Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAWS

Health & Medical · 医疗健康.

26 entries. The sector-specific layer for healthcare institutions and life sciences — healthcare-institution data security and personal-information protection, electronic medical records and population-health information, human genetic resources, and real-world clinical data — stacked on top of the general regime.

← All sectors / 全部分区

§ LAWS

Laws .

法律 · National People's Congress

  • § 01 · Basic Health Care Law

    Basic Medical and Health Care and Health Promotion Law of the People's Republic of China

    中华人民共和国基本医疗卫生与健康促进法

    China's foundational health-sector statute, enacted by the NPCSC on 28 December 2019 and effective from 1 June 2020, establishes the architecture of the national health-care system across 10 chapters and 110 articles — covering basic medical and public-health services, health-care institutions, medical personnel, drug supply, health promotion, funding, and supervision. For data-compliance purposes the central provision is Article 92, which lays down a sector-specific protection regime for citizens' personal health information (公民个人健康信息) that operates as an overlay on PIPL: it prohibits any organisation or individual from unlawfully collecting, using, processing, or transmitting such information, or from unlawfully buying, selling, providing, or disclosing it. Article 102 makes disclosure of personal health information by medical personnel a disciplinary offence, and Articles 101 and 105 attach administrative and public-security penalties to inadequate information-security systems and unlawful data handling. Overseas counsel advising on health-data projects, clinical-trial data transfers, or digital-health deployments in China should read this law alongside PIPL and the Cybersecurity Law to identify the full stack of obligations.

    Standing Committee of the National People's Congress Effective 2020-06-01
  • § 02 · Drug Administration Law

    Drug Administration Law of the People's Republic of China (2019 Revision)

    中华人民共和国药品管理法(2019修订)

    The Drug Administration Law is China's foundational statute governing the research, manufacture, distribution, and use of drugs. The 2019 revision overhauled the regime around the marketing authorization holder (MAH) system, under which the holder bears full-lifecycle responsibility for a drug's safety, efficacy, and quality controllability. Although the law is predominantly product- and market-regulation in character, it contains discrete data-compliance touchpoints: a national drug traceability system, a pharmacovigilance and adverse-reaction reporting and monitoring regime, extensive production, inspection, and purchase-and-sale recordkeeping duties, and the use of clinical-trial and real-world data to support drug approvals. These provisions impose data integrity, retention, and reporting obligations on MAHs, manufacturers, distributors, and medical institutions.

    National People's Congress Standing Committee Effective 2019-12-01
§ ADMINISTRATIVE REGULATIONS

Administrative Regulations .

行政法规 · State Council

  • § 01 · Medical Devices Regulation

    Regulation on the Supervision and Administration of Medical Devices (2024 Revision)

    医疗器械监督管理条例(2024修订)

    The Regulation on the Supervision and Administration of Medical Devices is the State Council's foundational administrative regulation governing the research, manufacture, distribution, and use of medical devices on a risk-based, full-lifecycle basis. For data-compliance purposes it mandates the unique device identification (UDI) system to achieve device traceability (Article 38), requires registrants to build and operate product traceability and recall systems (Articles 20, 62), and establishes the adverse-event monitoring regime with a dedicated information network and mandatory reporting to monitoring technical institutions (Chapter V). It also requires registration applicants to ensure submitted data is lawful, authentic, accurate, complete, and traceable, and requires device-use records (including implant and large-equipment parameters) to be preserved in patient medical records and use archives.

    State Council Effective 2025-01-20
  • § 02 · HGR Regulation

    Regulation of the People's Republic of China on the Administration of Human Genetic Resources

    中华人民共和国人类遗传资源管理条例

    China's primary instrument governing the collection, preservation, utilization, and cross-border provision of human genetic resources (HGR), including both physical materials (organs, tissues, cells) and the data and information derived from them. Promulgated as State Council Decree No. 717 on 28 May 2019, effective 1 July 2019, and amended by the State Council Decision on Revising and Abolishing Certain Administrative Regulations dated 10 March 2024 (which transferred administrative authority from MOST to the National Health Commission). The Regulation prohibits foreign organizations, individuals, and their controlled entities from collecting or preserving China's HGR within the territory or providing it abroad, and requires Chinese-party collaboration for any international cooperative research; cross-border transfer of HGR materials and provision of HGR information to foreign parties are subject to approval, security review, and filing requirements. For overseas pharmaceutical, biotech, and clinical-research counsel this is the single most operationally significant instrument: it governs every phase of multinational clinical trials and genomic research that touches Chinese samples or data, and non-compliance carries fines of RMB 100 000–10 000 000 plus permanent debarment.

