Digital Healthcare 2026 Comparisons

Overview

Digital health is generally understood as a modern model of healthcare that integrates the Internet of Things (IoT), big data, artificial intelligence (AI) and other advanced information technologies into medical processes, making health and medical services more digital, more standardised and more intelligent. In practice, the main categories of digital healthcare seen in the Chinese market are as follows.

Telemedicine and online medical consultation services

Two regulated channels exist:

• telemedicine co-operation between licensed medical institutions, where the inviting institution remains the primary treating institution; and
• internet diagnosis and treatment, allowing licensed physicians to provide follow-up consultations and prescribe drugs for certain common and chronic diseases through online platforms.

Both channels are governed by the Administrative Measures for Internet Diagnosis and Treatment (Trial), effective 17 July 2018.

Internet hospitals

This includes a separately licensed mode of medical practice where a brick-and-mortar hospital, alone or with a technology partner, obtains a dedicated internet hospital practising licence to provide online diagnosis, prescription, drug delivery and follow-up services, under the Administrative Measures for Internet Hospitals (Trial), effective 17 July 2018.

Mobile health (mHealth) and consumer wellness applications

This includes patient-facing apps run by hospitals, third-party platforms, and wellness or fitness apps that fall outside the medical device perimeter unless they make medical claims.

Software as a Medical Device (SaMD) and AI-assisted clinical decision support

Standalone software intended for diagnosis, treatment, monitoring, prediction or rehabilitation is regulated as a medical device by the National Medical Products Administration (NMPA). A growing number of AI-aided radiology and pathology products has received Class III approvals.

Wearables, remote patient monitoring (RPM) and IoT-based medical devices

This includes continuous glucose monitors, ECG patches, smart inhalers and connected blood-pressure devices, some of which qualify as medical devices and some of which remain consumer products.

Digital therapeutics (DTx)

This is a still-emerging category in China; certain DTx products have been registered as Class II or Class III medical devices, and pilot programmes are running in Hainan, Beijing, Shanghai and Jiangsu.

The various forms above are typically distinguished by, among other things, their use case (for example, telemedicine is confined to diagnosis and treatment within medical institutions, whereas SaMD and RPM applications can be used in daily life and chronic-disease management) and whether AI is employed, as many digital medical devices now incorporate AI as an auxiliary diagnostic tool. The categories may nonetheless overlap: a single product, such as an AI-enabled symptom-checker built into an internet hospital, may simultaneously engage the SaMD regime, the internet diagnosis and treatment regime, the personal information protection regime and the algorithmic recommendation regime.

Digital Healthcare Across Multiple Levels

Digital healthcare in China is now broadly mainstreamed across multiple settings, with common applications spanning the provider, patient, payer and life science industry levels, as described below.

From pilot to mainstream

Digital healthcare in China has moved from policy experimentation (2015–2018) and pandemic-driven acceleration (2020–2022) to a phase of mainstreaming and consolidation (2023–2026). The State Council Opinions on Promoting the Development of “Internet + Medical and Health” (Guo Ban Fa [2018] No 26) set the overall direction, and the subsequent 14th Five-Year Plan for National Health Informatisation made hospital-level digital transformation a national priority.

Use at the provider level

According to data published by the National Health Commission (NHC), there were more than 3,300 internet hospitals nationwide by the end of 2024, with most of them operated by or affiliated with public tertiary hospitals. Practically all tertiary public hospitals now offer online appointment booking, electronic prescriptions, online follow-up consultations, online payment, mobile delivery of test results and home delivery of medicines. Many leading hospitals also run hospital-level AI platforms for medical imaging, pathology, antimicrobial stewardship and clinical decision support. The NHC’s “Five Ones” service initiative has driven uniform roll-out across regions of one electronic health record, one electronic medical record, one health card, one health code and one health information platform.

Use at the patient level

Patient adoption is high in tier-one and tier-two cities. Common consumer-facing services include WeChat- and Alipay-based hospital mini-programmes, third-party chronic disease management platforms, online pharmacy services, AI-assisted symptom triage and integrated insurance claim submission. NHC and provincial materials indicate that online medical service volumes continued to grow in 2024 and 2025, although the figures are not always reported on a single, comparable national basis.

Use at the regulator and payer level

The National Healthcare Security Administration (NHSA) has progressively brought online consultations and online medicine purchases into basic medical insurance reimbursement in most provinces. This includes dedicated price categories such as “Internet + Medical Service”, and AI-assisted radiology reading items, which were introduced into the NHSA’s 2024 pricing guideline for radiology services. Real-time settlement, electronic medical insurance certificates and DRG/DIP payment reform are increasingly digital by default.

Life science industry use

Multinational and domestic pharmaceutical and medical device companies use digital tools for marketing, omni-channel engagement with healthcare professionals, decentralised clinical trials, patient support programmes and real-world evidence generation. The Pharmaceutical Industry Digital and Intelligent Transformation Implementation Plan, issued in April 2025 by the Ministry of Industry and Information Technology (MIIT), the NHC and other authorities, has elevated this transformation to a national industrial-policy objective.

Access and Equity

The most visible benefit of digital healthcare is improved access. Online appointment booking, internet hospitals and telemedicine have cut travel and waiting times, particularly for patients in remote or under-served areas and for those with chronic conditions who need repeat prescriptions. Multi-tier teleconsultation, linked to the “Tightly-knit County Medical Community” initiative led by the NHC, allows county and township institutions to draw on the diagnostic expertise of urban tertiary centres.

