With the continuous advancement of cloud computing and Internet of Things (IoT) technologies, the internet is increasingly penetrating and even reshaping the healthcare industry. Seizing this opportunity, hospitals have effectively advanced their informatization initiatives, while the mobile health sector has demonstrated rapid growth momentum. The deepening integration of internet technologies with the healthcare industry has led to an unprecedented expansion in the scale of medical data, prompting a growing number of enterprises to focus on and actively explore the in-depth mining and application of big data in health and medicine.
In this context, on October 25, 2016, the Central Committee of the Communist Party of China and the State Council issued the Outline of the “Healthy China 2030” Plan. As the action plan for advancing the construction of a Healthy China over the next 15 years, the Outline places particular emphasis on developing the health industry and medical big data, as well as fostering new business models based on the application of health and medical big data. It is evident that, guided and incentivized by national policies, medical big data has the potential to become a new growth pole for the future development of the health and medical industry. Meanwhile, the Outline also explicitly points out the need to strengthen the development of regulations and standards related to health and medical big data.
Currently, laws and regulations in the field of health and medical big data are significantly lagging. The development of health and medical big data is severely constrained by the lack of comprehensive, detailed, and clear guidelines and rules. Although many private and foreign-funded enterprises are eager to enter this field and strive for in-depth layout, they are still feeling their way forward due to uncertainties in market access and industrial policies. As a result, market enthusiasm and vitality have not been fully and effectively unleashed.
This article aims to provide a brief overview and exploration of the policy and legal issues that may arise in the field of big data for health and medical care, for reference and critique by industry professionals.
“Big Data,” like “Cloud Computing” and the “Internet of Things,” is a new term that has emerged in recent years alongside the deepening development of a new round of industrial revolution. According to the Notice on the Outline for Promoting the Development of Big Data issued by the State Council in August 2015, “Big Data” refers to data sets characterized primarily by large volume, diverse types, high-speed access, and high application value. “Healthcare Big Data” is simply a subfield of “Big Data,” focusing on the integration and application of “healthcare data.”
In 2014, the National Health and Family Planning Commission defined “population health information” in the Administrative Measures for Population Health Information (Trial): Population health information refers to basic demographic data, medical and healthcare service information, and other population health-related data generated by medical, healthcare, and family planning service institutions at all levels and of all types during the course of providing services and management, in accordance with national laws, regulations, and job responsibilities. Based on the aforementioned definition of “population health information,” “health and medical data” should primarily refer to data generated from personal health activities such as immunization, physical examinations, outpatient visits, and hospitalization. However, with the widespread adoption of Internet of Things (IoT) smart products such as wearable devices, the broader concept of “health and medical data” may also extend to data generated through individuals’ use of mobile health and medical applications.
Healthcare big data is a high-value-added information asset. Although individual health and medical records have limited value for technological innovation in healthcare, the collection, storage, deep learning-based analysis, and development of massive, dispersed, and heterogeneous data can uncover new knowledge, create new value, and enhance new capabilities, thereby further feeding back into and strengthening the healthcare service industry. Therefore, the development of healthcare big data is closely tied to national welfare and people’s livelihoods, holding significant strategic importance.
Currently, the state has successively issued relevant policies to support the development of medical big data, initially completing top-level design and outlining a grand blueprint for the development of medical big data:
In 2014, the National Health and Family Planning Commission formulated the “46312” Project, which entails building four-tier health information platforms at the national, provincial, prefectural city, and county levels; relying on electronic health records and electronic medical records to support six business applications: public health, medical services, healthcare security, drug management, family planning, and comprehensive management; constructing three databases: an electronic monitoring archive database, an electronic medical record database, and a population-based individual case database; establishing a secure health network; and strengthening the development of health standard systems and security systems.
In 2015, at the Third Session of the 12th National People's Congress, Premier Li Keqiang proposed the formulation of the "Internet Plus" action plan, under which "Internet Plus Healthcare" further promoted the integration of the internet with the traditional healthcare industry.
In June 2016, the General Office of the State Council issued the Guiding Opinions on Promoting and Regulating the Application and Development of Health and Medical Big Data, which pointed out that the sharing and opening of health and medical big data resources would be promoted.
