Digital health apps and telemedicine in China

  1. Digital Health Apps/Software
    1. 1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. 2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    3. 3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 
    4. 4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. 5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 
    6. 6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. 7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    1. 8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    2. 9. What laws and/or regulations apply to physicians regarding telemedicine?
    3. 10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    4. 11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    5. 12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    6. 13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 
    7. 14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    8. 15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Digital health apps/software can be considered a medical device in China if it is used for medical purposes

According to Article 76 of the Regulations on Supervision and Administration of Medical Devices (2017), medical devices refer to instruments, equipment, appliances, in vitro diagnostic reagents and calibrators, materials, and other similar or related items used directly or indirectly on the human body, including the required computer software; their utility is mainly obtained through physical methods, etc. It is not obtained through pharmacology, immunology or metabolism, although these methods are involved but only play a supporting role; its purpose is:

  • Diagnosis, prevention, monitoring, treatment or alleviation of diseases;
  • Injury diagnosis, monitoring, treatment, mitigation or functional compensation;
  • Inspection, substitution, adjustment or support of physiological structure or physiological process;
  • Life support or maintenance;
  • Pregnancy control;
  • Provide information for medical or diagnostic purposes by examining samples from the human body.

Under the Rules for Medical Device Classification (2015), the independent software is classified as “active non-contact medical device”. The definition of independent software is software designed to achieve one or more medical purposes, that can accomplish its intended purpose without the need for medical device hardware, and that run on a general computing platform. 

According to Guidelines for Technical Review of Mobile Medical Device Registration (2017) (“Guidelines”), mobile medical devices refers to equipment and/or software that uses non-invasive mobile computing terminals to achieve one or more medical purposes. According to the Guidelines, mobile medical devices can include handheld (such as tablet computers, portable computers, smart phones, etc.), wearable (such as smart glasses, smart watches, etc.), and hybrid (combination of handheld and wearable) devices.

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

See above. Only when the app/software is used for one or more medical purposes, liability of medical device will attach to the app/software. 

Yes. An exemplary list of laws and regulations is as follows.

Because the app/software is considered a medical device, laws and regulations concerning medical devices may be relevant, such as the following:

  • Administrative Measures for the Registration of Medical Devices (2014);
  • Administrative Measures for Medical Device-Related Adverse Event Monitoring and Re-evaluation (2019);
  • Measures for the Supervision and Administration of Online Sales of Medical Devices (2018);
  • Measures for the Supervision and Administration of Medical Device Production (2017);
  • Measures for the Supervision and Administration of Medical Device Operation (2017);
  • Medical Device Standards Management Measures (2017);
  • Medical Device Recall Management Measures (2017);
  • Medical Device Clinical Trial Quality Management Specifications (2016);
  • General Nomenclature Rules for Medical Device (2016);
  • Measures for the Supervision and Administration of the Use of Medical Devices (2016);
  • Medical device instructions and label management regulations (2014);
  • Measures for the Administration of Medical Device Advertising (1992);
  • Interim Administrative Measures for Censorship of Advertisements for Drugs, Medical Devices, Dietary Supplements and Foods for Special Medical Purpose (2020);
  • Measures for the Administration of Inspection and Supervision of the Imported Medical Instruments (2007);
  • The Catalogue of Medical Device Classification (2018);
  • Appendix on Standalone Software to the Good Manufacturing Practice for Medical Devices (2020);
  • Guidelines for Technical Review of Medical Device Network Security Registration (2018).

Other laws and regulations concerning cybersecurity and data protection include the following:

  • Announcement on launching a special governance for the collection and use of personal information in violation of laws and regulations by Apps (2019);
  • The Practical Guide to Cyber Security Standards: Guide to Self-evaluation of Collection and Use of Personal Information by Mobile Internet Applications (Apps) (2020);
  • The Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (2019);
  • Population Health Information Management Measures (For Trial Implementation) (2014);
  • Cybersecurity Law (2017);
  • Information security technology-Personal information security specification (2017);
  • National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018);
  • Guidelines for the Security Protection of Internet Personal Information (2019);
  • Cyber Security Review Measures (2020);
  • Civil Code (going to be effective in 2021) (especially Articles 1032, 1034, and 1226 concerning privacy).   

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

No, as long as the collection of personal data occurs within the territory of mainland China. 

If the personal data are collected online, the “collection” occurs where the servers of the health app are located. 