Quality of Care and Clinical Decision-Making

AI-assisted imaging, pathology and ECG analysis tools approved by the NMPA are widely used as second-reader aids in lung-nodule detection, diabetic retinopathy screening, fracture detection, stroke triage and pathology slide assessment. Clinical decision-support systems integrated with electronic medical records (EMRs) assist with antimicrobial stewardship, drug-interaction screening and clinical-pathway compliance. Several published studies and NHC pilot evaluations report measurable reductions in diagnostic time and missed-diagnosis rates when these tools are used as adjuncts, although the strength of the evidence varies by indication.

Patient Experience and Engagement

Mobile follow-up, electronic prescriptions, online payment, electronic medical insurance settlement, home delivery of medicines, and integrated patient education and reminders have together reduced friction across the patient journey. For oncology, rare disease and chronic disease patients, digital patient-support programmes run by pharmaceutical companies in partnership with hospitals and platforms help with medication adherence, symptom reporting and adverse-event capture.

Health System Efficiency and Cost

Digital tools also support more efficient use of medical resources. DRG/DIP payment reform, electronic invoicing, integrated insurance claim submission and real-time cost-transparency tools have begun to slow cost growth in pilot regions. AI-assisted radiology was added as a separate line item to the NHSA’s 2024 pricing guideline for radiology services. This suggests that policymakers see efficiency gains worth paying for, but are guarding against open-ended cost inflation by capping the reimbursement tightly.

Research, Innovation and Public Health

China’s large medical data pool, combined with national health data infrastructure, supports drug discovery, real-world evidence generation and population health surveillance. The NHC’s smart infectious disease early-warning system, accelerated after the COVID-19 pandemic, is a prominent example.

No Single Statutory Definition

There is no statute or administrative regulation in China that contains a binding definition of “digital healthcare” or “digital health” as a category. Instead, the framework regulates specific activities, including internet diagnosis and treatment, telemedicine, internet hospitals, online drug sales, medical device software, health data and AI services, under separate, activity-specific regimes.

Usage in Policy Documents

Central and provincial policy documents use several overlapping terms. “Internet + Medical and Health” is the umbrella term used by the State Council and the NHC since the 2018 Opinions (Guo Ban Fa [2018] No 26). “Smart Healthcare” appears in industrial-policy contexts, including the New Generation AI Development Plan (State Council, 2017). “Health informatisation” is the operative term in the NHC’s 14th Five-Year Plan for National Health Informatisation, and “digital therapeutics” is used in NMPA and provincial documents addressing software-based therapeutic products.

Industry Definitions and Common Understanding

Practitioners also rely on industry-led definitions. The Digital Healthcare Compliance Guidance published in 2023 by the RDPAC (R&D-based Pharmaceutical Association Committee, China Association of Enterprises with Foreign Investment) defines digital healthcare broadly, covering digital-technology-driven medical solutions, the use of digital data, telemedicine, and the delivery of health services and information through digital technology. Domestic White Papers, such as the Digital Healthcare Innovation Development Report published by Yuanyi Capital and the China Medical Education Association, define it as the integration of digital technology into healthcare across prevention, screening, diagnosis, treatment, rehabilitation and health management.

Use of International Definitions

Chinese regulators take note of, but do not formally adopt, definitions issued by the World Health Organization, the US Food and Drug Administration and the International Medical Device Regulators Forum (IMDRF). NMPA technical-review guidelines on SaMD, AI medical devices and the clinical evaluation of AI-aided diagnostic software have selectively aligned with IMDRF guidance, particularly on risk classification, change management and clinical-evaluation methodology.

Ongoing Work

The NHC, the NMPA, the MIIT and the National Data Administration (NDA, established October 2023) have been working on more detailed classifications, particularly for AI-enabled healthcare applications. In November 2024, the NHC, the National Administration of Traditional Chinese Medicine (NATCM) and the NDA jointly issued the AI Application Scenarios in Healthcare Reference Guide, which identifies 84 application scenarios across clinical services, patient services, hospital management, regional public-health services, drug R&D and traditional Chinese medicine. Although not a binding definition, the Guide is widely treated as the most authoritative taxonomy currently in use for AI-enabled digital healthcare.

The legal framework for digital healthcare in China is layered, fast-evolving and cross-sectoral. Key instruments fall into the following groups.

Foundational Health and Medical Laws

The Basic Medical and Health Care and Health Promotion Law (effective 1 June 2020) provides the high-level framework, including provisions on health information, telemedicine and electronic prescriptions. The Drug Administration Law (revised 2019, effective 1 December 2019) and the Regulation on the Supervision and Administration of Medical Devices (revised, effective 1 June 2021) provide the underlying regimes for pharmaceutical e-commerce, digital marketing of regulated products and medical device software. The Law on Practising Doctors (revised, effective 1 March 2022) underpins the licensing and multi-site-practice rules governing who may diagnose and prescribe online.

Sector-Specific Internet Healthcare Regulations

The 2018 “three pieces” issued by the NHC and the NATCM – the Administrative Measures for Internet Diagnosis and Treatment (Trial), the Administrative Measures for Internet Hospitals (Trial) and the Specifications for Telemedicine Services (Trial), all effective 17 July 2018 – remain the operative rules for internet-based delivery of clinical services. They were supplemented by the Detailed Rules for the Supervision of Internet Diagnosis and Treatment (Trial) (NHC, February 2022), which tightened rules on first-visit prohibition, AI-substituted prescribing, real-name registration and platform responsibility.

