This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai.
Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.
This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.
1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?
Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.
|Category|Definition|Key Regulatory Compliance Focus|
|---|---|---|
|Health Care Big Data: The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)|Data relating to health care generated in the course of disease prevention and control as well as health management. Note: the Measures do not clarify what data qualifies as health care “big” data.|Localisation and storage. Transfer: Cross-border data transfer is subject to security assessment.|
|Human Genetic Resources: The Interim Administrative Measures for the Management of Human Genetic Resources|Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products.|Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted. Localisation and storage. Transfer: Approval from administrative bodies is required before cross-border transfer.|
|The Pharmaceutical Data Management Specification (Draft for Comments)|Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation.|Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.|
|Medical Device Data: The Guidelines for Technical Review of Network Security Registration for Medical Devices|Health care data and device data.|Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.|
|The Regulations for Medical Institutions on Medical Records Management|All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records. Medical records are filed as medical history.|Collection: Consent from data subject is required. Transfer: Medical institutions should keep records strictly confidential except under specific circumstances.|
|The Measures for the Management of Scientific Data|Primarily data produced from basic research, application research, pilot development and other endeavours in such areas as natural science and engineering technology science, and the original data and data derived via observation and monitoring, survey and investigation, and inspection and detection that is used for scientific research activities.|Transfer: Data involving state secrets are strictly forbidden to be transferred to a third party.|
2. What are the key compliance steps for health care data collection in China?
Collection of any health care data involving personal information should be based on the three principles of China’s Cybersecurity Law (legitimacy, justification and necessity) and requires the consent of the data subject. The rules, purposes, methods and ranges of such collection should also be disclosed to the data subject.
Collection of human genetic information by foreign entities or foreign individuals is strictly regulated, and such collection is subject to the approval of regulatory authorities.
Multinationals may wish to consider taking the following steps to be compliant with Chinese laws:
Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in…
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance, and will be for years to come.
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.
The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).…
Join us on November 8, 2018, for the third installment of McDermott’s live webinar series on digital health. In this installment, partners Bernadette M. Broccolo, Jiayan Chen and Vernessa T. Pollard will explore opportunities for accelerating biomedical research, development and commercialization through digital health tools and solutions, such as end-user license agreements (EULAs), wearables…
The interest in leveraging the value of big data in digital health has become a focus of health care industry mainstays and newcomers alike. Within a challenging regulatory landscape, it is critical for those looking to play in this space to be proactive in planning their data strategy, with an eye towards compliance planning and solid due diligence to maximize its value. In this Q&A, big data thought leaders Bernadette Broccolo and Sarah Hogan, both partners in McDermott Will & Emery’s Health Industry Advisory group, discuss the challenges and opportunities that health industry stakeholders face when stepping into the world of big data.
For information on this topic and to hear the full Q&A with Bernadette and Sarah, listen to the newest episode of the Of Digital Interest podcast. You can access the full episode here or subscribe to the podcast on iTunes, Pocket Casts or Soundcloud.
Q. Where is the value in big data in digital health? Who is seeing value today and what are their motivations?
BB: The best short answer is that everybody is seeing value – both long-standing industry players and newcomers. The real value in big data comes not from raw data or just having a lot of data, but in the ability to use it and mine it, to have it in a form that’s analyzable. What’s very surprising too, in addition to the speed with which the interest in big data has escalated, is who is interested. In the past, one certainly expected academic medical centers and universities that have major research initiatives and clinical trial initiatives to be interested. But now others like molecular lab testing organizations, CLIA regulated laboratories and entrepreneurs are interested in capturing data.
SH: I think one of the surprising players is actually the pharma companies. It may sound odd to say that, but they have a lot of data – including a lot of clinical data – that they’re looking at mining to determine how they can target their therapeutics in a way that helps patients more efficiently. They are looking at themselves and asking “What does the 21st century pharma company look like?”…
California’s Senate and Assembly unanimously approved AB 375 (also known as the California Consumer Privacy Act of 2018), on June 28, 2018. This new consumer privacy bill will be the most progressive and comprehensive privacy law in the United States, reaching far beyond California’s borders to give California consumers more visibility and control over their…
Join McDermott next Wednesday for a live webinar on the unique considerations in developing and procuring AI solutions for digital health applications from the perspective of various stakeholders. We will discuss the legal issues and strategies surrounding:
- Research and data mapping essential to the development and validation of AI technologies
- Protecting and maintaining intellectual property
The digitization of health care and the proliferation of electronic medical records is happening rapidly, generating large quantities of data with potential to provide valuable insights into disease and wellness and help solve challenging public health problems.
There is tremendous enthusiasm over the possibilities of leveraging this data for secondary use–i.e., a use…
As Europe’s General Data Protection Regulation (GDPR) takes effect, companies around the world are racing to implement compliance measures. In parallel with the GDPR’s development, China’s new data protection framework has emerged over the past year and is in the final stages of implementing the remaining details. With similar and often overlapping obligations, full compliance with the GDPR and China’s data protection framework presents a significant new challenge for companies with operations in China.
Does the GDPR Apply to Companies in China?
The GDPR applies to the processing of personal data of people who are in the European Union, even for a controller or processor in China, where the processing of the data is related to:
- The offering of goods or services to the data subjects in the European Union, regardless of whether a payment is required; or
- The monitoring of people’s behavior in the European Union.
As a result, even if a Chinese company does not have any formal establishments in the European Union, the GDPR will nonetheless apply if it is conducting either of these two types of activities.
What Are the Requirements for Companies in China Subject to the GDPR?
The GDPR primarily focuses on two categories of entities: “controllers” and “processors.” These two types are similar to concepts in the Chinese rules. “Controllers” are entities that, alone or jointly with others, determine the purposes and means of the processing of personal data. “Processors” are entities that carry out the processing of personal data on behalf of the controllers.
Key requirements for most controllers under the GDPR:…