    State Council Effective 2019-07-01
  • § 03 · Medical Institutions Regulation · AMENDED

    Regulation on the Administration of Medical Institutions

    医疗机构管理条例

    A State Council administrative regulation first promulgated in 1994 that establishes the licensing, registration, and supervision framework for all medical institutions operating in China. It requires institutions to obtain and maintain an execution licence (or, for clinics, complete a filing), to practise within their registered scope, and to protect patients through informed-consent requirements and honest documentation — obligations that directly underpin the duty to safeguard medical records and patient personal information. The regulation was amended twice: in 2016 (State Council Decree No. 666) and in 2022 (State Council Decree No. 752, effective 1 May 2022), with the 2022 revision extending the clinic filing system and aligning the informed-consent standard with the Civil Code. For overseas counsel advising health-sector clients in China, this regulation is the foundational licensing instrument and provides the institutional context in which sector-specific health-data rules — including electronic medical-record standards and PIPL obligations for sensitive personal information — operate.

    State Council Effective 1994-09-01
§ DEPARTMENTAL RULES

Departmental Rules .

部门规章 · CAC, MIIT, MPS and others

  • § 01 · Healthcare Data Security & PI Measures

    Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial)

    医疗卫生机构数据安全和个人信息保护管理办法(试行)

    Issued jointly in February 2026 by five agencies — the National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration — this trial rule applies the Data Security Law, PIPL, and the Regulation on Network Data Security Management to healthcare institutions. The Measures establish a three-tier data classification and grading framework (core data, important data, and general data), impose full-lifecycle security management obligations (governance, personnel, operations, technology, and incident response), and set out a ten-item data security prohibition list and an eight-item personal information prohibition list covering unlawful collection, unauthorized cross-border transfers, excessive access, and misuse of facial recognition. It is the sector's primary data-compliance instrument and the reference point for overseas pharma, medtech, and hospital joint-venture operators navigating data sharing, cross-border transfers, AI deployment, and clinical research partnerships in China.

    National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration Effective 2026-02-12
  • § 02 · Health & Medical Big Data Measures

    Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial)

    国家健康医疗大数据标准、安全和服务管理办法(试行)

    Issued by the National Health Commission on 12 July 2018 (document no. 国卫规划发〔2018〕23号), these Measures declare health and medical big data a fundamental national strategic resource and establish a comprehensive governance framework across three pillars: standards management, data security, and service management. Mandatory domestic storage within PRC territory is required, and cross-border transfer of health and medical big data is subject to a security assessment and approval process. Responsible units — including hospitals, health-information platforms, and enterprises — must implement the national Multi-Level Protection Scheme (MLPS), establish electronic real-name authentication and access-control systems, maintain full-process audit trails, and report major cybersecurity incidents. The Measures predate but directly feed into the Data Security Law and the Personal Information Protection Law and remain the primary sector-specific rule governing Chinese health data.

    National Health Commission Effective 2018-07-12
  • § 03 · Healthcare Cybersecurity Measures

    Measures for the Cybersecurity Management of Healthcare Institutions

    医疗卫生机构网络安全管理办法

    Issued jointly in August 2022 by the National Health Commission (NHC), the National Administration of Traditional Chinese Medicine (NATCM), and the National Disease Control and Prevention Administration (NDCPA), these Measures translate the Cybersecurity Law and the Multi-Level Protection Scheme (MLPS) into sector-specific obligations for every healthcare institution operating a network in China. They establish a graded classification and protection framework, fix the institution as the primary responsible party for cybersecurity, and impose tailored security requirements for emerging technologies including cloud computing, IoT, internet-based diagnosis, facial recognition, and cross-border data flows. A dedicated data security chapter covers the full data lifecycle — from lawful collection through encrypted storage and transmission to irreversible destruction — with a hard data-localization rule and a requirement to submit national security review filings for processing activities that affect or may affect national security. Overseas counsel advising on digital-health investments, telemedicine joint ventures, or health-data export transactions will find these Measures to be the primary sector law governing operational cybersecurity and data security obligations for Chinese healthcare entities.