According to National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018) Article 30, health and medical big data (which according to Article 4 refers to health and medical related data generated during the process such as treating or preventing diseases and health management) should be stored on domestic servers. If it is really necessary to provide it overseas due to business needs, a safety assessment review shall be conducted in accordance with relevant laws, regulations and requirements. 

According to Population Health Information Management Measures (For Trial Implementation) (2014) Article 10, population health information must not be stored on overseas servers and must not be hosted or leased in servers outside the country

According to Cybersecurity Law (2017) Article 2, if the servers are located within the territory of mainland China, then Chinese data protection laws apply. Therefore, the location of the server of the app/software matters. The location of the users does not matter.

It is worth noting that according to the Draft Guidelines for Data Cross-Border Transfer Security Assessment (2017) Section 3.2, if the servers are located outside of the territory (e.g., an individual who is physically located in mainland China visited and provided some personal data to an app hosted in another country), then Chinese data protection laws do not apply, except if the Chinese language or currency is used during the operation, the operator of the app actively advertise or market the app in China, or if goods are delivered into China. 

However, the draft has not been finalized yet.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

It matters whether it is a “B2B” or “B2C” service in regard to the procedure for collecting personal information or sensitive personal information from the users. 

For the collection of medical data that constitutes personal information, in accordance with the requirements of the Information Security Technology--Personal Information Security Specifications (2017), the consent of the person being collected should be obtained when collecting it directly (“B2C”). If collecting personal sensitive information, explicit consent should also be obtained. In the case of indirect collection (“B2B”), the personal information provider shall be required to explain the source of the personal information and confirm its legality, and at the same time shall understand the scope of authorization and consent for processing the personal information that has been obtained. 

No. According to Information Security Technology--Personal Information Security Specifications (2017), such information is considered personal information. Therefore, only consent requirements for collecting personal information are needed.

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

Currently there is no clear answer. 

However, based on our understanding, according to the answer to Q1, an app/software is considered to be a medical device. Administrative Measures for Medical Quality (2016) Article 45 stipulates that a physician or nurse shall be punished according to Laws on Medical Practitioners and Regulations on Nurses and other relevant laws and regulations, or if applicable, Criminal Law, when “using, against regulations, medical technologies that are prohibited or restricted for clinical application, or unqualified or unapproved drugs, medical devices or consumables in carrying out diagnostic and treatment activities.

Therefore, it is likely that if the app/software is considered as an unqualified or unapproved medical device, physicians will be punished for using and relying on it.

The enforcement mechanism includes a check by the regulatory authority.

For non-compliance with the administrative regulations, an administrative penalty can be imposed including warning, fines, imprisonment, suspension of licence and revocation of licence, and enjoining from participation in the market.

There are presently many legal developments relevant to digital health apps/software that are in draft form or under consideration.

For example:

  • Information Security Technology--Data Outbound Security Assessment Guidelines (Draft for Comments) (2017);
  • Critical Information Infrastructure (Draft for Comments) (2017);
  • Information Security Technology--Health and Medical Information Security Guidelines (Draft for comments) (2018);
  • Administrative Measures for Data Security (Draft for Comments) (2019);
  • Specifications for Collecting Personal Information in Mobile Internet Applications (Draft for Comments) (2020).
  • It is particularly worth noting that the Data Security Law of People’s Republic of China (“PRC”) was drafted for comment on 3 July 2020.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The health administration department of the State Council is in charge of the work of physicians nationwide. The health administrative department of the local people’s government at or above the county level is responsible for the management of the work of physicians in the administrative area.

9. What laws and/or regulations apply to physicians regarding telemedicine?

The relevant regulations are as follows:

  • Law of the People’s Republic of China on Medical Practitioners;
  • Opinions on Promoting Telemedicine Services in Medical Institutions;
  • Notice on Strengthening the Management of Telemedicine Consultation;
  • Strengthening the Support of Information Technology for the Prevention and Control of Pneumonia Outbreak Caused by Novel Coronavirus;
  • Telemedicine Service Management Specifications (For Trial Implementation);
  • Technical Guidelines for the Construction of Telemedicine Information System;
  • Internet Diagnosis and Treatment Management Measures (For Trial Implementation); and
  • The Interim Provisions on the Examination and Approval of Online Drug Transaction Services Internet Hospital Management Measures (For Trial Implementation).

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

Yes. 

10.1 What are the requirements?

Only licenced medical institutions can implement remote medical services, conduct remote consultation and remote diagnosis; practising physicians can only provide telemedicine services through the information technology platform or communication channels set by medical institutions, and the practising physicians who actually provide medical services should generally have more than three years of experience.

According to the Telemedicine Service Management Specifications (For Trial Implementation), there are only two modes of “telemedicine” that belong to legal “telemedicine”: 

  • the first mode, medical institution A directly sends an invitation to medical institution B. Medical institution B uses information technology such as communication, computer and network technology to provide technical support to medical activities for the diagnosis and treatment of patients in medical institution A; or
  • in the second mode, medical institution A or a third-party platform establishes an information technology platform (“information platform”). After other medical institutions register on these information platforms, medical institution A publishes their needs on the information platforms. Other medical institutions need to proactively respond to medical activities that provide technical support for patients in medical institution A. 

The scope of telemedicine service items is limited by law. According to the Opinions on Promoting Telemedicine Services in Medical Institutions, telemedicine service items include remote pathological diagnosis, remote medical imaging (including imaging, ultrasound, nuclear medicine, electrocardiogram, electromyography, electroencephalogram, etc.) diagnosis, remote monitoring, remote consultation, remote outpatient, remote case discussion, and other items specified by the above provincial level health and family planning administrative department. In other words, in addition to the above seven types of medical services, any other medical-related activities must not be carried out remotely, such as remote medical teaching or remote surgery.

10.2 Were there any new (time-limited) regulation regarding the Sars-CoV-2 pandemic?

Yes, the following notices have been published during the pandemic period to encourage the relevant authorities and medical institutions to better utilise telemedicine to treat patients (however, these notices have not relaxed the regulations and restrictions on telemedicine):

  • Notice on Doing a Good Job in Internet Diagnosis and Treatment Consultation Services in the Prevention and Control of the Epidemic;
  • Notice on the National Telemedicine and Internet Medical Center to Carry Out the National Remote Consultation of Severe and Critical Patients with New Coronary Pneumonia;
  • Notice on Launching Online Services to Further Strengthen Hubei Epidemic Prevention and Control Work; and
  • Guiding Opinions on Promoting the Development of “Internet +” Medical Insurance Services During the Period of Prevention and Control of the New Coronary Pneumonia Epidemic. 

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

Yes.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Yes. The use of telemedicine is limited to some common diseases and chronic diseases after the first diagnosis and treatment. To be more specific, the patient’s first diagnosis and treatment shall be carried out by a physical consultation in a medical institution. Telemedicine can only be conducted during the follow-up visit. When a patient’s condition changes and requires medical personnel to perform an in-person examination, the medical institution and its medical personnel shall immediately terminate the internet diagnosis and treatment activities and refer the patient to a physical medical institution for treatment.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

Telemedicine Service Management Specifications (For Trial Implementation) clearly stipulates that if a patient raises a claim due to telemedicine services, the inviting party’s medical institution shall bear the corresponding legal responsibilities in the remote consultation; if it is a remote diagnosis, the inviting party and the invited party jointly assume corresponding legal responsibilities.

However, the Telemedicine Service Management Specifications (For Trial Implementation) does not mention whether third-party platforms need to be held responsible for “misdiagnosis” caused by information platforms, such as cases where patients are harmed due to technical errors in the transmission of pathological information.

The rights and responsibilities, procedures, and responsibilities in the service process of “remote consultation” and “remote diagnosis” are subject to the cooperation agreement of all parties involved in telemedicine services.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Yes. Medical institutions shall strictly abide by the “Prescription Management Measures” and other prescription management regulations when conducting internet diagnosis and shall not issue prescriptions for special management drugs such as narcotic drugs and psychotropic drugs. Physicians can make online prescriptions for patients with common and chronic diseases and can entrust qualified third-party agencies to deliver them. 

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

This is unclear. The existing regulations do not make clear and unified regulations on the charges for telemedicine services; however, it is expected that, in the future, the cost for telemedicine services will be covered by the state’s medical insurance.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

Yes. The Technical Guidelines for the Construction of Telemedicine Information System requires that the telemedicine service network should have at least two network providers to provide the network to maintain network security and data security.

In July 2020, the Chinese government has issued the Administrative Measures for Medical Alliances (for Trial Implementation) for implementation as of 1 August 2020. Among others, this piece of legislation requires local government to coordinate and help set up the telemedicine collaboration networks between different medical institutions. It is expected that more detailed legislation will be issued in the near future on the management of such telemedicine collaboration networks. 

Picture of Nick Beckett
Nick Beckett
Managing Partner
Beijing
Roxie Meng
Associate
Beijing
Fan Wu
Associate and Patent Attorney
Beijing