Notice on the Promulgation of the Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)

Effective Date: 07-12-2018

Source: Cyberspace Administration of China (CAC) website

Chinese Title: 关于印发《国家健康医疗大数据标准、安全和服务管理办法（试行）》的通知

Guo Wei Gui Hua Fa [2018] No. 23

Health and family planning commissions of various provinces, autonomous regions and centrally-administered municipalities, and all subordinate bureaus of, and all departments directly under and affiliated with the National Health Commission, and the State Administration of Traditional Chinese Medicine,

In order to strengthen healthcare big data service management, promote the development of “Internet plus healthcare”, and give full play to the role of healthcare big data as an important, fundamental and strategic resource of the State, we have formulated the Administrative Measures for National Healthcare Big Data Standards, Security and Services (for Trial Implementation) (which may be downloaded from the official website of the National Health Commission) according to the relevant laws and regulations, which are hereby promulgated for your implementation.

National Health Commission

July 12, 2018

Chapter I General Provisions

Article 1 In order to strengthen healthcare big data service management, promote the development of “Internet plus healthcare”, and give full play to the role of healthcare big data as an important, fundamental and strategic resource of the State, these Measures are formulated in respect of standards, security and services management of healthcare big data in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and regulations, as well as the Action Outline of the State Council on Promoting the Development of Big Data, the Guiding Opinions on Promoting and Regulating the Development of the Application of Healthcare Big Data, the Opinions of the General Office of the State Council on Promoting the Development of “Internet plus Healthcare” and other documents.

Article 2 The healthcare and medical data of Chinese citizens generated within the territory of China will be regulated and utilized in light of the needs of the State’s strategic security and the people’s life safety on the basis of guaranteeing citizens’ right to know, right to use and personal privacy.

Article 3 We shall adhere to the principles of people orientation, innovation driving, standardization, orderly development, controllable security, openness and integration, co-construction and sharing, strengthen the standards management, security management and services management of healthcare big data, and promote the application of healthcare big data for the benefit of the people, so as promote the development of the healthcare big data industry.

Article 4 For the purpose of these Measures, “healthcare big data” refers to the data relating to healthcare generated in the course of disease prevention and control as well as health management.

Article 5 These Measures are applicable to the management of healthcare big data involved in healthcare administrative departments at or above county level (including traditional Chinese medicine authorities, the same below), various types of medical institutions at all levels, relevant entities and individuals.

Article 6 The National Health Commission (including the State Administration of Traditional Chinese Medicine) shall, in concert with other relevant authorities, make overall plans, guide, evaluate and supervise the standards management, security management and services management of national healthcare big data. The healthcare administrative departments at or above county level shall, in concert with other relevant departments, be responsible for healthcare big data management within their respective jurisdictions, and act as supervisors for the security and application management of healthcare big data within their respective jurisdictions.Various healthcare institutions at all levels and relevant entities and public institutions are responsible for the security and application management of healthcare big data.

Chapter II Standards Management

Article 7 Standards management of healthcare big data shall follow the principles of policy guidance, strengthened supervision, classified guidance and hierarchical management.

Article 8 The National Health Commission shall be responsible for making overall plans, organizing the preparation of national healthcare big data standards, supervising the application of evaluation criteria, organizing the planning for a healthcare big data standard system based on existing fundamental and general big data standards, as well as formulating and organizing the implementation of annual healthcare big data standards. Provincial health administrative departments (including provincial competent departments of traditional Chinese medicine) shall be responsible for supervising, guiding and evaluating the application of healthcare big data standards within their respective jurisdictions, as well as guiding and supervising the implementation of healthcare big data standards system within their respective provinces (autonomous regions and centrally-administered municipalities) based on the national healthcare big data standards system plan and in light of their actual local situation.

Article 9 The National Health Commission encourages medical institutions, research and education organizations, related enterprises or industrial associations, and social groups to participate in the formulation of healthcare big data standards. Citizens, corporate entities and other organizations may give advices on the formulation and revision of healthcare big data standards and submit corresponding standards project proposals.

Article 10 The National Health Commission is responsible for coordination in the implementation in a unified manner, selecting entities and persons-in-charge for drafting healthcare big data standards, and advocating the mechanism of multi-party participation and collaboration. The relevant entities shall form a collaborative group to participate in standards drafting.

