China: Personal information protection in health and pharmaceutical industries - part two
The requirements for personal information protection in the health and pharmaceutical industries are complex. Danjun Wu, Partner at Guantao Law Firm, provides a two-part overview: part one introduces the basic requirements for personal information protection to be met by medical institutions and pharmaceutical companies, and part two introduces the specific protection obligations to be fulfilled by medical institutions and pharmaceutical companies in the key contexts of processing personal information.
Personal information access context
A patient's access to their personal information
When a patient requests access to their medical records, a medical institution shall provide the appropriate service after checking the patient's valid identification.
When a patient accesses their medical records through the online system, the medical institution is also required to take steps to verify the true identity of the patient. For example, a patient may be required to log into the system via a real-name mobile phone number and a verification code. The Information Security Technology - Guide for Health Data Security (GB/T 39725-2020) recommends that medical institutions display user instructions via system pages when patients perform the corresponding actions, such as informing patients that they are responsible for protecting the security of their medical records after downloading them. At the same time, medical institutions shall consider using verification or encryption technology to ensure the confidentiality and integrity of personal healthcare data during transmission.
A third party's access to a patient's medical records
According to the 2013 Regulations on the Management of Medical Records in Medical Institutions (the 2013 Regulations), except for medical personnel providing medical services to patients, as well as departments or personnel in charge of case management and medical management authorized by the National Health and Family Planning Commission, the administration of traditional Chinese medicine, or medical institutions, no other institution or individual shall have unauthorized access to patients' medical records. If other medical institutions and medical personnel need to access or borrow medical records for scientific research or teaching purposes, they shall apply to the medical institution where the patient is treated, and only after the institution has agreed and gone through the appropriate procedures can they access or borrow the records. Medical records shall be returned immediately after access, and borrowed medical records shall be returned within three working days. Accessed medical records shall not be taken away from the institution. The Guide for Health Data Security provides a reference for medical institutions to establish systems for managing access to patient records by medical personnel in terms of data classification, role definition, data labeling, authority allocation, identity identification, and data access.
In addition, a patient's agent, a legal heir, or an agent of the deceased patient, insurance agencies, and relevant law enforcement agencies can apply for access to the patient's medical records. The 2013 Regulations require medical institutions to designate a department or full-time (part-time) staff to receive applications for copying or accessing medical records. When accepting an application, medical institutions shall require the applicant to provide relevant supporting materials and review the application materials.
If a medical institution provides medical records to others in violation of the law, it may face administrative penalties. For example, in December 2022, the Health Commission imposed an administrative penalty and fine of RMB 20,000 (approx. $2,810) on a hospital for disclosing a patient's privacy by providing a patient's medical records to a third party other than the patient themself in violation of the provisions of the 2013 Regulations.
Online processing context
As the digital transformation of the health industry progresses, the People's Republic of China (PRC) is gradually entering a state of development where hospital-led online hospitals are in the majority. In order to provide online diagnosis and treatment services to patients, medical institutions will process personal information, including patients' identity information and medical history data. In order to protect the security of personal information in the process of online diagnosis and treatment, the PRC has put forward personal information protection requirements for online hospitals through legal documents, such as the Measures for the Administration of Online Diagnosis and Treatment (trial implementation), the Measures for the Administration of Online Hospitals (trial implementation), the Norms for the Administration of Telemedicine Services (trial implementation), and the Norms for the Application of Electronic Medical Records (trial implementation), including that:
- an online hospital shall strictly implement the relevant laws and regulations on cybersecurity and confidentiality of medical data, properly store patient information, and not illegally trade or disclose patient information;
- an online hospital shall establish a data access control information system to ensure system stability and service traceability throughout the online diagnosis and treatment, and realize data exchange and sharing with the Hospital Information System (HIS), Picture Archiving and Communication System (PACS), Radiology Information System (RIS), and Laboratory Information System (LIS) of a brick-and-mortar medical institution;
- an online hospital shall establish and improve relevant management systems and service processes to ensure that the entire process of online diagnosis and treatment is traceable, and open data interfaces to the regulatory authorities;
- an online hospital shall have at least two sets of servers for its operation and separate the database server from the application system server, and the room where the servers are housed shall have dual power supply or emergency power generation facilities;
- servers used by an online hospital to store medical data shall not be stored outside the territory of the PRC;
- the information system of an online hospital shall implement the third level of cybersecurity-graded protection;
- an online hospital shall designate personnel responsible for the management of medical quality, medical safety, and electronic medical records, provide technical services, such as maintenance of the online hospital information system, and ensure the stable operation of the online hospital system; and
- in the event of leakage of patient information and medical data, an online hospital shall promptly report to the competent health administration department and immediately take effective response measures.
