Digital health apps and telemedicine in China

  1. Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Depending on the purpose of the digital health app, it could be considered as a medical device or a product.

(a) If the relevant digital health app is used for medical purposes, then it can be considered a medical device in China. 

To be specific, according to Article 103 of the Regulations on Supervision and Administration of Medical Devices (2021), medical devices refer to instruments, equipment, appliances, in vitro diagnostic reagents and calibrators, materials, and other similar or related items used directly or indirectly on the human body, including the required computer software. Their utility is obtained mainly through physical methods and the like, not through pharmacology, immunology or metabolism; where such methods are involved, they play only a supporting role. Their purpose is:

  • Diagnosis, prevention, monitoring, treatment or alleviation of diseases;
  • Injury diagnosis, monitoring, treatment, mitigation or functional compensation;
  • Inspection, substitution, adjustment or support of physiological structure or physiological process;
  • Life support or maintenance;
  • Pregnancy control;
  • Provision of information for medical or diagnostic purposes by examining samples from the human body.

Under the Rules for Medical Device Classification (2015), independent software is classified as an “active non-contact medical device”. Independent software is defined as software that is designed to achieve one or more medical purposes, can accomplish its intended purpose without the need for medical device hardware, and runs on a general computing platform.

According to the Guidelines for Technical Review of Mobile Medical Device Registration (2017) (“Mobile Medical Device Guidelines”), mobile medical devices refer to equipment and/or software that uses non-invasive mobile computing terminals to achieve one or more medical purposes. According to the Guidelines, mobile medical devices can include handheld (such as tablet computers, portable computers, smart phones, etc.), wearable (such as smart glasses, smart watches, etc.), and hybrid (combination of handheld and wearable) devices.

(b) Digital health apps that do not serve a medical purpose specified under Article 103 of the Regulations on Supervision and Administration of Medical Devices (2021), as detailed above, may be regulated as general digital products.

To be specific, according to the Mobile Medical Device Guidelines, “mobile computing devices or software that are expected to be used for health management, targeting healthy people and recording statistical health information, do not have a medical purpose and are not considered as medical devices.”

(c) See above. Only when the app/software is used for one or more medical purposes will medical device liability attach to the app/software.

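2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.

Yes. An exemplary list of laws and regulations is as follows.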

Because the app/software is considered a medical device, laws and regulations concerning medical devices may be relevant, such as the following:

  • Administrative Measures for the Registration and Record-filing of Medical Devices (2021);
  • Administrative Measures for Medical Device-Related Adverse Event Monitoring and Re-evaluation (2019);
  • Measures for the Supervision and Administration of Online Sales of Medical Devices (2018);
  • Measures for the Supervision and Administration of Medical Device Production (2022);
  • Measures for the Supervision and Administration of Medical Device Operation (2022);
  • Medical Device Standards Management Measures (2017);
  • Medical Device Recall Management Measures (2017);
  • Medical Device Clinical Trial Quality Management Specifications (2022);
  • General Nomenclature Rules for Medical Device (2016);
  • Measures for the Supervision and Administration of the Use of Medical Devices (2016);
  • Medical Device Instructions and Label Management Regulations (2014);
  • Measures for the Administration of Medical Device Advertising (1992);
  • Interim Administrative Measures for Censorship of Advertisements for Drugs, Medical Devices, Dietary Supplements and Foods for Special Medical Purpose (2020);
  • Measures for the Administration of Inspection and Supervision of the Imported Medical Instruments (2007);
  • The Catalogue of Medical Device Classification (2022);
  • Appendix on Standalone Software to the Good Manufacturing Practice for Medical Devices (2020);
  • Guidelines for Technical Review of Medical Device Network Security Registration (2022).

Other laws and regulations concerning cybersecurity and data protection include the following:

  • Personal Information Protection Law of the People's Republic of China (2021);
  • Data Security Law of the People's Republic of China (2021);
  • Measures on Security Assessment for Cross-border Data Transfer (2022);
  • Administrative Measures on Health Care Institutions Network Security (2022);
  • Regulations on Supervision and Administration of Medical Devices (2021);
  • Information Security Technology--Health and Medical Information Security Guidelines (2021);
  • Announcement on launching a special governance for the collection and use of personal information in violation of laws and regulations by Apps (2019);
  • The Practical Guide to Cyber Security Standards: Guide to Self-evaluation of Collection and Use of Personal Information by Mobile Internet Applications (Apps) (2020);
  • The Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (2019);
  • Population Health Information Management Measures (For Trial Implementation) (2014);
  • Cybersecurity Law (2017);
  • Information security technology-Personal information security specification (2020);
  • National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018);
  • Guidelines for the Security Protection of Internet Personal Information (2019);
  • Cyber Security Review Measures (2020);
  • Civil Code (going to be effective in 2021) (especially Articles 1032, 1034, and 1226 concerning privacy).   

3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

No, as long as the collection of personal data occurs within the territory of mainland China. 

If the personal data are collected online, the “collection” occurs where the servers of the health app are located. 

According to National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018) Article 30, health and medical big data (which according to Article 4 refers to health and medical related data generated during the process such as treating or preventing diseases and health management) should be stored on domestic servers. If it is really necessary to provide it overseas due to business needs, a safety assessment review shall be conducted in accordance with relevant laws, regulations and requirements. 

According to Population Health Information Management Measures (For Trial Implementation) (2014) Article 10, population health information must not be stored on overseas servers and must not be hosted on or leased from servers outside the country.

According to Cybersecurity Law (2017) Article 2, if the servers are located within the territory of mainland China, then Chinese data protection laws apply. Therefore, the location of the server of the app/software matters. The location of the users does not matter.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

It matters whether it is a “B2B” or “B2C” service in regard to the procedure for collecting personal information or sensitive personal information from the users. 

For the collection of medical data that constitutes personal information, in accordance with the requirements of the Personal Information Protection Law (“PIPL”), the collection of personal information shall have a lawful basis, such as consent, contractual necessity, HR management necessity, statutory obligations, etc. If sensitive personal information is collected, separate consent should also be obtained. Moreover, if the software is hosted on a server outside China but collects personal information from natural persons for the purpose of providing services to natural persons within China, it will also be subject to the PIPL even though it is hosted on servers outside China. In the case of indirect collection (“B2B”), the personal information provider shall be required to explain the source of the personal information and confirm its legality, and at the same time shall understand the scope of authorisation and consent for processing the personal information that has been obtained.

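4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

No. According to the Personal Information Protection Law of the People's Republic of China (2021), such information is considered personal information. Therefore, only consent requirements for collecting personal information are needed.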

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

Currently there is no clear answer. 

However, based on our understanding, according to the answer to Q1, an app/software is considered to be a medical device. Administrative Measures for Medical Quality (2016) Article 45 stipulates that a physician or nurse shall be punished according to Laws on Medical Practitioners and Regulations on Nurses and other relevant laws and regulations, or if applicable, Criminal Law, when “using, against regulations, medical technologies that are prohibited or restricted for clinical application, or unqualified or unapproved drugs, medical devices or consumables in carrying out diagnostic and treatment activities”.

Therefore, it is likely that if the app/software is considered as an unqualified or unapproved medical device, physicians will be punished for using and relying on it.

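6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

The enforcement mechanism includes a check by the regulatory authority.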

For non-compliance with the administrative regulations, an administrative penalty can be imposed including warnings, fines, imprisonment, suspension of licences and revocation of licences, and enjoining from participation in the market.

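7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

There are presently many legal developments relevant to digital health apps/software that are in draft form or under consideration.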

For example:

  • Specifications for Collecting Personal Information in Mobile Internet Applications (Draft for Comments) (2022);
  • Interim Administrative Provisions on Personal Information Protection by Mobile Internet Applications (Draft for Comments) (2021);
  • Information Security Technology—Personal Information Processing Management Guide for Apps of Smart Mobile Terminals (Draft for Comments) (2022).

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The health administration department of the State Council is in charge of the work of physicians nationwide. The health administrative department of the local people’s government at or above the county level is responsible for the management of the work of physicians in the administrative area.

9. What laws and/or regulations apply to physicians regarding telemedicine?

The relevant regulations are as follows:

  • Law of the People’s Republic of China on Medical Practitioners (2022);
  • Opinions on Promoting Telemedicine Services in Medical Institutions (2014);
  • Notice on Strengthening the Management of Telemedicine Consultation (1999);
  • Telemedicine Service Management Specifications (For Trial Implementation) (2018);
  • Technical Guidelines for the Construction of Telemedicine Information System (2014);
  • Internet Diagnosis and Treatment Management Measures (For Trial Implementation) (2018);
  • Regulation of Internet-based Diagnosis and Medical Treatment (2022);
  • Internet Hospital Management Measures (For Trial Implementation) (2018);
  • Administrative Measures for Online Drug Information Service (2017);
  • Administrative Measures for Medical Alliances (for Trial Implementation) (2020); and
  • Interim Provisions on the Examination and Approval of Online Drug Transaction Services (2005).

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

Yes. 

10.1 What are the requirements?

Only licenced medical institutions can implement remote medical services, conduct remote consultation and remote diagnosis; practising physicians can only provide telemedicine services through the information technology platform or communication channels set by medical institutions, and the practising physicians who actually provide medical services should generally have more than three years of experience.

According to the Telemedicine Service Management Specifications (For Trial Implementation), there are only two modes of “telemedicine” that belong to legal “telemedicine”: 

  • in the first mode, medical institution A directly sends an invitation to medical institution B. Medical institution B uses information technology such as communication, computer and network technology to provide technical support to medical activities for the diagnosis and treatment of patients in medical institution A; or
  • in the second mode, medical institution A or a third-party platform establishes an information technology platform (“information platform”). After other medical institutions register on these information platforms, medical institution A publishes their needs on the information platforms. Other medical institutions need to proactively respond to medical activities that provide technical support for patients in medical institution A. 

The scope of telemedicine service items is limited by law. According to the Opinions on Promoting Telemedicine Services in Medical Institutions, telemedicine service items include remote pathological diagnosis, remote medical imaging (including imaging, ultrasound, nuclear medicine, electrocardiogram, electromyography, electroencephalogram, etc.) diagnosis, remote monitoring, remote consultation, remote outpatient, remote case discussion, and other items specified by the health and family planning administrative departments at or above the provincial level. In other words, apart from the above seven types of medical services, no other medical-related activities, such as remote medical teaching or remote surgery, may be carried out remotely.

10.2 Were there any new (time-limited) regulations regarding the SARS-CoV-2 pandemic?

Yes, the following notices have been published during the pandemic period to encourage the relevant authorities and medical institutions to better utilise telemedicine to treat patients (however, these notices have not relaxed the regulations and restrictions on telemedicine):

  • Notice on Doing a Good Job in Internet Diagnosis and Treatment Consultation Services in the Prevention and Control of the Epidemic;
  • Notice on the National Telemedicine and Internet Medical Center to Carry Out the National Remote Consultation of Severe and Critical Patients with New Coronary Pneumonia;
  • Notice on Launching Online Services to Further Strengthen Hubei Epidemic Prevention and Control Work; and
  • Guiding Opinions on Promoting the Development of “Internet +” Medical Insurance Services During the Period of Prevention and Control of the New Coronary Pneumonia Epidemic. 

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

Yes.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Yes. The use of telemedicine is limited to some common diseases and chronic diseases after the first diagnosis and treatment. To be more specific, the patient’s first diagnosis and treatment shall be carried out by a physical consultation in a medical institution. Telemedicine can only be conducted during the follow-up visit. When a patient’s condition changes and requires medical personnel to perform an in-person examination, the medical institution and its medical personnel shall immediately terminate the internet diagnosis and treatment activities and refer the patient to a physical medical institution for treatment.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

Telemedicine Service Management Specifications (For Trial Implementation) clearly stipulates that if a patient raises a claim due to telemedicine services, the inviting party’s medical institution shall bear the corresponding legal responsibilities in the remote consultation; if it is a remote diagnosis, the inviting party and the invited party jointly assume corresponding legal responsibilities.

However, the Telemedicine Service Management Specifications (For Trial Implementation) does not mention whether third-party platforms need to be held responsible for “misdiagnosis” caused by information platforms, such as cases where patients are harmed due to technical errors in the transmission of pathological information.

The rights, responsibilities and procedures in the service process of “remote consultation” and “remote diagnosis” are subject to the cooperation agreement of all parties involved in telemedicine services.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Yes. Medical institutions shall strictly abide by the “Prescription Management Measures” and other prescription management regulations when conducting internet diagnosis and shall not issue prescriptions for special management drugs such as narcotic drugs and psychotropic drugs. Physicians can make online prescriptions for patients with common and chronic diseases and can entrust qualified third-party agencies to deliver them. 

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

This is unclear. The existing regulations do not set out clear and unified rules on the charges for telemedicine services; however, it is expected that, in the future, the cost of telemedicine services will be covered by the state’s medical insurance.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

Yes. The Technical Guidelines for the Construction of Telemedicine Information System require that the telemedicine service network be served by at least two network providers in order to maintain network security and data security.

15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Considering that most regulations related to telemedicine have just been released in the past 5 years, there are no new regulations to be released for the time being. However, individual provinces are in the process of developing and implementing more detailed regulations based on national laws, and the development and implementation of these regulations is worth watching.

Nick Beckett
Managing Partner
Beijing
Roxie Meng
Senior Associate
Beijing