Digital healthcare, digital medicine and digital therapeutics are not legal terms defined in People’s Republic of China (PRC) laws and regulations, but are frequently referred to in commercial contexts and industry policies.
Digital healthcare usually refers to healthcare technologies developed based on information technologies used by and for the public in general, including:
Digital medicine usually refers to the application of information technology in the process of diagnosis and treatment, which can only be performed by qualified medical institutions.
Digital therapeutics usually refers to the software-based products that are used for therapeutic interventions, either as monotherapy or in combination with other conventional medical therapies. Such products usually fall within the category of medical devices, and therefore are subject to regulatory administration to ensure their safety and efficacy.
As previously stated, digital healthcare, digital medicine and digital therapeutics are not legal terms defined in PRC laws and regulations, but are frequently referred to in commercial contexts and industry policies. Nevertheless, should any service or product in the fields of digital healthcare and digital medicine fall within the category of pharmaceuticals or medical devices, or be used for the diagnosis and treatment of human diseases, administrative regulations would correspondingly apply.
Given the broad application scope of key technologies and the fact that digital healthcare and digital medicine are sometimes used interchangeably in practice, it is sometimes difficult to accurately distinguish between the two fields.
For digital healthcare, key technologies may include:
For digital medicine, key technologies may include artificial intelligence (AI) and machine learning used for assisted diagnosis and treatment, medical imaging, etc.
Key emerging legal issues in digital health may include the following.
Regulatory Framework
Digital healthcare activities, based on different scenarios, are governed by:
However, a unified and systematic law or regulation to specifically govern the digital healthcare industry is still under development.
Cybersecurity and Data Protection
As digital health involves a large amount of personal data, especially that of a sensitive nature, the design and implementation of life-cycle protection of such data needs to be carefully considered, under the cybersecurity and privacy protection laws and regulations – particularly the regulations of the PRC Personal Information Protection Law (PIPL), which came into effect on 1 November 2021.
Liability
As AI technologies are more frequently used in diagnosis and treatment by healthcare institutions, in circumstances where personal damages are caused to patients due to the application of such technologies, which party should assume responsibility needs to be further analysed.
The authorities involved in the regulation of digital healthcare technologies mainly include the following, at a national level, and their subordinate branches as applicable.
The National Medical Products Administration (NMPA)
The NMPA regulates drugs, medical devices and cosmetics in China, and is responsible for their safety, supervision, and management, from registration and manufacturing to post-market risk management. Technologies and devices, including software that falls within the category of pharmaceuticals or medical devices, are also subject to regulation and supervision by the NMPA and its subordinate branches.
The National Health Commission (NHC)
The NHC primarily formulates and enforces national health policies and regulations pertaining to healthcare institutions, healthcare services, and healthcare professionals (HCPs). Internet-based diagnosis and treatment (including internet hospitals) and remote consultations between healthcare institutions and patients are both supervised by the NHC.
The clinical application of medical technologies for the purpose of diagnosis and treatment (including AI-assisted diagnosis and treatment) by healthcare institutions and professionals is also under the supervision of the NHC.
The National Healthcare Security Administration (NHSA)
The NHSA is primarily responsible for implementing policies related to basic medical insurance (BMI), such as reimbursement, pricing and the procurement of drugs, medical consumables and healthcare services.
Regulatory Developments on Telemedicine
“Internet Plus Healthcare” – ie, healthcare in combination with application of the internet – is now a key national strategy in China. To regulate diagnosis and treatment provided remotely – ie, teleconsultation by HCPs or internet-based diagnosis – in July 2018 the NHC and the National Administration of Traditional Chinese Medicine (NATCM) issued:
Furthermore, the NHC and the NATCM released the Rules for the Regulation of Internet-based Diagnosis (for Trial Implementation).
These measures clarify how technical support on internet-based diagnosis and treatment should be conducted and set forth the regulatory requirements thereof.
In addition, the growth of internet-based diagnosis also boosted the demand for internet sales of medicine. The Provisions for Supervision and Administration of Online Drug Sales and the Circular on Regulating the Display of Online Sales Information of Prescription Drugs enacted in recent years stipulated that, except for medicinal products subject to special administration, internet sales of both over-the-counter drugs and prescription drugs are allowed. Nevertheless, it is crucial for third-party platforms and enterprises engaging in online drug sales to comply with relevant requirements for display information on the online sales of prescription drugs.
Regulatory Developments on Electronic Medical Insurance
In August 2019, the NHSA issued the “Internet Plus” Medical Service Prices and Medical Insurance Payment Policy and launched the electronic medical insurance system, which regulates prices and insurance policies to allow for internet-based healthcare services to be covered by China’s medical insurance system. Implementation policies were further issued in 2020 and local enforcement rules have been gradually issued by local authorities since 2021.
Regulatory Developments on AI-Assisted Diagnosis and Treatment
In February 2017, the NHC issued updated administration regulations on both AI-assisted diagnosis technology and AI-assisted treatment technology, together with the applicable quality control criteria for clinical application, reflecting the most recent regulatory position of the NHC to encourage, while strictly regulating, the development and cybersecurity application of AI-assisted diagnosis and treatment for safety considerations.
In 2019, the NMPA issued the Key Considerations for Review of Medical Device Software Using Deep Learning Technology for Assisted Decision-Making, laying out its concerns for registration review of the relevant medical device software, including software development, software updates and related technical considerations. In 2021 and 2022 respectively, the NMPA issued the Guiding Principles for the Classification and Definition of AI Medical Devices, and the Guiding Principles for Registration Review of AI Medical Devices, the latter laying out the application requirements and technical review standard of AI medical devices. In 2022, the NMPA issued a series of industry standards related to the quality requirements and evaluation of AI medical devices.