    National Health Commission, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration Effective 2022-08-08
  • § 04 · Population Health Information Measures

    Measures for the Administration of Population Health Information (Trial)

    人口健康信息管理办法(试行)

    Issued by the National Health and Family Planning Commission in May 2014 under Document No. 国卫规划发〔2014〕24号, these Measures govern the collection, storage, management, use, and security protection of population health information by all health and family-planning service institutions. The Measures define population health information, establish a 'one data point, one source' collection principle, and—crucially—prohibit the storage of population health information on servers located overseas. They impose a system of classified information utilization, trace-management for all access and modification, and a liability-investigation mechanism for breaches. As one of China's earliest sectoral health-data localization rules, these Measures remain relevant for overseas counsel advising on health-tech investment, cross-border health-data transfers, and compliance due diligence under the layered framework that now includes PIPL and the Data Security Law.

    National Health and Family Planning Commission Effective 2014-05-05
  • § 05 · Shenzhen Health Data Measures

    Shenzhen Health Data Management Measures

    深圳市卫生健康数据管理办法

    Shenzhen's 2023 local rule operationalizes the Shenzhen Special Economic Zone Data Regulations specifically for the health sector, establishing a unified municipal health data platform (the Shenzhen Municipal Health Data Center) and a 'one-data-one-source' collection principle. The Measures introduce a five-tier health data classification — general health data, public health data, personal health data, sensitive personal health data, and data processing — and impose differentiated notice-and-consent, access-control, security, and retention rules that track PIPL's risk-proportionate approach. A dedicated chapter on data sharing and openness sets out consent-gated sharing of personal health data, unconditional sharing of basic public health information, and a three-tier public openness framework (unconditional / conditional / not open), with explicit prohibition on re-identification of shared data. Overseas counsel advising multinational hospitals, diagnostics companies, health-tech platforms, or life-sciences firms with Shenzhen operations must understand these Measures: they impose MLPS filing requirements, domestic-server storage for health data, six specific transmission-security measures including mandatory use of nationally certified cryptographic algorithms, and an annual data-security audit cycle — obligations that layer on top of PIPL and the DSL.

    Shenzhen Municipal Health Commission Effective 2024-01-01
  • § 06 · Medical Records Provisions

    Provisions on the Administration of Medical Records of Medical Institutions (2013)

    医疗机构病历管理规定(2013年版)

    These Provisions, jointly issued by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in November 2013 and effective from 1 January 2014, govern the creation, custody, access, copying, sealing, and retention of medical records (病历) in all medical institutions. Patients and their authorized agents, as well as deceased patients' statutory heirs, have a right to copy specified categories of their medical records; public security, judicial, insurance, and medical-malpractice appraisal bodies may access records on production of prescribed credentials. Outpatient records must be retained for at least 15 years and inpatient records for at least 30 years from the last visit or discharge. Medical institutions and their staff are strictly prohibited from leaking patients' medical record materials for any non-medical, non-teaching, or non-research purpose, making this instrument a foundational rule on health-data privacy that overseas counsel should read alongside PIPL Article 28 (sensitive personal information) and the Civil Code personal information chapter when advising on patient-data sharing, cross-border transfers of health data, or secondary use of clinical records in China.

