Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.
    3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    10.1 What are the requirements?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
    11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Depending on the purpose and utility of the digital health app, it could be considered as a medical device or a product.

a. If the relevant digital health app is used for medical purposes, then it can be considered a medical device in China.

To be specific, according to Article 103 of the Regulations on Supervision and Administration of Medical Devices (2024), medical devices refer to instruments, equipment, appliances, in vitro diagnostic reagents and calibrators, materials, and other similar or related items used directly or indirectly on the human body, including the required computer software. Their utility is mainly obtained through physical methods, etc., and not through pharmacology, immunology or metabolism, or, where these methods are involved, they play only a supporting role. Their purpose is:

  • Diagnosis, prevention, monitoring, treatment or alleviation of diseases;
  • Injury diagnosis, monitoring, treatment, mitigation or functional compensation;
  • Inspection, substitution, adjustment or support of physiological structure or physiological process;
  • Life support or maintenance;
  • Pregnancy control;
  • Provide information for medical or diagnostic purposes by examining samples from the human body.

Under the Rules for Medical Device Classification (2015), independent software is classified as an “active non-contact medical device”. Independent software is defined as software that is designed to achieve one or more medical purposes, that can accomplish its intended purpose without the need for medical device hardware, and that runs on a general computing platform. According to the Guidelines for Technical Review of Mobile Medical Device Registration (2017) (“Mobile Medical Device Guidelines”), mobile medical devices refer to equipment and/or software that uses non-invasive mobile computing terminals to achieve one or more medical purposes. According to the Guidelines, mobile medical devices can include handheld (such as tablet computers, portable computers, smart phones, etc.), wearable (such as smart glasses, smart watches, etc.), and hybrid (combination of handheld and wearable) devices.

b. Digital health apps that do not serve a medical purpose specified under Article 103 of the Regulations on Supervision and Administration of Medical Devices (2024), as detailed above, may be regulated as general digital products.

To be specific, according to the Mobile Medical Device Guidelines, “mobile computing devices or software that are expected to be used for health management, targeting healthy people and recording statistical health information do not have a medical purpose and are not considered as medical devices.”

Additionally, according to the Classification Catalogue of Medical Devices (2018), if the content managed by medical information management software is patient information and other content that is not related to medical diagnosis and/or treatment, and the software for the telemedicine consultation system does not contain medical images or data, they will not be regulated as medical devices. 

c. See above. Medical device liability attaches to the app/software only when it is used for one or more medical purposes.

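2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.

Yes. An exemplary list of laws and regulations is as follows.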

Because the app/software is considered a medical device, laws and regulations concerning medical devices may be relevant, such as the following:

  • Administrative Measures for the Registration and Record-filing of Medical Devices (2021);
  • Administrative Measures for Medical Device-Related Adverse Event Monitoring and Re-evaluation (2019);
  • Measures for the Supervision and Administration of Online Sales of Medical Devices (2018);
  • Measures for the Supervision and Administration of Medical Device Production (2022);
  • Measures for the Supervision and Administration of Medical Device Operation (2022);
  • Medical Device Standards Management Measures (2017);
  • Medical Device Recall Management Measures (2017);
  • Medical Device Clinical Trial Quality Management Specifications (2022);
  • General Nomenclature Rules for Medical Device (2016);
  • Measures for the Supervision and Administration of the Use of Medical Devices (2016);
  • Medical Device Instructions and Label Management Regulations (2014);
  • Measures for the Administration of Medical Device Advertising (1992);
  • Interim Administrative Measures for Censorship of Advertisements for Drugs, Medical Devices, Dietary Supplements and Foods for Special Medical Purpose (2020);
  • Measures for the Administration of Inspection and Supervision of the Imported Medical Instruments (2007);
  • The Catalogue of Medical Device Classification (revised in 2023);
  • Appendix on Standalone Software to the Good Manufacturing Practice for Medical Devices (2020);
  • Guidelines for Technical Review of Medical Device Network Security Registration (2022);
  • Code for Information and Digital Construction of Traditional Chinese Medicine Hospitals (2024); and
  • Regulations on Supervision and Administration of Medical Devices (revised in 2024).

Other laws and regulations concerning cybersecurity and data protection include the following:

  • Personal Information Protection Law of the People's Republic of China (2021);
  • Data Security Law of the People's Republic of China (2021);
  • Measures on Security Assessment for Cross-border Data Transfer (2022);
  • Regulation on Protecting the Security of Critical Information Infrastructure (2021);
  • Measures for the Standard Contract for Cross-border Transfer of Personal Information (2023);
  • Provisions on the Administration of Information Services of Mobile Internet Apps (2022);
  • Provisions on Promoting and Regulating Cross-border Flow of Data;
  • Regulation on Network Data Security Management (2024);
  • Administrative Measures on Health Care Institutions Network Security (2022);
  • Information Security Technology--Health and Medical Information Security Guidelines (2021);
  • Announcement on launching a special governance for the collection and use of personal information in violation of laws and regulations by Apps (2019);
  • The Practical Guide to Cyber Security Standards: Guide to Self-evaluation of Collection and Use of Personal Information by Mobile Internet Applications (Apps) (2020);
  • The Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (2019);
  • Population Health Information Management Measures (For Trial Implementation) (2014);
  • Cybersecurity Law (2017);
  • Information Security Technology--Personal Information Security Specification (2020);
  • National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018);
  • Guidelines for the Security Protection of Internet Personal Information (2019);
  • Cyber Security Review Measures (2020); and
  • Civil Code (2021) (especially Articles 1032-1039 related to Privacy and Personal Information Protection and Article 1226).

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

No, the current legal regime in China focuses on where the personal data is stored (i.e., where the servers are located) instead of whether the data subjects (i.e. residents using the software) are located within or outside of the jurisdiction.  This is because the current focus of the legal regime is the outbound transfer of personal data, and it emphasizes that servers storing certain types of health and medical data of an individual shall be located in China.

According to Article 30 of the National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018), health and medical big data (which, according to Article 4, refers to health and medical related data generated in processes such as treating or preventing diseases and health management) should be stored on domestic servers. If it is really necessary to provide it overseas due to business needs, a safety assessment review shall be conducted in accordance with relevant laws, regulations and requirements.

According to Article 10 of the Population Health Information Management Measures (For Trial Implementation) (2014), population health information must not be stored on overseas servers and must not be hosted on, or on leased, servers outside the country.

Further Explanation

According to Cybersecurity Law (2017) Article 2, if the servers are located within the territory of mainland China, then Chinese data protection laws apply.  Therefore, insofar as data protection laws are concerned, the location of the server of the app/software matters, not the location of the users.

In addition, when personal data needs to be transferred outside of China, the Personal Information Protection Law (“PIPL”) mandates certain compliance measures.  Depending on the amount and sensitivity of personal data being transferred, before transferring personal data abroad, the data handler (i.e. the organisation or individual that independently decides the purposes and methods of data processing) shall be responsible for filing the standard contract signed with the foreign recipients or applying for the security assessment with the regulator.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

It matters whether it is a “B2B” or “B2C” service in regard to the procedure for collecting personal information or sensitive personal information from the users.

For the collection of medical data that constitutes personal information, the PIPL requires that the collection have a lawful basis, such as consent, contractual necessity, HR management necessity, statutory obligations, etc. When sensitive personal information is collected and consent (rather than another basis) is the lawful basis, separate consent should also be obtained. Moreover, if the software is hosted on a server outside China but collects personal information from natural persons for the purpose of providing a service to natural persons within China, it will also be subject to the PIPL even though it is hosted on servers outside China. In the case of indirect collection (“B2B”), the personal information provider shall be required to explain the source of the personal information and confirm its legality, and at the same time shall understand the scope of authorisation and consent that has been obtained for processing the personal information.

4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

An additional requirement to obtain consent from individual users for enabling this functionality may apply. Whether consent is needed depends on whether use of the functionality is necessary for the performance of the contract that the app provider entered into with the users. If it is necessary for contract performance, no additional consent is required. However, if it is not necessary for contract performance, the app provider must obtain separate consent from the users.

Separate consent may be required because trajectory information (i.e. continuous trajectory information formed by an individual due to the movement and changes in their specific geographical location, activity location, and activity trajectory over a certain period of time) is considered sensitive personal information. Processing sensitive personal information requires obtaining separate consent from the data subject if consent is the only lawful basis for processing such information. It should be noted that whilst there are lawful bases other than consent for processing personal information under Article 13 of the PIPL, such as legal obligations or protecting the life of the individual, we believe that only contract necessity is relevant in this context. Therefore, we do not address the other bases here.

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

In the above-mentioned situation, whether the physicians' liability can be limited or transferred depends on the following factors:

  1. Whether physicians use digital health apps within the legal framework
    Currently, Chinese law imposes several restrictions on physicians relying on digital health apps for diagnosis and treatment. For example, the use of artificial intelligence and automated prescription generation is strictly prohibited. If a physician violates mandatory legal provisions and a medical accident occurs due to reliance on digital health apps, it may be considered malpractice under the Medical Accident Handling Regulations. In this case, regardless of whether the accident was caused by the digital health app itself, the hospital will be held civilly liable to the patient. In severe cases, the responsible hospital and medical personnel may bear administrative responsibility (such as suspension or revocation of medical licences) or even criminal responsibility (such as the crime of medical malpractice).
  2. In cases where physicians use digital health apps legally, there are no clear provisions in Chinese law regarding the limitation or transfer of physicians' liability.  Therefore, there is no definite answer.  However, the following are mainstream viewpoints that may influence future legislation:
    1. Currently, China still views digital health apps, including AI-based apps, as tools to assist medical staff in diagnosis and treatment activities.  As such, they do not have independent legal person status and are considered legal objects.  Therefore, in any case, liability will not be transferred to the app itself.
    2. If the damage is caused by a defect in the digital health app product itself, the producer or designer of the app should bear the liability for damages resulting from the product defect. Product defects may include manufacturing defects, design defects, or deficiencies in warnings and instructions.
    3. If the damage results from improper medical procedures, the medical institution will bear the liability for damages caused by the physician's fault in using the digital health app during diagnosis and treatment.  Improper medical procedures may include the physician issuing improper instructions or the medical institution failing to conduct regular maintenance or repairs.
    4. When a medical accident is caused by both improper medical procedures and a product defect, liability for damages will be determined based on the relative cause and contribution of each factor.
  3. As for the allocation of liability between producers and designers in product liability cases, Chinese law does not provide clear provisions.  However, the mainstream view is that since software designers play a key role in the creation of digital health apps, they should be included as responsible parties in product liability cases and should have the same legal standing as traditional producers.

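6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

The enforcement mechanism includes a check by the regulatory authority.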

For non-compliance with the administrative regulations, an administrative penalty can be imposed including warnings, fines, imprisonment, suspension of licences and revocation of licences, and enjoining from participation in the market.

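7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

There are presently many legal developments relevant to digital health apps/software that are in draft form or under consideration.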

For example:

At the national level:

  • Guidelines for Definition and Classification of Digital Therapeutic Software Products in the Rehabilitation Category (Draft for Comments) (2025);
  • Code of Practice for the Quality Management of Medical Device Manufacturing (Draft Revision for Comment). 

Furthermore, the General Office of the State Council has published Opinions on Comprehensively Deepening the Reform of Drug and Medical Device Regulation to Promote the High-Quality Development of the Pharmaceutical Industry (No.53 [2024] of the General Office of the State Council), in which it emphasises the establishment of research groups on the standardisation of cutting-edge medical devices such as artificial intelligence and medical robots, and the promotion of the use of innovative drugs and medical devices. We believe that these opinions will soon be reflected in legislative plans or drafts.

At the provincial level:

  • Full Chain of Initiatives in Support of the High-quality Development of Innovative Medical Devices (Zhejiang Province, 2024): authorising public healthcare data applications, strengthening AI-driven drug and medical device R&D, and opening public data related to new drugs.
  • Several Measures to Support the High-Quality Development of Innovative Medicine (Beijing, 2025):  carry out training on a large model of medicine and health based on scenarios like Internet medical care; and explore the underlying architecture of the blockchain and smart contract technology to support the convenient flow of data across borders.
  • Several Measures of Shanghai Municipality to Further Improve the Multiple Payment Mechanism to Support the Development of Innovative Medicines and Devices (Shanghai, 2024):  relying on the city’s big data centre platform, exploring information sharing, and the application of big data in health insurance.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The Health Administration Department of the State Council, also known as the National Health Commission (NHC), is in charge of the regulation and oversight of physicians in China, with the assistance of relevant departments of the State Council such as education, human resources and social security, and traditional Chinese medicine (TCM).  The health administrative department of the local people’s government at or above the county level is responsible for the management of the work of physicians in the administrative area.

9. What laws and/or regulations apply to physicians regarding telemedicine?

The relevant regulations are as follows:

  • Law of the People’s Republic of China on Medical Practitioners (2022);
  • Opinions on Promoting Telemedicine Services in Medical Institutions (2014);
  • Notice on Strengthening the Management of Telemedicine Consultation (1999);
  • Telemedicine Service Management Specifications (For Trial Implementation) (2018);
  • Technical Guidelines for the Construction of Telemedicine Information System (2014);
  • Internet Diagnosis and Treatment Management Measures (For Trial Implementation) (2018);
  • Regulation of Internet-based Diagnosis and Medical Treatment (2022);
  • Internet Hospital Management Measures (For Trial Implementation) (2018);
  • Administrative Measures for Online Drug Information Service (2017);
  • Administrative Measures for Medical Alliances (for Trial Implementation) (2020);
  • Interim Provisions on the Examination and Approval of Online Drug Transaction Services;
  • Internet Hospital Management Measures (For Trial Implementation) (2005); and
  • Civil Code (2021) (especially Articles 1218-1228 related to medical malpractice liability).

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

Yes. 

10.1 What are the requirements?

Only licensed medical institutions can implement remote medical services and conduct remote consultation and remote diagnosis. Practising physicians can only provide telemedicine services through the information technology platform or communication channels set by medical institutions, and the practising physicians who actually provide medical services should generally have more than three years of experience.

According to the Telemedicine Service Management Specifications (For Trial Implementation), only two modes of “telemedicine” qualify as legal “telemedicine”:

  • in the first mode, medical institution A directly sends an invitation to medical institution B. Medical institution B uses information technology such as communication, computer and network technology to provide technical support for the medical activities of diagnosing and treating patients in medical institution A; or
  • in the second mode, medical institution A or a third-party platform establishes an information technology platform (“information platform”). After other medical institutions register on the information platform, medical institution A publishes its needs there. Other medical institutions proactively respond by providing technical support for the medical activities for patients in medical institution A.

The scope of telemedicine service items is limited by law. According to the Opinions on Promoting Telemedicine Services in Medical Institutions, telemedicine service items include remote pathological diagnosis, remote medical imaging (including imaging, ultrasound, nuclear medicine, electrocardiogram, electromyography, electroencephalogram, etc.) diagnosis, remote monitoring, remote consultation, remote outpatient, remote case discussion, and other items specified by the health and family planning administrative departments at or above the provincial level. In other words, apart from the above seven types of medical services, any other medical-related activities, such as remote medical teaching or remote surgery, must not be carried out remotely.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

Yes. The use of telemedicine is limited to some common diseases and chronic diseases after the first diagnosis and treatment. To be more specific, the patient’s first diagnosis and treatment shall be carried out by a physical consultation in a medical institution. Telemedicine can only be conducted during the follow-up visit. When a patient’s condition changes and requires medical personnel to perform an in-person examination, the medical institution and its medical personnel shall immediately terminate the internet diagnosis and treatment activities and refer the patient to a physical medical institution for treatment.

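11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Physicians are required to explain the contents, expenses and other logistics of telemedicine, obtain the written consent of patients, and sign the letter of informed consent for telemedicine.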

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

The Telemedicine Service Management Specifications (For Trial Implementation) clearly stipulate that if a patient raises a claim due to telemedicine services, the inviting party’s medical institution shall bear the corresponding legal responsibilities in the case of a remote consultation; in the case of a remote diagnosis, the inviting party and the invited party jointly assume the corresponding legal responsibilities.

However, the Telemedicine Service Management Specifications (For Trial Implementation) does not mention whether third-party platforms need to be held responsible for “misdiagnosis” caused by information platforms, such as cases where patients are harmed due to technical errors in the transmission of pathological information.  It generally states that medical institutions shall enter into cooperation agreements with third-party platforms and agree on risks of medical damage and sharing of responsibilities.

The rights, responsibilities and procedures in the service process of “remote consultation” and “remote diagnosis” are subject to the cooperation agreement of all parties involved in telemedicine services.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Yes. Medical institutions shall strictly abide by the “Prescription Management Measures” and other prescription management regulations when conducting internet diagnosis and shall not issue prescriptions for special management drugs such as narcotic drugs and psychotropic drugs. Physicians can make online prescriptions for patients with common and chronic diseases and can entrust qualified third-party agencies to deliver them. 

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

This is unclear. The existing regulations do not set out clear and unified rules on the charges for telemedicine services; however, it is expected that, in the future, the cost of telemedicine services will be covered by the state’s medical insurance.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

Yes. The Technical Guidelines for the Construction of Telemedicine Information System require that the telemedicine service network be served by at least two network providers in order to maintain network security and data security.

In addition, the Telemedicine Service Management Specifications (For Trial Implementation) require all parties involved in the operation of telemedicine to strengthen information security and patient privacy protection, prevent illegal transmission and modification, prevent data loss, establish data security management protocols, and ensure network security, operational security, data security, and privacy security.

15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Considering that most regulations related to telemedicine have only been released in the past 5 years, there are no new regulations to be released for the time being. However, individual provinces are in the process of developing and implementing more detailed regulations based on national laws, and the development and implementation of these regulations is worth watching.