Medical Device Software (SaMD) Regulations

The NMPA classifies medical device software under the Catalogue of Medical Device Classification (2017, with supplements), guided by the Guidelines on Classification of AI Medical Software Products (NMPA, July 2021) and the Guidelines for Registration Review of AI Medical Devices (NMPA, March 2022). Cybersecurity registration requirements follow the Guidelines for Registration Review of Medical Device Cybersecurity.

Health Data and Personal Information Laws

The three foundational data laws are the Cybersecurity Law (CSL, effective 1 June 2017), the Data Security Law (DSL, effective 1 September 2021) and the Personal Information Protection Law (PIPL, effective 1 November 2021). Health information is sensitive personal information under the PIPL, requiring separate consent and a heightened necessity standard.

Health-data-specific rules include the Administrative Measures for the Standards, Security and Services of National Health and Medical Big Data (Trial) (NHC, July 2018). Cross-border transfer is governed by the Provisions on Promoting and Regulating Cross-border Data Flow (CAC, effective 22 March 2024) and the Measures on Standard Contract for Outbound Cross-border Transfer of Personal Information (CAC, effective 1 June 2023). For human genetic resources, the Regulation on the Administration of Human Genetic Resources (State Council, effective 1 July 2019) and the Detailed Implementing Rules (MOST, effective 1 July 2023) apply.

AI-Specific Rules

The Provisions on Administration of Algorithm Recommendation of Internet-based Information Services (CAC et al, effective 1 March 2022), the Provisions on Administration of Deep Synthesis of Internet-based Information Services (CAC et al, effective 10 January 2023), the Interim Measures for the Management of Generative AI Services (CAC et al, effective 15 August 2023) and the Measures for Labelling of AI-Generated and Synthetic Content (CAC et al, effective 1 September 2025) form the horizontal AI baseline applicable to digital healthcare actors using algorithmic decision-making or generative AI.

Pharmaceutical E-Commerce

The Administrative Measures for Online Drug Sales (effective 1 December 2022) and the Provisions on the Administration of Online Drug Information Services (with amendments) govern third-party platforms, prescription drugs and special drugs.

Legislative Pace

Chinese policymakers have responded to the rapid evolution of digital health with an unusual mix of national strategy documents, ministerial measures, technical guidelines and pilot programmes. The pattern, particularly visible since 2017, is one of “policy first, then pilots, then formal regulations”. This sequencing lets regulators gather practical experience before locking in rules in formal regulation or legislation.

National Strategy Documents

The Outline of the “Healthy China 2030” Plan (CPC Central Committee and State Council, October 2016) and the New Generation AI Development Plan (State Council, July 2017) set the long-term direction. The 14th Five-Year Plan and 2035 Vision (March 2021), and the 14th Five-Year Plan for National Health Informatisation (NHC, November 2022), translated this direction into implementation milestones. The 2025 CPC Central Committee Suggestions on Formulating the 15th Five-Year Plan (October 2025) introduced the “AI Plus” national action, calling for comprehensive deployment of AI in healthcare and other sectors and signalling that this will remain a high political priority through 2030.

Multi-Agency Co-Ordination

Substantive rule-making is led by the NHC (clinical services, health information), the NMPA (medical device software and AI medical devices), the CAC (Cyberspace Administration of China; data and AI), the NHSA (pricing and reimbursement), the MIIT (technology and industrial policy), the SAMR (State Administration for Market Regulation; advertising, antitrust, e-commerce platforms) and, since 2023, the NDA (data resources).

Cross-agency working groups are now standard for rules that span several sectors, such as the Interim Measures for the Management of Generative AI Services (jointly issued by seven authorities) and the AI Application Scenarios in Healthcare Reference Guide (jointly issued by the NHC, NATCM and NDA).

Pilot Programmes

Pilots are central to the Chinese regulatory approach in this area. Examples include the Hainan digital therapeutics pilot (launched 2022), reimbursement pilots for telemedicine and AI-assisted radiology reading in selected provinces, cross-border data-flow pilots in the free trade zones (Beijing, Shanghai, Hainan, Tianjin) and AI-enabled drug-discovery pilots in the Boao Lecheng International Medical Tourism Pilot Zone. Lessons from these pilots typically feed into later national rules.

Nature and Weight

Technical standards in China are issued in three layers: mandatory national standards (GB), recommended national standards (GB/T) and industry standards (including WS for the health industry, YY for medical devices and YD for telecommunications). For digital healthcare, recommended national standards play an outsized role: although nominally non-mandatory, they are routinely referenced by regulators in licensing, registration and supervision processes, which makes compliance a practical necessity.

Key Standards

The most cited standards in digital healthcare practice include:

• the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020), which sets the operational baseline for personal information processing including the handling of health information;
• the Information Security Technology – Guide for Health Care Data Security (GB/T 39725-2020), which provides health-data-specific classification and life cycle controls;
• the Information Security Technology – Implementation Guide for Cybersecurity Classified Protection (GB/T 25058-2019) and related Multi-Level Protection Scheme 2.0 standards, under which internet hospital and EMR systems are typically rated at Level 3; and
• the basic safety requirements for generative AI services issued by TC260, the Basic Safety Requirements for Generative AI Services (TC260, finalised in February 2024), which is referenced in CAC registration of generative AI services.

