Cybersecurity and Data Protection Issues for Enterprises in the Health and Medical Fields

In addition to the general personal information and cybersecurity protection obligations stipulated under the Cybersecurity Law and its supporting regulations, health and medical enterprises also face more stringent and targeted regulations affecting medical big data, medical records and human genetic resources. These regulations bring challenges to health and medical enterprises in data collection, processing, usage, transfer, sharing, cross-border transmission, clinical trials, technology development, international cooperation and other aspects. With the development of medical big data, the increasing use of online medical treatment platforms and tools, and the deepening application of medical AI, healthcare enterprises face unique issues and challenges in complying with these new data and cybersecurity regulations.


JunHe provides legal services on data protection and cybersecurity to a number of life health and medical companies, based on the latest developments in the industry. The breadth and depth of legal services required by health and medical companies continue to expand. This includes the collection and usage of the personal information of patients and clients in daily business, compliance analysis for business cooperation, the drafting and revision of data transfer agreements, and daily staff training. There are also concerns around the use of third-party databases in pharmaceutical economics, the development of medical AI projects, and international cooperation on research and development. We have a wealth of experience in assisting companies to deal with legal issues in daily business, cutting-edge technologies and new business development, and we can assist companies in exploring their legal requirements and propose constructive solutions.


We Provide the Following Services:


Compliance advice on the special requirements for health and medical enterprises, and assisting in applying for government approvals, such as:

  • Conducting legal compliance analysis on data collection, data use and data sharing, etc., based on the requirements of population health information and health care big data, medical record management, human genetic resources information management, clinical trial quality management, biomedical research ethics management, etc.;

  • Drafting relevant informed consent forms for the collection of personal information and medical data in the course of daily business, in order to meet the regulatory requirements for the collection of medical and health data;

  • Providing legal advice on cooperation between Chinese and foreign medical projects and data exportation;

  • Providing advice on compliance and project approval requirements involving human genetic resources and assisting in obtaining government approval.


Draft, review and assist companies in negotiating data-related business agreements, such as:

  • Third-party data transfer agreements;

  • Data cooperation agreements;

  • Purchase agreements with suppliers of technology products or services, etc.


Conduct data due diligence and draft transaction documents for medical, pharmaceutical and health enterprises’ partnerships, investments and mergers and acquisitions:

  • Conduct data due diligence on all aspects including collection, use and ownership of data;

  • Draft transaction documents involved in the process of investment and M&A.


Compliance investigations

  • Provide advice and document reviews on data, cybersecurity and data export compliance for medical and pharmaceutical companies’ compliance investigations.


Compliance training

  • Assist in internal training for company management and employees regarding data protection and network security.

Recent Representative Cases

Multiple data and cybersecurity compliance projects


JunHe has provided services to many well-known pharmaceutical, medical, biotechnology and medical device companies. These services include drafting and reviewing data transfer agreements and clinical research collaboration agreements, drafting and reviewing individual informed consent documents, pharmacoeconomic project compliance analysis, and drafting and reviewing related transaction documents. We have also provided internal training for employees on personal information and cybersecurity protection, CSL compliance, and compliance on data exports, cloud services and human genetic resource matters.


Strategic partnership between a renowned biotech company and a medical AI company


JunHe represented and provided legal advice to a prominent international biotechnology company on its technical cooperation with a high-profile domestic Internet company on the application of AI diagnostics. This included an analysis of key issues such as data collection, transmission and storage, personal information protection, use of human genetic resources information and medical devices.


Strategic investment by a well-known medical device group in a strategic medical AI project


JunHe represented a high-profile medical device group in entering into a strategic cooperation with a medical technology company on an AI assistance project, and we provided whole-process legal services including agreement drafting and execution, and advice on key issues related to data collection and personal information protection.


Investment in a medical imaging company by a renowned industrial instrumentation and equipment company


JunHe represented a leading industrial instrumentation and equipment multinational company in investigating a medical imaging company, providing whole-process legal services including due diligence, agreement drafting and execution, and advice on key issues related to data collection and personal information protection.