A recent update to the Office of Management and Budget (OMB) website suggests that the answer is “yes”—though that depends on how one defines “soon.” According to its website, OMB received the Office of the National Coordinator for Health Information Technology’s (ONC’s) final rule, entitled 21st Century Cures Act: Interoperability, Information Blocking, and the ONC
The demand for healthcare innovation is driving collaboration between formerly disparate healthcare companies and bringing in new players, such as technology companies and start-ups, into an already complex space. As companies build partnerships and pool resources – particularly healthcare data – data ownership presents numerous challenges that need to be addressed throughout the lifecycle of…
In preparation for GDPR compliance, organizations around the globe worked months in advance of the deadline to ensure compliance. But what happened after the date of effectiveness? McDermott set out to learn how companies fared across the United States, Europe, China and Japan.
In digging deeper, we discovered valuable findings, including:
- Countries and regions are
This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai.
Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.
This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.
1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?
Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.
|Category||Definition||Key Regulatory Compliance Focus|
Health Care Big Data
The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)
Data relating to health care generated in the course of disease prevention and control as well as health management
Note: the Measures do not clarify what data qualifies as health care “big” data.
Localisation and storage
Transfer: Cross-border data transfer is subject to security assessment.
Human Genetic Resources
The Interim Administrative Measures for the Management of Human Genetic Resources
|Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products.||
Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted.
Localisation and storage
Transfer: Approval from administrative bodies is required before cross-border transfer.
The Pharmaceutical Data Management Specification (Draft for Comments)
|Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation.||Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.|
Medical Device Data
The Guidelines for Technical Review of Network Security Registration for Medical Devices
|Health care data and device data.||Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.|
The Regulations for Medical Institutions on Medical Records Management
All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records.
Medical records are filed as medical history.
Collection: Consent from data subject is required.
Transfer: Medical institutions should keep records strictly confidential except under specific circumstances.
The Measures for the Management of Scientific Data
|Primarily data produced from basic research, application research, pilot development and other endeavours in such areas as natural science and engineering technology science, and the original data and data derived via observation and monitoring, survey and investigation, and inspection and detection that is used for scientific research activities.||Transfer: Data involving state secrets are strictly forbidden to be transferred to a third party.|
2. What are the key compliance steps for health care data collection in China?
Collection of any health care data involving personal information should be based on the three principles of China’s Cybersecurity Law (legitimacy, justification and necessity) and requires the consent of the data subject. The rules, purposes, methods and ranges of such collection should also be disclosed to the data subject.
Collection of human genetic information by foreign entities or foreign individuals is strictly regulated, and such collection is subject to the approval of regulatory authorities.
Multinationals may wish to consider taking the following steps to be compliant with Chinese laws:
Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in…
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.
The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).…
Join us on November 8, 2018, for the third installment of McDermott’s live webinar series on digital health. In this installment, partners Bernadette M. Broccolo, Jiayan Chen and Vernessa T. Pollard will explore opportunities for accelerating biomedical research, development and commercialization through digital health tools and solutions, such as end-user license agreements (EULAs), wearables…
The interest in leveraging the value of big data in digital health has become a focus of health care industry mainstays and newcomers alike. Within a challenging regulatory landscape, it is critical for those looking to play in this space to be proactive in planning their data strategy, with an eye towards compliance planning and solid due diligence to maximize its value. In this Q&A, big data thought leaders Bernadette Broccolo and Sarah Hogan, both partners in McDermott Will & Emery’s Health Industry Advisory group, discuss the challenges and opportunities that health industry stakeholders face when stepping into the world of big data.
For information on this topic and to hear the full Q&A with Bernadette and Sarah, listen to the newest episode of the Of Digital Interest podcast. You can access the full episode at here or subscribe to the podcast on iTunes, Pocket Casts or Soundcloud.
Q. Where is the value in big data in digital health? Who is seeing value today and what are their motivations?
BB: The best short answer is that everybody is seeing value – both long standing industry players and newcomers. The real value in big data comes not from raw data or just having a lot of data, but in the ability to use it and mine it, to have it in a form that’s analyzable. What’s very surprising too, in addition to the speed with which the interest in big data has escalated, is who is interested. In the past, one certainly expected academic medical centers and universities that have major research initiatives and clinical trial initiatives to be interested. But now others like molecular lab testing organizations, CLIA regulated laboratories and entrepreneurs are interested in capturing data.
SH: I think one of the surprising players is actually the pharma companies. It may sound odd to say that, but they have a lot of data – including a lot of clinical data – that they’re looking at mining to determine how they can target their therapeutics in a way that helps patients more efficiently. They are looking at themselves and asking “What does the 21st century pharma company look like?”…
California’s Senate and Assembly unanimously approved AB 375 (also known as the California Consumer Privacy Act of 2018), on June 28, 2018. This new consumer privacy bill will be the most progressive and comprehensive privacy law in the United States, reaching far beyond California’s borders to give California consumers more visibility and control over their…