Standardisation Work in Progress

National standards on the safety, security and trustworthiness of AI medical software are being drafted under the joint co-ordination of TC260, the China Communications Standards Association and the NMPA-affiliated medical device standardisation technical committees. The NHC continues to update industry standards in the WS series for hospital information systems, EMR datasets and interoperability. Practitioners should expect a continued tightening and expansion of standards through 2026 and beyond.

SaMD

Software whose intended use falls within the statutory definition of a medical device is regulated by the NMPA as SaMD. The Catalogue of Medical Device Classification (2017, as supplemented), read with the 2021 AI Medical Software Classification Guidelines, sorts products by risk into Class I (filing only), Class II (provincial registration) and Class III (NMPA registration). AI-aided diagnostic software for high-risk indications, such as oncology imaging, pathology and retinal imaging, is generally Class III. Post-market updates that change algorithm performance usually require change registration, while minor updates may proceed by reporting after the event. The NMPA’s Innovative Medical Device Special Examination Procedure offers a fast track for breakthrough AI medical devices.

Self-Care, Wellness and Fitness IT Products (IoT and Wearables)

Products that make no medical claims and fall outside the statutory definition of a medical device are treated as consumer electronics, subject to general product-safety and consumer-protection rules and to SAMR enforcement against misleading marketing. The line between a regulated SaMD and an unregulated wellness product turns on the manufacturer’s intended use, and where this is unclear the NMPA’s classification-confirmation procedure can resolve it. The 2022 NMPA Opinions on Standardising the Classification and Definition of Medical Devices address borderline products such as continuous glucose monitors, smart inhalers and ECG-enabled wearables.

Cybersecurity and Data Protection

The governing regime is the layered combination of the CSL, the DSL and the PIPL, supplemented by the Regulation on the Protection of Critical Information Infrastructure (State Council, effective 1 September 2021), the Regulation on Network Data Security Management (State Council, effective 1 January 2025) and the cross-border transfer rules described in 2.2 Laws and Regulations. Internet hospitals, large EMR platforms and hospital-operated big-data platforms are commonly identified as critical information infrastructure operators or important-data processors, triggering data-localisation, security-assessment and CAC notification obligations. Sensitive-personal-information processing under the PIPL requires separate consent, a personal-information-protection impact assessment (PIPIA) and additional accountability measures.

AI and Machine Learning

The horizontal AI rules described in 2.2 Laws and Regulations apply: the Algorithm Recommendation Provisions (2022), the Deep Synthesis Provisions (2023), the Generative AI Interim Measures (2023) and the AI-Generated Content Labelling Measures (effective 1 September 2025). In addition, AI used in clinical settings falls within the SaMD regime if it makes diagnostic, therapeutic or monitoring claims, and within the 2022 Detailed Rules for the Supervision of Internet Diagnosis and Treatment, which expressly prohibit AI from replacing physicians in issuing diagnoses or prescriptions. Algorithm filing with the CAC is required for algorithm-recommendation services that can shape public opinion or mobilise the public.

ESG

There is no ESG regime specific to digital healthcare. ESG obligations arise from rules of general application, principally the sustainability-disclosure guidelines issued by the Shanghai, Shenzhen and Beijing stock exchanges for listed companies, alongside generally applicable environmental, labour and data-ethics requirements. For digital health businesses, the ESG themes that matter most in practice are data ethics, algorithmic fairness and equitable access to care.

Telehealth

Telemedicine, internet diagnosis and treatment, and internet hospitals are regulated by the 2018 “three pieces” and the 2022 Detailed Rules. Key constraints include the following:

• prohibition of first-visit online consultations;
• internet hospitals must operate through or with a brick-and-mortar medical institution;
• online prescriptions require pharmacist review and traceability;
• online prescription of controlled drugs is generally prohibited; and
• AI must not replace physicians’ clinical judgement.

Overall Assessment

China’s digital healthcare legal framework has expanded rapidly since 2018 and is broadly fit for purpose for today’s most common activities. The main legislative, regulatory and data protection elements are in place, and for most enterprise clients the principal challenge is implementation rather than the absence of rules.

Gaps and Grey Areas

Despite the foregoing, several gaps and grey areas remain – the most important being the following.

Integration of horizontal AI rules with the SaMD regime

The interface between the CAC’s horizontal AI rules and the NMPA’s SaMD regime is still being worked out, particularly for generative AI used to draft clinical notes, summarise patient records, support diagnosis or generate patient education content. Whether a hospital-deployed large language model (LLM) assistant is a “medical device” depends on its intended use, but classification and risk management for such products remain underdeveloped.

Liability allocation in AI-assisted clinical decisions

Existing rules do not clearly allocate liability among the medical institution, the treating physician, the AI software manufacturer and the platform when AI is used as an adjunct. The courts have yet to produce authoritative precedent on the point.

Digital therapeutics

DTx products span a spectrum, from clearly device-like prescription software to lifestyle-coaching apps that carry therapeutic claims. The NMPA’s 2025 Guidelines on the Classification of Rehabilitation-Category Digital Therapeutics Software provide the first national classification anchor for rehabilitation DTx, but pricing, reimbursement, prescription-channel rules and post-market monitoring remain largely local or pilot-driven.

