).
The scope of important data in the field of medical and healthcare should, in principle, be formulated by the national health administration. However, no such catalogue has been released so far, so the classification and grading of data in this field remain unclear.
The Information Security Technology – Guide for Important Data Identification (Draft for Comments) 2022 (2022 Draft Important Data Identification Guide) issued by the National Committee for Standardization (TC260) on 13 January 2022 identifies "basic data reflecting the health and physiological conditions of groups, ethnic characteristics and genetic information" as important data. The enumerated examples include "census information, HGR information, and raw data of gene sequencing" (Article 5(h), 2022 Draft Important Data Identification Guide). (For more information on the draft, see Legal Update, TC260 circulates draft guidelines on identification of important data.)
To export important data, data processors should carry out the data export risk self-assessment and conduct the data security assessment as required (see Security Assessment).
Plenty of healthcare data is sensitive PI.
On 14 December 2020, the Standardization Administration of China and the State Administration for Market Regulation issued the Information Security Technology – Guide for Healthcare Data Security (GB/T 39725-2020) (2020 Healthcare Data Security Guide), with effect from 1 July 2021.
According to the 2020 Healthcare Data Security Guide:
"Personal healthcare data" refers to electronic data that can identify a specific natural person or reflect the physiological or psychological health of a specific natural person, either alone or in combination with other information.
"Healthcare data" includes personal healthcare data and healthcare-related electronic data obtained after the processing of personal healthcare data, including overall group analysis, trend prediction, disease prevention, control statistics, and so on.
(Articles 3.1 and 3.2.)
Under the 2020 Healthcare Data Security Guide, personal biometric information (including gene, fingerprint, voice print, palm print, iris, and facial features) and health status data (including medical history, family medical history, genetic consultation data, gene sequencing data, transcription product sequencing, human microbial detection data, protein analysis, metabolic small molecule detection data) may all be considered as sensitive PI.
With respect to sensitive PI, the purpose, manner and scope of collection should be expressly stated at the time of collection, and the PI subjects should be informed of the necessity of handling the sensitive PI and the impact on their rights and interests. Processing may only take place on the basis of the PI subjects' separate, express consent. In addition, the threshold for data export security assessment and declaration is lower if the data processed constitutes sensitive PI (see Security Assessment).
Population Health Information
According to the Administrative Measures for Population Health Information (for Trial Implementation) 2014 (2014 Population Health Information Measures) promulgated by the former National Health and Family Planning Commission, "population health information" refers to basic population information, medical and health services information and other population health information generated by medical and health services institutions at all levels in the process of service and management in China according to national laws and regulations and working responsibilities (Article 3).
The collection of population health information requires "one data one source" and "minimal sufficient." The storage of population health information should be based on the grade of the data. The responsible entity should establish a reliable working mechanism for disaster-tolerant backup of population health information and implement a trace management system to ensure that the users' behaviours can be managed, controlled and traced (Articles 8-9, 2014 Population Health Information Measures).
The 2014 Population Health Information Measures explicitly require that "population health information should not be stored on an overseas server or through a hosted or rented overseas server" (Article 10, 2014 Population Health Information Measures). In other words, the cross-border transfer of population health information is strictly prohibited.
According to the National Healthcare Big Data Standards, Security and Service Management Measures (for Trial Implementation) 2018 (2018 Healthcare Big Data Measures), "healthcare big data" refers to the healthcare-related data generated in the process of disease prevention and treatment, health management, and so on (Article 4).
For the storage of healthcare big data, medical institutions and relevant entities should take measures such as data classification, important data backup and encryption authentication, and carry out electronic real-name authentication and data access control, and strictly regulate the data access and use rights of users of different levels. They should also ensure that access behaviours of healthcare big data can be managed and controlled, and the whole service and management process can be traced (Articles 18, 22, and 23, 2018 Healthcare Big Data Measures).
Healthcare big data is also subject to local storage requirements. In principle, it should be stored on a secure and reliable server located in China. Export of this data is only permitted on an as-needed basis after passing a security assessment by the CAC (Article 30, 2018 Healthcare Big Data Measures).
Localisation Requirement in the 2020 Healthcare Data Security Guide
According to 2020 Healthcare Data Security Guide, healthcare data is divided into the following six categories:
Personal attribute data.
Health status data.
Medical application data.
Medical payment data.
Health resource data.
Public health data.
The 2020 Healthcare Data Security Guide sets out recommendatory (not compulsory) compliance requirements for the full lifecycle of healthcare data, including a requirement for "domestic storage" in order to realise "storage security."