Pharmaceutical clinical trial context
In a pharmaceutical clinical trial context, sponsors and investigators (i.e., personal information processors) are also required to comply with legal documents, such as the Personal Information Protection Law (PIPL) and the Code of Practice for the Quality Management of Pharmaceutical Clinical Trials, which require the protection of the subjects' personal information. In addition, in March 2023, the Guangdong Pharmaceutical Association released the Pharmaceutical Clinical Trial, Information Security, Guangdong Consensus, which sets out detailed requirements on personal information protection in pharmaceutical clinical trials and can be used as an important reference by personal information processors.
Inform and obtain consent in advance
In a pharmaceutical clinical trial context, personal information processors will process the subjects' personal information by collecting, using, and storing it, among others, and shall therefore inform the subjects and obtain the subject's consent or other legal bases in advance. Personal information processors could add content related to the processing of personal information to original informed consent forms and allow the subjects to choose whether to consent after reading.
In this context, personal information processors may process sensitive personal information or provide personal information to other personal information processors. In this case, personal information processors shall obtain the separate consent of the subjects. If personal information processors obtain the subjects' general consent to all personal information processing activities only through one informed consent form, that consent may be found to be invalid. To reduce this risk, personal information processors could consider the following approaches:
- issuing a separate informed consent form for a specific context, such as sensitive personal information processing or external provision of personal information; and
- adding checkboxes to the original informed consent form for sensitive personal information processing or provision of personal information; if a subject agrees to the specific personal information processing, they could manually check the checkbox to indicate separate consent.
In addition, personal information processors shall establish and disclose response mechanisms for the subjects' personal information rights and interests and promptly process the subjects' requests for exercising their rights. Where a subject's request is rejected, the personal information processor shall give reasons as to why.
Personal information categorization and classification management
Personal information processors shall categorize and classify the subjects' personal information according to dimensions such as personal identification information, health information, and contact information, as well as by data sensitivity level, and apply security protection measures appropriate to each class. If an industry authority or other regulatory authority stipulates that certain categories of personal information are important data, personal information processors shall give them the highest level of security protection.
Internal management system and authority setting
Personal information processors shall establish internal management systems and operational procedures of personal information protection to limit the processing of the subjects' personal information within the scope of the subject's consent. Further, personal information processors shall clarify the processing authority of test participants to avoid unauthorized personal information processing activities. For instance, in trials where subjects are assigned codes in lieu of names, only the investigator and research team members could access the subjects' information corresponding to the codes to the extent necessary in accordance with their work authorization. Subject to the principles of confidentiality and relevant regulations and to the extent necessary for their work, supervisors, inspectors, ethics committees, and drug regulatory authority inspectors could access the original medical records of relevant subjects to verify the process and data of the clinical trial. Before any person is allowed to access the subjects' personal information, the person in charge shall verify their valid identity to ensure the confidentiality of the trial information.
Medical institutions and pharmaceutical companies may also use personal information for marketing purposes, for example to raise awareness of the institution or company or to sell medicines. In these contexts, medical institutions and pharmaceutical companies shall still inform the subjects and establish an appropriate legal basis for the processing of personal information; otherwise, they may face penalties.
In addition, medical institutions and pharmaceutical companies shall safeguard the subjects' rights of refusal. When a subject refuses to have their personal information processed by medical institutions and pharmaceutical companies in order to send them marketing information, the medical institutions and pharmaceutical companies shall promptly cease to continue sending such information. If medical institutions and pharmaceutical companies use automated decision-making to push information and commercial marketing to subjects, they shall also provide the option of not targeting the subjects' personal characteristics or provide them with convenient ways to refuse.