Real-world data and secondary use

Rules on the secondary use of real-world data for AI training, model validation and post-market surveillance (covering IRB review, broad consent, de-identification standards and platform governance) remain fragmented across the CSL, DSL and PIPL, the human-subjects research ethics rules and the NHC’s medical data measures. Industry practice therefore varies widely, particularly for cross-institutional federated learning and multi-centre AI development.

Cross-border data transfer

The 2024 Provisions on Promoting and Regulating Cross-border Data Flow eased many requirements for ordinary personal information, but health and genetic data still attract close scrutiny. Multinational pharma and medical device clients continue to find that transferring clinical-trial and pharmacovigilance data is more uncertain in practice than the regulatory texts suggest.

Enforcement consistency

Sector regulators, particularly at provincial and municipal levels, can take different views on novel applications. Lawyers should expect inconsistencies and budget time for pre-clearance consultations with local NHC, NMPA and CAC counterparts, especially for first-of-its-kind products.

Direction of reform

Over the next couple of years, the authors expect the framework to be built on rather than replaced, through more detailed AI healthcare guidelines, dedicated DTx rules, and the codification of accountability, transparency and human-oversight principles for clinical AI.

Multi-Regulator Landscape

There is no single regulator for digital healthcare in China. Oversight is shared among several authorities, each with a defined remit. The structure has been described informally as “horizontal regulation by domain, vertical regulation by sector”.

The National Health Commission (NHC) and the National Administration of Traditional Chinese Medicine (NATCM)

The NHC is the lead regulator for clinical services and medical institutions, including internet hospitals, internet diagnosis and treatment, telemedicine, EMR use, hospital informatisation and health data governance. The NATCM holds parallel authority for TCM-related services. The NHC also leads on health-AI policy in clinical settings, including the AI Application Scenarios in Healthcare Reference Guide (2024) and ongoing ethical-governance work.

The National Medical Products Administration (NMPA)

The NMPA is the lead regulator for medical device software, AI medical devices, IVDs and pharmaceuticals, covering pre-market registration, post-market surveillance and inspection. The NMPA’s affiliated Center for Medical Device Evaluation (CMDE) handles technical review of registration applications.

The Cyberspace Administration of China (CAC)

The CAC is the lead regulator for cybersecurity, network data security, personal information protection, cross-border data flow, algorithm filing, generative AI registration and content moderation. The CAC’s local offices (provincial cyberspace administrations) handle field enforcement.

The National Healthcare Security Administration (NHSA)

The NHSA oversees medical-insurance coverage, payment standards, price-project guidance and anti-fraud enforcement. Decisions on whether and how digital health services are reimbursed (internet diagnosis and treatment, AI-aided radiology) sit with the NHSA and its provincial counterparts.

The Ministry of Industry and Information Technology (MIIT)

The MIIT supports the digital health industry through industrial policy, telecommunications licensing (including ICP licensing for online platforms), software industry support and standards work.

The State Administration for Market Regulation (SAMR)

The SAMR oversees market entry, advertising (medical, drug, device), anti-unfair competition, antitrust and consumer protection, with a particularly important role in digital marketing of pharmaceuticals and medical devices.

The Ministry of Public Security (MPS)

The MPS administers the Multi-Level Protection Scheme, oversees critical information infrastructure protection with the CAC and investigates cyber-crime affecting digital-health data.

The Ministry of Science and Technology (MOST)

MOST regulates human-genetic-resource activities and human-subjects research ethics, including AI research using clinical samples.

Many aspects of digital healthcare fall within the remit of regulators whose primary mandate is not healthcare, reflecting the cross-cutting nature of digital services.

CAC and MPS – Cybersecurity and Data

The CAC has broad authority over cybersecurity, data security, personal information protection and AI services; the MPS supervises implementation of the Multi-Level Protection Scheme. Digital healthcare operators interact with these regulators because their platforms process sensitive personal information at scale and frequently meet the definition of a critical information infrastructure operator or important-data processor. The CAC has primary jurisdiction over algorithm filing and the generative AI service registration regime.

SAMR – Advertising and Platform Conduct

The SAMR enforces the Advertising Law (revised, effective 1 November 2018), the Anti-Unfair Competition Law (revised, effective 23 April 2019), the E-Commerce Law (effective 1 January 2019) and the Anti-Monopoly Law (revised, effective 1 August 2022). Medical, pharmaceutical and medical device advertising on any online channel must comply with strict pre-approval and content requirements; platform algorithms driving recommendations or pricing are subject to anti-unfair-competition scrutiny, and the largest platforms face antitrust risks from preferential treatment or self-preferencing.

MIIT – Telecommunications and ICP

Operating an online medical platform requires either an ICP filing or an ICP licence. Cloud and value-added telecommunication services underpinning digital healthcare platforms require MIIT licensing.

NHSA – Insurance and Pricing

The NHSA shapes whether and how digital services and AI tools generate revenue, through internet medical service price projects and DRG/DIP payment reform.

Financial Regulators

Where digital healthcare platforms offer integrated payment, insurance or financing services, the People’s Bank of China, the National Financial Regulatory Administration (NFRA) and the China Securities Regulatory Commission become relevant. Digital health-insurance products are subject to NFRA approval.

MOFCOM, NDRC and SAFE

Cross-border investments and outbound licensing transactions are subject to MOFCOM and NDRC foreign-investment review and SAFE foreign-exchange controls. The Foreign Investment Negative List restricts certain digital healthcare activities (such as internet medical and medical-data activities) for foreign investors.

