DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ DOMAIN · HEALTH & MEDICAL DATA

Health & Medical Data.

医疗健康数据

China's health- and medical-sector data regime — the sector-specific overlay on PIPL, the Data Security Law, and the Network Data Security Regulation governing how healthcare institutions, life-sciences companies, and digital-health providers handle patient and population data.

The health and medical sector sits under a dedicated layer of data rules stacked on top of China’s general data-protection regime. This domain collects the instruments that overseas pharma, medtech, hospital, and digital-health operators must layer onto PIPL, the Data Security Law, and the Network Data Security Regulation: the 2026 Measures for Data Security and Personal Information Protection of Healthcare Institutions, the national health and medical big-data measures, healthcare cybersecurity rules, the electronic-medical-record and population-health-information regimes, the Human Genetic Resources regulation and its implementing rules (with their cross-border choke points), real-world clinical-data guidance, and the foundational Basic Medical and Health Care and Health Promotion Law.

Patient health information is sensitive personal information under PIPL Article 28, so the consent, minimization, retention, and security baselines run higher in this sector than in most. Several instruments here also impose localization and access-control duties specific to medical institutions, and the genetic-resources regime adds an approval-and-security-review layer that has no general-regime equivalent.

§ LAWS IN THIS DOMAIN

The legal corpus.

15 laws.

§ BRIEFS

In this domain.

1 brief.

  • § 01 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification