
“Guide for Healthcare Data Security” will come into effect on July 1st

2021.04.14 DONG, Xiao (Marissa), GUO, Jinghe, DONG, Junjie

On December 14, 2020, the State Administration for Market Regulation and the Standardization Administration of the People’s Republic of China jointly released the Information Security Technology - Guide for Healthcare Data Security (GB/T 39725-2020, hereinafter referred to as “the Guide”). The Guide will come into effect on July 1, 2021.


With the emergence of “Internet + Healthcare” platforms and the development of intelligent healthcare, the Guide aims to achieve several goals, including ensuring the confidentiality, integrity and availability of healthcare data, protecting personal information, safeguarding the public interest and national security, and promoting the utilization of healthcare data. The main content of the Guide is summarized as follows.


1. Classification System for Healthcare Data 


The Guide classifies the healthcare data categories, data levels, relevant roles, circulation and usage scenarios, and publicity formats, in order to differentiate and refine requirements for security measures regarding different scenarios and data.


Healthcare data. Healthcare data refers to personal healthcare data and the healthcare-related data processed from personal healthcare data, including overall analysis results for groups, trend predictions, disease prevention and treatment statistics. (Article 3.2). The Guide classifies healthcare data into the following categories and provides relevant examples:


Personal character data refers to data that can, alone or in combination with other information, identify a particular natural person, such as their name, ID card, and telephone number.


Health status data refers to data that can reflect a person’s health status or that is closely related to their health status, such as chief complaints, current medical history, test data and genetic counseling data.


Medical application data refers to data that can reflect the conditions of medical care, outpatient services, hospitalization, hospital discharge and other medical services, such as outpatient service records, inpatient service check-up reports and hospitalization records.


Medical payment data refers to cost-related data involved in medical or insurance services, such as medical insurance payment information, transaction amounts and insurance status.


Health resource data refers to data that can reflect the capabilities and characteristics of health service personnel as well as health plans and health systems, such as hospital basic data and hospital operational data.


Public healthcare data refers to data related to the public health of a country or region, such as environmental healthcare data, epidemic data of infectious diseases, and births and deaths data. (Article 6.1)


Levels of healthcare data. Healthcare data is classified into five levels, from low to high, based on the importance of the data, the level of risk, and the possible damage and impact on the data subject of the personal healthcare data.


Level 1: data that can be completely public and accessible, including the data that is publicly available.


Level 2: data that can be accessed on a larger scale. For example, the data that cannot identify personnel can be used for analysis by doctors in each department after being approved.


Level 3: data that can be accessed within a medium range and that may cause a medium degree of harm to the data subject of personal healthcare data if disclosed without authorization. For example, data that has been partially de-identified but may still be re-identified is limited to use within the authorized project group.


Level 4: data that can be accessed on a small scale and that may cause a high degree of harm to the data subject if it is disclosed without authorization. For example, data that can directly identify personnel is only accessible by medical care personnel involved in the medical practice.


Level 5: data that can be accessed and used only on a very small scale, under stringent restrictions, and that may cause a serious degree of harm to the data subject if disclosed without authorization. For example, detailed materials on certain diseases (such as AIDS and sexually transmitted diseases) are only accessible to the attending healthcare personnel and need to be strictly controlled. (Article 6.2)


The roles of related organizations or personnel. Related organizations or personnel can be classified into four different roles based on particular types of data and scenarios:


  • Subject of personal healthcare data (hereinafter referred to as “data subject”);
  • Controller: the organization or person who can determine the purpose, manner, and scope of the healthcare data processing;
  • Processor: the organization or person who collects, transmits, stores, uses, processes or discloses healthcare data on behalf of a controller, or who provides services of using, processing or disclosing healthcare data to a controller;
  • User: the organization or person who is neither the data subject nor the controller and processor but uses the healthcare data for a specific type of data in a specific scenario. (Article 6.3)


The logic of the above definitions is somewhat different from the definition of a personal information processor in the Civil Code and the Personal Information Protection Law (Draft) (“PIPL”), and to some extent refers to the classification standards of the European Union. The definition of “user” is newly introduced. It remains to be seen whether these definitions will be adjusted accordingly after the introduction of the PIPL.


2. The Principles of Use and Disclosure


Article 7 of the Guide stipulates 17 specific rules for the use and disclosure of healthcare data. For the collection and use of personal healthcare data, the Guide follows the principle of informed consent for the collection and use of personal information, but at the same time provides for relevant exceptions, the retrospective inquiry rights of individuals, provisions for data export and other innovative provisions. Healthcare is a highly ethical and professional area and it is difficult for patients to understand the specific security situations of data; therefore, the professional institutions and personnel shall undertake more responsibilities. These provisions reflect to some extent the need for greater flexibility and broader authorization to process personal healthcare data by medical institutions. However, whether the relevant authorizations will be approved by the government remains to be seen. These provisions are summarized as follows:


Using and disclosing personal healthcare data without personal authorization. The controller can use or disclose personal healthcare data without authorization from the data subject under the following circumstances: (1) when the data is provided to the data subject; (2) when treatment, payment or healthcare is provided; (3) when it is in the public interest or is required by law; (4) when the restricted data set is used for scientific research, medical/health education and public health purposes; “restricted data set” refers to a data set that has been partially de-identified but can still identify the data subject and therefore needs to be protected. In such circumstances, the controller may rely on legal requirements, professional ethics and professional judgment to determine which personal healthcare data is permitted to be used or disclosed. (Article 7.b) It remains to be seen whether these provisions will be consistent with the final version of the PIPL.


The controller can use treatment notes for treatment. After necessary de-identification processing, the controller can use or disclose the treatment notes for internal training and academic seminars in the absence of personal authorization. (Article 7.i) Article 10.2 provides the specific requirements and method advice for the de-identification process.


The above provisions appear to grant the controller the right to independently determine the use and disclosure of personal healthcare data in the course of diagnosis, treatment, payment and healthcare services. Further explanation may be needed to determine whether this conflicts with the principle of informed consent of personal information under the Civil Code and the PIPL.



Rights of data subjects. Article 7 of the Guide sets out the principles by which the data subject exercises his or her respective rights as data subjects, including the right to access and inquiry, the right to obtain a copy, the right of correction and supplement, the right of retrospective inquiry: namely, the right of a data subject to make a retrospective inquiry of the history of the use or disclosure of the data by a controller or its processor, with a minimum retrospective period of six years.


The controller decides on the use and disclosure of personal healthcare data. The data subject has the right to require the controller to restrict the use or disclosure of their personal healthcare data and to restrict the disclosure of information to relevant people in the course of diagnosis, treatment, payment and healthcare services. The controller is not obliged to agree to such restriction requests. But if the controller agrees, it will need to comply with the agreed restrictions unless otherwise required by law or in the case of a medical emergency. (Article 7.h)


Data utilization. Article 7 separately provides for the circumstances in which data is to be used (except for data export):


First, the use of the restricted data set. The controller can use the restricted data set for the purposes of scientific research, medical care services and public health after confirming the legality, legitimacy and necessity of the data use and the corresponding data security capability of the user, and after the user has signed a data use agreement and undertaken to protect the personal healthcare data in the restricted data set. Users can only use the data within the scope agreed by contract and assume responsibility for data security. After the purpose of use is fulfilled, the data should be returned, destroyed or otherwise disposed of in accordance with the controller’s requirements. Users cannot disclose the data to third parties without the controller’s permission. (Article 7.m)


Second, anonymized data. If the controller obtains personal healthcare data that cannot identify the individual based on the aggregation and analysis of healthcare data, the data is no longer personal information; however, its use and disclosure shall comply with other relevant laws of the state. (Article 7.n)


Third, the use of data platforms. It is suggested that the controller open data through a “data analysis platform” so as to strictly control use and disclosure when developing or cooperating on data with external parties.


Data export. The controller shall not store healthcare data in an overseas server and shall not host or lease overseas servers. If the controller needs to export corresponding data overseas for academic research purposes, the data can only be provided after the necessary de-identification and discussion and approval of the security committee and when the data is not confidential or important and there are more than 250 pieces of information, otherwise, it is advisable to make submissions to the relevant government departments for approval. Where no state secrets, important data or other data prohibited or restricted from being provided abroad are involved, the controller may provide the personal healthcare data to overseas destinations with authorization and consent from the data subject and after discussion, examination and approval by the data security committee. The accumulative data quantity should be controlled within 250 pieces of information; otherwise, it is advisable to make submissions to the relevant government departments for approval. (Article 7.o to 7.q)


Existing laws and regulations impose strict restrictions on the export of healthcare data. For example, the Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation) stipulate that healthcare big data shall be stored on safe and reliable servers within the territory of China, and shall go through security assessment and review according to relevant laws, regulations and requirements if it is necessary to provide such data abroad for business needs. The PIPL draft also provides a series of rules for the cross-border transfer of personal information. It remains to be seen whether the Guide’s provision allowing data to be provided abroad without government approval will constitute an exemption in practice.


3. Security Measures


Articles 8, 9 and 10 of the Guide provide guidance for the protection of healthcare data in terms of key points of security measures, security management and security technology.


Key points of security measures. The Guide requires that data shall be classified according to the need for data protection and that different security measures may be applied to different levels of data, with an emphasis on authorization management, identity authentication and access control management. Article 8 specifies security measures requiring particular attention for different data levels and data circulation scenarios, such as the data security measures for subject-controller data flow, controller-subject data flow, controller internal data use, controller-processor data flow, controller-controller data flow and controller-user data flow.


Security management. Article 9 stipulates that the controller should implement security measures, inspect their effect after implementation, and improve them. This covers the aspects of organization, process (including planning, implementation, inspection and improvement) and emergency response. The controller may establish the methods of data use and management according to Appendix C, examine and approve data applications according to Appendix D, sign the data processing (use) agreement with the processor (user) according to Appendix E, and conduct self-examination according to Appendix F.


According to this Article, relevant organizations shall establish continuous and effective compliance and management systems covering institutions, establishments, procedures and training as a whole, which is in line with the principles of the Personal Information Protection Law (Draft). Meanwhile, given the sensitivity of healthcare data, the Guide provides more detailed requirements in areas such as institutional setup, frequency of meetings, and process planning, which deserve enterprises’ attention and benchmarking.


Security technology. Article 10 provides guidance on common security techniques and de-identification. For example, for de-identification, the Guide lists recommended solutions for the de-identification of names, contact information, dates, dates of birth, ages, numbers and the numbers used within medical institutions. De-identification strategies, processes and results should be approved by the data security committee.
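As an added illustration of the de-identification step that Article 10.2 addresses (this is example code written for this note, not text or code from the Guide, and the specific choices below are this example's own assumptions: a keyed pseudonym in place of the name and the hospital-internal record number, suppression of contact information, generalization of dates to the year, and aggregation of ages of 90 and above into one bucket, in the style of the HIPAA safe-harbor rule the Guide references), the following Python shows one record passing through such a pipeline together with a post-check that none of the original direct identifiers survive in the output. The sample record is constructed and does not describe a real person.

```python
import hashlib
import hmac
import re

# Constructed sample record: not real patient data.
SAMPLE_RECORD = {
    "name": "Zhang San",
    "phone": "13800138000",
    "date_of_birth": "1932-05-17",
    "visit_date": "2021-03-02",
    "age": 88,
    "mrn": "MRN-0047213",      # hospital-internal medical record number
    "chief_complaint": "persistent cough for two weeks",
}

# Fields treated as direct identifiers in this example (assumption).
DIRECT_IDENTIFIERS = ("name", "phone", "mrn", "date_of_birth", "visit_date")


def pseudonym(value: str, project_key: bytes, prefix: str) -> str:
    """Keyed, deterministic token: the same input maps to the same token within one
    project (so a subject's records stay linkable), but the token cannot be reversed
    or cross-matched against another project without that project's key."""
    digest = hmac.new(project_key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def generalize_age(age: int) -> str:
    """Ages of 90 and above are rare enough to be identifying, so they are pooled."""
    return "90+" if age >= 90 else str(age)


def deidentify_record(record: dict, project_key: bytes) -> dict:
    """Return a new record with direct identifiers removed or generalized.
    Contact information is suppressed entirely; dates keep only the year."""
    return {
        # one token replaces both the name and the record number
        "subject_id": pseudonym(record["mrn"], project_key, "SUBJ"),
        "birth_year": record["date_of_birth"][:4],
        "visit_year": record["visit_date"][:4],
        "age": generalize_age(record["age"]),
        # free text is copied through; in practice it still needs review for embedded identifiers
        "chief_complaint": record["chief_complaint"],
    }


def contains_direct_identifier(deidentified: dict, original: dict) -> bool:
    """Post-check: does any original direct-identifier value reappear verbatim in the output?"""
    haystack = " ".join(str(v) for v in deidentified.values())
    for key in DIRECT_IDENTIFIERS:
        value = str(original[key])
        if value and re.search(re.escape(value), haystack):
            return True
    return False


if __name__ == "__main__":
    cleaned = deidentify_record(SAMPLE_RECORD, b"constructed-project-key")
    print(cleaned)
    print("identifier leak:", contains_direct_identifier(cleaned, SAMPLE_RECORD))
```

The project key is the sensitive element here: whoever holds it can regenerate tokens from known record numbers, so it belongs with the controller, not with the user receiving the restricted data set.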

                                     

4. Data Security in Typical Scenarios


Finally, based on the different data subjects and uses of the data, the Guide classifies data usage into different scenarios, including doctor access, patient queries, clinical research, secondary use, health sensor data, mobile application data, commercial insurance integration and medical device data. It provides specific recommendations for each of these scenarios. We take doctor access and clinical research as examples below:


Doctor access. Firstly, from the perspective of data classification, the data in the doctor access scenario can be classified into default, notification and authorization levels, corresponding to levels 2, 3 and 4 of the data classification. Secondly, the Guide specifies the roles and the allocation of authority for doctors, how to tag data based on its level and granularity, the identity authentication method and the data access methods. (Article 11.1)
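To make the doctor-access tiers concrete in relation to the five data levels of Section 1, here is an added example of an access-decision function with an audit log, written for this note and not taken from the Guide. The tier semantics are this example's assumptions: level 2 (default) is readable by doctors, level 3 (notification) is readable by a treating doctor with a duty to notify the patient, level 4 (authorization) additionally requires an explicit patient authorization, and level 5 is not served by this scenario at all. Every decision, granted or denied, is logged so the data subject's retrospective inquiry right (six-year minimum, per Section 2) can be answered; the `treating` attribute and the log API are likewise constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed mapping of the Guide's data levels to the doctor-access tiers it names.
TIER_BY_LEVEL = {1: "public", 2: "default", 3: "notification", 4: "authorization", 5: "restricted"}

# The Guide sets a minimum retrospective inquiry period of six years.
MIN_RETENTION = timedelta(days=6 * 365)


@dataclass
class AccessRequest:
    doctor_id: str
    patient_id: str
    field_name: str
    data_level: int                           # 1..5 as in Section 1 of the Guide
    treating: bool                            # doctor is involved in this patient's care (constructed attribute)
    authorization_id: Optional[str] = None    # reference to an explicit patient authorization, if any


@dataclass
class Decision:
    allowed: bool
    tier: str
    obligation: Optional[str]   # follow-up duty the system must discharge, e.g. "notify_patient"
    reason: str


@dataclass
class AuditEntry:
    when: datetime
    request: AccessRequest
    decision: Decision


class AccessLog:
    """Append-only record backing the data subject's retrospective inquiry right."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, request: AccessRequest, decision: Decision, when: Optional[datetime] = None) -> None:
        self._entries.append(AuditEntry(when or datetime.now(timezone.utc), request, decision))

    def retrospective_inquiry(self, patient_id: str, now: Optional[datetime] = None) -> List[AuditEntry]:
        """All access decisions about one patient within the retention window."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - MIN_RETENTION
        return [e for e in self._entries if e.request.patient_id == patient_id and e.when >= cutoff]


def evaluate(req: AccessRequest, log: AccessLog) -> Decision:
    """Decide one field-level access request and log the outcome, allowed or not."""
    tier = TIER_BY_LEVEL.get(req.data_level, "unknown")
    if tier == "public":
        d = Decision(True, tier, None, "level 1: public data")
    elif tier == "default":
        d = Decision(True, tier, None, "level 2: accessible to doctors by default")
    elif tier == "notification":
        if req.treating:
            d = Decision(True, tier, "notify_patient", "level 3: granted, patient must be notified")
        else:
            d = Decision(False, tier, None, "level 3: requester is not involved in the patient's care")
    elif tier == "authorization":
        if req.treating and req.authorization_id:
            d = Decision(True, tier, None, f"level 4: explicit authorization {req.authorization_id}")
        else:
            d = Decision(False, tier, None, "level 4: needs treating role and explicit authorization")
    else:
        d = Decision(False, tier, None, "level 5 or unknown: not served by the doctor-access scenario")
    log.record(req, d)   # denials are logged too, so the patient sees attempted access
    return d


if __name__ == "__main__":
    log = AccessLog()
    print(evaluate(AccessRequest("dr-1", "pt-1", "test_results", 3, treating=True), log))
    print(evaluate(AccessRequest("dr-2", "pt-1", "genetic_counseling", 4, treating=True), log))
    print(len(log.retrospective_inquiry("pt-1")), "entries for pt-1")
```

The point of returning an `obligation` rather than just a boolean is that the notification tier is not a pure allow/deny: the access is permitted only together with a side effect the system must actually carry out, and a policy engine that drops that duty silently downgrades level 3 to level 2.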


Clinical research. The Guide considers different types of clinical research, such as retrospective clinical studies, pre-clinical studies, basic clinical studies, applied clinical studies, clinical pathway studies, pre-market and post-market studies, clinical studies based on real-world data and studies involving artificial intelligence. The Guide also classifies the roles of the parties involved. For example, in the case of a retrospective clinical study, a sponsor needs to obtain past data from a clinical research institution to conduct studies on pharmaceutical/medical products and diagnostic and therapeutic solutions. The clinical research institution and the sponsor jointly play the role of the controller, and the trial subjects are the data subjects. The Guide sets protection requirements for the use of clinical research data from the perspectives of ethical review and informed consent, data classification, data collection, data transmission, data storage, data use, data release and sharing, and audit management. (Article 11.3)


5. Our Observation


The Guide provides localized recommendations for the use of healthcare data by combining references to foreign legislation and standards, such as the Health Insurance Portability and Accountability Act of the US, ISO 27799 and NIST SP 800-66, with consideration of domestic practices and standards. The Guide delves into everyday scenarios and makes a useful attempt to balance the protection of personal information against the utilization of healthcare data and compliance in the medical and health professions. On the one hand, the Guide provides a practical reference for healthcare data controllers taking security measures to protect relevant data. On the other hand, since the Guide is not mandatory, how its provisions, particularly those that differ from established laws or relevant drafts, will be implemented in practice is yet to be observed.

 