Article 11 The procedures and requirements for drafting, reviewing and publishing healthcare big data standards shall be consistent with relevant national and industrial regulations.

Article 12 Health administrative departments shall strengthen the guidance and supervision on the implementation of healthcare big data standards, give full play the enthusiasm and initiative of various medical institutions at all levels, related enterprises and other market participants in applying and implementing standards, and establish a long-term management mechanism for encouraging and promoting standards application and implementation.

Article 13 Healthcare administrative departments shall establish corresponding incentive and restraint mechanisms for the production and procurement of standardized products of healthcare big data, actively promote the standardization and evaluation of healthcare big data standards, and connect their evaluation results with the review and evaluation of medical institutions. .

Article 14 The National Health Commission shall advance the standards system for technology products and service models of healthcare big data, organize the evaluation of application effects of healthcare big data standards, and organize revision or abolition of relevant standards according to evaluation results.

Article 15 The National Health Commission shall dynamically manage the development and application of healthcare big data standards based on the healthcare standards management platform, conducting dynamic monitoring for standards application of various types of medical institutions at all levels and enterprises and public institutions.

Chapter III Security Management

Article 16 Security management of healthcare big data refers to the security management in the course of data collection, storage, mining, application, operation and transmission, including the management of powers and responsibilities in national strategic security, life safety of the people, and personal information security.

Article 17 A responsible entity shall establish and improve relevant security management system, operational procedures and technical specifications, implement the “top leader” responsibility system, advance the security guarantee system, strengthen overall management and coordinated supervision, and ensure the security of healthcare big data.Security, management and use of the healthcare big data involving state secrets shall be consistent with relevant national regulations on confidentiality. A responsible entity shall establish and improve the system for management and use of the healthcare big data involving state secrets, and carry out strict management during data generation, review, registration, copy, transmission and destruction.

Article 18 A responsible entity shall take measures such as data classification, important data backup, and encryption authentication to ensure the security of healthcare big data. A responsible entity shall establish a reliable data disaster recovery and backup mechanism, conduct regular backup and recovery testing to ensure timely, complete and accurate data recovery, and achieve long-term preservation and archival management of historical data.

Article 19 A responsible entity shall, according to the requirements of the national multi-level network security protection scheme, build a reliable and safe network environment, advance the security guarantee system for healthcare big data, enhance the security protection capabilities of key information infrastructure and important information systems, and guarantee secure and controllable critical information infrastructure and core systems of healthcare big data. Healthcare medical big data centers and related information systems shall carry out rating, filing, evaluation, etc.

Article 20 Product and service providers of healthcare big data-related systems shall observe the relevant network security review system of the State, and shall not interrupt, directly or disguisedly, reasonable technical support and services. They shall also provide security and convenience for the interaction, sharing and operation of healthcare big data among different systems.

Article 21 A responsible entity shall use the relevant information of healthcare big data according to laws and regulations, provide safe information inquiry and duplication channels, and ensure citizen privacy protection and data security.

Article 22 A responsible entity shall, in accordance with the Cybersecurity Law of the People’s Republic of China, strictly control the authorization of data access and use by users of different levels, and ensure data use within the authorized scope. No entity or individual may use or distribute any healthcare big data without authorization or beyond the scope of authorization, or obtain any data by illegal means.

Article 23 A responsible entity shall establish strict electronic real-name authentication and data access control, standardize the traces management in the process of data access, use and destruction, and ensure that the access to healthcare big data is manageable and controllable and that the service management has traces in the entire process, which can be inquired and traceable. Any data leakage accidents and risks can be traced back to the relevant responsible entities and individuals.

Article 24 Security management talent training mechanism for healthcare big data shall be established and improved to ensure that relevant persons in the industry have the knowledge and skills needed for healthcare big data security management.

Article 25 A responsible entity shall establish a healthcare big data security monitoring and early warning system, establish a network security notification and emergency response linkage mechanism, do the research on data security rules and technical specifications, constantly enrich the standards and norms system relating to network security, and give priority to preventing the aggregation of data resources and potential risks of new technology applications. Major network security events shall be reported and dealt with according to relevant laws, regulations and rules.