    National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine Effective 2014-01-01
  • § 07 · EMR Information Use Notice

    Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions

    关于进一步加强医疗机构电子病历信息使用管理的通知

    Issued jointly on 23 June 2025 by the General Offices of the NHC, NATCM, and NDCPA (Document No. 国卫办医政函〔2025〕262号), this notice tightens the rules under which hospitals and other medical institutions may access, copy, and share electronic medical records (EMRs), embedding the PIPL purpose-limitation and minimum-necessary principles into the clinical records environment for the first time at this regulatory level. Key obligations include graded and role-based access controls, full end-to-end audit trails (with digital-watermark support), strict restrictions on secondary use for research or commercial purposes, mandatory confidentiality and authorization agreements with external IT vendors, and a requirement to freeze access to records when a patient becomes the subject of public-controversy media coverage. Provincial health authorities must incorporate EMR-information compliance into hospital accreditation reviews and smart-hospital evaluations, creating a direct enforcement lever for overseas counsel advising multinationals that process Chinese patient data for clinical trials, real-world evidence studies, or health-tech product development.

    General Office of the National Health Commission, General Office of the National Administration of Traditional Chinese Medicine, and General Office of the National Disease Control and Prevention Administration Effective 2025-06-23
  • § 08 · HGR Implementing Rules

    Implementing Rules for the Regulation on the Administration of Human Genetic Resources

    人类遗传资源管理条例实施细则

    MOST's 2023 implementing rules operationalize the 2019 State Council Regulation on the Administration of Human Genetic Resources, providing granular definitions, the step-by-step approval and filing system for collection, preservation, international research collaboration, and clinical trials, and the criteria for determining when an entity is a 'foreign-party-controlled' institution (境外组织或个人控制). The rules establish the cross-border information-provision regime — requiring advance reporting, information backup submission to MOST, and a security review for certain sensitive categories (e.g., whole-exome or genome sequencing data for 500 or more subjects) — and set out inspection powers, penalty-discretion standards, and administrative-enforcement procedures. Overseas life-sciences counsel care because the rules directly govern how global pharma, biotech, and genomics companies structure China clinical trials and collaborative research arrangements to avoid unlicensed cross-border transfer of human genetic resource information.

    Ministry of Science and Technology (MOST) Effective 2023-07-01
  • § 09 · Internet Diagnosis & Treatment Measures

    Notice Issuing the Measures for the Administration of Internet Diagnosis and Treatment (Trial) and Two Related Documents

    关于印发《互联网诊疗管理办法(试行)》等3个文件的通知

    Issued jointly by the National Health Commission and the National Administration of Traditional Chinese Medicine in July 2018, Document No. 国卫医发〔2018〕25号 establishes the foundational regulatory framework for internet-based healthcare in China through three companion instruments. The first document, the Measures for the Administration of Internet Diagnosis and Treatment (Trial), restricts online diagnosis to follow-up consultations for previously diagnosed common and chronic diseases, prohibits first-visit online diagnosis, and requires healthcare institutions to safeguard patient information, adopt Cybersecurity Multi-Level Protection Scheme Level 3, and immediately report data breaches to health authorities. The Internet Hospital Measures (Trial) sets licensing conditions for internet hospitals, mandates real-name identity authentication for medical staff, and imposes patient-privacy and information-security duties including prohibition on illegally selling or disclosing patient data. The Telemedicine Service Norms (Trial) governs inter-institutional telemedicine referrals, requires written informed consent, mandates real-name patient management, and obliges all participating parties to protect information security and patient privacy. Together these instruments are the gateway rules for any digital-health or telemedicine product operating in China: they determine which online medical services are lawful, what licensing is required, and how patient personal information and medical records must be handled and protected.

    National Health Commission and National Administration of Traditional Chinese Medicine Effective 2018-07-17
  • § 10 · Tongfang Management Provisions

    Provisions on Strengthening the Administration of Prescription-Volume Statistics (Tongfang) in Healthcare Institutions

    关于加强医疗卫生机构统方管理的规定

    Issued jointly by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in November 2014 (Document No. 国卫纠发〔2014〕1号) and effective January 1, 2015, these Provisions define and tightly restrict access to prescription-volume statistics (tongfang) — the statistical compilation of individual physicians' or departments' drug and medical-consumable usage volumes — in order to sever the data conduit through which pharmaceutical companies pay kickbacks to prescribers. Core obligations include access-control and least-privilege rules for hospital information systems, mandatory query-logging and anomaly review, binding confidentiality agreements with IT vendors, a categorical prohibition on disclosing individual or departmental tongfang data to pharmaceutical or device marketers, and a ban on linking clinician income to prescription volumes. An early health-sector data-access-governance and anti-corruption measure, these Provisions remain operative and are relevant to overseas pharmaceutical and medical-device companies operating in China: supplying, inducing, or receiving tongfang data constitutes a compliance risk under both these Provisions and China's anti-commercial-bribery rules.

