Realizing the Potential of Telemedicine in China, Part 2: Data Privacy and Security

05 November 2014 Health Care Law Today Blog
Author(s): Nathaniel M. Lacktman Tianran Yan

This post is the second in Foley’s blog series, “Realizing the Potential of Telemedicine in China,” meant to address top issues facing U.S. companies looking to enter the Chinese telemedicine market.

At a Glance

• Meeting U.S. laws on medical record privacy and security is not sufficient to cover a company expanding into China; medical records must meet Chinese requirements as well

• EHR cloud storage standards differ in China; U.S. hospitals and providers should consider alternatives to cloud storage on servers located outside of China when handling Chinese patient and other healthcare data

• Ultimate authority to interpret regional and sector specific regulations rests with the Chinese legal system, which differs significantly from the U.S. legal system

The Chinese market presents a tremendous opportunity for U.S. hospitals and providers, as long as the intricacies of data privacy and security issues are thoroughly understood. This includes Chinese regulations regarding medical records, electronic health record (EHR) storage, and practical enforcement.

The fact that a U.S. company’s medical record privacy and security software/technology meets HIPAA or HITECH regulations is important, but is sufficient only in the United States. U.S.-based entities that provide healthcare services in China are expected to meet different standards and requirements that govern specific industrial sectors, including Chinese laws and rules on data privacy and health information and medical records.

For example, according to the Management Measures for Population Health Information (for Trial Implementation), issued May 5, 2014 by China’s National Health and Family Planning Commission of China, an entity “in charge of the collection, utilization, management, security and privacy protection of population health information” cannot “store population health information in overseas servers, [or] host or rent overseas servers.” Such an entity is also required to “establish a tracing management system under which any user who creates, modifies and accesses population health information shall be subject to stringent real-name identity authentication and authorization control.”

These provisions potentially apply to a wide range of health-provider activities in China, including activities at corporation clinics. Keeping this in mind, U.S. hospitals and providers operating in China should not store Chinese patient health information in the cloud unless those cloud servers are physically located in China. Given information security concerns, U.S. providers should assess and deliberate options before transmitting and downloading China patient information. One approach is to establish an online portal to a Chinese facility the U.S. providers can use to access patient images and files in a manner that does not risk violation of Chinese requirements.

U.S. hospitals and other healthcare providers operating in China should also be aware of the existence of “technical guidance documents” issued by various Chinese governmental agencies which underscore a regulatory trend increasing restrictions on the use and storage in overseas servers of a broader range of “personal information.” For example, GB/Z 28828-2012, published November 5, 2012 by the Standardization Administration of the People’s Republic of China, provides that “without express consent of the subject of personal information, the express requirement of any law or regulation, or the consent of the competent authority, a personal information administrator should not transmit personal information to any overseas personal information recipient, including an individual located abroad or an organization or institution registered abroad.”

Although such “technical standards” do not have the explicit effect of law, there is always a risk that they could be interpreted by local governments as obligatory, or that they could be given mandatory effect when referenced within newly developed Chinese laws and regulations in the dynamic area of personal and data privacy. Regardless, it is clear that the trend in China favors “localization” of health and other personal information storage and use, and greater informed consent for such use.

Are you interested in learning more about telemedicine in China? Foley offers two opportunities to get up to speed with the latest developments:

English Translations of China’s NHFPC Opinions (Issued August 2014)

Members of Foley’s Telemedicine and China Practices have completed English-language translations of two opinions issued in August 2014 by The National Health and Family Planning Commission of the People’s Republic of China regarding:

The Promotion of the Medical Institution Telemedicine Services

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.