Hospitals as CII Operators
According to paragraph C(3) of Article 3.2(iii) of the National Network Security Inspection Operation Guide 2016 developed by the Network Security Coordination Bureau of the CAC in June 2016, for processors in the healthcare industry (for example, hospitals), a security incident such as the leakage of important data may result in consequences that seriously endanger national security, national livelihood and public interests. Therefore, hospitals and other entities handling healthcare data may constitute CII operators. Article 37 of the 2016 CSL requires PI and important data generated during CII operations to be stored within China, but allows CII operators to transfer these types of data abroad for necessary business needs after they complete a security assessment.
In addition, if hospitals and other relevant responsible entities are identified as CII operators, they may also need to review their procurements of network products and services in accordance with the Network Security Review Measures 2021 (2021 Network Security Review Measures, with effect from 15 February 2022), to assess the national security risks that may be brought by the products and services after they are put into use. If it is considered that certain procurement affects or may affect national security, they should apply for network security review by the Network Security Review Office (Article 5, 2021 Network Security Review Measures). (For more information, see Practice Note, Cybersecurity Review of Network Products and Services in China.)
Apart from that, hospitals that constitute CII operators also need to make a filing under the network security multi-level protection scheme. According to the Guidance on Information Security Level Protection in the Health Industry 2011, the core business information systems of Grade 3 first-class hospitals should, in principle, be classified as no lower than Level 3, and the relevant systems should be filed with the local public security bureaus and healthcare administrations (Article 4.1(1)).
HGR includes the following two categories:
HGR materials. HGR materials refer to organs, tissues, cells and other materials containing the human genome, genes and other genetic materials.
HGR information. HGR information refers to information materials such as data generated by using HGR materials.
(Article 2, Regulations on the Administration of Human Genetic Resources 2019 (2019 HGR Regulations); Article 85, Biosafety Law of the PRC 2020 (2020 Biosafety Law).)
HGR information may also constitute "personal information" and "important data" under the 2016 CSL, the 2021 PIPL and the 2021 DSL. Taking the items listed in Annex B of the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) as an example, personal biometric information (such as genetic data, fingerprints, and voice prints) and personal health and physiological information (such as family medical history) are both HGR information under the 2019 HGR Regulations and sensitive PI under the 2021 PIPL. According to Article 5(h) of the 2022 Draft Important Data Identification Guide, HGR information may also constitute important data under the 2021 DSL (see Important Data).
The Ministry of Science and Technology (MOST) is the department responsible for nationwide management of HGR, and the CAC (the same body as the Office of the Central Cyberspace Affairs Commission) is responsible for maintaining the security of national cyberspace and data. Therefore, pharmaceutical companies and institutions involved in the utilisation of HGR need to comply with the relevant regulatory requirements of both MOST and the CAC.
Cross-Border Transfer of HGR Information
According to the 2019 HGR Regulations, the export of Chinese HGR materials requires the approval of MOST, and the export of Chinese HGR information requires a filing with MOST (Articles 27 and 28). Both providing HGR information to a foreign party and opening access to a foreign party are considered export.
Together with the filing with MOST, an information backup should also be submitted. In addition, if the export may affect China's public health, national security or social public interests, the export is subject to a security review organised by MOST (Article 28, 2019 HGR Regulations).
Meanwhile, the export of HGR information that constitutes PI is subject to the requirements under the 2021 PIPL. Specifically, before providing any HGR information outside of China, the entity concerned should inform the data subjects of the name and contact information of the recipient outside of China, the purpose and manner of the processing, the type of HGR information processed, and the relevant mechanism for the data subjects to exercise their rights regarding their PI, and obtain the data subjects' separate consents. In addition, the entity must conduct a PI protection impact assessment and take the necessary measures (see Outbound Transfer of PI).
Certain HGR information may constitute important data. Data processors of such important data must pass a security assessment organised by the CAC before providing the data outside China (see Important Data).
(For expanded coverage, see Practice Note, Regulation of China's Human Genetic Resources: Overview.)
Similar to the 2019 HGR Regulations, the 2020 Biosafety Law also provides that foreign organisations, foreign individuals and institutions established by them or under their actual control should not collect or conserve China's HGR within China's territory and should not provide China's HGR to foreign countries (Article 56(4)).
The scope of "foreign entity" includes organisations and individuals originating from Hong Kong, Macao, and Taiwan, and institutions established by them or under their actual control (Article 56, 2020 Biosafety Law; Articles 11 and 12, Rules for the Implementation of the Regulations on the Administration of Human Genetic Resources 2023 (2023 HGR Implementing Rules)).
(For expanded coverage, see Practice Note, Chinese Biosecurity Law: Overview.)
PI Protection Compliance in Clinical Trials: Requirements for Informed Consent
Article 1008 of the Civil Code of the PRC 2020 (with effect from 1 January 2021) stipulates that clinical trials should be approved by the relevant competent authorities and reviewed and approved by the ethics committee in accordance with the law, and the subject or the subject's guardian should be informed of the purpose, usage and possible risks of the trial in detail, and should give their written consent.