    National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine Effective 2015-01-01
  • § 11

    Interim Measures for the Administration of Medical Institutions as Designated Medical Insurance Institutions

    医疗机构医疗保障定点管理暂行办法

    Issued as Order No. 2 of the National Healthcare Security Administration, these Interim Measures govern how medical institutions become and remain designated providers under China's basic medical insurance scheme. For data-compliance purposes, designation is conditioned on the institution's hospital information system meeting the technical and interface standards required to interface effectively with the medical-insurance information system and transmit all patient (treatment) data to it for direct online settlement (Articles 6 and 9). Designated institutions must report settlement statements and full settlement data—diagnoses, procedures, drug/consumable/service itemized costs, and physician/nurse identifiers—and bear responsibility for their authenticity (Article 21), while safeguarding the security of the medical-insurance-linked information system, complying with data-security rules, and protecting the privacy of insured persons (Article 24). The handling agency, in turn, publishes the medical-insurance information-system data sets and interface standards and is likewise bound by data-security and privacy obligations (Articles 34 and 35).

    National Healthcare Security Administration Effective 2021-02-01
  • § 12

    Measures for the Supervision and Administration of the Quality of Medical Device Use

    医疗器械使用质量监督管理办法

    This CFDA rule (Order No. 18) governs the quality management of medical devices at the point of use by hospitals and other using entities, covering procurement, acceptance, storage, use, maintenance, and transfer. It imposes detailed record-keeping and traceability obligations: incoming-inspection records, implantable-device usage records, and original records for Class III devices must be retained (in some cases permanently) to ensure information is traceable. The data-compliance touchpoints are the mandated traceability and recordkeeping systems, the encouragement of informatized (IT-based) quality management, and the requirement to monitor and log storage-environment data such as temperature and humidity.

    China Food and Drug Administration Effective 2016-02-01
  • § 13

    Measures for the Administration of Medical Device Recall

    医疗器械召回管理办法

    This CFDA rule (Order No. 29) establishes the recall regime for marketed medical devices, defining defective products, classifying recalls into three grades by severity of health hazard, and setting out both voluntary and ordered (mandatory) recall procedures. Manufacturers must build a recall management system, collect device-safety information, investigate and assess potential defects, and keep detailed recall-handling records (retained for five years after the registration certificate expires). The data-compliance touchpoints are the mandated safety-information collection and adverse-event monitoring systems, the investigation/assessment recordkeeping, and the public disclosure of defect and recall information.

    China Food and Drug Administration Effective 2017-05-01
  • § 14 · Large Medical Equipment Measures

    Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial)

    大型医用设备配置与使用管理办法(试行)

    Issued jointly on 22 May 2018 by the National Health Commission and the National Medical Products Administration (document no. 国卫规划发〔2018〕12号) under the Regulation on the Supervision and Administration of Medical Devices and the Administrative Licensing Law, these trial Measures govern the configuration (allocation) licensing and use of 'large medical equipment' — technically complex, high-cost devices placed on a managed catalogue. They establish a Class-A / Class-B catalogue with national versus provincial licensing, five-year configuration planning, a configuration-licence (one machine, one licence) regime, use-management obligations, and supervision through a configuration-and-use supervision information system. The data touchpoints are narrow but real: the configuration-management information system that operators must file equipment data into, the use/quality records and use archives that operators must maintain, and Article 33's requirement that operators build information-security safeguards for large-equipment use to ensure the security of the relevant information systems and of medical data. Credit-record (信用档案) consequences attach to misreporting and to certain licence lapses.

    National Health Commission Effective 2018-05-22
§ NATIONAL STANDARDS

National Standards .