Provision of personal information outside the territory of the PRC
Data which shall in principle be stored in the territory of the PRC
The PRC currently has requirements for specific categories of personal information that are, in principle, not allowed to be provided outside the territory of the PRC, as reflected in the health and pharmaceutical industries as follows:
| Data category | Requirement | Related legal document |
| --- | --- | --- |
| Population health information | Entities in charge shall not store population health information in any server outside the PRC and shall not host or lease any server outside the PRC. | Measures for the Administration of Population Health Information (trial implementation) |
| Medical data | The server storing medical data must not be located outside the PRC. | Basic Standards for Internet Hospitals (trial implementation) |
| Healthcare and medical big data | Healthcare and medical big data shall be stored in the territory of the PRC on secure and trusted servers. A personal information processor that, due to business needs, provides information outside the territory of the PRC shall comply with relevant laws and regulations and the relevant requirements for security assessment and review. | National Management Approach for Healthcare and Medical Big Data Standards, Security and Services (trial implementation) |
| Human genetic resources | Human genetic resources cannot, in principle, be transferred across borders. Personal information processors are required to meet specific conditions in specific contexts, such as international collaborative scientific research, before they can provide human genetic resources outside the territory of the PRC. | Regulation on Human Genetic Resources Administration |
Main approaches to provide personal information outside the territory of the PRC
A medical institution or pharmaceutical company that truly needs to provide personal information to a party outside the territory of the PRC for business or other reasons shall meet one of the following requirements:
- passing the security assessment for cross-border data transfers organized by the Cyberspace Administration of China (CAC);
- obtaining personal information protection certification from the relevant specialized institution according to the provisions issued by the CAC; or
- concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the CAC.
Security assessment for cross-border data transfers
When a medical institution or pharmaceutical company really needs to provide personal information outside the PRC for business or other reasons, and one of the following circumstances exists, it shall apply to the CAC for a security assessment for cross-border data transfers through the provincial cyberspace administration where it is located:
- the personal information provided by a medical institution or pharmaceutical company outside the PRC is deemed to be important data;
- a medical institution or pharmaceutical company identified as a critical information infrastructure operator provides personal information abroad;
- a medical institution or pharmaceutical company that processes personal information of more than one million subjects provides personal information outside the PRC;
- a medical institution or pharmaceutical company that has cumulatively provided the personal information of 100,000 subjects or the sensitive personal information of 10,000 subjects abroad since January 1 of the previous year; or
- other circumstances prescribed by the CAC for which the application of a security assessment for cross-border data transfers is required.
Before applying for a security assessment, a medical institution or pharmaceutical company shall conduct a Personal Information Protection Impact Assessment (PIPIA) and a risk self-assessment for cross-border transfers in accordance with the PIPL and the Measures on Security Assessment of Cross-border Data Transfer, and agree with the overseas recipient on their respective responsibilities for data security protection.
The result of an approved security assessment is valid for two years from its issue date. If there is a need to continue data export activities, the medical institution or pharmaceutical company shall re-apply for the assessment 60 working days before the expiry of the validity period. In the event of the circumstances stipulated in Article 15 of the Measures on Security Assessment of Cross-border Data Transfer, the validity period expires and the medical institution or pharmaceutical company concerned shall re-apply for the assessment.
Given the sensitivity and volume of the personal information processed by medical institutions and pharmaceutical companies, applying for a security assessment for cross-border data transfers is likely to be the main route by which they provide personal information outside the territory of the PRC. In January 2023, the Cyberspace Administration of Beijing disclosed that the CAC had approved a research project between Beijing Friendship Hospital and Amsterdam University Medical Centers, which became the first case in the PRC to pass a security assessment for cross-border data transfers. This case provides practical guidance for strengthening the secure management of healthcare and medical data transferred out of the PRC and promoting international medical research collaboration.
Standard contract and personal information protection certification
A medical institution or pharmaceutical company could choose to conduct personal information export activities by signing a standard contract with an overseas recipient or obtaining personal information protection certification from the relevant specialized institution when it meets all four of the following conditions:
- it is not a critical information infrastructure operator;
- it processes the personal information of less than 1 million subjects;
- it has cumulatively transferred abroad the personal information of less than 100,000 subjects since January 1 of the previous year; and
- it has cumulatively transferred abroad the sensitive personal information of less than 10,000 subjects since January 1 of the previous year.