Regulatory Developments on Data Protection
In July 2018, the NHC issued the Administrative Measures on the Standards, Security and Services regarding National Healthcare Big Data (the “Measures on Healthcare Big Data”), announcing the direction of regulating the use and application of the healthcare-related data from a compliance perspective, and implementing industry-specific data protection requirements. In December 2020, a recommended national standard, the Information Security Technology – Guide for Healthcare Data Security was released to provide comprehensive guidelines in protecting healthcare data, particularly considering the rapid development of digital healthcare.
Additionally, in April 2021, the NHSA issued the Guiding Opinions on Strengthening Network Security and Data Protection, which requires the establishment of a more solid foundation for network security and data protection mechanisms in digital medical insurance and digital healthcare.
From a general perspective, following two important data protection laws which took effect in 2021, the PIPL and the PRC Data Security Law, a series of measures and guides have been promulgated since 2022 regarding detailed regulations on data protection, security assessment measures and the execution of standard contracts for cross-border data transfer.
Especially, human genetic resources samples and data (HGR) are primarily governed by the Biosecurity Law, the Administrative Regulation on Human Genetic Resources (the “HGR Regulation”), along with its implementation rules newly issued in 2023. Notably, foreign parties with its PRC established or controlled entities are only permitted to use Chinese HGR upon filing/approved by the HGR authority and are prohibited from collection, storage, and cross-border transfer of the HGR.
Currently, the key areas of regulatory enforcement in digital healthcare include cybersecurity, personal data protection, and internet-based diagnosis and treatment (including internet hospitals).
In terms of cybersecurity, the implementation of the Multi-Level Protection Scheme (MLPS), which is a compulsory legal obligation under the PRC Cybersecurity Law and relevant regulations, is now becoming an enforcement focus for most industries involving sensitive information - particularly healthcare.
The MLPS is composed of a series of technical and organisational standards and requirements that need to be fulfilled by all network operators in China. As the development and operation of digital healthcare heavily relies on networks and IT infrastructure, it is critical for digital healthcare providers to enforce and complete the MLPS grading process. Pursuant to the IDM and the Internet Hospital Measures, healthcare institutions providing internet-based diagnosis services and internet hospitals shall be graded and protected as Grade III under the MLPS regime. Failure to complete the MLPS would lead to administrative penalties including warnings and fines issued by the Public Security Bureau (PSB).
In terms of personal data protection, relevant data protection authorities such as the Cyberspace Administration of China (CAC), the Ministry for Industry and Information Technology (MIIT) and the PSB have been actively enforcing personal data protection requirements across industries, including healthcare. Industry supervision authorities such as the NHC and the NHSA are also involved in those enforcement actions on healthcare institutions.
The Cyberspace Administration of China
The CAC is responsible for the overall planning and co-ordination of network security and relevant supervision and administration. In terms of digital healthcare, the CAC’s involvement may include regulating the collection and utilisation of personal information, cross-border transfer of healthcare data, and the cybersecurity review of internet hospitals, etc.
The Public Security Bureau
In terms of cybersecurity, the PSB is mainly responsible for enforcing the MLPS and investigating cybercrimes. With respect to digital healthcare, the PSB’s involvement includes:
Ministry for Industry and Information Technology
The MIIT is responsible for:
In terms of digital healthcare, the MIIT’s involvement may include regulating related technology development, such as the development of and security requirements for AI technology. In addition, the MIIT actively leads personal data protection campaigns on mobile applications, including apps used in the healthcare industry.
National Data Bureau
It is noteworthy that the National Data Bureau (NDB) was officially inaugurated on 23 October 2023 to co-ordinate the improvement of data infrastructure systems - including the development, utilisation and interaction of data resources, and pushing forward the building of digital China. Therefore, it is expected that the NDB will play certain role in data protection enforcement regarding digital healthcare.
Preventative care is not a legal term defined in PRC laws and regulations and can be interpreted broadly. In practice, if a preventative care concerns general healthcare consulting, elder care, nursery, massage, fitness or wellness, without making judgement about diseases or giving targeted recommendations towards specific health issues or conditions, it may not fall within the definition of diagnosis and treatment and thus will not be subject to special regulation. On the other hand, if a preventative care falls within the area of diagnosis or treatment activities (eg, disease screening or vaccination), it can only be performed by a qualified doctor in a medical institution.
National polices have heightened the awareness around preventative care by enhancing disease prevention and control systems. These policies emphasise the interconnectedness of disease prevention and treatment, calling for relevant authorities to enhance health promotion and preventative healthcare services for maternity, infants, students, occupational groups, and the elderly. The government policies also focus on improving services, such as elder care, and supporting the revitalisation and development of traditional Chinese medicine (TCM), which will encourage awareness of preventative care.
Social trends also reveal the increased need for preventative care. On the one hand, with the rapid development of the national economy and the expansion of the middle class, more consumers have begun to pursue a better quality of life and are willing to pay for preventative care. On the other hand, the outbreak of COVID-19 and the stress of the ageing population with limited social endowment insurance has also contributed to public health awareness.
Under PRC law, there is no clear separation of personal health data and fitness and wellness information. If certain fitness and wellness information falls within the scope of personal information, information on HGR or healthcare big data, it will be regulated accordingly. The legal considerations can be reviewed in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information and 11.1 The Utilisation of AI and Machine Learning in Digital Healthcare.
Currently, there are no detailed regulations focusing on preventative healthcare. However, national policies have been addressing this topic. For example:
The Guidelines to Promote the High-quality Development of Disease Prevention and Control issued by the General Office of State Council in December 2023 sets the goal to build up a disease prevention and control system by 2030.
The healthcare industry is relatively strictly regulated in China. When a non-healthcare company enters the market by introducing new technologies and the application of existing technologies to healthcare, it must evaluate:
In either case, entrants into the relevant market must first obtain a licence.
