China has not yet enacted specific legislation dedicated to the protection of personal information in the healthcare and medical sector. Requirements for safeguarding such information are scattered across various laws, ministerial and local regulations, and rules. The implementation of the Personal Information Protection Law will affect, to varying degrees, the data processing activities of enterprises of all types within the industry.
Recently, the Zhejiang Digital Medical and Health Technology Research Institute, Hangzhou Shuniu Technology Co., Ltd., and Zhong Lun Law Firm jointly released the white paper titled “New Interpretation of Health and Medical Data Privacy Protection under the Personal Information Protection Law,” which provides an interpretation of how the Personal Information Protection Law safeguards medical data privacy.
For ease of reading, this article has been abridged from the white paper without altering its original meaning.
As the digital economy, digital society, and digital governance flourish, data resources have emerged as a new strategic asset, elevating the big data strategy to the level of national strategy. On the other hand, the innovation and application of network and digital technologies driven by this strategy have given rise to a myriad of emerging issues, particularly the unauthorized processing of personal information and increasingly severe misuse, resulting in harm or risks to individual privacy and identity security.
Driven by the wave of digitalization, legislation on personal information protection has accelerated dramatically. Between 2000 and 2010, 40 countries enacted personal information protection laws, and an additional 62 such laws were introduced between 2010 and 2019. Although certain Chinese laws, regulations, and normative documents address personal information protection, the provisions defining the legal obligations and liabilities of personal information processors—such as enterprises and institutions—remain ambiguous overall. Furthermore, the roles and authority of relevant administrative law enforcement agencies are not clearly defined, leaving these bodies without sufficient legal basis for conducting administrative management and law enforcement activities. Therefore, enacting a Personal Information Protection Law is practically necessary. It is not only an objective requirement for strengthening the rule-of-law safeguards for personal information protection but also a practical need to maintain a healthy online ecosystem, as well as a significant measure to promote the sound development of the digital economy.
Tracing its origins, China’s legislative efforts in personal information protection have actually undergone a twenty-year developmental journey. We have primarily divided this legislative history into the pre-legislation phase and the legislation phase, and have outlined the landmark events from the proposal to the enactment of the Personal Information Protection Law.

From September 2018, when the Personal Information Protection Law was included in the “Legislative Plan of the Standing Committee of the 13th National People’s Congress,” to its promulgation in August 2021 (it took effect on 1 November 2021), only three years elapsed. The implementation of China’s Personal Information Protection Law has also become an important milestone in the legislative history of personal information protection laws.
As of December 2021, the regulatory framework for the protection of personal health and medical data primarily comprised 10 laws, one administrative regulation, six ministerial rules, six national standards, and three guidance policy documents. The management requirements for personal information protection in the health and medical sector are mainly based on laws and standards, which represent governance approaches commonly adopted by countries worldwide to safeguard the privacy of patients' health information.

Currently, China has not enacted specialized legislation for the protection of personal health and medical information at the legal level. Requirements for protecting personal information in the health and medical sector are scattered across laws, ministerial/local regulations, and ministerial/local rules. Specifically, relevant laws in the health sector, such as the Mental Health Law and the Physicians Law, stipulate the responsibilities and obligations of healthcare workers to protect the privacy of personal health information. In light of the new regulatory framework established after the implementation of the Personal Information Protection Law, the impact on the compliant utilization of health and medical data will manifest in the following aspects:
1. Requirements for identifying personal information and other health- and medical-related data.
2. Appropriate security and technical measures that must be implemented when processing health and medical data.
3. The effect on healthcare enterprises of the burden of proof under the presumption-of-fault principle: where processing causes harm, the processor must prove that it was not at fault.
For different healthcare institutions, the compliance obligations they follow may vary depending on their entity status, business operations, or the types of data collected. Under China’s current regulatory framework, the data processed by the healthcare industry not only involves personal information and sensitive personal information as defined in the Personal Information Protection Law, but may also include other data types related to healthcare. When processing such data, entities should adhere to the Personal Information Protection Law while also referring to existing relevant requirements to implement comprehensive personal privacy protection.

Relevant enterprises and practitioners should ensure compliant processing of health and medical data throughout its entire lifecycle, building upon existing personal information protection requirements in the health and medical sector while incorporating the new mandates introduced by the Personal Information Protection Law. Overall, compliance requirements are most extensive for the data usage phase in the health and medical field; the management of human genetic data is the most sensitive and subject to the highest level of scrutiny. Possibly due to the value of health and medical data and retention period requirements, provisions regarding data destruction and deletion are less frequently addressed in most health and medical data processing practices.

Currently, research on the protection of personal health information primarily focuses on privacy protection, patients’ right to privacy, the application of blockchain technology in privacy protection, and privacy protection in the context of big data. Among these, the application of blockchain technology to safeguard personal health information is the fastest-growing area of research interest. Key hotspots in personal information protection research include medical big data, electronic medical records (EMRs), electronic health records (EHRs), mobile health, internet-based healthcare, and the Internet of Things (IoT). In the past three years, emerging research areas have mainly centered on epidemic prevention and control, as well as privacy protection in data sharing.

Current Status and Progress of Management
Hospitals are the primary entities responsible for processing patients’ personal information and play a crucial role in safeguarding individual privacy. Currently, hospitals have not yet established a systematic management framework for personal information protection; instead, privacy protection measures are primarily embedded within the management protocols of specific information systems. Regarding the main challenges faced by hospitals in protecting personal information, nearly 80% of hospitals cite “lack of financial support,” approximately 50% identify “insufficient legal and regulatory basis” and “inadequate security technologies,” and around 40% point to “weak information security awareness” and “lack of operability in management regulations.”
Currently, the vast majority of medical information systems or informatization construction projects mention requirements for privacy protection; however, there are significant variations in the specificity of evaluation metrics and detailed requirements. This disparity reflects, to some extent, the considerable differences in the healthcare industry’s understanding of privacy security and its capacity to address it. In areas with relatively clear management frameworks, such as electronic medical records (EMR) and national health information platforms, more explicit functional requirements and evaluation criteria for privacy and security protection can be provided. For instance, these systems may meet the information security and privacy protection indicators specified in Level 4 Class A of the Standardized Maturity Assessment for Interconnectivity of Hospital Information Systems. In contrast, requirements for privacy protection in new systems and applications often remain superficial and lack depth.
Personal Information Protection in Critical Systems
The Electronic Medical Record (EMR) system is the core of the Hospital Information System (HIS). According to the Functional Specifications for Electronic Medical Record Systems, the essential functional requirements for patient privacy protection include: “① Assign confidentiality levels to electronic medical records and implement tiered management of operator permissions. Users shall access EMR data corresponding to their authorized confidentiality levels. When authorized users access EMRs, data with a confidentiality level higher than the user’s permission level shall be automatically hidden. ② When medical personnel need to view EMR data of patients not under their direct care due to work requirements, the system shall alert the user to handle such patient EMR data in accordance with relevant regulations.”
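The two functional requirements quoted above are easier to reason about as code. The following is an added example, not part of the white paper or of any EMR product: it models a confidentiality-level filter with “no read up” semantics (records above the user’s clearance are silently dropped rather than rejected, so a denial cannot reveal that a sensitive section exists) and a treating-relationship check that lets a non-treating clinician proceed only with a stated reason, which is recorded in an audit log. The level scale, user roles, patient identifiers and records are all constructed for illustration.

```python
"""Added example: tiered EMR access control with audited non-treating access.
Levels, users and records below are constructed, not taken from any system."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed confidentiality scale: higher number = more sensitive.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = 0, 1, 2, 3


@dataclass(frozen=True)
class Record:
    patient_id: str
    section: str   # e.g. "vitals", "psychiatric_note"
    level: int     # confidentiality level assigned to this section
    body: str


@dataclass(frozen=True)
class User:
    user_id: str
    clearance: int
    care_patients: frozenset  # patients currently under this user's care


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    patient_id: str
    reason: str


AUDIT_LOG: List[AuditEvent] = []


def view_emr(user: User, patient_id: str, records: List[Record],
             override_reason: Optional[str] = None) -> List[Record]:
    """Return the subset of a patient's records the user is allowed to see.

    Rule 1 (tiered permissions): sections whose level exceeds the user's
    clearance are hidden, not errored, so the caller cannot infer that a
    hidden section exists.
    Rule 2 (non-treating access): if the patient is not under the user's care,
    access requires an explicit reason and is written to the audit log; this
    is the "alert" step, implemented here as a break-the-glass prompt
    (an assumption of this example, not the specification's wording).
    """
    if patient_id not in user.care_patients:
        if not override_reason:
            raise PermissionError(
                "patient not under your care; state a reason to proceed")
        AUDIT_LOG.append(AuditEvent(user.user_id, patient_id, override_reason))
    return [r for r in records
            if r.patient_id == patient_id and r.level <= user.clearance]


# Constructed sample data.
RECORDS = [
    Record("P001", "vitals", INTERNAL, "BP 120/80"),
    Record("P001", "psychiatric_note", RESTRICTED, "see attending"),
    Record("P002", "vitals", INTERNAL, "BP 135/90"),
]
NURSE = User("n01", clearance=CONFIDENTIAL, care_patients=frozenset({"P001"}))
PSYCH = User("d07", clearance=RESTRICTED, care_patients=frozenset({"P001"}))


def demo() -> dict:
    """Exercise both rules and return what each user actually sees."""
    return {
        "nurse_own_patient": [r.section for r in view_emr(NURSE, "P001", RECORDS)],
        "psych_own_patient": [r.section for r in view_emr(PSYCH, "P001", RECORDS)],
        "nurse_other_patient": [r.section for r in view_emr(
            NURSE, "P002", RECORDS, override_reason="covering on-call")],
        "audit_entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The filter is deliberately applied per section rather than per patient: a nurse with a treating relationship still never sees the psychiatric note, and the psychiatrist reading a colleague’s patient leaves an audit trail that the quality-control department can review, which addresses the credential-misuse problem the next paragraph describes.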
Although corresponding management systems have been established, issues such as breaches of patient privacy due to non-compliant operational practices persist during implementation. For instance, while departments responsible for medical record quality control are granted read-only access without modification privileges, healthcare practitioners may fail to adhere to medical record management protocols in practice, resulting in discrepancies between the records and patients’ actual clinical data. Additionally, unauthorized personnel may gain access to patient medical information by exploiting other users’ credentials or through alternative means.
Driven by the steady advancement of grassroots health informatization, significant progress has been made in the development of electronic health records (EHRs) for residents, with a continuous expansion in the number of established records and the population covered by services. The next key focus is to activate the application of health records in resident-centric, full-lifecycle health information management services. Under the premise of legally protecting personal privacy, further optimization should be made to the online access channels and interactive formats that allow residents to view their own EHRs upon authorization and to utilize these records directly.
As the fundamental carrier of personal health and medical data, electronic health records (EHRs) aggregate an individual’s health information from the vast majority of healthcare institutions, serving as the primary source for healthcare service data. Furthermore, EHRs will incorporate health-related data generated outside of healthcare settings, such as personal health examinations, gene sequencing, Internet of Things (IoT) data, and data from smart devices. This necessitates a resident-centric secure storage and authorized-access service endpoint to help individuals achieve unified management of their personal health data, thereby establishing a highly reliable and trustworthy foundation for technical safeguards and operational mechanisms. With the further sharing and opening of electronic health records, ensuring privacy security during data transmission and access has become a critical issue.
Personal Information Protection in Key Scenarios
“Internet + Healthcare” has transformed traditional face-to-face doctor-patient interactions into exchanges of data and information, giving rise to the role of “personal information controllers.” Based on current privacy protection practices by internet platforms providing healthcare services, a comprehensive system for safeguarding personal private information has yet to be established. For internet hospitals established with hospitals as the main entities, the *Administrative Measures for Internet Hospitals (Trial)*, jointly issued by the National Health Commission and the National Administration of Traditional Chinese Medicine, explicitly requires that cooperation agreements between medical institutions and third-party organizations clearly define the rights and responsibilities of all parties regarding medical services, information security, and privacy protection.
Conducting clinical scientific research is one of the primary applications of health and medical data, which also involves the use of personal information. When utilizing electronic medical records (EMRs) for research projects, hospitals implement certain security measures, including signing confidentiality agreements, data de-identification, anonymization techniques, and timely data destruction. However, the current data application process presents corresponding issues across various domains of information security (physical security, data security, and information security). This is particularly evident in access control management, where 95.7% of surveyed researchers failed to set access permissions for their research data.

Furthermore, numerous cases of personal privacy infringement emerged during epidemic prevention and control efforts. In response, the Office of the Central Cyberspace Affairs Commission issued the “Notice on Safeguarding Personal Information and Leveraging Big Data to Support Joint Prevention and Control Measures” in February 2020, which provided relatively clear guidelines for the protection of personal information in the context of epidemic prevention and control.
Current Status and Progress of Technology
Relying solely on legal and administrative measures to protect personal information often suffers from problems such as lagging behind technical developments. Consequently, leveraging technology to mitigate the risk of privacy breaches has become a focal point of research in the field of privacy protection among academic, information security, and industrial communities both domestically and internationally. Currently, privacy-preserving technologies are predominantly categorized by the way they implement data protection, primarily including data perturbation techniques, data encryption techniques, data anonymization techniques, and access control techniques. Each of these privacy-preserving technologies has its own applicability and limitations.
Some scholars categorize privacy-preserving technologies based on the stages of data processing, primarily dividing them into privacy-preserving techniques for data publishing and privacy-preserving data mining techniques. In data publishing, privacy protection is achieved by perturbing, encrypting, or anonymizing raw data. The main techniques include anonymization, partitioning, encryption, and distortion techniques. Privacy-preserving data mining refers to the study of efficient mining algorithms for association rules, classification, clustering, and other tasks under privacy-preserving conditions. The focus of this category of techniques lies in ensuring the consistency of data mining results after privacy data has been protected and processed.
In the face of growing data volumes and increasing demands for large-scale data integration applications, emerging data protection technologies such as blockchain and privacy-preserving computation, which are gradually maturing, represent a new direction for the future development of personal privacy protection. As a key breakthrough in independent innovation of core technologies, blockchain has been widely applied in recent years across industries including finance, judiciary, supply chain management, and healthcare. Ensuring the security and privacy of health data is a significant application direction of blockchain technology in the medical field. By leveraging blockchain’s characteristics—such as immutability, full-process traceability, auditability, collective maintenance, and transparency—the storage and access of medical data can be made more secure.
The Personal Information Protection Law explicitly requires personal information processors to adopt appropriate technical security measures, such as encryption and de-identification, to safeguard the security of processed personal information. The protection of information security by privacy-enhancing computation technologies lies not only in the application of methods like anonymization, de-identification, and data encryption during data processing, but also in ensuring that raw data and personal privacy information remain within private domains at a deeper level, thereby minimizing the risk of leakage of personal and privacy-sensitive data to the greatest extent possible.
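The anonymization techniques for data publishing listed earlier and the de-identification measure named here are easiest to see on a concrete table. The following is an added example, not code from the white paper: it pseudonymizes a direct identifier with a keyed hash (a plain unkeyed hash of an ID number would be reversible by enumerating the ID space), generalizes the quasi-identifiers age and postcode, and then measures the k-anonymity of the result, that is, the size of the smallest group of rows sharing the same quasi-identifier values. The key, the rows, the generalization widths and the column names are all constructed assumptions.

```python
"""Added example: keyed pseudonymization plus k-anonymity check for a
health data release. All data and parameters are constructed."""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Assumption: held by the data controller and never given to the recipient.
SECRET_KEY = b"constructed-demo-key-rotate-in-production"
QUASI_IDENTIFIERS: Tuple[str, ...] = ("age", "postcode")


def pseudonymise(identifier: str, key: bytes = SECRET_KEY) -> str:
    """Deterministic, keyed pseudonym: the same patient maps to the same token
    (so records still link) but the mapping cannot be reversed or re-derived
    without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def generalise_age(age: int, width: int = 10) -> str:
    """Replace an exact age with a band such as '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalise_postcode(postcode: str, keep: int = 3) -> str:
    """Keep only the leading digits of a postcode: '310001' -> '310***'."""
    return postcode[:keep] + "*" * (len(postcode) - keep)


def deidentify(rows: List[Dict]) -> List[Dict]:
    """Drop the direct identifier, emit a pseudonym, generalise quasi-identifiers,
    keep the attribute of interest (diagnosis) untouched."""
    return [{
        "pid": pseudonymise(r["id_number"]),
        "age": generalise_age(r["age"]),
        "postcode": generalise_postcode(r["postcode"]),
        "diagnosis": r["diagnosis"],
    } for r in rows]


def k_anonymity(rows: List[Dict], quasi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    A release is k-anonymous for any k no larger than this value."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values()) if groups else 0


# Constructed sample rows (identifiers are placeholders, not real ID numbers).
RAW = [
    {"id_number": "ID-0001", "age": 34, "postcode": "310001", "diagnosis": "hypertension"},
    {"id_number": "ID-0002", "age": 37, "postcode": "310012", "diagnosis": "diabetes"},
    {"id_number": "ID-0003", "age": 31, "postcode": "310005", "diagnosis": "asthma"},
    {"id_number": "ID-0004", "age": 45, "postcode": "310003", "diagnosis": "hypertension"},
    {"id_number": "ID-0005", "age": 42, "postcode": "310008", "diagnosis": "diabetes"},
    {"id_number": "ID-0006", "age": 48, "postcode": "310011", "diagnosis": "asthma"},
]


def release_report() -> Dict[str, int]:
    """k of the raw table versus the de-identified table."""
    return {"k_raw": k_anonymity(RAW), "k_released": k_anonymity(deidentify(RAW))}


if __name__ == "__main__":
    print(release_report())
    for row in deidentify(RAW):
        print(row)
```

Two caveats a reviewer would raise before approving such a release: k-anonymity only bounds re-identification via the quasi-identifiers, not attribute disclosure (if every row in a group shared the same diagnosis, the diagnosis would leak regardless of k), and the keyed pseudonym is still personal information in the controller’s hands because the key can re-link it; under the law it counts as de-identification, not anonymization.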
Management Practices
As China’s Personal Information Protection Law has been in effect for only a short period, relatively comprehensive privacy protection management practices have yet to be established in the health and medical sector. In contrast, the implementation of the United States’ Health Insurance Portability and Accountability Act (“HIPAA”), the European Union’s General Data Protection Regulation (GDPR), and Japan’s Act on the Protection of Personal Information has moved beyond its initial phase, offering valuable references for China’s personal information protection law in shaping privacy protection management practices within the health and medical field.
In Japan, the utilization of medical data adopts a dual regulatory framework consisting of a “basic law + special law.” The basic law is the Act on the Protection of Personal Information, while the special law is the Next-Generation Medical Infrastructure Act (referred to by Japanese academia as the “Medical Big Data Law”). By aligning with the developmental characteristics of the healthcare industry, the implementation of this specialized legislation has paved the way for innovation in specific data categories, achieving a balance between deregulation and oversight.
The GDPR is the European Union’s current privacy and data protection regulation, affording a high level of protection to special categories of personal data such as health information. The GDPR requires controllers to have a lawful basis for processing tied to specific purposes (for health data, typically explicit consent or one of the Article 9 exceptions) and to be able to demonstrate how data were collected and processed. It imposes stringent penalties for violations. In terms of data protection, accountability extends across all parties in the data supply chain, from controllers down to their processors.
The implementation of the GDPR has significantly impacted health and medical data research. Non-interventional studies (NIS) conducted at Nuremberg Hospital in Germany constitute an important component of medical research. To ensure compliance with GDPR requirements, certain studies are subject to assessment by the local Data Protection Officer. The hospital has also implemented a series of measures to enhance the privacy protection of health and medical data.
Technical Practice
Personal Electronic Health Records (EHRs) are digital records of residents’ health information. As lifelong, secure, and confidential personal electronic health records stored in computer systems and designed to serve individuals, their secure sharing across different medical institutions plays a crucial role in enhancing the quality of diagnosis and treatment for residents. In traditional approaches, regional health information platforms typically enable health record query services for medical institutions and the public through standard application programming interfaces (APIs), generally employing relatively low-level privacy and security protection strategies such as user passwords, data de-identification, and encrypted transmission. In the future, leveraging blockchain technology will provide health informatization platforms with foundational capabilities for the open sharing of electronic health records, including services for EHR value management, EHR data security, patient data privacy protection, and EHR data regulation and auditing.
Electronic medical records (EMRs) contain critical medical information about patients. However, sharing historical medical history and treatment data across different healthcare institutions remains challenging, particularly in terms of verifying authenticity and enabling online access. Due to the need for robust medical data security, hospitals are often reluctant to grant patients direct access to electronic data. In traditional models, hospitals establish clinical information systems or EMR systems to record, store, and manage EMRs, which are housed within the hospital’s clinical information resource repository, thereby maintaining relative isolation from external institutions and social networks. In the future, blockchain technology will underpin a foundational platform for the open sharing of medical and health data, offering capabilities such as EMR evidence storage and sharing, privacy protection, regulatory oversight and traceability, and value management. Medical and health data encompass patients’ health records, EMRs, and interactive data generated from medical practices and health management activities.
Clinical research is indispensable for advancing medical progress and development. Clinical research refers to the exploration, collection, organization, and utilization of clinical medical resources, which relies heavily on efficient medical data acquisition and aggregation. Traditional multi-center research data mostly adopts a centralized storage and analysis model, employing de-identification or anonymization techniques during the sample data collection phase to protect privacy. In this model, full or processed data copies are transferred from one controller to another entity, thereby raising issues related to data security and privacy protection, such as compliant data processing, data leakage, and compliant use of personal data. In the future, during the development of information platforms for multi-center clinical research, next-generation information technologies—including blockchain, privacy-preserving computation, artificial intelligence, and big data—should be introduced to establish a data-sharing mechanism where raw clinical data remains within the originating hospital. This approach leverages privacy-preserving computational models to rapidly achieve standardized data screening, patient cohort enrollment, and the collection of computational results without exposing raw data.
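The contrast between the centralized model (copies of data move to a new controller) and the model in which raw clinical data stays in the originating hospital can be made concrete with one of the simplest privacy-preserving computation primitives, additive secret sharing. The following is an added example, not code from the white paper or from any platform it mentions: each hospital evaluates the cohort criteria locally, splits its count into random shares summing to the count modulo a prime, hands one share to every participant, and each participant publishes only the sum of the shares it received. The published partial sums reveal the multi-center total and nothing else. The prime, the hospital records and the enrollment criteria are constructed assumptions, and the message passing is simulated in one process.

```python
"""Added example: multi-centre cohort count with raw records kept on site,
using additive secret sharing. Data, criteria and parameters are constructed."""
import secrets
from typing import Callable, Dict, List

PRIME = 2**61 - 1  # assumption: all share arithmetic is done modulo this prime


def local_cohort_count(records: List[Dict], criteria: Callable[[Dict], bool]) -> int:
    """Runs inside one hospital; the records themselves never leave."""
    return sum(1 for r in records if criteria(r))


def share(value: int, n: int) -> List[int]:
    """Split value into n additive shares modulo PRIME.
    Any n-1 of them are uniformly random and say nothing about value."""
    shares = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: List[int]) -> int:
    return sum(shares) % PRIME


def secure_sum(local_values: List[int]) -> int:
    """Simulate the exchange: hospital i sends share j of its value to
    hospital j; every hospital then publishes the sum of what it received.
    In this simulation the plaintexts sit in one list only so the flow is
    visible; in a deployment each value exists only on its own site."""
    n = len(local_values)
    inbox: List[List[int]] = [[] for _ in range(n)]
    for value in local_values:
        for j, s in enumerate(share(value, n)):
            inbox[j].append(s)
    partials = [sum(box) % PRIME for box in inbox]  # the only published values
    return sum(partials) % PRIME


def multi_centre_cohort(hospitals: Dict[str, List[Dict]],
                        criteria: Callable[[Dict], bool],
                        min_total: int = 3) -> int:
    """Return the total number of eligible patients across all sites, or -1 if
    the total is too small to publish. Secret sharing protects the inputs;
    it does not stop a tiny output (say, 1) from identifying a patient, so a
    disclosure threshold on the output is still needed (assumed value 3)."""
    counts = [local_cohort_count(recs, criteria) for recs in hospitals.values()]
    total = secure_sum(counts)
    return total if total >= min_total else -1


# Constructed per-site records (field names are an assumption).
HOSPITALS: Dict[str, List[Dict]] = {
    "H1": [{"age": 45, "dx": "diabetes"}, {"age": 52, "dx": "diabetes"},
           {"age": 38, "dx": "diabetes"}, {"age": 60, "dx": "asthma"}],
    "H2": [{"age": 41, "dx": "diabetes"}, {"age": 29, "dx": "asthma"}],
    "H3": [{"age": 33, "dx": "diabetes"}],
}


def enrol(r: Dict) -> bool:
    """Constructed enrollment criteria: diabetes diagnosis, age 40 or over."""
    return r["dx"] == "diabetes" and r["age"] >= 40


if __name__ == "__main__":
    print("eligible across sites:", multi_centre_cohort(HOSPITALS, enrol))
```

The example deliberately stops at a count. Real multi-center platforms compute richer statistics, but the security argument is the same: the coordinating party learns the agreed output and nothing about any site’s rows, and the remaining disclosure risk lives in the output itself, which is why a minimum cell size (or noise) is applied before results are released.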
