DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · HEALTHCARE DATA SECURITY & PI MEASURES

Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial).

医疗卫生机构数据安全和个人信息保护管理办法(试行)

Promulgated by: National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration. Document No.: 国卫规划发〔2026〕6号. Issued on February 12, 2026. Effective on the date of issuance.
Chapter I General Provisions

Article 1. These Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Law of the People’s Republic of China on Basic Healthcare and Health Promotion, the Regulation on Network Data Security Management, and other laws and administrative regulations, in order to regulate the administration of data security and personal information protection of healthcare institutions, promote the development of data and the reasonable utilization of personal information by healthcare institutions, protect the lawful rights and interests of individuals and organizations, and coordinate development and security.

Article 2. These Measures apply to the administration of data security and personal information protection by healthcare institutions.

“Data” as used in these Measures means any recording of information in electronic or other form.

“Healthcare institution data” as used in these Measures means various data collected and generated by healthcare institutions, including but not limited to clinical, scientific research, management, and other operational data, as well as data generated by medical equipment.

“Data processing activities” as used in these Measures include the collection, storage, use, processing, transmission, provision, and disclosure of data.

Personal information is a particularly important category of data; when personal information reaches a certain degree of precision or scale, it shall be managed in accordance with the requirements for data classification and grading and incorporated into the national catalogue of important data for priority protection.

Article 3. Under the unified deployment of the national data security work coordination mechanism, the National Health Commission, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration are responsible for the overall planning, guidance, assessment, and supervision of the administration of data security and personal information protection of healthcare institutions. Local health administrative authorities at or above the county level (including traditional Chinese medicine and disease control authorities, the same below) are responsible for the administration of data security and personal information protection of healthcare institutions within their administrative regions. Healthcare institutions are subject to supervision by health administrative authorities in accordance with the principle of territorial administration.

Article 4. A healthcare institution bears primary responsibility for the administration of data security and personal information protection in its own institution. Healthcare institutions at or above the county level shall establish a leading group for cybersecurity and informatization work, with the institution’s principal leader serving as the group head, and shall convene a data security and personal information protection meeting at least once per year to deploy data security and personal information protection work and to study and formulate relevant institutional norms.

The principal leader of a healthcare institution is the first person responsible for data security and personal information protection administration of the institution; the deputy leader in charge is the directly responsible person. In accordance with the principle of “whoever administers a business must administer security” and the principle of “whoever is in charge is responsible, whoever operates is responsible, whoever uses is responsible,” the respective duties of business departments and informatization departments within the institution shall be clarified, and the administration of data security and personal information protection of healthcare institutions shall be strengthened.

Chapter II Data Classification and Grading Protection

Article 5. In accordance with relevant laws and the requirements for data classification and grading in the healthcare sector, healthcare institution data is classified into core data, important data, and general data, and the classified and hierarchical protection system shall be implemented. Where data of different categories or grades are processed simultaneously and it is difficult to separately apply protective measures, protection shall be implemented in accordance with the requirements for the highest grade among them.

Article 6. Provincial-level health administrative authorities shall, in accordance with the requirements for data classification and grading in the healthcare sector, organize the classification and grading of healthcare institution data within their provinces, put forward proposals for specific catalogues of important data and core data, and report them to the National Health Commission; where the catalogue changes, it shall be updated and reported in a timely manner. Where health administrative authorities at each level confirm data as important data, they shall promptly notify healthcare institutions thereof.

Healthcare institutions shall periodically review their data, determine data categories, identify important data, and report to the local health administrative authority. The content of such reports shall include, but not be limited to, basic information such as the data source, category, grade, scale, purpose and method of processing, responsible party, cross-border transmission, and security protection measures, but shall not include the data content itself.

Article 7. After the grade of healthcare institution data has been determined, the grade shall be promptly changed if any of the following circumstances arises:

(1) a material change in the content of the healthcare institution data;

(2) no material change in the content of the healthcare institution data, but a material change in the scale, currency, application scenarios, or processing methods of the healthcare institution data; or

(3) any other circumstance requiring a change in the grade of the healthcare institution data.

Article 8. Derived data generated from healthcare institution data through de-identification, labeling, statistical analysis, aggregation, or other processing activities shall have its data grade re-assessed and determined on the basis of the grading of the original data.

Chapter III Full-Lifecycle Data Security Administration

Article 9. When conducting data and personal information processing activities, healthcare institutions shall comply with laws and regulations, fulfill their corresponding data security protection obligations, adhere to the principle of equal emphasis on data security and development, and through management and technical means ensure an effective balance between data security and data application of healthcare institutions. Through carrying out the following work, among other things, healthcare institutions shall ensure that their data is continuously in a state of effective protection and lawful and compliant utilization, and shall prevent unauthorized access and the leakage, tampering, or loss of personal information:

(1) Strengthening institutional safeguards. Healthcare institutions shall establish data security management systems, operating procedures, and technical norms, and shall, for data of different categories and grades, clarify specific protection requirements for each stage of collection, storage, use, processing, transmission, provision, and disclosure.

(2) Strengthening personnel safeguards. Healthcare institutions shall strengthen the development of their data security management personnel team, regularly carry out data security education and training, and raise all personnel’s awareness and capacity for data security and personal information protection.

(3) Strengthening management safeguards. Healthcare institutions shall strictly manage day-to-day data and personal information processing activities and clarify processing permissions. They shall, by themselves or by engaging a third-party assessment agency, regularly conduct security risk assessments of the institution’s data, promptly identify data security status, promptly rectify risk issues and eliminate hazards, and submit risk assessment reports to the local health administrative authority.

(4) Strengthening technical safeguards. In the stages of collection, storage, use, processing, transmission, provision, disclosure, and deletion of data, healthcare institutions shall, according to different scenarios, comprehensively employ technical means such as encryption, authentication, access control, de-identification, digital watermarking, verification, and auditing to provide security protection.

(5) Strengthening emergency safeguards. According to actual work conditions and the need to respond to data security incidents, healthcare institutions shall formulate and improve emergency response plans and regularly conduct drills.

(6) Other measures required by laws, administrative regulations, and other provisions.

Article 10. Healthcare institutions that process important data shall designate a person in charge of data security and a management body, implement data security protection responsibilities, conduct an annual risk assessment of their data processing activities, and submit risk assessment reports to health administrative authorities at the provincial level or above. Health administrative authorities shall promptly notify the cybersecurity authority and public security organs at the same level. Before providing, entrusting the processing of, or jointly processing important data, healthcare institutions shall conduct a risk assessment, except where such activities are carried out in performance of a statutory duty or a statutory obligation.

Where a healthcare institution provides important data to, or entrusts processing of important data to, another data handler, it shall, through a contract or other means, agree with the recipient on the purpose, method, and scope of processing, as well as security protection obligations, and shall supervise the recipient’s performance of its obligations.

Article 11. When storing and processing important data, healthcare institutions shall fulfill the requirements for Multi-Level Protection Scheme (MLPS) protection at Level 3 or above. When storing and processing core data, healthcare institutions that involve critical information infrastructure (CII) shall, on the basis of the MLPS system, fulfill the requirements for the protection of critical information infrastructure; those that do not involve critical information infrastructure shall fulfill MLPS Level 4 protection requirements. Where the content of healthcare institution data changes materially and requires a change in the data grade, the institution shall promptly conduct a re-grading and re-filing of MLPS protection as appropriate. Where laws, regulations, and national provisions require the use of commercial cryptography for protection, the relevant provisions on commercial cryptography protection shall be observed.

For activities involving the provision, transfer, or sharing of core data across different legal person entities, necessary security protection measures shall be taken, and the data recipient shall be informed to apply classified and hierarchical protection at the corresponding grade. Where the cumulative volume of core data so provided, transferred, or shared since January 1 of the current year may reach 30% or more of the static total volume of such core data at the end of the previous year, a risk assessment organized by the relevant department shall be applied for through the National Health Commission. Activities involving the lawful performance of duties by state organs, or internal flows within state organs or within enterprises and public institutions, are excepted.

When processing core data, healthcare institutions shall, on the basis of the requirements for important data protection:

(1) give priority to using commercial cryptography for protection;

(2) give priority to using secure and trusted products and services;

(3) give priority to engaging third-party assessment agencies to conduct risk assessments;

(4) retain logs related to the handling and tracing of core data security incidents for no less than three years; and

(5) submit personnel in key positions related to core data, and entities engaged in the construction and operation and maintenance of information systems involving core data, to national security background checks by public security organs and state security organs.

Article 12. On the premise of ensuring data security and in accordance with laws and regulations, healthcare institutions are supported in strengthening the security administration of data sharing and invocation: taking technical measures to periodically monitor data sharing and invocation; conducting audit analysis of operation logs for querying, downloading, modifying, and deleting data; promptly identifying non-compliant or abnormal behavior and taking corresponding response measures; and deploying authentication, threat alerting, and other security protection measures.

Article 13. Healthcare institutions are supported in strengthening the development and utilization of data elements, on the premise of ensuring data and personal information security and in accordance with laws and regulations.

Healthcare institutions shall establish and improve procedures for applications and approvals for data use, adhering to the principle of “whoever administers reviews,” and shall adhere to the principle of prior application and approval, in-process supervision, and post-event review, strictly following the work procedure of approval by the business department, verification by the institution’s leadership, and implementation support by the information technology department; where external provision of healthcare institution data is involved, approval shall be applied for in accordance with the relevant requirements to ensure that data activities are lawful and compliant. Healthcare institutions shall supervise the performance of security management responsibilities by data recipients.

Healthcare institutions are encouraged to promote the lawful, reasonable, and effective utilization of healthcare institution data through approaches such as “raw data does not leave the domain, data is usable but invisible, and data is controllable and measurable.”

Article 14. Healthcare institutions shall, in accordance with national provisions on the development and utilization of public data resources and the specifications for authorized operation of public data resources, explore the establishment of a mechanism for classified and graded authorized operation of data, incorporate authorized operation within the scope of collective decision-making by the institution’s leadership, clarify authorization conditions, operation modes, operation periods, exit mechanisms, and security management responsibilities, and authorize qualified operating institutions to carry out development, product operation, and technical services related to public data resources.

Article 15. Where health administrative authorities and other state organs collect and use data in performing their statutory duties, they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by laws and administrative regulations. Where laws, administrative regulations, and national provisions expressly permit healthcare institutions to refuse the repeated collection of healthcare institution data by other administrative departments, healthcare institutions may refuse to allow the relevant organization or individual to collect healthcare institution data beyond the scope and limits necessary for the performance of statutory duties.

Health administrative authorities at each level shall, in accordance with the Data Security Law of the People’s Republic of China and other laws, administrative regulations, and national provisions, genuinely fulfill their sector supervision duties, strengthen centralized administration of data collection from healthcare institutions, establish and improve mechanisms for the sharing and joint use of healthcare institution data, and strengthen inter-departmental data sharing; healthcare institution data already collected by national and local health information platforms and infectious disease monitoring, warning, and emergency command platforms at each level shall, as a rule, be shared through cross-departmental sharing and exchange.

Healthcare institutions shall promptly report to the local health administrative authority on the external provision of healthcare institution data. Local health administrative authorities shall, in accordance with laws and regulations, strengthen the administration of data submission by healthcare institutions, and focus on managing circumstances that violate relevant provisions, such as the repeated collection and over-scope collection of healthcare institution data.

Article 16. Where a healthcare institution entrusts others to process, or jointly processes with others, healthcare institution data, data security responsibilities shall not change as a result of entrustment. Healthcare institutions shall, through strict approval procedures, clarify the data processing permissions and protection responsibilities of the entrusted party, and supervise the entrusted party’s performance of data security protection obligations.

Where cloud computing services are used to process healthcare institution data, a cloud computing service that has passed the cloud computing service security assessment shall be selected, and the requirements of these Measures shall simultaneously be observed.

As a rule, health administrative authorities shall not entrust academic societies or associations with collecting data from healthcare institutions; where such entrustment is genuinely necessary, it shall pass the comprehensive deliberation of the data management body of the health administrative authority and be reviewed and approved by the leading group for cybersecurity and informatization work of the health administrative authority at the same level.

Article 17. Healthcare institutions shall, in writing, agree with relevant entities involved in the construction, operation, and maintenance of their information systems, and with relevant medical equipment manufacturing and business enterprises that store healthcare institution data, on the obligations and responsibilities of each party, and shall implement a system of accountability.

Article 18. Healthcare institutions shall, in accordance with business work needs and the principle of minimum authorization, set data processing permissions according to job responsibilities, control the range of persons who may access data, and promptly adjust permissions when personnel changes occur.

Article 19. Important data processing activities shall record and maintain logs necessary for data security. For logs related to the handling and tracing of security incidents, the retention period shall be no less than one year; for logs related to the provision of important data to others, entrusted processing, or joint processing of important data, the retention period shall be no less than three years.

Article 20. When healthcare institutions use new technologies such as artificial intelligence (AI) to process healthcare institution data, they shall assess the security risks brought by the use of such new technologies and take necessary technical measures to strengthen data security protection.

Article 21. Where a healthcare institution needs to transfer or destroy healthcare institution data as a result of a merger, division, dissolution, or declaration of bankruptcy, it shall take necessary security protection measures and report the data disposal plan to the local health administrative authority in advance. Where the change causes a change in the catalogue of healthcare institution data, it shall promptly report to the local health administrative authority.

Article 22. Healthcare institutions shall strengthen the full-lifecycle administration of healthcare institution data. Healthcare institutions and their personnel shall not engage in any of the following acts:

(1) Unlawfully collecting healthcare institution data. Healthcare institutions shall strengthen the lawfulness administration of data collection, clarify the primary responsibilities of business departments and management departments in the lawfulness of data collection, and shall not collect data beyond the prescribed scope or steal or collect data through other unlawful means.

(2) Unlawfully storing healthcare institution data. Important data collected and generated by healthcare institutions within the territory of China shall be stored within the territory of China, and shall be subject to security measures such as backup and encryption to strengthen storage security.

(3) Unlawfully transmitting healthcare institution data. On the basis of data classification and grading, healthcare institutions shall further clarify the encrypted transmission requirements for data of different security grades, and shall not transmit core data, important data, or sensitive data through email, cloud storage, social software, or similar means. Interface security controls shall be strengthened during transmission, and preventive measures such as data de-identification, data encryption, and link encryption shall be applied to ensure security during transmission through interfaces and prevent data theft.

(4) Unlawfully providing healthcare institution data outside the territory of China. Where healthcare institution data genuinely needs to be provided outside the territory of China, and falls within one of the circumstances provided in Article 7 of the Provisions on Promoting and Regulating Cross-Border Data Flows of the Cyberspace Administration of China, the healthcare institution shall first conduct a self-assessment, obtain approval by the institution’s leading group for cybersecurity and informatization work or the leadership team, and report to the local health administrative authority for review and approval, after which the provincial-level cybersecurity authority shall apply to the national cybersecurity authority for a Data Export Security Assessment of healthcare institution data. Healthcare institution data collected and generated in academic cooperation activities that is provided outside the territory of China and does not contain personal information, sensitive data, or important data is exempt from the obligations to apply for a Data Export Security Assessment, enter into a Standard Contract for cross-border transfer of personal information, or obtain Personal Information Protection Certification.

(5) Using healthcare institution data beyond authorized scope. Healthcare institutions shall strictly define the permissions of different personnel, strengthen the administration of application and approval procedures in the course of data use, strengthen log retention and administration, and shall not tamper with or delete logs; they shall ensure that data is used within a controlled scope and prevent unauthorized data use. Data-using departments and data users shall strictly use data in accordance with the stated purpose and scope of application, and shall be responsible for data security. Non-institutional personnel shall not perform remote operation and maintenance of information systems or medical equipment without supervision.

(6) Processing healthcare institution data without authorization. Without authorization from the healthcare institution, personnel engaged in information system construction and operation and maintenance shall not process healthcare institution data. During the period of construction and operation and maintenance, data collected and generated shall not be used for other purposes without authorization; after services are completed, data shall be returned or destroyed in accordance with the agreement. Entities undertaking information system construction and operation and maintenance projects shall not subcontract or subdivide the work without approval.

(7) Providing healthcare institution data without approval. Without approval from the institution’s leading group for cybersecurity and informatization work or the leadership team, no department or individual may transmit undisclosed information and healthcare institution data outside the healthcare institution, or disclose it in any manner.

(8) Casually disclosing healthcare institution data. Before disclosing healthcare institution data, healthcare institutions shall analyze and assess the possible impact on national security, economic and social security, the public interest, personal information security, and healthcare institution operations; data that has a significant impact shall not be disclosed.

(9) Disposing of or repurposing equipment without destroying healthcare institution data. Before equipment is scrapped or repurposed, healthcare institutions shall completely erase data in accordance with the technical requirements for clearing information from electronic products; equipment shall not be directly scrapped or transferred to other use without processing.

(10) Concealing healthcare institution data security incidents. When a healthcare institution experiences a data security incident, it shall immediately activate its emergency response plan, take measures to prevent the harm from expanding, eliminate security hazards, and report to the local health administrative authority and other competent authorities in accordance with prescribed requirements.

Chapter IV Data Security Monitoring, Early Warning, and Emergency Response

Article 23. The National Health Commission shall establish and improve a risk monitoring and early warning mechanism for data security of healthcare institutions, organize the formulation of standards and norms for monitoring and early warning of healthcare institution data security, make integrated use of technical means for monitoring and early warning of healthcare institution data security, possess capabilities for monitoring, early warning, response, and tracing, and strengthen information sharing with relevant departments.

Local health administrative authorities shall establish and improve a risk monitoring and early warning mechanism for data security of healthcare institutions in their regions, organize the monitoring of data security risks in healthcare institutions, release early warning information in a timely manner in accordance with relevant provisions, and guide healthcare institutions to take responsive measures in a timely manner.

Healthcare institutions shall establish mechanisms for risk monitoring, early warning, and emergency response regarding data security, obtain information on application vulnerabilities in information systems in a timely manner through channels such as the national information security vulnerability sharing platform, and prevent security risks such as the tampering, leakage, or loss of healthcare institution data through technical measures such as patch upgrades, configuration updates, and system hardening.

Article 24. The National Health Commission shall establish and improve a mechanism for reporting and sharing information on healthcare institution data security risks, uniformly collect, analyze, assess, and report information on healthcare institution data security risks and hazards, and encourage industry organizations, security service agencies, research institutes, and others to report and share healthcare institution data security risk information.

Local health administrative authorities shall promptly aggregate and analyze data security risks and hazards of healthcare institutions in their regions, and shall report to the National Health Commission risks and hazards that may cause important data or core data security incidents.

Healthcare institutions shall promptly report to the local health administrative authority risks and hazards that may cause important data or core data security incidents.

Article 25. The National Health Commission shall formulate emergency plans for data security incidents in the healthcare sector and conduct emergency drills, and shall guide emergency response work for security incidents involving important data and core data.

Local health administrative authorities shall respectively organize emergency response work for healthcare institution data security incidents in their regions. Security incidents involving important data and core data shall be immediately reported to the National Health Commission, and the development of the incident and the status of response work shall be reported in a timely manner.

Healthcare institutions shall formulate emergency plans for data security incidents and regularly organize drills. After a healthcare institution data security incident occurs, emergency response shall be promptly conducted in accordance with the emergency plan; security incidents involving important data and core data shall be promptly reported to the local health administrative authority, and a summary report shall be promptly prepared after the security incident has been handled. When a healthcare institution data security incident occurs, users shall be promptly notified, measures shall be taken to avoid or mitigate harm, and the local health administrative authority shall simultaneously be informed.

Chapter V Personal Information Protection

Article 26. Healthcare institutions shall, in accordance with the requirements of the Administrative Measures for Personal Information Protection Compliance Audits, conduct personal information protection compliance audits regularly, either by themselves or by engaging a specialized agency.

Article 27. When a healthcare institution entrusts the processing of personal information, it shall conduct a Personal Information Protection Impact Assessment (PIPIA) in advance and enter into an entrustment agreement and a confidentiality agreement with the entrusted party, specifying the scope, purpose, duration, and method of the entrusted processing, the categories of personal information, protective measures, and the rights and obligations of both parties, and shall supervise the performance of the agreement. The entrusted party shall process personal information in accordance with the agreement and shall not process personal information beyond the agreed purpose and method of processing. Where the entrustment agreement does not take effect, is void, is rescinded, or is terminated, the entrusted party shall return the personal information to the healthcare institution or delete it, and shall not retain it. Without the consent of the personal information handler, the entrusted party shall not sub-entrust the processing of personal information to others. The entrusted party shall conduct pre-employment training and departure reviews for its personnel.

Article 28. Where a healthcare institution uses new technologies such as artificial intelligence in the course of operations, and patient medical records and other personal information are involved, it must ensure the security of that personal information.

Article 29. Healthcare institutions shall strengthen the protection of personal information. Healthcare institutions and their personnel shall not engage in any of the following acts:

(1) Unlawfully processing personal information. Healthcare institutions and their personnel shall not unlawfully collect, store, use, process, transmit, provide, disclose, or delete personal information, shall not illegally buy, sell, provide, or publicly disseminate personal information, and shall not engage in personal information processing activities that endanger national security or the public interest.

(2) Unlawfully collecting personal information. Healthcare institutions shall, in collecting personal information, follow the principles of lawfulness, legitimacy, necessity, and good faith, and shall not collect personal information through deceptive, fraudulent, or coercive means.

(3) Collecting personal information beyond the prescribed scope. Healthcare institutions shall, in collecting personal information, have a clear and reasonable purpose, which shall be limited to the minimum scope necessary to achieve the processing purpose, and shall not excessively collect personal information.

(4) Accessing personal information beyond authorized scope. Healthcare institutions shall adopt effective measures and technical means, implement strict identity authentication, and prevent the unlawful querying or retrieval of patient personal information by unrelated persons. They shall formulate authorization rules and, through a combination of scenario management and personnel management, clarify the lawful access situations in healthcare, teaching, scientific research, and public health emergencies, and shall not unlawfully access personal information; they shall strengthen the management of personal information of special groups such as pregnant and parturient women, newborns, HIV/AIDS patients, persons with mental disorders, deceased persons and their survivors, and public figures. Dynamic authorization management shall be implemented by distinguishing different positions and personnel, and the permissions of personnel who have left their positions or been transferred shall be promptly revoked. The use of authorization management, log archiving, digital watermarking, and other technologies for managing access permissions is encouraged, so that every operation on personal information leaves a trace and the operation, its time, and the operating personnel are queryable and traceable.

(5) Unlawfully providing personal information. Without the consent of the individual or the individual’s guardian, healthcare institutions and their personnel shall not provide personal information such as an individual’s name, date of birth, identity document number, biometric information, address, telephone number, or location trajectory beyond what is necessary for work, except as otherwise provided by laws or administrative regulations, such as for responding to public health emergencies or for purposes necessary to protect the life and health of a natural person in an emergency. Information provided in the course of state organs performing their statutory duties shall not exceed the scope and limits necessary for the performance of such statutory duties.

(6) Unlawfully disclosing personal information. Healthcare institutions shall not display patients’ personal names, identity document numbers, telephone numbers, or other personal information in public areas such as electronic display screens; where genuinely necessary for business purposes, de-identified display shall be used. Without the consent of the individual, patient personal information shall not be disclosed in news reports, public lectures, social media, academic papers, scientific research, or similar contexts. Patient personal information shall not be transmitted through messaging software, social media, or similar means, and patient personal information shall not be disclosed through photography, screenshots, or similar means.

(7) Unlawfully providing personal information outside the territory of China. Where a healthcare institution genuinely needs to provide personal information outside the territory of China for business or other reasons, it shall meet the conditions prescribed in Article 38 of the Personal Information Protection Law of the People’s Republic of China, and shall inform the individual of the name or personal name and contact information of the overseas recipient, the purpose and method of processing, the categories of personal information, and the method and procedure for the individual to exercise relevant rights against the overseas recipient, and shall obtain the separate consent of the individual.

(8) Misusing facial information. When applying facial recognition technology to verify personal identity or identify specific individuals, priority use of channels such as the national population basic information database and the national network identity authentication public service is encouraged. Where there are other non-facial-recognition technical means to achieve the same purpose or meet the same business requirements, healthcare institutions shall not use facial recognition technology as the sole verification method. Where an individual does not consent to identity verification through facial information, the healthcare institution shall provide other reasonable and convenient methods. Except as otherwise provided by laws and regulations or with the individual’s separate consent, facial information shall be stored within facial recognition devices and shall not be transmitted externally via the internet.
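Item (4) above is the one prohibition that amounts to a technical control: authenticate the operator, decide access from the scenario (treatment, teaching, research, public health emergency) combined with the person's role and relationship to the patient, apply extra gating for special-group records, revoke promptly on departure, and keep every operation queryable and traceable. The following Python sketch is an added illustration of how such a policy engine and audit trail fit together; it is not part of the Measures and not any institution's system. The roles, scenario names, the "sensitive-access grant", the approval identifier, the hash-chained audit log, and all sample staff and patients are constructed assumptions.

```python
"""Scenario + personnel authorization for patient-record access with a
tamper-evident, queryable audit trail. Added illustration; all names,
roles, scenarios and sample data are constructed assumptions."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import hashlib
import json

SPECIAL_GROUPS = {"pregnant", "newborn", "hiv", "mental_disorder", "deceased", "public_figure"}
CLINICAL_ROLES = {"physician", "nurse"}
ACADEMIC_ROLES = {"physician", "researcher"}
EMERGENCY_ROLES = {"cdc_officer"}  # assumed role for public health emergency access


@dataclass
class Staff:
    staff_id: str
    role: str
    active: bool = True         # False after departure/transfer: permissions revoked
    sensitive_ok: bool = False  # assumed extra grant for special-group records


@dataclass
class Patient:
    patient_id: str
    treating_staff: set = field(default_factory=set)  # current care team
    groups: set = field(default_factory=set)          # subset of SPECIAL_GROUPS


@dataclass
class AuditEntry:
    ts: str; staff_id: str; patient_id: str; scenario: str
    decision: str; reason: str; prev_hash: str; entry_hash: str = ""


class AccessPolicy:
    """Decides access to an identified patient record and logs every decision."""

    def __init__(self):
        self.staff, self.patients, self.audit = {}, {}, []

    def add_staff(self, s): self.staff[s.staff_id] = s
    def add_patient(self, p): self.patients[p.patient_id] = p

    def revoke(self, staff_id):
        # Disable rather than delete, so earlier log entries stay attributable.
        self.staff[staff_id].active = False

    def _evaluate(self, staff_id, patient_id, scenario, approval_id):
        s, p = self.staff.get(staff_id), self.patients.get(patient_id)
        if s is None or not s.active:
            return "DENY", "no active account"
        if p is None:
            return "DENY", "unknown patient"
        if scenario == "treatment":
            if s.role not in CLINICAL_ROLES or staff_id not in p.treating_staff:
                return "DENY", "no treating relationship"
            decision, reason = "ALLOW", "member of current care team"
        elif scenario in ("teaching", "research"):
            if s.role not in ACADEMIC_ROLES:
                return "DENY", "role not permitted for academic access"
            if approval_id is None:
                return "ALLOW_DEIDENTIFIED", "no approval: de-identified view only"
            decision, reason = "ALLOW", f"approval {approval_id}"
        elif scenario == "public_health_emergency":
            if s.role not in EMERGENCY_ROLES:
                return "DENY", "role not permitted in emergency scenario"
            decision, reason = "ALLOW", "public health emergency"
        else:
            return "DENY", "unknown scenario"
        # Identified access to a special-group record needs the extra grant.
        if p.groups & SPECIAL_GROUPS and not s.sensitive_ok:
            return "DENY", "special-group record requires sensitive-access grant"
        return decision, reason

    def decide(self, staff_id, patient_id, scenario, approval_id=None):
        decision, reason = self._evaluate(staff_id, patient_id, scenario, approval_id)
        prev = self.audit[-1].entry_hash if self.audit else "0" * 64
        e = AuditEntry(datetime.now(timezone.utc).isoformat(), staff_id, patient_id,
                       scenario, decision, reason, prev)
        e.entry_hash = self._digest(e)   # chain: each entry commits to the previous one
        self.audit.append(e)
        return decision

    @staticmethod
    def _digest(e):
        body = asdict(e); body.pop("entry_hash")
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def trace(self, patient_id):
        """Who touched this record, when, in which scenario, with what outcome."""
        return [(e.ts, e.staff_id, e.scenario, e.decision)
                for e in self.audit if e.patient_id == patient_id]

    def verify_chain(self):
        prev = "0" * 64
        for e in self.audit:
            if e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def run_demo():
    pol = AccessPolicy()
    pol.add_staff(Staff("dr_li", "physician", sensitive_ok=True))
    pol.add_staff(Staff("nurse_wang", "nurse"))
    pol.add_staff(Staff("res_zhao", "researcher"))
    pol.add_staff(Staff("cdc_chen", "cdc_officer", sensitive_ok=True))
    pol.add_patient(Patient("P001", {"dr_li", "nurse_wang"}, {"hiv"}))
    pol.add_patient(Patient("P002", {"dr_li", "nurse_wang"}))
    results = {
        "treating_doc": pol.decide("dr_li", "P001", "treatment"),
        "nurse_special_group": pol.decide("nurse_wang", "P001", "treatment"),
        "nurse_plain": pol.decide("nurse_wang", "P002", "treatment"),
        "research_no_approval": pol.decide("res_zhao", "P002", "research"),
        "research_approved": pol.decide("res_zhao", "P002", "research", "IRB-2026-017"),
        "researcher_treatment": pol.decide("res_zhao", "P002", "treatment"),
        "cdc_emergency": pol.decide("cdc_chen", "P001", "public_health_emergency"),
        "unknown_scenario": pol.decide("nurse_wang", "P002", "marketing"),
    }
    pol.revoke("dr_li")  # departure: same request is now refused
    results["after_revocation"] = pol.decide("dr_li", "P001", "treatment")
    return results, pol
```

The point of the example is the ordering: the account state is checked first, the scenario rule second, and the special-group gate last, so a clinician who is genuinely on the care team is still refused an HIV record without the extra grant. Denials are logged with the same hash chain as allows, which is what makes a later "who queried this patient" trace complete rather than only a record of successes.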

Chapter VI Supervision and Administration

Article 30. Where health administrative authorities at each level discover that healthcare institution data processing activities pose significant security risks or that data security incidents have occurred, they shall urge and guide healthcare institutions to promptly handle and rectify the situation.

Healthcare institutions shall promptly carry out security rectification and reinforcement, close loopholes, and eliminate risks in response to security vulnerabilities and hazards notified by health administrative authorities.

Healthcare institutions shall cooperate with the investigation and verification of healthcare institution data security incidents conducted by cybersecurity authorities and public security organs.

Article 31. Where local health administrative authorities at each level fail to fulfill the data security and personal information protection obligations prescribed in these Measures, their superior authorities shall order corrections; the directly responsible supervisors and other directly responsible personnel shall be subject to disciplinary sanctions in accordance with laws and regulations.

Article 32. Where a healthcare institution violates the provisions of the Law of the People’s Republic of China on Basic Healthcare and Health Promotion, and medical information is leaked due to inadequate medical information security systems or protective measures, the health administrative authority and other competent authorities of the people’s government at or above the county level shall order corrections, issue a warning, and impose a fine; in serious cases, the relevant professional activities may be ordered to cease, and the directly responsible supervisors and other directly responsible personnel shall be held legally liable in accordance with law.

Where personnel of a healthcare institution disclose citizens’ personal information, the health administrative authority of the people’s government at or above the county level shall impose administrative penalties in accordance with relevant laws and administrative regulations on the administration of licensed physicians, nurses, and personal information protection; personnel who are in healthcare institutions established by the government shall be subject to disciplinary sanctions in accordance with law.

Where acts such as unlawfully collecting, using, processing, or transmitting citizens’ personal health information, or unlawfully buying, selling, providing, or publicly disclosing citizens’ personal health information, constitute a violation of public security administration, public security administration penalties shall be imposed in accordance with law.

Article 33. Where, in violation of the provisions of the Civil Code of the People’s Republic of China, a patient’s privacy and personal information are disclosed, or a patient’s medical records are disclosed without the patient’s consent, tortious liability shall be borne.

Article 34. In accordance with the provisions of the Data Security Law of the People’s Republic of China, where health administrative authorities at each level discover, in performing their supervisory duties over healthcare institution data security, that data processing activities pose significant security risks, they may, in accordance with the prescribed authority and procedures, conduct a regulatory interview (yuetan) with the relevant healthcare institution and require the healthcare institution to take measures to rectify the situation and eliminate the hazard.

Where a healthcare institution violates the Data Security Law of the People’s Republic of China by failing to fulfill its prescribed data security protection obligations, or by providing important data outside the territory of China, it shall be handled pursuant to the relevant provisions of that Law.

Article 35. In accordance with the provisions of the Personal Information Protection Law of the People’s Republic of China, where health administrative authorities at each level, cybersecurity authorities, and public security organs discover, in performing their duties, that healthcare institutions pose significant risks or that personal information security incidents have occurred, they may, in accordance with the prescribed authority and procedures, conduct a regulatory interview (yuetan) with the legal representative or principal leader of the healthcare institution, or require the healthcare institution to engage a specialized agency to conduct a compliance audit of its personal information processing activities. Healthcare institutions shall take measures to rectify the situation and eliminate the hazard in accordance with the requirements. Where authorities performing duties of personal information protection, including health administrative authorities, discover violations of the Personal Information Protection Law of the People’s Republic of China in performing their duties, they shall handle the matter in accordance with the relevant provisions of the Personal Information Protection Law of the People’s Republic of China; where unlawful personal information processing activities are suspected to constitute a crime, the matter shall be promptly transferred to public security organs for handling in accordance with law.

Article 36. Any organization or individual has the right to lodge complaints and reports with authorities performing duties of personal information protection, including health administrative authorities, concerning unlawful personal information processing activities. Upon receiving complaints and reports, the authorities shall handle them in a timely manner in accordance with law and inform the complainant or reporting party of the outcome. Authorities performing duties of personal information protection, including health administrative authorities, shall publish their contact details for receiving complaints and reports.

Chapter VII Supplementary Provisions

Article 37. Data processing activities involving state secrets or work secrets shall be governed by the provisions of the Law of the People’s Republic of China on Guarding State Secrets and other relevant laws and administrative regulations.

Article 38. Healthcare institutions may formulate corresponding implementation rules in accordance with these Measures.

Article 39. These Measures shall be interpreted by the National Health Commission.

Article 40. These Measures shall come into force on the date of issuance.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

  • § 01 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification