Compliance of foreign investments in Chinese healthcare big data

This column analyzes briefly, but comprehensively, the issue of compliance in foreign investments in Chinese healthcare big data from three major aspects – investment access, investment method and engagement in business.

Compliance in investment access. Pursuant to current Chinese laws, the healthcare big data analysis industry is open to foreign investments. As this industry is not listed in the 2018 version of the Special Administrative Measures for Access by Foreign Investors (Negative List), there are no marked system obstacles to foreign investments in the healthcare big data sector, unless otherwise prohibited. In fact, under China’s current legal framework, there is no legislation that expressly forbids foreign investments in the healthcare big data analysis industry.

Compliance of investment method. Notwithstanding the feasibility at the level of laws, domestic policymakers have consistently taken a relatively conservative stance on the selection of partners. Foreign-invested enterprises and enterprises with a foreign background may, in practice, be excluded from cooperation with public hospitals. However, foreign capital may take indirect means to realize investments in the Chinese healthcare big data industry. Through publicly available information, it is clear that certain domestic oncology data platforms have absorbed foreign investment in online platforms engaged in oncology big data collection and processing by using a VIE structure.

Compliance in gathering, managing and applying healthcare big data during business operation. In 2016, the State Council issued the Healthy China 2030 Blueprint, which sets forth general requirements for the development of a system of regulations and standards relating to healthcare big data. Consistent with the blueprint, current legislation relating to healthcare big data also aims to establish a system of rules for the gathering and use of healthcare big data from several key perspectives, such as national interests, public safety, patient privacy and personal information protection, and protection of trade secrets.

These laws, regulations and policy documents include the Cybersecurity Law, the Guiding Opinions of the General Office of the State Council on Promoting and Regulating the Development of the Application of Healthcare Big Data, the Administrative Measures for Population Health Information (for Trial Implementation), the Administrative Provisions for the Patient Files of Medical Institutions (2013 version), the Administrative Code for the Application of Electronic Patient Files (for Trial Implementation), the Specifications for Electronic Patient File System Functions (for Trial Implementation), the Administrative Measures for Prescriptions, the Administrative Measures for Online Information Services (as amended in 2011), the Guiding Opinions for the Classified Protection of Hygiene Industry Information Security, the Administrative Measures for Online Diagnostics (for Trial Implementation) (Draft for Comment), the General Provisions of the Civil Code, the Criminal Law, the Tort Liability Law, etc.

Pursuant to these laws, regulations and policy guidelines, when a foreign entity invests in the healthcare big data sector and engages in business, it is required to satisfy the following basic requirements:

Firstly, the healthcare big data analysis industry, as a for-profit online information service, is required to have a business development plan and the relevant security technology support capabilities, while taking sound network and information security safeguards, including website security safeguards, information security and confidentiality management system and user information security management system. These are to meet the regulator’s testing, assessment and review of the reliability, controllability and security of healthcare big data platforms and service providers.

Secondly, as healthcare big data involves the security of national or regional population health information, when a foreign entity invests in this sector, it is required, in accordance with the requirements of the state’s system for the classified protection of information security, to strengthen development of system security safeguard systems relating to population health information, formulate security management systems, operational rules and technical specifications, and establish a trace management system. Any user that creates, revises or accesses population health information is required to pass strict real-name identity authentication and authorization control, in a way that such user’s acts are manageable, controllable and traceable.

Thirdly, enterprises possessing healthcare big data have both the right and the obligation to protect their data assets effectively. Current Chinese laws are not clear on the issue of the ownership of healthcare big data, but enterprises investing in healthcare big data may still consider three major existing means to protect their data assets, namely protecting their rights in accordance with laws on copyright in databases, on trade secrets and on unfair competition.

Fourthly, a foreign entity that wishes to invest in healthcare big data may be subject to certain restrictions on internet business models, e.g., restrictions related to value-added telecommunication service permits.

Lastly, as non-medical institutions may not review or borrow medical records (including electronic records), a foreign-invested enterprise that wishes to obtain healthcare big data may need to enter into a cooperation deal with a medical institution. Considering that medical data provided by medical institutions must have been processed, anonymized and not be capable of restoration, when investing in this sector a foreign entity should actively participate in the work of de-identification and anonymization of healthcare big data.

Something else that should be noted: According to the Information Security Technology, Personal Information Security Specification, the information after anonymization does not belong to Personal Information; however, given such specification’s legal effect, there may still be restrictions under Chinese laws on such information, regarding the transmission of such data abroad. Also, if a Chinese party cooperates with a foreign entity in collecting human genetic resources (including related information) or transmitting such resources (including related information) abroad, it must secure the approval of the Human Genetic Resource Administration of China to do so.

As one possible means of circumventing the cross-border transmission of data, consideration may be given to not transmitting the data themselves, but, instead, permit the remote transmission of search instructions, followed by the reporting abroad of the search results on completion of the domestic database search. This practice exists in the foreign healthcare big data sector.

Amy Ye is a senior partner and Brian Dong is an associate at AllBright Law Offices. Hu Qiuyin, a legal assistant at AllBright, also contributed to this article