Cross-border consultation, cross-border medical research, international clinical trials, medical devices going overseas... Cross-border medical care has developed rapidly in recent years, and the large volume of cross-border medical data containing sensitive personal information means higher compliance requirements for relevant institutions and enterprises.
The interviewed experts believe that the cross-border flow mechanism of medical data in China is still unclear, and it is urgent to design targeted industry rules under the framework of the Data Security Law and the Personal Information Protection Law, combined with the characteristics of the pharmaceutical industry, which not only protects personal rights and data security, but also takes into account the efficiency of innovative research and development of drugs and medical devices. At the same time, actively realizing the integration of domestic data governance laws and regulations with international data governance laws and regulations will help China to conduct more in-depth cooperation with overseas pharmaceutical companies, universities and hospitals.
Since 2020, the global COVID-19 epidemic has blocked the road of cross-border medical treatment to a certain extent and continuously stimulated the demand for cross-border telemedicine.
The network connects patients with foreign doctors, and can communicate through video or telephone to draw diagnosis and treatment conclusions. In this process, it often involves doctors' cross-border retrieval of patients' medical images and other information and data.
This is one of the common application scenarios of cross-border transmission of medical data. In fact, with the increasingly frequent global medical exchanges, the cross-border demand for medical data is becoming more and more urgent.
According to the "China Internet Security Report 2020" issued by the National Computer Network Emergency Technology Processing Coordination Center, in 2020 domestic medical image data was found to have left the country through the network more than 4.97 million times, of which China's non-desensitized medical image data left the country nearly 400,000 times, accounting for 7.9% of the total. However, medical image files contain a lot of patients' personal information that has not been desensitized.
In addition to patients' personal information and health status data, medical data also includes medical application data and human genetic resources. The existence of a large number of these data may bring hidden dangers to China's medical and health safety.
As early as October 2018, the official website of the Ministry of Science and Technology published six penalty notices involving six companies, including Huada Gene, Huashan Hospital affiliated to Fudan University, Suzhou Wuxi PharmaTech, AstraZeneca, Aide Bio and Hao Kun Ruicheng. The notices show that all six violated the Regulations on the Management of Human Genetic Resources: some illegally transported and received the remaining samples of approved projects; some illegally carried out state cooperative research; and some even took human serum out of the country illegally as dog plasma.
Lu Jing, a partner of Beijing Shi Hui Law Firm, said that the Personal Information Protection Law regards "medical health" information as sensitive information, and a large amount of patient-related information in the medical industry will fall into the category of personal sensitive information because of its "medical health" attribute. For example: medical record information, adverse reaction report information, clinical trial data, etc.
Taking international clinical trials as an example, Cai Peng, a partner of Zhonglun Law Firm, said that in international clinical trial cooperation, medical data that constitute personal sensitive information will be involved. When collecting and processing sensitive personal information, data processors should follow the compliance requirements for handling sensitive personal information in the Personal Information Protection Law, and make an impact assessment on personal information protection in advance as required. At the same time, for cross-border provision, domestic data providers also need to ensure compliance with the provisions of the Personal Information Protection Law on cross-border provision of personal information.
In addition to the above regulatory requirements, if the data involved in international cooperative clinical trials are marked as "health care big data", "population health information" or genetic materials such as genes and genomes, they should be in accordance with the National Health Care Big Data Standard, the Measures for the Administration of Safety and Services (Trial), the Measures for the Administration of Population Health Information (Trial), the Regulations of People's Republic of China (PRC) on the Administration of Human Genetic Resources or
In February this year, the National Health and Wellness Committee published a reply to Chen's proposal on strengthening the protection of personal information and data of clinical research subjects. It is mentioned that the National Health and Health Commission will actively cooperate with relevant departments to promote the introduction of relevant countermeasures against new challenges such as data leaving the country but processing results leaving the country and overseas institutions obtaining clinical data in the mainland through agents, and on this basis, promote medical and health institutions to implement relevant work.
For medical and health enterprises, what are the difficulties in achieving cross-border compliance of medical data?
From the perspective of pharmaceutical companies, Lu Jing pointed out that pharmaceutical companies need to pay extra time to fulfill their compliance obligations, and the research and development time of drugs and medical devices will increase accordingly. However, in the international cooperation scenario of clinical trials, some compliance requirements (for example, the name and contact information of each overseas recipient should be informed to natural persons before providing personal information overseas) may be difficult to implement.
"Too strict compliance requirements at the level of rule design can easily lead to widespread violations at the level of rule implementation, thus affecting the seriousness of the regulations." Lu Wei said.
Therefore, he suggested that under the framework of the Data Security Law and the Personal Information Protection Law, combined with the characteristics of the pharmaceutical industry, industry rules should be designed in a targeted manner, which not only protects personal rights and data security, but also takes into account the efficiency of innovative research and development of drugs and medical devices.