Technology Developments Enabling the Enhanced Use of Connected Devices
Connected devices involve a wide range of technologies, including sensing technology, display technology, and wireless communication technology. The development of endurance technology also enables the enhanced use of connected devices.
With the above-mentioned technology, the telemedicine platform can automatically collect various vital signs data, upload the data to the hospital control centre and analyse the data in real time, to provide doctors with an early warning to facilitate the provision of telemedicine services.
If a telemedicine platform is aimed at providing health education or caring services rather than medical services, the user may claim for liability against the platform owner.
If a telemedicine platform is registered as a medical device and is used by physicians during their practice, the involved medical institution will be accountable for malpractice. Also, if such telemedicine platform is proved to be defective, the patient may also claim for product liability against the manufacturer.
In an on-premises or local computing environment, healthcare institutions need to set up and maintain an IT system with a solid foundation for network security and data protection mechanisms. Taking reference from the Administrative Measures for Cybersecurity of Medical and Health Institutions and a series of policies, guidelines and recommended national standards, the healthcare institutions should:
A connected device intended for medical purposes is deemed to be a medical device and is subject to the regulations of the NMPA on medical devices.
Due to the features of a connected device, a series of guiding principles have been formulated to address the cybersecurity and data security issues embedded in such devices. For example, in applying for the registration of the connected device as a medical device, the NMPA will ask the applicant to submit materials to prove its capability on cybersecurity, in accordance with the guiding principles. The NMPA also imposes requirements on the manufacturers to ensure the data security of medical device software – ie, to ensure the confidentiality, integrity and availability of the health data in the software.
Definition and Regulatory Authorities
Under applicable PRC laws and regulations, standalone software as a medical device (SaMD) refers to software which has one or more medical uses, does not require medical device hardware to accomplish the intended use, and runs on a common computing platform. A SaMD can be used in conjunction with multiple medical devices or a specific medical device.
As for a software product that uses AI, whether it is administrated as a SaMD depends on its intended use, processing object and core function, among other factors. When a software product processes medical device data and its core function is to manage, measure, model, calculate or analyse such data for medical purposes, the product falls within the scope of a SaMD.
SaMDs, like other medical devices, are regulated by the NMPA and its subordinate branches, including for development, registration, manufacturing, sales, post-market risk management and adverse event reporting, etc.
Classification of a SaMD
Under applicable PRC laws and regulations, medical devices are classified into three classes based on their risks:
For SaMDs, the main factor to be considered when rating the risks is their impact on diagnosis and treatment results. SaMDs having slight impact on diagnosis and treatment results are classified as Class II medical devices, and SaMDs having substantial impact on diagnosis and treatment results are classified as Class III medical devices.
Generally, SaMDs used for image processing, data processing and image file transmission are classified as Class II devices, while most of the SaMDs used for assisting treatment (eg, formulating a treatment plan) and diagnosis (eg, giving clinical diagnosis and treatment basis and/or advice) are classified as Class III devices.
Regulations on SaMDs
Registration and updates of SaMDs
Class II medical devices manufactured in China must register with provincial medical products administration (PMPA). Class III medical devices and the imported Class II medical devices must register with the NMPA.
Software updates of SaMDs can be divided into major updates and minor updates. Major updates refer to enhancement that affects the intended uses, environment of use or core function of medical devices. Minor updates refer to enhancement that does not affect the safety or effectiveness of medical devices as well as corrective updates.
Major updates are subject to technical review and prior approval from the authorities, while minor updates do not require approval in advance but should be reported in the next registration application for post-market change or renewal. In the case that software employs self-adaptive learning or continuous learning, users also assume the role of product developer and share the product quality responsibility and legal responsibility with the registration applicant.
Therefore, given the current law and regulation framework and technological capacities, the self-learning function of software designed with continuous learning or self-adaptive learning capacity should either be disabled, or if enabled, not utilised.
Manufacturing, sale and use of SaMDs
Manufacturing and sales of SaMDs are subject to corresponding licensing requirements, in particular the Appendix for SaMDs of Good Manufacturing Practice for Medical Devices. In addition, the clinical use of certain types of SaMDs may be subject to additional regulations – eg, using AI-assisted diagnostic technology is subject to self-assessment and filing with the relevant health commission, and must meet the specific rules applicable to the clinical use of such technology.
Internet Hospital
Under the Internet Hospital Measures, internet hospitals can be divided into two categories:
Under both categories, internet hospitals may provide internet-based diagnosis and treatment to patients, which are limited to the follow-up diagnoses of certain common and chronic diseases.
E-prescription shall contain the electronic signature of the physician issuing it. After being reviewed and verified by a pharmacist, the healthcare institution or pharmacy may engage an eligible third party to deliver the relevant drugs to the patient.
Family Doctor Contracting Services
Family doctor contracting services are mainly provided by community healthcare institutions. After signing a family doctor service agreement with residents, family doctors provide relevant services according to the requirements of the agreement, which may include health management services, health consultation services, outpatient services, rehabilitation, smart-aided therapeutics and medication guidance services, etc. The residents can execute service agreements, make appointments, and accept health consultation and follow-up visit of chronic diseases through online channels such as websites and apps.
Cross-Border Telemedicine
Currently, there is no clear restriction on provision of internet-based diagnostic services by healthcare institutions or healthcare professionals located outside China made to patients located in China; though in practice the platform providing such services may be exposed to regulatory risks as physicians and nurses permitted to provide internet-based diagnostic services under IDM shall register in the national electronic registration system in China.
Consulting services provided online regarding health status or diseases by healthcare professionals to patients, to the extent such services are provided without giving diagnosis or prescriptions, are not internet-based diagnoses regulated by IDM.
