Data Protection Laws and Compliance in China for Healthcare Industry

Although the Covid-19 pandemic was devastating and disruptive, it accelerated the digital health sector in China. The Digi-health industry saw a bumper surge in both numbers of online medical users and revenue generation.

According to available data, online medical users increased from 214.8 million in 2020 to 233.3 million in 2021, generating an additional $44.7 in revenue per user. Statista is also very positive, predicting that China’s digital health industry will gross $46 billion in 2022 and $84.7 billion in 2027, indicating a growth rate of 12.98% year over year.

While this growth is exciting and makes it tempting to jump straight into China’s digital medical space, healthcare companies will need to get acquainted with China’s personal data protection laws to operate smoothly. Below, we set out the China medical device and data regulations businesses must comply with when sharing data outside the country.

Who should be aware of medical data regulations in China

According to Article 28 of China’s PIPL, personal health information is considered sensitive data and must be protected from unlawful collection, transfer, and processing. Failing to comply with the rules governing PHI data residency leaves your business exposed to fines and other penalties.

Here are businesses that need to be aware of medical data regulations in China.

Key Chinese data protection laws for healthcare industry

With a population of over 1.45 billion people and a digital health market projected to hit $46 billion in 2022 and $84.7 billion by 2027, China is a market that can drive a colossal upside in your company’s revenue if successfully tapped into. However, in tapping into this huge market, your business or products can suffer significant setbacks if they fail to comply with any of China’s medical device regulations or data privacy laws.

DIDI, one of China’s largest ride-hailing companies, was fined $1.2 billion, while top-tier executives were fined $148,000 in personal liability. If your company hopes to have hassle-free operations, below is a list of China’s medical regulations that your business or company’s products must comply with:

Chinese data cross-border rules

The PIPL in Article 28 defines health data as sensitive data and, as such, mandates companies and businesses that collect, process, store, and transmit these data in their normal course of business to set up security management systems that keep the data secure throughout its lifecycle. The PIPL obligates these companies to store the personal information of Chinese citizens within China. However, business operations often require that citizens’ data be transferred outside the originating country, and in such scenarios Chapter 3 of the PIPL comes into force.

The PIPL in Chapter 3 provides the rules that businesses handling personal information must follow to avoid breaches when sharing China health data across borders. These rules are provided below:

Article 38: General requirement

Medical company owners must satisfy the following requirements before sharing personal information with any party outside China.

(i). Must satisfy the security assessment requirements organized by the State cyberspace administration in line with Article 40. In essence, your company must undergo a security assessment by the designated government institutions before sharing the medical data of users or customers with an overseas partner in the following circumstances per Article 40:

(ii). The company must have been certified by a specialized body (Certification Specification for Cross-Border Processing of Personal Information) for the protection of the personal information of users or consumers, in line with the provisions of the State cyberspace administration.

(iii). Companies must have a contract with the overseas recipient that specifies the rights and obligations of both parties, in line with the standard contract formulated by the State cyberspace administration.

(iv). Companies (data processors) must have met any other conditions stipulated by the relevant laws and regulations of the People’s Republic of China.

Article 39: Guidelines for cross-border data sharing

The PIPL in Article 39 mandates that medical health service providers who wish to disclose the personal information of their users to a party outside of China do the following:

Article 42: Guidelines for Special Purpose

As a digital health service provider, your company may, with the permission of the competent authorities of the People’s Republic of China and in accordance with relevant laws and international treaties, honor requests from foreign judicial or law enforcement bodies to transfer personal information of Chinese citizens stored in China. However, granting such a request is subject to express approval from a competent authority of the People’s Republic of China.

The penalty for breach of data privacy laws

Violating the provisions of China’s personal data protection laws may expose your business to crippling penalties. Your company may be fined up to 5% of its previous year’s turnover, or its operating license may be revoked. Your company’s executives may also face personal liability.

Now that you know the numerous laws governing the sharing of data within China and overseas, the question that readily comes to mind is how your institution can run successful business operations in China while remaining compliant with China’s medical device regulations. Let’s find out in the next section.

How InCountry can help healthcare companies to stay compliant with Chinese laws

Complying with China’s medical device regulation as it concerns the PHI of users and customers can be quite arduous. However, InCountry’s Data Residency-as-a-Service means you do not have to worry about falling short of data protection laws when running your business operations. The InCountry data residency as a service platform offers a seamless method of healthcare data compliance while allowing your global brand to enter the Chinese market in a compliant fashion.

Our Data Residency-as-a-Service solutions offer medical health companies an InCountry for Salesforce integration that ensures PHI is handled in line with China’s data localization requirements. Also, with our Alibaba Cloud InCountry Service, your company’s medical applications and devices can successfully enter the Chinese market while remaining compliant with the relevant localization regulations.