Wang Shuang, founder and chairman of Hao Wei Science and Technology, believes that the current difficulty in cross-border medical data mainly lies in meeting the needs of different business scenarios under the premise of cross-border compliance. In China, medical data may involve many laws and regulations, and different protected data classifications will be generated in different scenarios. However, the laws and regulations of different countries in the world are different, so different classification and grading standards will also be produced.
In this regard, Wang Shuang suggested that before medical data crosses the border, relevant enterprises and institutions should first ensure that the data are classified and graded according to the requirements of domestic laws and regulations. Then, when the data leaves the country, they should look for the similarities among the compliance requirements of each country. Data that cannot be exchanged can be processed by technical means such as privacy computing, so as to meet the compliance requirements in an "available and invisible" mode and realize "manageable, controllable and measurable" cooperation on cross-border medical data. In addition, it is necessary to build a complete personnel system and form an organizational structure consisting of decision-making, management, implementation, supervision and coordination. At the same time, the document system should be improved to include details related to data security, such as policies and guidelines, system process specifications, personnel training materials, data collection, etc.
Zhonglun Law Firm believes that when implementing cross-border transmission of medical data information, enterprises must clarify the data collection, use, transmission, sender and receiver, as well as the third party providing services for this purpose, and clarify the content and attributes of medical data; Clean up the data storage place; At the same time, make plans such as data exit scheme, and stipulate the purpose, mode and safety measures of data processing; Improve the risk self-assessment mechanism of important data processing activities, network security level protection mechanism, key information infrastructure (CII) security protection mechanism and non-CII operators' network security review response mechanism.
For medical and health enterprises with listing requirements, the impact of stricter cross-border supervision of data may be more direct. "Medical big data companies have taken the issue of data cross-border as one of the key considerations when choosing the listing location." Zhai Yunkai, deputy director of the National Engineering Laboratory for Internet Medical Systems and Applications, said.
Recently, Zero Krypton Technology, the leader of medical big data, withdrew its US IPO plan. Its previously disclosed prospectus shows that the company has more than 2.5 million patients and more than 9 million longitudinal medical records. After the company suddenly suspended its IPO in the United States in July last year, it was reported in September of the same year that it might move to Hong Kong for listing. Zero Krypton did not respond to this.
At present, there are not many special standards for the cross-border flow of personal health medical data in the world. The Guidelines for the Protection of Health Informatics Data to Promote the Cross-border Flow of Personal Health Information, issued by the International Organization for Standardization (ISO) in 2004, state that personal health data should not be transmitted unless the data subject explicitly agrees, except for transmission necessary to protect the vital interests of the data subject. Australia explicitly prohibits health care-related data from leaving the country.
"The circulation of medical data in different countries is of great significance for promoting scientific research and industrial development in related fields and further improving the level of medical and health services. However, more and more countries or regions openly call for complete localization of medical and health data based on 'important' and 'sensitive' data to protect national security or personal privacy, which is not conducive to promoting the free flow of data, nor to scientific research and industrial development." Yan Yunkai said.
For China, on the one hand, it can improve the cross-border system of medical data compliance and promote the international flow of data. Cai Peng pointed out that the promulgation of the Personal Information Protection Law undoubtedly makes enterprises face higher compliance costs, but the promulgation of this law is also a great progress in the protection of human rights in China, which has prompted China enterprises to connect with international standards in related fields and gain international recognition. Taking GDPR as an example, if China's subsequent supporting legislation can be in line with it, it will be of great significance for domestic enterprises to carry out in-depth scientific research and clinical cooperation with European enterprises, universities and hospitals, and promote data flow while safeguarding national security.
On the other hand, China has repeatedly explored cross-border data pilots. As early as July 2019, the State Council released the overall plan of the Lingang New Area of the China (Shanghai) Pilot Free Trade Zone, explicitly supporting the new area to focus on key areas such as biomedicine, conduct pilot projects for cross-border data flow security assessment, and establish data security management mechanisms such as data protection capability certification, data circulation backup audit, and cross-border data flow and transaction risk assessment. At the end of 2020, Beijing also focused on key areas such as artificial intelligence and biomedicine, and promoted pilot work on cross-border data flow security management.
"As a special kind of data, what kind of cross-border flow mechanism should medical data establish? Laws, regulations and practices really need to be further clarified." Yan Yunkai stressed. He suggested that China could learn from the experience of the European Union and other countries, establish a diversified legal flow mechanism that meets the needs of China's national conditions, and set up a guiding model agreement for cross-border data flow.
At the same time, from the perspective of international coordination, it can promote the formation of a unified governance system for cross-border data. Relevant international organizations, such as WHO and ITU, jointly formulate detailed norms for cross-border flow and transaction of medical and health data, and formulate relevant international standards through consultation. Facing the cross-border transmission protection of massive medical big data, an independent and unified data protection law enforcement agency will be set up to independently guarantee the security of data activities, avoid repeated law enforcement in different countries and improve the efficiency of data flow.