国家标准 · GB/T, TC260

  • § 01 · EMR Application Specification

    Specification for the Application and Administration of Electronic Medical Records (Trial)

    电子病历应用管理规范(试行)

    Issued jointly by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in February 2017, this Specification sets out binding requirements for how healthcare institutions create, record, amend, use, store, and seal electronic medical records (EMRs) and the information systems that support them. It mandates unique patient identifiers, role-based access controls, reliable electronic signatures, full audit trails of every write and edit operation, minimum retention periods (15 years for outpatient records, 30 years for inpatient records), and a formal sealing procedure for litigation-related EMR preservation. As the principal companion to the paper-record rules and the Electronic Signature Law, it forms the baseline data-security and access-control framework for digitized health data — making it essential reading for overseas counsel advising on China health-data processing, clinical-trial data governance, and any cross-border transfer of patient records.

    National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine Effective 2017-04-01
  • § 02 · RWD Guiding Principles

    Guiding Principles for Real-World Data Used to Generate Real-World Evidence (Trial)

    用于产生真实世界证据的真实世界数据指导原则(试行)

    Issued by NMPA-CDE on 13 April 2021, these guiding principles establish the technical framework for assessing whether real-world data is fit for use in generating real-world evidence to support drug regulatory decisions in China. The principles catalogue the main sources of real-world data (hospital information systems, medical insurance claims, registry studies, pharmacovigilance data, cohort databases, and more), define a two-stage suitability assessment (source-data and post-curation stages), and impose detailed data governance, security, de-identification, and quality-management requirements. A dedicated chapter on personal information protection and data security requires de-identification of sensitive personal information and encryption across the full data lifecycle. For overseas pharmaceutical and medical-device regulatory counsel, the guidelines are the primary reference point when designing China real-world studies, because any real-world evidence submitted to NMPA must satisfy these standards, and non-compliance with the personal information and data-security provisions may jeopardise both study approval and data transfer out of China.

    Center for Drug Evaluation, National Medical Products Administration (NMPA-CDE) Effective 2021-04-13
  • § 03 · Hospital Informatization Standards

    National Standards and Norms for Hospital Informatization Construction (Trial)

    全国医院信息化建设标准与规范(试行)

    Issued on 2 April 2018 by the General Office of the National Health Commission (document no. 国卫办规划发〔2018〕4号), this trial standard defines the baseline build-out content and requirements for hospital informatization across China. It builds on the earlier 'Hospital Information Platform Application Function Guide' and 'Hospital Informatization Construction Application Technology Guide' and organizes 262 specific items into five chapters — business applications, information platform, infrastructure, security protection, and emerging technologies — with tiered requirements for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals. Chapter 4 (Security Protection) is the data-compliance core: it specifies functional requirements for data-center security, endpoint security, network security, and disaster-recovery backup, including firewalls, database audit and access control, intrusion detection/prevention, encryption gateways, data-leak prevention, and offsite backup. The full instrument is a large tabular technical standard; the page below translates the issuing notice in full and gives a structured English summary of the standard's security, network-security, and information-security functional requirements.

    National Health Commission; State Administration of Traditional Chinese Medicine Effective 2018-04-02
  • § 04 · Device GCP

    Good Clinical Practice for Medical Devices

    医疗器械临床试验质量管理规范

    Issued jointly by the NMPA and the National Health Commission (Announcement No. 28 of 2022) and effective May 1, 2022, this standard (Device GCP) governs the entire lifecycle of medical-device clinical trials (including in-vitro diagnostic reagents), from protocol design through monitoring, audit, inspection, and the collection, recording, retention, analysis, summarization and reporting of trial data. It places heavy emphasis on trial-data integrity — data must be authentic, accurate, complete and traceable, source data must be identifiable and changes tracked, and electronic data-capture systems must be validated with full permission management and audit trails. The data-compliance touchpoints are pervasive: subject-privacy protection and informed consent (with explicit confidentiality of subjects' personal data subject to defined access by regulators, the ethics committee, monitors and auditors), source-data/source-document traceability, electronic-records controls, and long-term retention of trial master files.

