New Chinese Requirements on Management of Health Information

On May 5, 2014, China’s National Health and Family Planning Commission (“NHFPC”)¹ promulgated the Administrative Measures for Population Health Information (For Trial Implementation) (“Health Information Measures”) governing the collection, use, and management of “Population Health Information” by medical, health care, and family planning services. According to the NHFPC, the Health Information Measures are intended to “standardize and strengthen population health information collection, management and utilization, as well as to protect [information] security and individual privacy.”²

NHFPC officials have informed us that the new regulations apply to both public- and private-sector entities, although it remains unclear which specific entities are targeted.

The Measures also prohibit storage on overseas servers of Population Health Information collected in China, the first time a cross-border prohibition has been applied to health information in China.

Key Definitions

‘Population Health Information’

Under the Health Information Measures, “Population Health Information” (renkou jiankang xinxi) is defined as “basic demographic information, information collected from the provision of medical and health care services, and other population health information generated by medical, health care, and family planning services agencies of all types and at all levels.”³

Based on discussions with NHFPC officials, this term is meant to encompass personal health information, such as an individual’s medical records, as well as any further aggregated or derivative data, such as information on provincial health patterns.

‘Responsible Entities’

The Health Information Measures state that “medical, health care and family planning service agencies of all types and levels” are the “Responsible Entities” for “collection, use, management, security, and privacy protection of Population Health Information.”⁴

We have confirmed with the NHFPC that this term applies to both public-sector and private-sector entities, although we have been unable to confirm with these officials which specific private entities fall under this umbrella.

Substantive Provisions

While the Health Information Measures include a mix of policy prescriptions and occasionally vague substantive requirements,⁵ its more detailed provisions provide an array of common data protection mechanisms for Responsible Entities to follow.

These include:

• Minimal Collection: Responsible Entities must collect only the minimum amount of information necessary for their work.⁶

• System Security: Responsible Entities must design and implement security safeguards for their Population Health Information systems in accordance with national security standards, and must have in place “data storage, disaster recovery, and management conditions that meet the relevant national requirements.”⁷

• Data Quality Assurance: Responsible Entities must promptly update and maintain Population Health Information to ensure such information is “up-to-date, continuous, and valid.”⁸

• Disclosure to Third Parties: Responsible Entities may entrust another entity with responsibility for the storage, use, and maintenance of Population Health Information, but the Responsible Entities must retain responsibility for its management and security.⁹

• User Access: Responsible Entities must provide channels for their “service recipients” (i.e., patients or data subjects) to inquire and receive duplicate copies of their personal health information.¹⁰

In addition, Responsible Entities are instructed to “set up appropriate population health information management departments” to oversee data collection and management,¹¹ and to establish a “trace management system” involving real-name registration in order to “manage, control, and trace” the activities of users with access to Population Health Information.¹²

Significantly, the Health Information Measures prohibit the storage of Population Health Information collected in China on servers outside China, as well as the hosting or renting of overseas servers by Responsible Entities.¹³ While various provisions in PRC law protect a patient’s “privacy” and “medical records,” and prohibit transfer to third parties without the patient’s consent, this provision is the first prohibition on cross-border transfer of health information.

Remedial Provisions

The Health Information Measures instruct central and local NHFPC affiliate agencies to strengthen their routine inspection and supervision work over Responsible Entities’ management of Population Health Information.

Entities violating the Health Information Measures may be instructed to make corrections or may be subject to public criticism or administrative sanctions, depending on the severity of the violation. Where a criminal violation has occurred — for instance, where such information is illegally sold to a third party — remedies may be pursued in accordance with the PRC Criminal Law.

Legislative Background

While various PRC laws and regulations have included provisions related to personal health information, the Health Information Measures are China’s first regulations that are primarily focused on such data.

The promulgation of the Health Information Measures seems to be part of China’s general strategy to promote domestic “informatization” (xinxihua), a strategic concept that essentially describes a nationwide “big data” push to collect, safeguard, and utilize the vast amounts of data generated in China.

In 2013, the NHFPC drafted a policy paper entitled Guidelines of the National Health and Family Planning Commission and the Chinese Traditional Medicine Association on Promoting the Development of Informatization for Population Information. The Health Information Measures appear designed to implement the broadly articulated policy goals contained in this document.

Eric Carlson is a Partner and Scott Livingston is an Associate at Covington & Burling LLP, Beijing. They may be contacted at ecarlson@cov.com and sdlivingston@cov.com.