China Issues Data Protection Measures for the Healthcare and Medical Industry

September 26, 2018 | By Jacelyn Johnson

Vivian Wu, counsel, and Xuan He, associate, at FenXun Partners in Beijing discuss the new rule issued by China's National Health Commission regulating data protection in the healthcare and medical industry.

Technology development is driving the big data revolution in the healthcare sector in China. The Chinese government sent out clear signals on developing and applying big data in healthcare and medical treatment back in 2015. However, business operators' access to medical data maintained by Chinese healthcare institutions, and their transfer of that data outside China, have triggered regulatory concerns from a cybersecurity administration perspective. The National Health Commission of the People's Republic of China (NHC) recently issued a rule to regulate data protection in the healthcare industry.

The Measures on Administration of Standard, Security and Service for National Healthcare and Medical Data (Trial Implementation) (Measures) (国家健康医疗大数据标准、安全和服务管理办法(试行)) were publicly announced on September 13, although the NHC issued them on July 12 this year. The Measures apply not only to healthcare institutions but also to any entities or individuals that may be involved in the administration of healthcare and medical big data. The term "healthcare and medical big data" (HM Data) is broadly defined to include Chinese citizens' healthcare data generated in the course of disease prevention and health management within the territory of the PRC.


WHAT ARE THE HIGHLIGHTS UNDER THE MEASURES?

Healthcare institutions to strengthen protection of HM Data

The Measures impose general requirements on healthcare institutions to ensure they comply with the HM Data protection rules and keep that data secure. In particular, they are required to establish security management systems, satisfy the cybersecurity graded protection (multi-level protection scheme) requirements, and comply with state secrets protection requirements where applicable.

The Measures explicitly require that, when engaging HM Data service providers, healthcare institutions must ensure those service providers comply with the statutory requirements, are capable of ensuring the security of the data, and have comprehensive data security management, privacy protection and contingency response management systems in place. The service providers should carry out the storage, administration and operation of HM Data in accordance with applicable laws and regulations as well as the processing agreements.

Further, the Measures emphasize that the persons in charge of healthcare institutions are accountable for the security of HM Data. Failure to comply with these requirements may expose entities and responsible individuals to disciplinary action and other legal liabilities.

In light of this new rule, Chinese healthcare institutions are expected to become increasingly reluctant to share HM Data with third parties for data research and development or other cooperation projects, unless there are compelling reasons to do so and sufficient security protection measures have been put in place.

Healthcare institutions maintaining HM Data as CII operators

The Measures explicitly state that the security administration of HM Data involves national strategic security. Further, Article 19 of the Measures requires upgrading the security protection capability of critical information infrastructure (CII) and critical information systems, which implies that the systems of Chinese healthcare institutions maintaining HM Data are viewed as CII.

This is consistent with the draft Regulations on the Protection of the Security of Critical Information Infrastructure (关键信息基础设施安全保护条例), published on July 10, 2017, which provide that an entity providing healthcare and medical services constitutes a CII operator.

Security assessment for cross-border transfer of HM Data

According to the Measures, HM Data should be stored on secure and reliable servers within China and may only be transferred overseas with sufficient business justification, subject to a security assessment in accordance with applicable laws and regulations. The Measures send a clear signal that HM Data is likely to be viewed as important data from a cybersecurity perspective, and that the NHC is taking a position generally in line with the Cyberspace Administration of China.

Article 37 of the PRC Cybersecurity Law (CSL) requires CII operators to store locally the personal information and important data collected and generated during their operations within the territory of China. If such data has to be transferred outside China due to business needs, it is subject to a security assessment conducted in accordance with the relevant measures, unless otherwise provided by laws and regulations.

The draft Information Security Technology – Guidance on Security Assessment on Cross-border Data Transfer (信息安全技术 – 数据出境安全评估指南), published on August 30, 2017, which provides detailed guidance on cross-border transfers of data, categorizes healthcare information as important data subject to a security assessment prior to any cross-border transfer. In particular, such healthcare information includes personal electronic medical records, health records and other medical and health data kept by medical institutions and health management service providers.

HM Data protection standard management

The Measures only provide general principles on HM Data protection. Nonetheless, they call for building an HM Data standard management system. The NHC, together with its local counterparts, will take the lead in planning and preparing the HM Data protection standards and in supervising their implementation. Healthcare institutions, research institutions, enterprises and trade associations are expected to participate in preparing the HM Data protection standards.

WHAT DO BUSINESS OPERATORS IN THE HEALTHCARE SECTOR NEED TO CONSIDER?

The Measures make clear that HM Data will be treated as important data, and that operators maintaining HM Data are likely to be viewed as CII operators under the CSL.

Business operators intending to access HM Data through cooperation with healthcare institutions should be mindful of the strengthened protection extended to HM Data, in particular the local data residency requirements and the security assessment required for cross-border transfers of important data.

For business operators who wish to provide data processing services to Chinese healthcare institutions, it is important to understand the relevant qualification and capability requirements, as well as the scope of work under the relevant processing agreements.

Separately, since the CSL implementing rules and guidelines with regard to local residency requirements and cross-border data transfer have not yet been finalized and issued, business operators in the healthcare industry should closely monitor regulatory developments in this area and start formulating plans to comply with the various data security requirements as soon as possible.

Last but not least, business operators may consider participating in or contributing to the preparation of the HM Data protection standards under the leadership of the NHC and its local counterparts.