On October 22, 2016, Fujian Province and Jiangsu Province, along with the cities of Fuzhou, Xiamen, Nanjing, and Changzhou, were designated as the first batch of pilot provinces and cities for the National Pilot Project on the Construction of Health and Medical Big Data Centers and Industrial Parks, aimed at promoting and standardizing the application and development of health and medical big data.
On October 25, 2016, the Central Committee of the Communist Party of China and the State Council issued the “Outline of the ‘Healthy China 2030’ Plan,” which specifically emphasized strengthening the development of an application system for health and medical big data, and promoting the open sharing, in-depth mining, and extensive application of medical and health big data based on regional population health information platforms.
Although the state encourages and supports the development of health and medical big data at the macro-policy level, there are still multiple practical difficulties and obstacles to be overcome in terms of policy implementation and specific operations, mainly including:
Low Level of Sharing and Openness in Healthcare Big Data
Healthcare institutions are undoubtedly the primary force in collecting and storing big health and medical data. Compared to data generated by mobile health applications, data originating from healthcare institutions, particularly electronic medical records (EMR), offer higher accuracy and greater commercial development value. However, under the current medical system, healthcare institutions lack sufficient incentive to share this data. Data barriers exist to varying degrees both between healthcare institutions and between healthcare institutions and the public sector. The data silo effect not only leads to redundant patient data collection and waste of medical resources but also hinders the systematic development and construction of big health and medical data.
With the deepening of healthcare system reforms and the advancement of hospital informatization, data barriers between hospitals are expected to be further broken down. The General Office of the State Council, in its Guiding Opinions on Promoting and Regulating the Application and Development of Health and Medical Big Data, pointed out the need to establish a mechanism for sharing health and medical data featuring close inter-departmental coordination and unified management. The Outline of the “Healthy China 2030” Plan mentioned the elimination of data barriers and the establishment of a mechanism for sharing health and medical data with close cross-departmental and cross-sectoral coordination and unified management, so as to achieve data collection, integrated sharing, and business collaboration among application information systems in public health, family planning, medical services, medical security, drug supply, and comprehensive management.
It is evident that, under government leadership and with multi-departmental coordination, the application of big data in health and healthcare will undergo systematic development and construction. The issue of data silos within hospitals is expected to be further alleviated or even fundamentally resolved. However, it remains uncertain whether such medical data resources will be opened to private and foreign-invested enterprises, and to what extent. Furthermore, establishing a national integrated platform for health and medical data resource sharing involves multiple regulatory authorities and participating entities, posing significant implementation challenges. There may still be a long way to go before the platform is fully built and subsequently developed and utilized. In the interim, private and foreign-invested enterprises may only be able to cautiously explore the development and application of big data in health and healthcare by engaging in bilateral collaborations with healthcare institutions to facilitate data resource sharing.
The Legal Framework for Big Data in Health and Healthcare Urgently Needs Improvement
On the Ownership of Health and Medical Data: The current legal framework fails to adequately explain and define the ownership of health and medical data, particularly the ownership of medical data, leading to ongoing disputes in practice over whether such data belongs to individual patients or hospitals. Some argue that since both hospitals and patients contribute to the generation of medical data, health and medical data should theoretically be considered jointly owned. Others contend that ownership of medical data resides with individual patients, control lies with hospitals, and management authority rests with the government; third-party institutions can only commercialize and utilize such data with government support and hospital cooperation. The ambiguity surrounding the ownership of health and medical data not only hinders authorized access and use but also poses significant challenges and risks to the protection of patients’ personal information rights.
As an information asset, big data in health and healthcare can be protected under the frameworks of intellectual property or trade secrets if medical institutions or authorized third-party entities have lawfully processed such data, thereby endowing it with the attributes of intellectual achievement or economic value under the current legal framework. In contrast, the raw information and data related to personal health and medical care collected by medical institutions and mobile health operators primarily fall within the scope of personal information and privacy, and may be protected from the perspective of personal rights.