General Approach

Digital healthcare laws are enforced through sectoral inspections, special enforcement campaigns, complaint-driven investigations and, increasingly, data-driven supervision drawing on interconnected information systems.

NHC and Local Health Commissions

The NHC conducts targeted inspections of internet hospitals and internet diagnosis and treatment platforms, with a particular focus on prohibited “first-visit” online consultations, the use of AI in place of physicians, prescription-drug compliance and EMR data security. The 2022 Detailed Rules for the Supervision of Internet Diagnosis and Treatment introduced specific supervision tools, including online verification of physician identity, retention of consultation records for at least 15 years, electronic-signature verification for prescriptions and review of prescriptions by registered pharmacists. Provincial health commissions have suspended or revoked licences in well-publicised cases involving repeat violations.

NMPA

The NMPA conducts unannounced inspections of registered medical device software manufacturers, including makers of AI medical devices, focusing on quality systems, change management, algorithm version control, post-market surveillance and adverse-event reporting. Misclassifying regulated software as an unregulated wellness app is a common enforcement target, particularly for products with diagnostic or therapeutic claims marketed online.

CAC

The CAC’s enforcement has accelerated. On personal information protection, it has fined large platforms and ordered corrective action, including in cases connected with healthcare. On algorithm recommendation, the CAC checks whether algorithms that can shape public opinion or mobilise the public have been registered. For generative AI, it requires registration and a security assessment for many services, and unregistered services aimed at the Chinese public are routinely taken down. The CAC has also been active in detecting unauthorised transfers of health data overseas.

SAMR

The SAMR enforces advertising, anti-unfair-competition and antitrust rules. Illegal medical and drug advertising on social media, livestreaming and content platforms is a perennial focus, with penalties imposed on advertisers, agents and platforms. Misleading AI claims, such as “AI doctor” or “AI diagnosis with 99% accuracy”, have been targeted in recent years.

NHSA

Anti-fraud enforcement is a continuing focus, targeting misuse of medical insurance through internet diagnosis and treatment, including phantom consultations and prescription gaming. Provincial NHSA branches conduct regular audits.

Criminal and Civil Enforcement

Criminal exposure under criminal law arises for illegal practice of medicine, illegal sale of drugs, unauthorised access to computer systems, infringement of citizens’ personal information, organised production or sale of counterfeit medical devices and, more recently, certain misuses of generative AI. Civil class actions for personal-information violations are now possible under the PIPL, and the Procuratorate has standing to bring public-interest litigation.

In the authors’ view, the current framework is broadly adequate for the most common activities but is being stretched in three respects.

First, the speed of technological change – particularly the arrival of LLMs and multimodal AI in clinical settings – is testing regulators’ capacity to develop technical-review standards, train inspectors and respond to non-compliance. The NMPA and the CAC have invested in technical capability, but practitioners report that registration timelines for novel AI products remain difficult to predict.

Second, fragmentation across regulators creates an administrative burden and a risk of inconsistent treatment. A typical AI-enabled internet hospital interacts with the NHC (internet hospital licence and clinical-practice supervision), the NMPA (any embedded SaMD), the CAC (algorithm filing, generative AI registration, PIPL compliance), the Ministry of Public Security (cybersecurity grading), the NHSA (reimbursement) and the SAMR (advertising and platform conduct), each with its own filings, audits and inspection cycles. A single inter-ministerial co-ordination mechanism for digital health would reduce duplication.

Third, the regulator-led pilot approach, while pragmatic, can leave businesses uncertain about how a successful pilot will be rolled out more widely. Hainan’s digital therapeutics pilot is an example: operators in the pilot zone enjoy preferential treatment, but the rules for nationwide commercialisation are not yet settled.

Reforms on the Horizon

A future statute is expected to consolidate the algorithm, generative AI, deep-synthesis and labelling rules, with healthcare treated as a higher-risk area. The NHC is likely to issue more detailed rules on the ethical governance of health AI and on clinical AI safety, and the NMPA further technical guidance on generative AI medical software, federated learning, software updates and post-market change management. Updates to the 2018 internet hospital and internet diagnosis and treatment measures have been put out for public comment and tested in local pilots, including Beijing’s 2026 first-visit pilot, and may be merged with the 2022 Detailed Rules into a single instrument.

Non-Compliance With Healthcare Sector Rules

Common breaches include:

• operating without, or beyond the scope of, the required licences;
• allowing AI to issue diagnoses or prescriptions in breach of the 2022 Detailed Rules;
• physicians practising online without multi-site registration;
• inadequate retention of records;
• illegal online sale of prescription or controlled drugs; and
• misclassification of SaMD or AI products to avoid NMPA registration.

Consequences range from corrective orders and licence suspension or revocation to fines, blacklisting and criminal liability.

Non-Compliance With Data, Cybersecurity and AI Rules

Key risks include:

• processing health-related sensitive personal information without separate consent;
• inadequate PIPIA or Multi-Level Protection Scheme (MLPS) compliance;
• unauthorised cross-border transfer of health;
• clinical-trial or genetic data; and
• failure to complete the CAC’s algorithm or generative-AI filings or to apply AI-content labels under the 2025 Measures.

PIPL penalties can reach CNY50 million or 5% of the previous year’s turnover, with personal liability of up to CNY1 million, and DSL and CSL penalties are also substantial.

