DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.

Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial).

国家健康医疗大数据标准、安全和服务管理办法(试行)

Promulgated by: National Health Commission of the People’s Republic of China. Document No.: 国卫规划发〔2018〕23号. Adopted and promulgated on July 12, 2018. Effective July 12, 2018.


Chapter I: General Provisions

Article 1. These Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China and other laws, regulations, and relevant State Council documents, in order to strengthen the administration of health and medical big data services, promote the development of “Internet Plus Healthcare,” and give full play to the role of health and medical big data as an important foundational strategic resource of the State.

Article 2. In respect of the health and medical data generated within the territory of the People’s Republic of China by Chinese citizens, the State shall, on the basis of safeguarding citizens’ right to know, right to use, and right to privacy, administer, develop, and utilise such data in a regulated manner in accordance with requirements of national strategic security and the life safety of the people.

Article 3. These Measures adhere to the principles of people-centredness and innovation-driven development, orderly regulation and security with controllability, openness and integration, and co-building and sharing, in order to strengthen the standards management, security management, and service management of health and medical big data.

Article 4. For the purposes of these Measures, “health and medical big data” means data relating to health and medicine generated in the course of disease prevention and treatment, health management, and similar activities.

Article 5. These Measures apply to the administration of health and medical big data involving health administration authorities at the county level and above, medical and health institutions of all levels and types, and relevant entities and individuals.

Article 6. The National Health Commission, together with relevant departments, is responsible for the overall planning, guidance, assessment, and supervision of the standards management, security management, and service management of health and medical big data nationally. Health administration authorities at the county level and above, together with relevant departments, are responsible for the administration of health and medical big data within their respective administrative regions. Medical and health institutions and relevant enterprises and public institutions at all levels and of all types are the responsible units for the security and application management of health and medical big data.

Chapter II: Standards Management

Article 7. The standards management of health and medical big data shall follow the principles of policy guidance, enhanced supervision, classified guidance, and graded administration.

Article 8. The National Health Commission is responsible for the overall planning and organisation of national health and medical big data standards, and for organising the formulation of a planning framework for health and medical big data standards on the basis of existing foundational and general big data standards. Provincial health administration authorities are responsible for supervising, guiding, and evaluating the application of health and medical big data standards in their respective regions.

Article 9. The National Health Commission encourages medical and health institutions, research and educational entities, relevant enterprises, industry associations, and social organisations to participate in the formulation of health and medical big data standards. Citizens, legal persons, and other organisations may put forward proposals for the formulation or revision of standards.

Article 10. The National Health Commission is responsible for unified organisation and implementation, for the merit-based selection of drafting units and persons responsible for health and medical big data standards, and for promoting a multi-party participation and collaboration mechanism.

Article 11. The procedures and requirements for the drafting, review, and publication of health and medical big data standards shall be carried out in accordance with relevant national and industry rules.

Article 12. Health administration authorities shall strengthen the guidance and supervision of the implementation of health and medical big data standards, and establish long-term management mechanisms that incentivise and promote the application and implementation of standards.

Article 13. Health administration authorities shall establish incentive and constraint mechanisms for the production and procurement of standardised health and medical big data products, shall actively advance standardisation and assessment work, and shall link assessment results to the accreditation and evaluation of medical and health institutions.

Article 14. The National Health Commission shall strengthen the standards system and institutional development for health and medical big data technology products and service models, shall organise assessments of the effectiveness of standards application, and shall organise revision or repeal of standards according to the results of assessments.

Article 15. The National Health Commission shall, on the basis of the health standards management platform, dynamically manage the development and application of health and medical big data standards and shall conduct dynamic monitoring of the application of standards by medical and health institutions and enterprises and public institutions at all levels and of all types.

Chapter III: Security Management

Article 16. The security management of health and medical big data refers to security and management work in the multiple phases of data collection, storage, mining, application, operation, and transmission, encompassing the management of responsibilities and rights with respect to national strategic security, the life safety of the people, and the security of personal information.

Article 17. Responsible units shall establish and improve relevant security management systems, operating procedures, and technical specifications, shall implement the “first responsibility” (yibashou) system, and shall strengthen the development of a security-protection regime. The security, management, and use of health and medical big data involving State secrets shall be carried out in accordance with relevant national secrecy regulations.

Article 18. Responsible units shall adopt measures such as data classification, backup of important data, and encryption and authentication to ensure the security of health and medical big data, and shall establish a reliable data disaster-recovery and backup mechanism.

Article 19. Responsible units shall, in accordance with the requirements of the national Multi-Level Protection Scheme (MLPS) for cybersecurity, construct a trustworthy cybersecurity environment. Health and medical big data centres and relevant information systems shall carry out grading, filing, assessment, and other required work.

Article 20. Providers of products and services for systems related to health and medical big data shall comply with the State’s cybersecurity review system and shall not interrupt, or in effect interrupt, reasonable technical support and services.