Legal Protection of Personal Data: Legislation on personal information protection is steadily advancing and becoming more comprehensive. The draft General Provisions of the Civil Law, currently under deliberation, is expected to separate the right to personal information from the right to privacy, providing it with dedicated protection. As citizens’ awareness of their personal information rights increases, legislative bodies may accelerate the formulation and enactment of a standalone Personal Information Protection Law. The third review draft of the Cybersecurity Law was released in October this year and is expected to be promulgated by the end of this year or next year.
It is worth noting that Article 41 of the second draft of the Cybersecurity Law stipulates that “network operators shall not divulge, tamper with, or damage the personal information of citizens they have collected; without the consent of the individuals concerned, such personal information shall not be provided to others. However, this restriction does not apply if the information has been processed in such a way that specific individuals cannot be identified and the data cannot be restored.” Pursuant to the proviso of this article, big data applications must process citizens’ personal information to render it non-identifiable. In other words, as long as data controllers de-identify legally collected personal information to the extent that individuals cannot be identified and the data cannot be restored, the processing and use of such data are exempt from the constraints of personal information protection rules. This indicates that legislators intentionally designed the regulatory framework to allow feasible space for big data applications, thereby achieving a balance between personal information protection and public interest.
Although the development of health and medical big data is guided and encouraged at the macro-policy level, there is currently a lack of systematic and detailed rules to provide guidance and regulation due to the lag in legislation. Nevertheless, based on our observations of industry practices and in light of current legislative trends, we have briefly summarized the following legal compliance recommendations for reference:
Standardizing the Collection of Health and Medical Data: (1) If health and medical data are collected through platforms developed by the entity itself or its affiliated companies, it must generally adhere to the principles of legality, legitimacy, and necessity. The purposes, methods, and scope of information collection and use shall be explicitly disclosed through a Privacy Policy or other means, and consent must be obtained from the individuals whose data is collected; (2) If relying on healthcare institutions to share medical data, patient data protection firewalls must be established, and effective de-identification measures must be implemented to ensure that the collected data cannot identify specific individuals and cannot be restored.
Notably, in April 2016, the European Union adopted the General Data Protection Regulation (GDPR). As the strictest data protection regulation in history, it mandates principles such as transparency and data minimization in personal data processing, and grants data subjects rights including the right to withdraw consent, the right to erasure (right to be forgotten), and the right to data portability.
Although Chinese law does not yet explicitly stipulate these principles or establish these rights, with the deepening advancement of personal information protection legislation and the increasing integration of economic globalization, it is believed that China will increasingly draw on and refer to the experience and standards of developed countries in personal information legislation. Therefore, we hereby advise paying attention to this trend and suggest that multinational enterprises with higher compliance standards consider applying these principles by analogy.
Data Localization Storage and Cross-Border Transmission: In the current context emphasizing cyber sovereignty, it is essential to localize the storage of big health and medical data within China. Furthermore, unless it can be definitively established that cross-border data transfers pose no significant threat to national security, the national economy and people's livelihood, or the public interest, the transmission of health and medical data with a certain degree of sensitivity to overseas jurisdictions should be avoided to the greatest extent possible.
Currently, there are no legal provisions prohibiting the cross-border transfer of big health and medical data, or even personal information. During the drafting of the Counter-Terrorism Law, a clause was proposed requiring telecommunications and internet service providers to store relevant equipment and domestic user data within China. However, due to significant controversy, this provision was ultimately removed from the version officially promulgated on December 27, 2015. Nevertheless, it is important to note that the second review draft of the Cybersecurity Law, currently released, introduces the concept of "critical information infrastructure" and restricts operators of such infrastructure from transferring "citizens' personal information" and "important business data," collected and generated during operations and stored within China, to overseas entities. If a health and medical data processing platform falls within the scope of critical information infrastructure, the cross-border transfer of "citizens' personal information" collected and stored on such platform must undergo corresponding security assessments before implementation. Moreover, even if technical measures can be applied to de-identify the data so that it no longer possesses the characteristics of "citizens' personal information," such data may still fall under the category of "important business data," thereby subjecting its cross-border transfer to equally stringent restrictions.
