This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai.
Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.
This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.
1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?
Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.Category Definition Key Regulatory Compliance Focus
Health Care Big Data
The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)
Data relating to health care generated in the course of disease prevention and control as well as health management
Note: the Measures do not clarify what data qualifies as health care “big” data.
Localisation and storage
Transfer: Cross-border data transfer is subject to security assessment.
Human Genetic Resources
The Interim Administrative Measures for the Management of Human Genetic Resources Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products.
Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted.
Localisation and storage
Transfer: Approval from administrative bodies is required before cross-border transfer.
The Pharmaceutical Data Management Specification (Draft for Comments) Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation. Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.
Medical Device Data
The Guidelines for Technical Review of Network Security Registration for Medical Devices Health care data and device data. Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.
The Regulations for Medical Institutions on Medical Records Management
All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records.
Medical records are filed as medical history.
Collection: Consent from data subject is required.
Transfer: Medical institutions should keep records strictly confidential except under specific circumstances.
The Measures for the [...]