Contractual, Tort and Product-Liability Claims Are All Available

Internet hospitals may face medical-malpractice claims under the Tort Liability chapter of the Civil Code; SaMD and AI-device manufacturers face product-liability exposure, often with the medical institution joined as co-defendant, and platforms bear obligations under the E-Commerce Law and internet-platform rules. The courts are beginning to consider how AI outputs affect the standard of care and the burden of proof.

Advertising, Claims and Competition Exposures

Misleading or absolute claims in medical, drug, device and AI marketing attract heavy penalties from the SAMR. Anti-unfair-competition risks have also grown, including algorithmic price discrimination, platforms controlling which doctors are visible, and self-preferencing.

Foreign-Investment and National-Security Exposures

Foreign investment in certain internet-medical, medical-data and human-genetic-resource activities is restricted or prohibited, and cross-border data transfer in particular can trigger national security review.

Reputational Exposure

Patient data breaches, AI misdiagnosis or platform-conduct incidents can cause lasting reputational damage and trigger broader regulatory scrutiny.

Medical Malpractice and Personal Injury Liability

The medical malpractice chapter in the Tort Liability Book of the Civil Code, together with the Regulation on the Handling of Medical Disputes (State Council, effective 1 October 2018), forms the principal civil liability framework for clinical errors, including those involving AI tools. The treating medical institution generally bears primary liability and may seek indemnity from the AI software manufacturer where the product was defective.

Product Liability

The Product Quality Law (revised, effective 5 July 2018) and the Tort Liability Book of the Civil Code govern product liability for defective SaMD and AI medical devices. Manufacturers may be jointly and severally liable with sellers. In healthcare, the medical institution is generally treated as the user rather than the seller, but may bear secondary liability for using an unauthorised or unregistered device.

Consumer Protection

The Law on the Protection of Consumer Rights and Interests (revised, effective 15 March 2014) provides remedies for consumers of wellness apps and digital health subscriptions, including punitive damages of three times the price for fraud.

Data and Personal Information Liability

The PIPL provides for civil liability, including a statutory presumption of fault on personal-information processors, alongside the administrative penalties set out in 4.1 Legal Risks of Digital Healthcare. It also expressly authorises Procuratorate-led civil public-interest litigation, and the Supreme People’s Procuratorate has been active in this area.

E-Commerce and Platform Liability

Under the E-Commerce Law and the Civil Code, platform operators may be jointly liable with merchants in certain circumstances, particularly where the platform fails to verify qualifications, act against known infringers or keep the platform secure. Online drug-sales platforms have specific responsibilities under the 2022 Online Drug Sales Measures.

Administrative and Criminal Mechanisms

Administrative penalties apply across all the regimes described above. Criminal liability is available for serious violations, including:

• illegal medical practice (Article 336 of the Criminal Law);
• production or sale of fake or substandard drugs (Articles 141 and 142);
• production or sale of substandard medical devices (Article 145);
• infringement of citizens’ personal information (Article 253-1);
• refusal to perform information-network security-management obligations (Article 286-1); and
• more recently, certain misuses of AI involving deepfakes and fraud.

Mechanisms for Redress

Patients and consumers can seek redress through:

• mediation by medical-dispute mediation committees;
• civil litigation, including before the specialist internet courts in Beijing, Hangzhou and Guangzhou, which have published several digital health decisions;
• class-style consumer claims supported by the local consumer association;
• Procuratorate-led public-interest litigation for personal information matters; and
• administrative complaints to the relevant regulator.

Compliance-Led Defences

The most effective defence is a documented, auditable compliance programme covering the heads of liability in 4.1 Legal Risks of Digital Healthcare, in particular activity-specific licensing, SaMD registration, a PIPL programme (separate consent, PIPIAs, a data-protection officer, data-subject rights), MLPS grading, compliant cross-border data transfer, algorithm and generative-AI filings, advertising-law review, and staff training with audit logs.

Contractual Allocation

Carefully drafted contracts can shift or share risk among medical institutions, AI vendors, platform operators and patients and users, through compliance-allocation clauses, data-lawfulness warranties, tailored liability caps and indemnities, insurance and audit obligations, and enforcement-triggered termination rights. Mandatory rules cannot be contracted away, however. PIPL controllers retain their statutory obligations, and clinical institutions cannot disclaim professional medical liability.

Procedural and Evidential Defences

Disputed cases turn largely on documentation. Institutions and platforms that can produce contemporaneous records (consultation transcripts, prescription audit trails, software-decision logs, consent records) are better placed in both administrative and civil proceedings. AI vendors should likewise retain training-data provenance, model-validation and adverse-event records.

Available Substantive Defences

In civil disputes, defences include lack of causation, assumption of risk through informed consent, intervening physician decision-making (AI must not replace professional judgement), expiry of the statutory limitation period and force majeure.

In administrative matters, they include a correct classification as a wellness product (confirmed by the NMPA), good-faith corrective action, and timely self-reporting under the leniency provisions of the PIPL, DSL and SAMR.

Generative and Large-Model AI in Clinical Settings

The most prominent emerging issue is the use of generative AI (LLMs, multimodal models and domain-tuned models) in clinical workflows, including automated medical-record drafting, clinical-decision support, patient-facing chatbots, image and text summarisation, and AI-assisted radiology and pathology reading. Regulatory questions include:

• whether and when a generative model becomes a SaMD;
• how to register and update such models under existing NMPA frameworks designed for more deterministic software;
• labelling and content-moderation duties under the 2023 Generative AI Interim Measures and the 2025 AI-Generated Content Labelling Measures;
• ethics-committee review under hospital ethics rules; and
• how liability is allocated when the model produces a clinically erroneous output.