At the regulatory level, the National Health and Family Planning Commission explicitly prohibits storing population health information on overseas servers in its issued Administrative Measures for Population Health Information (Trial). However, strictly speaking, such restrictions should be limited to population health information—that is, basic demographic data and medical and health service information generated by medical and health institutions at all levels during service provision and management. These restrictions should not apply to general personal health information collected through mobile health applications or to data derived from de-identified population health information.
Improving Technical Security Protection Measures: Operators of big data platforms for health and medical care shall adopt technical measures and other necessary measures to ensure information security and prevent the leakage, damage, or loss of citizens' personal information collected during business activities. In the event of actual or potential information leakage, damage, or loss, immediate remedial measures shall be taken. Furthermore, data security protection measures must meet the corresponding standards. The second draft of the Cybersecurity Law stipulates that the state shall implement a classified protection system for cybersecurity. Network operators shall establish internal compliance systems and fulfill their security protection obligations in accordance with the different security levels.
In fact, the establishment of a classified protection system for cybersecurity is not a new requirement first introduced by the Cybersecurity Law. In 2007, four national ministries and commissions—the Ministry of Public Security, the National Administration of State Secret Protection, the State Cryptography Administration, and the State Council Information Office—jointly formulated the Administrative Measures for Classified Protection of Information Security. Article 7 of these Measures classifies the security protection levels of information systems into five tiers. Entities operating or using information systems shall implement classified protection in accordance with the Implementation Guidelines for Classified Protection of Information System Security. Upon completion of an information system’s construction, the operating or using entity, or its competent authority, shall select a qualified assessment agency that meets the conditions stipulated in the Measures to conduct regular classified assessments of the system’s security protection level, based on technical standards such as the Assessment Requirements for Classified Protection of Information System Security, and fulfill the corresponding filing procedures.
On this basis, in its 2011 notice entitled “Guiding Opinions on Information Security Level Protection in the Health Sector,” the Ministry of Health pointed out that the National Information Security Level Protection System classifies information security protection into five levels: Level 1 (Self-Protection), Level 2 (Guided Protection), Level 3 (Supervised Protection), Level 4 (Mandatory Protection), and Level 5 (Specialized Control Protection). In principle, the security protection level for critical health information systems shall not be lower than Level 3.
Given that the data processed by health and medical big data platforms, along with the application development built upon them, primarily involves or focuses on the healthcare sector, it is recommended to establish and implement a classified protection system for data security in accordance with the relevant provisions and standards set forth by the Ministry of Health in the "Guiding Opinions on Information Security Level Protection in the Health Sector."
Foreign Investment Restrictions in the Field of Healthcare Big Data: At present, there are no direct policy provisions restricting or prohibiting foreign investment from participating in the field of healthcare big data. However, if the data collected and processed involves human genetic resources, cooperation with foreign parties or foreign-invested enterprises to collect such resources or transfer them abroad must be approved by the Ministry of Science and Technology before implementation, in accordance with the Interim Measures for the Administration of Human Genetic Resources (1998) and the Service Guide for Administrative Licensing Items Concerning the Approval of Collection, Acquisition, Trading, Export, and Outbound Transfer of Human Genetic Resources (2015).
Foreign investment restrictions in the field of big data for healthcare may also manifest at the level of operational models and specific business structures of health and medical big data platforms. For instance, if multinational corporations enter the health and medical big data sector by establishing specialized medical institutions, they will be subject to policy restrictions on foreign-invested medical institutions. If multinational corporations collect and process health and medical big data through cloud platforms, Internet of Things (IoT) platforms, or Blockchain-as-a-Service (BaaS) platforms based on blockchain technology, this may also involve restrictions on foreign investment in the value-added telecommunications sector. Furthermore, when multinational corporations intend to collaborate with healthcare institutions on health and medical big data, they may encounter implicit commercial barriers, as healthcare institutions often prefer to partner with non-foreign entities.
In summary, whether foreign investment restrictions apply to the development and application of big data in healthcare, and if so, what specific restrictions exist, cannot be generalized. Each case requires a comprehensive analysis and assessment based on the scope of data involved, the operational model of the data platform, and the specific business structure within the context of each project.
Source: Han Kun Law Offices