According to Article 11(11) of the Code for Quality Management of Pharmaceutical Clinical Trials 2020 (GCP), "informed consent" refers to "the process by which subjects confirm their consent to participate voluntarily in a clinical trial after being informed of all aspects that may influence their decisions to participate in the clinical trial. The process should be documented by a written, signed and dated informed consent form." Similar provisions can be found in Article 64 of the Code for Quality Management of Medical Device Clinical Trials 2022 (Medical Device GCP).
The informed consent rule consists of two parts: "informed" and "consent," that is, after the subject has been informed of various aspects that may affect their decision to participate in the clinical trial, the subject confirms their consent to voluntarily participate in the clinical trial in writing.
Content of the Informed Consent Form
The GCP stipulates that the informed consent form and other information provided to subjects should include 20 pieces of information (such as clinical trial profile). The provisions are consistent with the basic requirements of the technical guidelines for the Good Clinical Practice (ICH-GCP) developed by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use (ICH).
The Medical Device GCP also stipulates that 13 matters must be explained to subjects.
Withdrawal of Informed Consent
Withdrawal of informed consent means that the subject withdraws their willingness to participate in the study and no longer takes part in the clinical trial. Item 13 of Article 24 of the GCP and item 9 of Article 14 of the Medical Device GCP both stipulate that clinical trial subjects should have the right to withdraw at any stage without discrimination or retaliation, and that their medical treatment and rights should not be affected.
PI of Healthcare Professionals (HCP)
The PI of HCP involved in clinical trials is mainly the PI of the investigators and staff of clinical trial institutions.
An investigator is defined in the GCP as a principal of a trial site who implements a clinical trial and is responsible for the quality of the clinical trial and the rights, interests, and safety of subjects (Article 11, GCP).
In practice, a clinical trial institution will also employ other staff members for a clinical trial in addition to investigators, whose PI will also be collected.
For investigators, since they sign the clinical trial agreements, collection of their PI can be considered based on necessity of the conclusion and performance of contracts as stipulated under Article 13(2) of the 2021 PIPL.
As for other staff of clinical trial institutions, the legal basis to process their PI should be their consent. One way is to require the clinical trial institution to guarantee that the consent of the staff on the provision of their PI to relevant pharmaceutical companies has been obtained; the other way is to check whether there are corresponding PI clauses in the clinical trial institution's internal personnel management rules and regulations which can support the institution's provision of the staff's PI to relevant pharmaceutical companies.
PI in International Collaborative Scientific Research
According to the 2019 HGR Regulations and the 2020 Biosafety Law, foreign entities and Chinese partners carrying out international co-operation in scientific research must, as a rule, obtain approval from MOST, and may only make a record filing with MOST in limited circumstances.
Article 32 of the 2023 HGR Implementing Rules provides that a filing with MOST (instead of an approval) may be made only when clinical institutions use China's HGR to conduct international collaborative clinical trials without exporting HGR materials, and one of the following conditions is met:
Where the relevant HGR collection, testing, analysis and disposal of surplus HGR materials are conducted in the clinical medical and healthcare institutions which are filed with relevant authorities in China.
Where the HGR involved is collected within clinical medical and healthcare institutions and the test, analysis and residual samples disposal are conducted by the domestic entity designated by the relevant pharmaceutical and medical device marketing authorisation clinical trial programmes.
In addition, for the exploratory research part of clinical trials conducted to obtain market entry for the relevant drugs and medical devices in China, administrative approval for international scientific research co-operation involving HGR must be obtained.
International collaborative scientific research may be accompanied by the export of relevant clinical trial data. The collaborating party should apply for approval or filing with MOST in accordance with the 2019 HGR Regulations and the 2023 HGR Implementing Rules (see HGR Data).
Concept of Medical Records
According to the Rules on the Management of Medical Records in Medical Institutions 2013 (with effect from 1 January 2014), medical records refer to the sum of texts, symbols, graphics, images and slides produced in medical activities by medical personnel, which include both physical medical records and electronic medical records. As medical records typically contain information such as the patient's name, gender, age, and other details that can individually or in combination identify the patient's identity, such information constitutes PI under the 2021 PIPL. Additionally, certain contents within medical records may also reveal the patient's medical and health condition, thereby potentially constituting sensitive PI.
Cross-Border Transfer of Medical Records
Under Chinese law, the cross-border transfer of medical records must comply with both data-related regulations and laws related to the healthcare industry.