Article 21. Responsible units shall use information relating to health and medical big data in accordance with laws and regulations, shall provide secure channels for information query and copying, and shall ensure the protection of citizens’ privacy and data security.

Article 22. Responsible units shall strictly regulate the data-access and use permissions of users at different levels; no entity or individual may use or publish health and medical big data without authorisation or in excess of the scope of authorisation.

Article 23. Responsible units shall establish rigorous electronic real-name authentication and data access controls, shall standardise the management of audit trails for the processes of data access, use, and destruction, and shall ensure that data handling is “manageable, controllable, with full audit trails throughout the service management process, and queryable and traceable.”

Article 24. Sound mechanisms for the training of personnel responsible for the security management of health and medical big data shall be established and improved, to ensure that relevant practitioners possess the required knowledge and skills.

Article 25. Responsible units shall establish health and medical big data security monitoring and early-warning systems and shall establish a cybersecurity notification and emergency-response coordination mechanism. Where a major cybersecurity incident occurs, it shall be reported and handled in accordance with relevant laws, regulations, and requirements.

Chapter IV: Service Management

Article 26. The National Health Commission is responsible for formulating relevant norms and standards for the application of health and medical big data, and for establishing an application integrity mechanism and an exit mechanism.

Article 27. Responsible units implementing health and medical big data management and services shall, in accordance with laws, regulations, and relevant document provisions, adhere to the principles of medical ethics and protect personal privacy.

Article 28. Responsible units shall specify the relevant management departments and posts, shall implement a management system of “unified graded authorisation, classified application management, and consistency of powers and responsibilities,” and shall build corresponding health and medical big data information systems.

Article 29. When responsible units collect health and medical big data, they shall strictly comply with relevant national and industry standards and procedures so as to achieve “unified standards, standardised terminology, and accurate content,” and the information collected shall strictly undergo an information verification and final-review procedure.

Article 30. Responsible units shall possess data storage, disaster-recovery backup, and security management conditions that meet the requirements of relevant national regulations. Health and medical big data shall be stored on secure and trusted servers within the territory of the People’s Republic of China; where, due to business needs, it is genuinely necessary to provide such data to parties outside the territory, a security assessment and approval process shall be conducted.

Article 31. When responsible units select health and medical big data service providers, they shall ensure that such providers comply with national and industry regulations and requirements and possess the capacity to comply with relevant laws and regulations.

Article 32. Where responsible units entrust relevant organisations with the storage and operation of health and medical big data, the entrusting unit and the entrusted unit shall jointly bear management and security responsibilities. The entrusted unit shall carry out its work strictly in accordance with relevant laws and regulations and the entrustment agreement.

Article 33. Responsible units shall, in accordance with the needs of service and management work, promptly update, screen, optimise, and maintain health and medical big data so as to ensure that information remains in the most up-to-date, continuous, effective, high-quality, and secure state.

Article 34. Where a responsible unit undergoes changes, it shall transfer the health and medical big data under its administration in a complete and secure manner to the institution that assumes its functions, and shall not cause damage, loss, or leakage.

Article 35. When responsible units publicly disclose health and medical big data to society, they shall comply with relevant national regulations and shall not disclose State secrets, trade secrets, or personal privacy.

Article 36. Responsible units shall strengthen the use of and services relating to health and medical big data, and shall create the conditions for the standardised use thereof and promote online query of health and medical big data.

Article 37. The National Health Commission is responsible, in accordance with relevant national regulations on open sharing of information resources, for establishing a working mechanism for the open sharing of health and medical big data, and for coordinating the construction of reporting system platforms, information resource catalogue systems, and sharing and exchange systems.

Chapter V: Supervisory Administration

Article 38. Health administration authorities shall strengthen supervisory administration, shall conduct routine inspections of all responsible units within their administrative regions, and shall guide and supervise the comprehensive utilisation of data. Medical and health institutions at all levels and of all types shall connect to the corresponding regional population health information platform and shall transmit and back up data generated by medical and health services.

Article 39. Health administration authorities shall strengthen monitoring and assessment, shall regularly conduct stability and security assessments of health and medical big data platforms and service providers, and shall establish systems for evaluation and security review covering cybersecurity protection, system interconnection and sharing, and the protection of citizens’ privacy.

Article 40. Health administration authorities, together with relevant departments, shall establish a system of accountability for health and medical big data security management work. In respect of entities and individuals that violate the provisions of these Measures, the competent authorities shall, depending on the severity of the circumstances, conduct a regulatory interview (yuetan), order rectification, give a written admonishment, issue public criticism, or impose a sanction, or put forward a recommendation for a sanction to be imposed; where a violation constitutes a violation of law, the matter shall be referred to the judicial authorities for the pursuit of legal liability in accordance with law.

Chapter VI: Supplementary Provisions

Article 41. These Measures shall come into force from the date of promulgation.