AI-Generated Content Labelling

The Measures for Labelling of AI-Generated and Synthetic Content, effective 1 September 2025, require AI service providers and content-distribution platforms to display explicit and implicit labels on AI-generated content. For digital healthcare, this affects AI-generated patient summaries, marketing content, AI-drafted physician communications and AI-assisted diagnostic reports. Operators are adopting watermarking, metadata labelling and disclosure prompts, although questions remain about how the rules apply to clinical-grade outputs.

Cross-Border Data Transfer for Clinical-Trial and Real-World Data

The March 2024 Provisions on Promoting and Regulating Cross-border Data Flow simplified or exempted some transfers, but retained tighter scrutiny for health, genetic and “important” data. The standard contract route, the security-assessment route and the free trade zone negative-list mechanism (with several pilot lists published in late 2024 and 2025) are reshaping multinational practice. The Hainan Free Trade Port and the Boao Lecheng International Medical Tourism Pilot Zone have developed bespoke arrangements for clinical research data that serve as testing grounds for broader liberalisation.

Digital Therapeutics Commercialisation

Hainan, Beijing, Shanghai and Jiangsu have run DTx approval and reimbursement pilots. Registration of DTx with the NMPA as Class II or Class III medical devices is an established route, and the NMPA’s 2025 rehabilitation-category DTx classification guidance gives the category a national reference point, but national pricing, reimbursement and prescription-channel rules remain unsettled.

Algorithmic Fairness and Discrimination

Health-AI fairness across age, gender, region, ethnicity and disability is becoming a focus for regulators, supported by the New Generation AI Ethics Code (National Professional Committee for the Governance of New Generation AI, September 2021) and by the ethical-governance provisions in the algorithm and AI rules.

Platform Responsibility and Competition

The largest digital healthcare platforms attract antitrust scrutiny, including self-preferencing of in-house pharmacies, exclusive arrangements with hospitals and algorithmic control of which physicians are visible. Enforcement by the SAMR, recent court decisions and academic commentary point to a tightening of platform obligations.

Digital-Marketing Compliance for Pharma and Medtech

The compliance scope for digital marketing of regulated products has widened significantly, particularly for key opinion leader (KOL) livestreaming, scientific communications and patient communities. Anti-corruption inspections in the pharmaceutical industry since 2023 have brought digital-channel engagement with healthcare professionals under intense scrutiny.

NHC Internet Healthcare Update

Updates to the 2018 internet diagnosis and treatment, internet hospital and telemedicine measures have been put out for consultation and tested in provincial pilots. Expected substantive changes include clearer rules on AI-assisted services, electronic prescriptions (including extension to further drug categories, with safeguards), platform responsibility, multi-site practice and pharmacist review, and tougher penalties for repeat violations. The policy basis is to bring more than seven years of practical experience to bear on a maturing digital health market.

AI Law and AI Medical Device Follow-On

A national AI Law has been on the State Council’s legislative agenda, at the research stage, since 2023. Its timing and final structure are uncertain, but it is expected to consolidate the algorithm, generative AI, deep-synthesis and labelling rules and to treat healthcare as a higher-risk area. The NMPA is expected to publish further guidance on generative-AI medical software, federated learning, software updates and post-market change management. The policy basis is the need to combine innovation (reinforced by the State Council’s 2025 “AI Plus” action and the NHC-led 2025 “AI + Medical and Health” implementation opinions) with risk control in an area that directly affects patients.

Data Security and Cross-Border Data Flow

The Regulation on Network Data Security Management (effective 1 January 2025) and the 2024 Provisions on Promoting and Regulating Cross-border Data Flow are reshaping day-to-day compliance. Industry-specific guidance for health and genetic data, and a more harmonised approach across the CAC, MOST and the NHC, are expected. The Hainan Free Trade Port and other pilot zones will continue to test more liberal arrangements. The policy basis is the dual mandate of data security and developing the market for data as an economic resource.

Digital Therapeutics, Smart Hospitals and Integrated Care

Work streams at the NHC, NHSA and NMPA are converging on clearer rules for DTx, smart-hospital development, hospital-information-system interoperability and payment for digital health services. The NMPA’s 2025 rehabilitation-category DTx classification guidance gives the category a national classification reference point, while the 2026 Shanghai Health Work Key Points set out a regional roadmap, prioritising AI deployment, smart hospitals, regional health platforms and digital health applications.

Professional Liability and Ethical Governance

Reforms to medical malpractice rules to address AI-assisted clinical decisions are under discussion, including how to allocate liability among the institution, the physician and the software manufacturer. Ethics review for AI-enabled clinical applications has been strengthened by the joint NHC and MOST Measures for Ethical Review of Life Sciences and Medical Research Involving Human Subjects (effective 18 February 2023) and is expected to be refined further.

Foreign Investment Liberalisation

A 2024 cross-ministerial pilot, rather than a general relaxation of the Negative List, opened the way for wholly foreign-owned hospitals in selected cities and Hainan, subject to implementing rules. For digital healthcare, key restrictions remain in internet medical services, value-added telecoms and platform activities, medical-data processing and human-genetic-resource activities, so further openings are likely to be calibrated and pilot-based.