October 03, 2022

Data Protection Laws and Compliance in China for Healthcare Industry

Although the Covid-19 pandemic was devastating and disruptive, it accelerated the digital health sector in China. The digital health industry saw a sharp rise in both the number of online medical users and the revenue they generate.

According to available data, online medical users increased from 214.8 million in 2020 to 233.3 million in 2021, generating an additional $44.7 in revenue per user. Statista is equally optimistic, predicting that China’s digital health industry will gross $46 billion in 2022 and $84.7 billion in 2027, a growth rate of about 12.98% year over year.

While this growth is exciting and makes it tempting to jump into China’s digital medical space, healthcare companies need to get acquainted with the country’s personal data protection laws before they can operate smoothly. Below, we outline the main data protection rules and medical device regulations businesses must comply with, particularly when sharing data outside the country.

Who should be aware of medical data regulations in China

Under Article 28 of China’s Personal Information Protection Law (PIPL), personal health information is classified as sensitive personal information and must be protected from unlawful collection, transfer, and processing. Failing to comply with the rules governing PHI data residency leaves your business exposed to fines and other penalties.

Here are businesses that need to be aware of medical data regulations in China.

  • Telemedicine/Virtual care providers
  • Mobile medical Apps
  • Providers of medical robots
  • Manufacturers/providers of medical wearables, including hearing aids, wearable ECG monitors, biosensors, smart health watches, wearable blood pressure monitors, etc.
  • Software as a medical device (SaMD) providers
  • Clinical decision support software providers
  • Providers of AI/ML-powered digital medical solutions
  • Digital therapeutics
  • Medical 3D printing/bioprinting
  • Internet of things and connected devices

Key Chinese data protection laws for healthcare industry

With a population of over 1.4 billion people and a digital health market projected to reach $46 billion in 2022 and $84.7 billion by 2027, China is a market that can materially increase your company’s revenue if successfully tapped. However, your business or products can suffer significant setbacks if they fail to comply with any of China’s medical device regulations or data privacy laws.

DiDi, one of China’s largest ride-hailing companies, was fined $1.2 billion for data protection violations in 2022, and its top executives were each fined about $148,000 in personal liability. If your company hopes to operate without such setbacks, below is a list of the Chinese laws and regulations that your business or its products must comply with:

  • Law of the PRC on the Protection of Consumer Rights and Interests
  • Data Security Law of the PRC
  • Personal Information Protection Law (PIPL)
  • Cybersecurity Law of the PRC
  • Civil Code of the PRC
  • Guiding Opinions on Internet Plus Medical Services
  • Guiding Opinions of the National Healthcare Security Administration on Improving Internet Plus Medical Services
  • Administrative Measures for Internet-Based Diagnosis
  • Administrative Measures for Internet Hospitals
  • Administrative Regulations for Telemedicine Services
  • Law of the PRC on the Promotion of Basic Medical and Healthcare
  • Administrative Regulations on the Application of Electronic Medical Records
  • Administrative Measures on Standards, Security and Services of National Healthcare Big Data
  • Guiding Principles for AI Medical Software Products
  • Measures for Cybersecurity Law
  • Regulations on the Administration of Human Genetic Resources of the PRC
  • Measures for the Administration of Scientific Data
  • Measures for the Administration of Population Health Information
  • Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
  • Certification Specification for Cross-Border Processing of Personal Information
  • Standard Contract for the Cross-Border Transfer of Personal Information


Chinese data cross-border rules

Article 28 of the PIPL classifies health data as sensitive personal information, and Article 51 requires companies that collect, process, store, and transmit such data in the normal course of business to adopt security management systems that protect the data throughout its lifecycle. Article 40 additionally requires critical information infrastructure operators and processors handling personal information above the thresholds set by the Cyberspace Administration of China to store the personal information of Chinese citizens within China. Business operations nevertheless often require that citizens’ data be transferred outside the originating country, and in such scenarios the rules in Chapter 3 of the PIPL apply.

Chapter 3 of the PIPL sets out the rules that businesses handling personal information must follow when sharing Chinese health data across borders. These rules are summarized below:

Article 38: General requirements

Before providing personal information to any party outside China, a medical company must meet at least one of the following conditions. Article 38 lists them as alternatives, not as cumulative requirements:

(i). Pass the security assessment organized by the Cyberspace Administration of China (CAC) in line with Article 40. Under the Measures for Security Assessment of Outbound Data Transfers, in force since September 1, 2022, this assessment is mandatory before sharing the medical data of users or customers with an overseas partner if your company:

  • is a critical information infrastructure operator, or processes the personal information of more than 1 million individuals;
  • has provided overseas the personal information of 100,000 or more individuals, cumulatively, since January 1 of the previous year;
  • has provided overseas the sensitive personal information (which includes medical data) of 10,000 or more individuals, cumulatively, since January 1 of the previous year; or
  • is transferring important data.

(ii). Obtain personal information protection certification from a specialized body in line with the provisions of the CAC (see the Certification Specification for Cross-Border Processing of Personal Information).

(iii). Enter into a contract with the overseas recipient, based on the standard contract formulated by the CAC, that specifies the rights and obligations of both parties.

(iv). Meet any other conditions stipulated by relevant laws and administrative regulations of the People’s Republic of China.

Note that a company that falls within the Article 40 thresholds cannot substitute certification or the standard contract for the security assessment: those routes are available only to processors below the thresholds.

Article 39: Notice and consent for cross-border data sharing

Article 39 of the PIPL requires a medical health service provider that wishes to provide personal information of its users to a party outside China to do the following:

  • Inform users of the name of the overseas recipient of their health data.
  • Provide users with the contact information of the overseas recipient.
  • Inform users of the purpose of processing, the method of processing, and the categories of health data to be transferred.
  • Inform users of the ways and procedures for exercising their PIPL rights against the overseas recipient.
  • Obtain the separate consent of users before sharing their personal information with a third party across China’s borders. Because health data is sensitive personal information, Article 29 already requires separate consent for processing it; the cross-border transfer needs its own separate consent in addition.

Article 41: Requests from foreign judicial or law enforcement bodies

Requests from foreign judicial or law enforcement bodies for personal information stored in China are handled by the competent authorities of the People’s Republic of China in accordance with relevant laws and international treaties. As a digital health service provider, your company may not provide personal information stored within China to a foreign judicial or law enforcement body without the express approval of a competent Chinese authority.

Penalties for breaching data privacy laws

Violating the provisions of China’s personal data protection laws may expose your business to crippling penalties. For serious violations, Article 66 of the PIPL allows fines of up to RMB 50 million or 5% of the previous year’s turnover, suspension of business, or revocation of the operating license. The executives and other personnel directly responsible may also face personal fines and be barred from serving as directors or senior managers for a period of time.

Now that you know the many laws governing the sharing of data within China and overseas, the obvious question is how your institution can run successful business operations in China while remaining compliant with China’s data protection and medical device regulations. Let’s find out in the next section.

How InCountry can help healthcare companies to stay compliant with Chinese laws

Complying with China’s medical device regulations and data protection laws as they concern the PHI of users and customers can be quite arduous. InCountry’s Data Residency-as-a-Service is designed so that you do not have to worry about falling short of data protection compliance when running your business operations. The InCountry data residency platform offers a straightforward path to healthcare data compliance while allowing your global brand to enter the Chinese market in a compliant fashion.

Our Data Residency-as-a-Service solutions offer medical health companies an InCountry for Salesforce integration that ensures PHI is handled in line with China’s data localization requirements. With our Alibaba Cloud InCountry Service, your company’s medical applications and devices can enter the Chinese market while remaining compliant with the relevant localization regulations.