When a medical institution or pharmaceutical company chooses to provide personal information abroad by signing a standard contract, it will be required to sign a Standard Contract of Personal Information Cross-Border Transfer with the overseas recipient, which is annexed to the Measures for the Standard Contract for Personal Information Cross-Border Transfer (which took effect on June 1, 2023). It is also required to conduct a PIPIA. The PRC has not yet issued official guidelines or reporting templates for the PIPIA. The key assessment elements of the PIPIA required by the Measures for the Standard Contract for Personal Information Cross-Border Transfer overlap with the cross-border data transfer risk self-assessment report template provided in the first version of the Guidelines for the Application of Security Assessment of Cross-border Data Transfer, so the risk self-assessment report template can be used as a reference for preparing a PIPIA report. In addition, the medical institution or pharmaceutical company shall file the standard contract with the provincial cyberspace administration where it is located within 10 working days from the date on which the standard contract enters into force. The following materials shall be submitted for filing:
- the standard contract; and
- the PIPIA report.
Regarding the personal information protection certification, the PRC has currently issued the Personal Information Protection Certification Implementation Rules, the Cybersecurity Standard Practice Guideline - Safety Certification Specification for Personal Information Cross-border Processing Activities V2.0, and the draft Information Security Technology - Certification Requirements for Cross-border Transmission of Personal Information. Currently, a personal information processor can apply to the China Cybersecurity Review Technology and Certification Center for a personal information protection certification. However, there are still many gaps in the designation of specialized institutions and the implementation of certifications in the PRC, and further improvements are needed.
Special personal information: providing human genetic resources outside the PRC
There have been several cases in the PRC where the Ministry of Science and Technology (MOST) has penalized the unauthorized provision of human genetic resources information outside the PRC. The violations included:
- the unauthorized export of human genetic resources (human serum) declared as dog plasma, with the following penalties:
  - confiscation and destruction of the human genetic resources materials in the research project; and
  - suspension of the acceptance of the company's applications for international cooperation and export activities involving human genetic resources from the PRC, to be reinstated after its rectification is accepted by the MOST;
- the unauthorized transfer of part of the human genetic resources information over the internet to outside the PRC, with the following penalties:
  - requirement to cease the relevant research project;
  - requirement to destroy all genetic resource materials not yet exported, as well as all related research data from the research project; and
  - requirement to stop the company's international cooperation involving Chinese human genetic resources, to be restarted only after its rectification is accepted by the MOST.
According to the Regulation on Human Genetic Resources Administration, foreign organizations, individuals, and the institutions established or actually controlled by them shall not collect or preserve Chinese human genetic resources within the territory of the PRC, nor shall they provide Chinese human genetic resources to parties outside the country. Where Chinese scientific research institutions, institutions of higher learning, medical institutions, or enterprises use Chinese human genetic resources to carry out international cooperative scientific research, or where it is truly necessary to transport, mail, or carry Chinese human genetic resources materials out of the country due to other special circumstances, they shall meet the following conditions and shall obtain export certificates for human genetic resource materials issued by the MOST:
- there is no harm to the public health, state security, and public interest of the PRC;
- the entities have legal person status;
- the entities have clear overseas cooperation partners and reasonable purposes of use for the transfer;
- the human genetic resource materials are collected in a legal manner or obtained from legal preservation institutions; and
- the entities have passed the ethical review.
When carrying out international cooperation in scientific research by utilization of Chinese human genetic resources, if it is necessary to transport, mail, or carry Chinese human genetic resources out of the PRC, a separate application may be filed, or the application may be filed simultaneously by listing the export plan in the application for international cooperation in scientific research, which shall be examined and approved in a consolidated manner by the MOST. If the Chinese human genetic resource materials are transported, mailed, or carried out of the PRC, the customs formalities shall be processed on the basis of the export certificates for human genetic resource materials.
In addition to the administrative penalties that may be imposed for illegally providing Chinese human genetic resources outside the PRC, a personal information processor may also commit the crime of smuggling human genetic material under the Criminal Law and be subject to criminal liability as follows:
- whoever illegally transports, mails, or carries Chinese human genetic resources materials out of the PRC, endangering public health or the public interest, where the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years, criminal detention, or public surveillance, and shall also, or solely, be fined; and
- if the circumstances are particularly serious, the offender shall be sentenced to fixed-term imprisonment of not less than three years and not more than seven years, and shall also be fined.
Danjun Wu Partner
Guantao Law Firm, Shanghai