Chapter IV Services Management

Article 26 The National Health Commission shall formulate the relevant rules and standards on the application of healthcare big data, establish the integrity mechanism and withdrawal mechanism for application of healthcare big data, and set up the security and management rules for healthcare big data mining and application.

Article 27 In respect of healthcare big data management and services, a responsible entity shall follow medical ethic principles and protect personal privacy according to laws and regulations and relevant documents.

Article 28 A responsible entity shall clarify the corresponding management departments and posts according to its needs of healthcare big data management, implement the management system of “unified hierarchical authorization, classified application management, consistent power and responsibility” according to the authorization of the State, and build the corresponding healthcare big data information system as a technical and management support.

Article 29 When collecting healthcare big data, a responsible entity shall fully implement the relevant standards and procedures of the State and the industry, and conform to the technical standards and management standards for business application, achieve unified standards, standardized terminology and accurate content, and ensure unique identity marking and consistent basic data of service and management targets in its information system. For the information collected, efforts shall be made to fully carry out information review and final examination procedures and to conduct data quality management.

Article 30 A responsible entity shall be qualified for data storage, disaster recovery and backup and security management as required by the State, and strengthen the storage management of healthcare big data. Healthcare big data shall be stored in the secure and reliable servers within the territory of China, and shall undergo security assessment and review according to relevant laws, regulations and requirements if it is necessary to provide such data abroad for business concern.

Article 31 When selecting a service provider of healthcare big data, a responsible entity shall ensure that the provider comply with national and industrial regulations and rules, is competent in carrying out the relevant regulations, systems and standards, and guaranteeing data security, and has established the systems for data security management, personal privacy protection and emergency response management.

Article 32 When a responsible entity entrusts a relevant institution to store and operate healthcare big data, the trustor and trustees shall be jointly liable for the management and security of healthcare big data. A trustee shall store, manage and operate healthcare big data according to relevant laws and regulations as well as its entrustment agreement.

Article 33 A responsible entity shall, in light of its service and management needs, update, identify, optimize and maintain healthcare big data in a timely manner to ensure the information is up-to-date, continuous, effective, high-quality and secure.

Article 34 When a responsible entity is modified, it shall transfer the healthcare big data under its management completely and safely to the institution that continues to perform its functions or the health administrative department within its jurisdiction, and shall not cause the damage, loss or leakage of healthcare big data.

Article 35 When publicizing healthcare big data, a responsible entity shall observe relevant national regulations, and shall not divulge state secrets, business secrets or personal privacy, or infringe upon the interests of the State or the public, or the legitimate rights and interests of citizens, corporate entities or other organizations.

Article 36 A responsible entity shall strengthen the use and services of healthcare big data, facilitate the standardized use of healthcare big data, and promote online inquiry of certain healthcare big data.

Article 37 The National Health Commission shall, according to national regulations on information resource sharing, establish a mechanism for openness and sharing of healthcare big data, strengthen the sharing and exchange of healthcare big data, and build a reporting system platform, an information resources catalogue system and a sharing and exchange system of healthcare big data.

Chapter V Supervision and Administration

Article 38 A health administrative department shall strengthen supervision and management, carry out routine inspections on the security management of healthcare big data of the responsible entities within its jurisdiction, guide and supervise the comprehensive use of data by the responsible entities within its jurisdiction, improve the quality of data services and ensure security. All kinds of medical institutions at all levels shall connect with the corresponding regional platforms of national health information, transmit and backup the data generated during healthcare services, and provide the monitoring ports to the health administrative departments.

Article 39 A health administrative department shall strengthen monitoring and evaluation, regularly carry out the stability and security assessment for healthcare big data platforms and service providers, and the security monitoring and assessment for healthcare big data application, as well as establish software assessment and security review and confidentiality systems such as network security protection, system interconnection and sharing, and citizen privacy protection.

Article 40 A health administrative department shall, in concert with other relevant departments, establish an accountability system for security management of healthcare big data. Entities and individuals that have violated these Measures will be subject to regulatory talks, supervised rectification, warning, publicized criticism, penalties or penalty suggestions by competent authorities in light of the seriousness of the circumstances. If it constitutes an illegal act, it shall be transferred to the judicial authority for legal liability according to law.

Chapter VI Supplementary Provisions

Article 41 These Measures shall take effect as of the date of promulgation.