The NHC issued a series of notices and opinions in 2020 to encourage healthcare institutions to leverage telemedicine and release the pressure of offline delivery of healthcare services. Expanding the coverage of telemedicine and establishing a telemedicine collaboration network are also parts of the requirements to further improve the medical and health service system according to the General Office of the CPC Central Committee and the General Office of the State Council’s opinions in March 2023. Although there has been a rapid acceleration of telemedicine, some gaps and issues remain to be resolved and clarified from a national policy perspective, such as the expansion of the scope of internet-based diagnosis and treatment, the application of internet-based diagnosis and treatment on first diagnoses, the protection of patients’ privacy and the enhancement of data security.
During COVID-19, the NHSA and the NHC issued further guiding opinions promoting implementation of BMI reimbursement for internet-based diagnosis. In October 2020, the NHSA issued further detailed opinions on the scope of reimbursement and the requirements for application thereof, laying down the regulation framework for the BMI reimbursement of internet-based diagnosis. Under these opinions, qualified offline healthcare institutions providing internet-based diagnosis may apply for an establishing reimbursement arrangement for their internet-based diagnosis services via the BMI agencies. BMI reimbursement for internet-based diagnosis services may cover both medical consultation fees and drugs.
Typical Application Scenarios of the Internet of Medical Things (IoMT)
Life cycle monitoring of medical devices
The use of radio frequency identification (RFID), infrared sensors, GPS and other information sensors could help to achieve real-time intelligent identification, tracking, supervision, and management of medical devices to enhance hospital management.
Intelligent operating rooms
The operating room is a core department of hospital business operation. With the development of the IoMT, intelligent operating rooms can effectively enhance the integration of modern medical technologies and information technologies. Surgeons can obtain and share information through the IoMT, which helps to significantly improve the efficiency of an operating room and allows for more efficient and focused operations.
Connected and Smart Devices
The integration of connected and smart devices such as nurses’ and patients’ wristbands, electronic bed cards, hand hygiene monitoring with electronic devices not only makes it convenient for entrance control, but also monitors patients’ status such as falls or hand hygiene.
Wearable health monitoring devices
Wearable health monitoring devices refer to devices using wearable biosensors for measuring or collecting data on an individual’s movement and physiological parameters for health management purposes. A wearable health monitoring system is an integrated system with non-invasive detection of human physiological information, wireless data transmission and real-time processing functions.
Technological Developments That Drive the Internet of Medical Things
5G networks
The application of 5G networks has greatly facilitated the IoMT. 5G networks are able to provide more stable and efficient connectivity for loMT devices through their high speed, low latency and large capacity, which could significantly support various functionalities and data requirements of loMT devices.
NB-IoT
The Narrow Band Internet of Things (NB-IoT) network helps the healthcare industry to accelerate the upgrading of its information technology. NB-IoT cellular technology, as a global unified mobile IoT standard, relies on the cellular network to build a network with wide coverage, low power consumption, large links, low cost and high security, and can meet a variety of application scenarios for low-rate services.
Sensors
Sensors are the basic components of various medical devices. The IoMT is an intelligent service system that connects things, people, systems and information resources according to agreed protocols through sensing devices such as RFID tags, wristbands and wearable devices, to process information and react to the physical and virtual world. Currently, the most common applications of IoMT are sensor-based monitoring applications.
Regulatory issues for the IoMT
Currently, regulators in China are still developing the applicable laws and regulations for the IoMT. The main issues under discussion include cybersecurity and personal data protection, especially for handling security risks such as network vulnerabilities.
The Impact of 5G Networks
For digital healthcare development, one of the biggest challenges is the transmission of bulk data, especially for application scenarios such as emergency treatment, where the need for transmission of bulk data in a secured and stable manner is in high demand. A typical scenario is where doctors in an ambulance could use 5G medical devices to complete a series of examinations such as blood tests, electrocardiograms (ECGs) and ultrasounds, and transmit a large amount of data such as images and condition records back to the hospital in real time through the 5G networks, thus substantially enhancing the management and efficiency of emergency treatment.
In areas such as remote monitoring, remote analysis, remote consultation, remote control and remote diagnosis, where data is collected from various sources in disorder format, 5G networks also help to solve the issues of data sharing and cleaning to support the development and application of AI technologies. In addition, 5G networks have been deployed to provide “smart” service for patients, such as appointment making, information inquiries, payments, and hospital navigation. In relation to the above areas, from 2019 and led by the NHC, several sub-standards of Hospital Network Construction Standards Based on 5G Technology were compiled and released to guide the construction of a new generation of 5G network infrastructure of hospitals.
The Commercial and Contractual Considerations of Healthcare Institutions
Key commercial and contractual considerations faced by healthcare institutions in entering arrangements with telecommunications providers to deploy and manage 5G networks may include the following:
Key Legal Issues in Using and Sharing Personal Health Data
The PRC data protection framework comprised of the PRC Civil Code, PRC Cybersecurity Law and PIPL regulates the protection of personal data and set up the fundamental principles and general requirements, while the healthcare regulation of personal health information provides more specific protection requirements on healthcare data.
Broad data requirements
Informed consent, under general circumstances, is the pre-condition for any collection, storage, use, processing, transfer, provision, disclosure and deletion of personal health data. In terms of scientific research and clinical settings, the general requirement of consent would also apply for the collection, use and sharing of personal health data.
The possibility of re-identification is addressed through other technical and organisational protection measures, such as strengthening the internal control process by limiting the data access on a need-to-know basis.
Nevertheless, if de-identification is applied to the extent that the specific individual cannot be re-identified or affiliated, and the de-identified information cannot be rehabilitated, the data would then not be deemed as personal health data, but as general health data, subject to a relatively low level of protection. As for data aggregation, this would not change the nature of personal heath data unless the aggregated data does not contain any personally identifiable information that could be used to identify a specific natural person.
Consent
In terms of consent, digital healthcare has not yet substantially changed the nature of patient consent; instead, it could provide more alternative means for obtaining consent. Informed consent requires a data controller to provide a holistic view regarding the scope and purpose of data collection, use, share, transfer and retention, based on which the data subject could provide a voluntary consent through active conduct. In practice, consent is frequently obtained through:
Legal Considerations in Sharing Personal Health Data
Key legal considerations in sharing personal health data with healthcare institutions or non-healthcare institutions would usually include the following.
Liabilities
As personal health data largely falls within the category of personal sensitive data under PRC laws, the scope of liability for data breach or unauthorised use of or access to personal health data in use and sharing are currently the same as for personal data, and are regulated under the PRC Criminal Law, the PRC Civil Code, the PRC Cybersecurity Law, and the PIPL, which include criminal liabilities, administrative liabilities and civil liabilities as follows:
AI, Machine Learning and Data Security Concerns
AI in healthcare is developing rapidly in China and has been playing a robust and growing role in the healthcare industry. Since 2016, with the strong support of national policies, China’s giant technology companies have entered into this field and launched different types of AI products.
From the legislative perspective, the NMPA issued the Guiding Principles for the Review of Registration of AI Medical Devices in 2022, to regulate the registration of AI products as medical devices. As the most common form of AI, machine learning is widely applied in various aspects such as AI-assisted diagnostics and treatment, medical imaging, precision medicine, pharmaceutical research, followed by data security concerns with respect to the protection of large-scale personal sensitive data and cyber-attacks.
For example, in April 2020, the server of a Chinese healthcare AI company in medical imaging related to COVID-19 diagnostics was hacked, and the research results, source codes and user data were posted on the dark web for sale. The implications of this incident have already exceeded the scope of commercial or business considerations, and from a broader perspective, would even endanger public security and public interests given the involvement of personal sensitive data and important research results for public health.
There are strengths and weaknesses of a centralised electronic health record computer system. Strengths include better integration of healthcare resources and more efficient and effective delivery of healthcare services, while the weaknesses would still include data security concerns, especially when the centralised nature of the electronic health record computer system makes the whole system and data more vulnerable to cyber-incidents or cyber-attacks.
Data Use and Data Sharing in the Machine Learning Context
Like other application scenarios, data use and sharing in the machine learning context are subject to the requirements of informed consent and data security under the relevant laws and regulations, such as the PRC Cybersecurity Law, the PRC Civil Code and the PRC Personal Information Protection Law.
Additionally, as a sizeable amount of data from various data sources is required in the machine learning context, the aggregated data may be deemed as healthcare big data and subject to special rules of data localisation, strict electronic real-name authentication and data access control, data classification, important data back-up and data encryption, etc, under the Measures on Healthcare Big Data.
Natural Language Processing
Natural language processing is now widely used in scenarios such as healthcare data mining, converting unstructured healthcare data to structured data, electronic medical records, and medical imaging. As for the regulatory scheme, China is in the process of establishing laws and regulations, ethical norms and policy systems in AI development and application.
As addressed in 11.1 The Utilisation of AI and Machine Learning in Digital Healthcare, companies engaging in new digital healthcare technologies should be aware of the relevant regulatory and legal issues, including cybersecurity and data protection, and that they are subject to the same requirements.
Unlike traditional medical devices, the development of an AI medical device may need a tremendous amount of data for machine learning and training. According to the national recommended standard on Information Security Technology – Guide for Health Data Security, the development and validation phase of a product where data relating to patients and related populations is required is essentially a clinical study. Collecting and processing personal information in a clinical study is also subject to the informed consent of the data subjects. In practice, as the digital companies may not need such data to be identifiable, they may choose to use a “limited data set” subject to a certain degree of de-identification which will not be deemed as personal information.
The draft of the Artificial Intelligence Law is ready to submit to the Standing Committee of the National People’s Congress (NPC).
It is required by the Measures for the Review of Sci-tech Ethics (for Trial Implementation)( “SE Review Measures”), effective as of 1 December 2023, that the entities engaged in the life sciences, medicine, artificial intelligence and other sci-tech activities shall set up a sci-tech ethics (review) committee if their research involves sensitive fields of sci-tech ethics.
As addressed in 4.5 Challenges Created by the Role of Non-healthcare Companies, new market players developing new digital healthcare technologies must first decide:
In either case, entrants to the relevant market should first obtain a licence to operate and continuously follow the regulations of the healthcare industry.
Due to the evolving nature of digital healthcare technology and the need for constant updates, any update of an algorithm due to increased amounts of data may require a change of registration of the medical device, which will need to be submitted to regulatory authorities for re-approval.
Cybersecurity and Data Protection
As addressed in 10. Data Use and Data Sharing and 11. AI and Machine Learning, companies engaging in new digital healthcare technologies should pay attention to the legal requirements for cybersecurity and data protection.
IT infrastructure of healthcare includes four main categories: chip, cloud computing, communication services and data services, which are also called the new infrastructures.
Pursuant to the requirements of the NHC on the construction of information platforms, the IT infrastructure of a healthcare institution should have:
Looking forward, a solid foundation for digital healthcare or “Internet Plus Healthcare” could be established through:
This would aim to achieve the goals of:
From a cybersecurity and data protection perspective, any IT infrastructure needs to complete the MLPS, which is a compulsory legal obligation under the PRC Cybersecurity Law and relevant regulations. The MLPS includes a series of technical and organisational standards and requirements that need to be fulfilled by the operators of the IT infrastructure.
In 2018, the NHC issued the Standards and Norms for Hospital Information Construction in China (Trial), which provides detailed requirements and standards for various levels of medical institutions regarding software and hardware construction, security protection and application of emerging technologies, with IT upgrades as one of the requirements.
As for regulations on data management practices, other than the oversight of personal health information, as addressed in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information, patient information and other sensitive data should be stored within the PRC. A medical institution is required to enhance the informatisation level of clinical diagnosis and treatment and the use of electronic medical records, including:
Scope of Protection of Intellectual Property Rights
Technologies involved in digital health technologies or products may be protected by patent rights, copyright, or as trade secrets.
Patents
The PRC Patent Law protects inventions, utility models or designs that possess novelty, creativity and practicality. Under the PRC Patent Law:
There are certain exceptions not protectable by the PRC Patent Law due to a lack of technical features or public interest, including diagnosis and treatment methods for diseases, rules and methods of intellectual activities, etc. AI technology can be protected as a patent to the extent such technology meets the requirements, for which purpose it should not only be in the form of algorithms, but also have certain technical features. The terms of protection, commencing from the application date, are:
Copyright
The PRC Copyright Law protects works in the fields of literature, art and science which can be expressed in a certain form, including, without limitation, written works, oral works, photographic works, audio-visual works, graphic works and model works (such as engineering design plans, product design plans, maps and schematic diagrams), computer software, etc. Therefore, with respect to technologies and products in the field of digital health, computer software and product designs, among others, can be protected by copyright.
The duration of a copyright depends on the type of author and type of such work – ie, the protection term of right of authorship, right of revision and right to preserve the integrity of the work of an author is eternal, whereas the protection term for the right to publish the works of an entity is 50 years from the completion of the works.
Trade Secrets
Under PRC laws, trade secrets refer to commercial information such as technical information and business operation information not known to the public, which has commercial value and for which the rights holder has adopted the corresponding confidentiality measures. Non-public information related to AI technologies, such as certain know-how, can be protected as a trade secret, provided the appropriate confidentiality measures are adopted.
Protection of Data
If data is expressed and exhibits originality, hence constituting a work, such data may be protected by copyright. Data can also be protected as a trade secret in China. With respect to a database, if the selection or compilation of its content shows originality, it may be protected as a compilation work under the PRC Copyright Law. In addition, if utilisation of the data or database obstructs the competition order of the market and constitutes unfair competition, the PRC Anti-unfair Competition Law may also apply.
AI Inventorship and Authorship
Whether AI can be regarded as an inventor of invention developed by AI has not yet been clarified under the PRC Patent Law. Currently, work generated with the assistance of AI (ie, an article written by AI but with the input of data, template and writing style determined by the employees of a company) is eligible for copyright protection with such work deemed work-for-hire and with the company regarded as the author.
To decide which form of intellectual property protection applies to certain technology, the characteristics of the technology – ie, whether it satisfies the requisite elements of a specific form of intellectual property – need to be considered.
If the technology satisfies the features of more than one form of intellectual property, commonly between a patent and a trade secret, the technology owner needs to be aware of the advantages and disadvantages of different types of protection.
A patent right can be better claimed, proved and valued as it is reviewed and granted by the Patent Office and officially registered. Such protection is granted on the condition that the technology is reviewed, publicised and the protection duration is limited under the law.
Trade secret protections, on the other hand, require the owner to take relevant measures to keep such technology confidential and the protection does not have a time limit as long as the technology remains unknown to the public. However, in the case of a trade secret infringement, the owner will have to prove the existence of the trade secret, their rightful ownership, the occurrence of the infringement and its value.
The licensing arrangement of intellectual property could be different, depending on the commercial needs.
Provision of Services or Sale of Products
The provision of services or sale of products will not include a proprietary transfer of the intellectual property embedded in the services or products to the purchaser of the services or products. Similarly, the purchasers are not automatically granted a licence regarding the intellectual property except for the use of services or products they purchased for their intended use.
Licence Deal on Digital Healthcare Products or Technology
In a typical licence deal, the licensor will grant a licence to the licensee to develop, utilise, upgrade, improve and commercialise the digital healthcare products or technology. Such collaboration will generally include a licence of intellectual property rights and the consideration for such a licence, under which the licensee can use the intellectual property for agreed purposes and retain interest generated therefrom. Sometimes, the licensor will also ask for a right of grant-back to enjoy the improved technology and a right of reference of the data generated from the licensee’s use of the licensed products or technology.
Co-development
For digital healthcare services and products that are at an early stage of development, the parties may agree on a co-development of such technology or product and co-own the intellectual property rights derived therefrom.
Copyright Allocation
With respect to works created by a physician employed by a hospital or a researcher employed by a university while performing their work, unless otherwise agreed, the copyright of the work shall be owned by the physician or researcher, provided that the hospital or university as employer shall be entitled to use such work within the scope of its operation. However, for works created primarily using material and tools of the employer – ie, the hospital or the university – the copyright shall be owned by the hospital or the university (except that the right of authorship belongs to the employee) unless otherwise agreed.
The copyright of a work jointly created by two or more persons shall be co-owned by the co-authors. Attribution of copyright of a commissioned work shall be agreed between the principal and the commissioned party via a contractual arrangement. Where the contract is not clear or where there is no contract, the copyright shall belong to the commissioned party.
Patent Right Allocation
If an invention is developed by a physician employed by a hospital or a researcher employed by a university while performing their work or mainly utilising materials and tools of the hospital or university, the patent right of such invention belongs to the hospital or the university unless otherwise agreed between the parties.
Where two or more entities or individuals co-operate in the development of an invention, or if an entity or individual has been engaged by another entity or individual to develop an invention, unless otherwise agreed, the entities or individuals that have completed or jointly completed the invention shall own or co-own the patent application right and patent right (if granted).
It should be noted that, with respect to patent applications for work products generated from international co-operative research (eg, between a Chinese hospital and a foreign sponsor) utilising Chinese HGR, at least as regards clinical trials for non-registration purposes, such patent application should be submitted and the patent rights owned by both parties of the co-operation.
Where multiple parties are involved in the creation of a work or in the development of technologies, subject to applicable laws and regulations, the parties should clearly agree on the ownership of the intellectual property rights of the relevant work product and, to the extent necessary, make detailed and clear arrangements on the exercise of the rights and restrictions thereon, such as rights and restrictions on use, licensing, transfer and profit distribution. Specifically, in clinical trial agreements involving international co-operative research utilising Chinese HGR, appropriate IP provisions must be included to comply with applicable regulations and protect the legitimate interest of the parties involved.
Generally, with respect to the determination of liabilities in the event injury is incurred by a patient using a SaMD, provisions on product liability and tort would apply – ie, the patient can claim compensation from either the manufacturer or the seller if the injury is caused by a defect in the product. Where the party compensating the patient (either the manufacturer or the seller) is not liable for the defect, such party may recover its losses from the other.
If the defective SaMD was being used by a healthcare institution, including a SaMD using AI technology (to the extent the AI technology is not providing a diagnosis and treatment solely on its own), the patient may also elect to claim for compensation from the healthcare institution, which itself may seek to recover its losses from the manufacturer liable for the defect.
If the healthcare institution is at fault when conducting diagnosis and treatment activities, it shall also be held liable. The question of whether AI can conduct medical treatment independently and the related liability issues are to be further clarified by relevant laws and regulations.
In terms of the potential bias issue of AI, as bias would likely be deemed an ethical issue, this is to be further clarified by enforcement practice.
Contractually, if the supply chain disruption or the cause thereof constitutes a breach of the agreement between the vendor and the healthcare institution, such as a failure of the vendor to perform certain obligations, the vendor shall bear contractual liabilities as agreed by the parties. If such failure constitutes violation of applicable laws and regulations, the vendor may also be subject to punishment by the relevant authorities.
35th & 36th Floor
Shanghai One ICC
No.999 Middle Huai Hai Road
Xuhui District
Shanghai 200031
China
+86 21 2310 8200
+86 21 2310 8299
Alanzhou@glo.com.cn www.glo.com.cnChina’s Digital Healthcare: Sophistication in Business Models and Compliance Challenges
The internet and mobile applications have profoundly reshaped the habits of Chinese patients in seeking healthcare services, and have significantly expanded the access to the relatively limited quality medical resources in China. In addition to booking medical appointments online, Chinese patients now receive diagnoses and medical advice remotely and can purchase a great variety of pharmaceutical products without leaving their homes. This transformation follows the active integration of internet-based solutions into China’s healthcare sector over the past five years, a collective effort of both the government and industry innovators.
With the rapid expansion of the digital healthcare industry, the government is also constructing a holistic regulatory framework to ensure its smooth development. While some of the regulatory concerns are novel, most of them are traditional but expressed in industrial-specific terms.
In particular, in 2023, China launched another wave of anti-corruption enforcement campaigns targeting the entire healthcare sector, with the digital healthcare industry also in its outreach. Applying anti-corruption doctrines in the digital healthcare industry may raise many interesting questions, particularly given the new development in this industry, but the Chinese law has yet to provide specific answers to these questions.
Typical Business Models in the Digital Healthcare Industry in China
“Digital healthcare” is a hybrid concept in China and encompasses a broad range of business models. If we limit “digital healthcare” to internet-based medical solutions, the typical business models are as follows.
Internet hospitals
Internet hospitals are online platforms of medical institutions. They may be operated solely by the medical institutions or jointly by medical institutions and third-party entities. Qualified enterprises may apply for medical institution licences and then establish their internet hospitals.
Medical e-commerce platforms
Medical e-commerce platforms are online marketplaces where pharmaceutical products, medical devices, and other medical products are traded. These platforms can operate in O2O (Online-to-Offline), B2C (Business-to-Consumer), and B2B (Business-to-Business) modes.
Internet healthcare services
Such services are those provided online by various vendors. They typically include non-diagnosis services such as pre-diagnosis, health monitoring, and post diagnostic services. Non-diagnosis related services, online medical appointment reservations and patient education contents, are also part of the services.
Medical big-data services
Medical big data services focus on the collection, analyses, and application of data generated during the provision of medical services. Such data and analyses are often used to support diagnoses, scientific research, and product development.
In practice, it is increasingly common to see these business models, particularly internet hospitals and medical e-commerce platforms, commingle with one another. Major market players are fully incentivised to operate under multiple models simultaneously to take advantage of the synergies.
Status Quo of the Digital Healthcare Industry in China
Expanding total market
The Chinese government fully acknowledges the positive net social effect brought by digital healthcare and is encouraging the deployment of 5G, big-data and artificial intelligence technologies to boost its continuous growth. These favourable policies have resulted in an exponential market increase. Market intelligence estimates that the total market value of China’s digital healthcare industry could reach CNY419 billion by 2024.
The increase of the value is primarily driven by the expansion of users. As of June 2023, the number of digital healthcare users in China has reached approximately 363 million. Such growth is expected to continue, as 363 million only accounts for one-third of the total number of China’s internet users.
Fierce competition
A few years ago, when digital healthcare was still emergent, the Chinese market was primarily led by such pioneers as WeDoctor and Haodf, which impressed users with their convenience in making medical appointments and facilitating virtual medical consultations. Nowadays, while they are still viewed as mature internet hospitals and effective channels for patient education, the market has become significantly more crowded. Its rapid growth has attracted many internet giants, such as JD and Alibaba, to join the game. We-media platforms, such as Douyin (Chinese version of TikTok) and Xiaohongshu, are piercing into this area as well. These companies are developing capabilities by leveraging their existing comparative strengths (eg, sales channels and network traffic). While it may still take some time before the dust settles, it is not difficult to envision that the market may eventually be dominated by a limited number of winners.
Race towards a “one-stop” solution
Internet giants and we-media platforms have brought in abundant resources to the competition, accelerating the integration of business models in a race towards creating a “one-stop” solution for patients and other broadly defined users. With a single application, patients may quickly locate and communicate with doctors most suitable to their needs, obtain diagnoses and prescriptions, purchase pharmaceutical products, and access patient educational materials; doctors may receive training and education, provide medical consultations, prescribe pharmaceutical products, and build their public profiles and credentials; pharmaceutical companies have more effective channels to sell their products and deepen their connections with patients and doctors. All stakeholders are expected to benefit from the integration and the resulting efficiency, but it is also foreseeable that the integration could introduce a highly complex compliance landscape to service providers.
Regulatory Regimes on the Digital Healthcare Industry
During 2017 to 2022, China introduced a series of ministerial regulations specifically designed for the digital healthcare industry. These regulations, listed below, focus on permits, licences, and other regulatory requirements for the establishment of internet hospitals and medical e-commerce platforms, the provision of online diagnoses and prescriptions, and sales of pharmaceutical products:
Permits and licences
Internet hospitals and medical e-commerce platforms must obtain the relevant permits and licences before carrying out their activities. In order to obtain these permits and licences, they must meet all legal requirements concerning organisations, personnel, infrastructure, and internal policies.
Provision of online diagnoses and prescriptions
The regulations impose several limitations on online diagnoses and prescriptions: (1) online diagnosis and prescriptions can currently only be provided via internet hospitals (but not other digital healthcare providers); (2) initial diagnoses must be provided offline, with online diagnoses limited to follow-up consultations on confirmed diseases; and (3) the diseases eligible for online diagnoses are restricted to common and chronic conditions.
The regulations provide detailed rules on (1) the registration and qualifications of healthcare professionals (HCPs) providing online diagnoses and prescriptions; (2) the contract terms related to online diagnoses and prescriptions; (3) dos and don’ts during the diagnosis and prescription activities; (4) the qualifications of medical logistics service providers; and (5) preservation and retention of electronic medical records.
Sales of pharmaceutical products
Entities selling medicines and medical devices are required to obtain the relevant permits or complete the necessary filings for their trading activities. Depending on the business models, the responsible parties could be the platforms themselves, or the trading companies making sales via the platforms.
Safety management, risk controls, storage, delivery, adverse effect reporting, document retention, and other aspects related to the sales of medicines and medical devices are subject to the regulations or the policies to be promulgated by the selling entities pursuant to the regulations. The regulations also prohibit or restrict the online sales of certain substances or types of medicines.
Others
In addition to these industry-specific regulatory rules, stakeholders in the digital healthcare industry are also subject to the general requirements stipulated in other laws and regulations, such as those concerning anti-corruption, anti-unfair competition, medical advertisements, and data privacy and protection.
Anti-corruption Regime on Digital Healthcare Industry
In 2023, China initiated another wave of anti-corruption campaign in the healthcare sector. This campaign focused on “medical bribery,” a special type of commercial bribery that involves the offering or acceptance of values intended to influence the procurement or prescription of pharmaceutical products.
Unlike ordinary commercial bribery, which is usually not found where the value is paid to the nominal transaction counterparty, Chinese regulators are more likely to find medical bribery even when pharmaceutical companies pay value not to individual HCPs, but to hospitals as entities. This is because regulators tend to perceive the actual transactions as occurring between pharmaceutical companies and patients, with HCPs and hospitals being “parties having influence over the transactions”. This special treatment is intended to protect patients and reflects the government’s long-standing understanding that HCPs and hospitals owe a special duty to patients and must prioritise patients’ interests over their own. Consistent with this view, medical bribery is always subject to more aggressive enforcement actions of regulators.
The anti-corruption compliance risks in the digital healthcare industry are more complex. Depending on their business models, some digital healthcare companies are pharmaceutical trading companies interacting with business enterprises, hospitals, and HCPs, and are therefore exposed to both medical bribery and ordinary commercial bribery risks. Others are medical institutions themselves. In different roles, digital healthcare companies may face different passive and active bribery risks, including, typically, the following:
The risk profiles of digital healthcare companies acting as hybrids (ie, pharmaceutical trading companies and medical institutions simultaneously) can be even more complex. The extent to which their financial interactions with external parties depend on their roles, and interactions between their business units internally could both be potential sources of risks.
To illustrate, if a digital healthcare company purely acts as a pharmaceutical company, it may receive entity-to-entity sales rebates from its upstream suppliers, provided that such rebates follow the accurate documentation requirement under the Chinese law. Such rebates are considered legitimate discounts on the sales prices. However, where a digital healthcare company acts as a hybrid, it would be difficult to distinguish the rebates to it as a pharmaceutical trading company, from the values transferred as “incentives” to it as an internet hospital.
In another scenario, a digital healthcare company acting as a hybrid may encounter a dilemma in deciding whether they can incentivise their HCPs for prescribing pharmaceutical products sold on their platforms. While this may appear to be a sound business model, as the combination of the internet hospital and the e-commerce platform is to generate business for each other, such incentive may not withstand scrutiny under the Chinese anti-bribery laws. Chinese law requires HCPs to base their prescription decisions purely on the best interest of patients, and any economic incentives that undermine the impartiality of such decisions may constitute medical bribery.
One may argue that digital healthcare companies operating as hybrids could address these issues by operating as two independent legal entities. However, Chinese law has yet to determine whether the separation alone is sufficient or if other safeguards are necessary. We are inclined to believe that separated legal entities alone are insufficient, and these digital healthcare companies may need to develop a rather complex internal compliance controls programme to prevent the channelling of questionable values among their business units and subsidiaries. This programme may implement against the economic notion of optimal efficiency, which drives the integration of business models, but it seems to be a cost that these companies need to assume.
8/F, Aurora Plaza
99 Fucheng Road
Pudong New District
Shanghai 200120
PR China
+86 21 2043 7550
luj@shihuilaw.com https://www.shihuilaw.com/