From the perspective of laws related to the healthcare industry, while there are no explicit regulatory requirements specifically addressing the cross-border transfer of medical records, there are corresponding principles outlined in relevant laws and regulations. For example, according to the Good Practices for the Application of Electronic Medical Records (Trial Implementation) 2017, medical institutions are required to ensure the secure and compliant transfer of medical records. Information such as the traceability of transfer, transfer time, and personnel involved should be made searchable and traceable.
Furthermore, information contained within medical records constitutes PI under the 2021 PIPL. Therefore, when transferring medical records overseas, it is necessary to comply with China's relevant regulations regarding the outbound transfer of PI (see Outbound Transfer of PI).
Online Treatment and Internet Hospital
The medical data involved in internet hospitals typically includes patients' electronic medical records, PI, and, in some cases, genetic information such as genetic sequences. Chinese law imposes strict requirements for the protection of such data.
Storage of Medical Data by Internet Hospitals
The Management Specifications for Remote Medical Services (Trial Implementation) 2018 set forth strict responsibilities for data security management in internet hospitals. They require medical institutions that provide telemedicine services to strengthen information security and patient privacy protection, prevent illegal transfer and modification, prevent data loss, and establish data security management procedures to ensure network security, operational security, data security, and privacy security. Moreover, the Provisions on the Administration of Internet Hospitals (Trial Implementation) 2018 specify requirements for the storage methods and storage locations of medical data involved in internet hospitals. They state that internet hospitals must have at least two sets of servers for their operations, including database servers and application system servers. The server room housing these servers should have dual power supply or emergency power generation facilities. Importantly, the server used for storing medical data must not be located outside China.
Cross-Border Transfer of Medical Data
From a regulatory perspective, laws and regulations such as the 2021 PIPL, the 2021 DSL, and the 2016 CSL do not explicitly prohibit internet hospitals within China from transferring data overseas. In other words, internet hospitals can provide medical data collected within China to recipients outside the country, as long as they comply with the applicable laws, regulations, and regulatory requirements in China. Similar to the cross-border transfer of medical records (see Cross-Border Transfer of Medical Records), since the medical data involved in internet hospitals mostly consist of PI, internet hospitals are also required to fulfil the obligation to inform the individuals and obtain their consents before transferring PI overseas. Subsequently, an impact assessment on PI protection must be conducted before the outbound transfer. Compliance with the three paths for the outbound transfer of PI is also necessary (see Outbound Transfer of PI). Due to the typically large volume of medical data involved in the cross-border transfer by internet hospitals and the potential inclusion of sensitive PI, a security assessment is highly likely to be required (see Security Assessment).
GMP/GSP data refers to the data generated and retained during the drug production and sales process in accordance with the Good Manufacturing Practice for Drugs 2010 (GMP) and the Good Supply Practice for Pharmaceutical Products 2016 (GSP). The main purpose of keeping GMP/GSP data is to ensure that activities such as drug production, quality control and quality assurance can be traced. GMP and GSP have very specific requirements on the types of records to be kept, the form of record keeping, data alteration and deletion, as well as record keeping time, in order to ensure that the data is original, true, accurate, secure and traceable.
According to Articles 171 and 176 of the GMP, each batch of products should have the corresponding batch production records so that each batch of products can be traced back to identify the production history of the products and their quality, and the packaging of each batch of products or part of the batch should be recorded in order to trace its packaging operations and the quality related thereto. The GMP sets detailed provisions for the batch production records and batch packaging records of pharmaceutical products, including the required content of records, the personnel responsible for record review and approval, and other related aspects. Additionally, the GMP also requires the documentation of processes such as equipment assembly and calibration, maintenance of premises and equipment, cleaning and disinfection, and environmental monitoring (Article 183).
The GSP specifies clear record-keeping requirements for matters such as training of company personnel, quality management systems, regular inspections, cleaning, and maintenance of storage and transportation equipment, drug procurement, and other related matters. Furthermore, the GSP also establishes explicit requirements for the retention period of relevant records and supporting documents related to quality management systems, stipulating that they should be retained for a minimum of five years (Article 42).
Cross-Border Transfer of GMP/GSP Data
Neither the GMP nor the GSP explicitly provides rules on the cross-border transfer of GMP/GSP data. However, it is generally understood that cross-border transfers of GMP/GSP data must still comply with the cross-border data transfer requirements under the relevant data governance laws.
Article 23 of the Physicians Law of the PRC 2021 (with effect from 1 March 2022) specifies that physicians should "protect the privacy and PI of patients in accordance with the law."
In accordance with the 2020 Healthcare Data Security Guide, patients' privacy and PI may constitute Level 2 to Level 5 data as described therein. Physicians should handle data at all levels in strict accordance with the table below; otherwise their conduct may constitute leakage of patients' privacy and PI and attract penalties (which may include warnings, confiscation of illegal income, fines, suspension of practice or even revocation of the practising certificate).
Summary of Cited Laws and Regulations