    National Medical Products Administration; National Health Commission Effective 2022-05-01
  • § 05 · Drug GCP

    Good Clinical Practice for Drugs (2020 Revision)

    药物临床试验质量管理规范(2020修订)

    Issued jointly by the NMPA and the National Health Commission (Announcement No. 57 of 2020) and effective July 1, 2020, this revised standard (Drug GCP) is the quality benchmark for the entire process of drug clinical trials — protocol design, organization and implementation, monitoring, audit, recording, analysis, summarization and reporting. It contains detailed requirements for trial-data management and integrity: source data must satisfy attributability, legibility, contemporaneousness, originality, accuracy, completeness, consistency and durability (ALCOA), changes must leave a trail, and electronic data-management/computerized systems must be validated with audit trails, access controls and data backup. The data-compliance touchpoints are extensive: protection of subject privacy and confidentiality of related information, use of a subject identification code in place of names, electronic-data and computerized-system controls, defined direct-access rights for monitors/auditors/the ethics committee/regulators, rules on transfer of data ownership, and long retention of essential documents.

    National Medical Products Administration; National Health Commission Effective 2020-07-01
  • § 06 · Telemedicine System Technical Guide

    Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition)

    远程医疗信息系统建设技术指南(2014年版)

    Issued in November 2014 by the National Health and Family Planning Commission, this technical guide is the normative reference document for designing, procuring, deploying, and accepting telemedicine information systems in China. Across eleven parts it sets out the principles, goals and tasks of telemedicine-system construction; a needs analysis covering user, business, functional, information, technical and information-security requirements; a four-layer design architecture (system, function, information, technical); a standards-and-security chapter; and detailed build-out specifications for national- and provincial-level telemedicine service and resource supervision centres and for service stations down to the township/community level. For data compliance, the relevant material is the information-security needs analysis (Part 3.6) and the information-security construction chapter (Part 5.2), which require patient-privacy protection, integrity and confidentiality of data in transmission and storage, local and offsite backup, security-domain isolation between hospital intranets and the telemedicine extranet, and an MLPS-aligned security architecture spanning physical, network, host, application, and data security plus five management domains. The document is a large technical guide; the page below is a structured English summary rather than a verbatim translation.

    National Health and Family Planning Commission Effective 2014-01-01
§ DRAFTS IN CONSULTATION

Drafts in Consultation .

征求意见稿

  • § 01 · Pharma-Data Supplier Credit-Compliance Rules (Draft) · DRAFT

    Implementing Rules for the Credit-Compliance Certification and Assessment of Pharmaceutical-Data Supplier Entities (Shenzhen Data Exchange — Draft / Redline)

    医药数据供方主体信用合规认证评估实施细则(深圳数据交易所·征求意见/红线稿)

    A DRAFT, self-regulatory certification rule from the Shenzhen Data Exchange (深圳数据交易所) — not a government regulation. The Exchange runs a 'supplier-entity credit-compliance certification' programme for participants in the data-element market; this instrument is the medical/health-data-specific implementing rule that sits beneath the Exchange's general certification guidance (《数据要素市场供方主体信用合规认证评估指引(通用)》). It applies to healthcare institutions seeking certification before they may supply medical-health data on the Exchange, and may be applied by reference by other entities that handle medical-health data. The rule layers medical-sector-specific requirements on top of the general guidance across three certification grades (A / AA / AAA): entity qualifications; a data-management-system build-out (governance, classification-grading into core/important/general data, physical and cryptographic security, storage and backup, monitoring and incident response, MLPS); and data-business compliance covering lawful sourcing, lawful internal processing (including dedicated EMR, medical-device, medical-insurance, clinical-trial, human-genetic-resources, and statistics rules), and lawful external circulation including cross-border transfer. The version translated below is the clean current text of a tracked-changes ('redline') V3 draft; each requirement carries a footnote citing the underlying Chinese law or rule. Because it is an Exchange certification standard rather than a binding legal instrument, it is a practical map of how the Shenzhen Data Exchange operationalizes China's health-data compliance regime for market participants, not a source of independent legal obligation.

    Shenzhen Data Exchange (深圳数据交易所)
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →