By Zhang Yunwei (Mark) (partner), Yao Jinchuang(associate) and Zhan Jia(assistant associate)
With the rapid development of information network technology, healthcare system reform and M-health policy support from the PRC government, the Chinese mobile health market which emerged in 2014 has grown quickly. More and more pharmaceutical and medical device manufacturers and trading companies (“Healthcare Companies”) are actively seeking to engage in the Chinese mobile health market. This trend which affects the relationship between Healthcare Companies and patients, may result in the reform of the current product sale and promotion models of Healthcare Companies. However, when the “fire” of Healthcare Companies’ investment passion meets the “ice” of Chinese regulators regarding online medical services, internet driven hospitals and data privacy, how will Healthcare Companies tackle the challenges to ascend the “Iron Throne” of the “Westeros” of Chinese M-Health market.
1. Rise of Kings—Various Methods Adopted by Healthcare Companies to Engage in the Chinese Mobile Health Market
The emergence of mobile health has created more ways to change the circulation of information in the healthcare industry. In concert with this trend, Healthcare Companies have developed various innovative market practices.
Under traditional business models, Healthcare Companies receive feedback on the sales of pharmaceuticals and medical devices ( “Healthcare Products”) and market information through the supply chain of “Healthcare Companies—Medical Institutes—Patients”. Medical institutes are the primary target customers of Healthcare Companies’ marketing strategies and underpin the basic form of their promotional activities. However, the decentralization caused by the Internet and the Chinese government reform separating medical services and pharmaceutical sales is enabling Healthcare Companies to directly contact patients.
In this context current practices of Healthcare Companies (“Mobile Healthcare Market Practices”) which constitute the basic framework of circulation and utilization of healthcare information in the PRC mobile healthcare market fall into the following categories:
(1) Healthcare Information Collection and Storage: Healthcare Companies collect healthcare information on patients through (a) R&D on or investment in wearable healthcare monitoring devices, or (b) adding information collecting and transmitting functions to medical devices, or (c) cooperating with medical institutes or Internet companies;
(2) Provision of Healthcare Information: with the healthcare information collected, Healthcare Companies provide healthcare information to the market in targeted manners, including (a) helping patients to manage their health or chronic diseases, or (b) providing healthcare professionals with processed information to manage diseases, or (c) cooperating with Internet companies to participate in “Internet plus Medical Service” programs and giving healthcare consultations;
(3) Healthcare Information as Products: based on the healthcare information collected, Healthcare Companies provide personalized healthcare device information to individuals and conduct online or O2O (online to offline) sales, completing the dual “online and offline” supply chain.
2. Winter is Coming—Legal Challenges Faced by Healthcare Companies when Entering the Chinese Mobile Health Market
When adopting the abovementioned Mobile Health Market Practices, Healthcare Companies need to pay heed to the following legal issues under the current Chinese healthcare regulatory system:
(1) Collection and Storage of Patient Information—Marching amid Uncertainty
(a) Wearable Healthcare Monitoring Devices May Be Categorized as Medical Devices
Although Healthcare Companies are passionate about wearable health monitoring devices ( “Wearable Devices”), PRC law has not clearly defined the legal status of Wearable Devices. We consider that Wearable Devices are closely related to the definition of “medical devices” in existing PRC law. According to Article 76 of the Regulations on Supervision and Administration of Medical Devices, a medical device is any instrument, equipment, appliance, in vitro diagnostic reagent or any other article, directly or indirectly used for human beings and intended to be used for “medical purposes”. Current Wearable Devices available in the PRC market are mainly used to monitor and record vital signs such as heart rate, body temperature, blood pressure and oxygen content of blood, so they may be categorized as “medical devices” under PRC law and regulated by Chinese authorities accordingly.
Given the abovementioned definition of “medical devices”, we believe that one of the most important factors in determining the nature of Wearable Devices is whether they are intended to be used for medical purposes.
In this regard the US regulatory authorities have taken a similar approach. On 29 July 2016, the FDA released its final version of the eye-catching Guidance on low risk general wellness devices which promote a healthy lifestyle (namely general wellness products). According to the Guidance, if a product is intended for only general wellness use and presents a low risk to the safety of users and other persons, then this product will be defined as a “general wellness product”. The FDA does not intend to examine low risk general wellness products to determine whether they are medical devices and whether they must obey the regulatory rules on medical devices.
According to the Guidance, a general wellness product, has (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or (2) an intended use that relates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition. Therefore, when not used for diagnosis or treatment, Wearable Devices are less likely to be categorized as medical devices.
Currently, there are no rules or standards under PRC law to define whether a Wearable Device is for medical use. In practice, determining whether a Wearable Device is a medical device or not may be affected by various factors such as the accuracy of monitoring data, its major function and its market positioning, and thus it should be analyzed case by case.
To increase credibility in the market and reduce regulatory risks, more and more companies have started to apply for medical device registration for their wearable or portable monitoring devices. However, considering the long duration of the medical device registration procedure, the large number of clinical trial data required in the registration of new medical devices, the relatively high cost and regulatory reviews of advertisements, Healthcare Companies should be prudent when designing the functions and positioning of Wearable Devices.
(b) Collection, Storage, Use and Processing of Personal Health Data from Patients Must Be in Compliance with Data Privacy Regulations on “Personal Information”, “Population Health Information”, and “Medical Records Information”.
From different angles, the personal health data of patients may fall into different categories: firstly, as health data is closely associated with the identity of a person, it bears the character of “personal information”; if such personal health data is collected during medical activity, it also has the characters of “population health information” and “medical records” from a healthcare administration perspective. Naturally, Healthcare Companies must comply with regulations on data privacy during the collection, storage, use and processing of personal health data of patients, especially when conducting these activities in cooperation with medical institutes. Since there are no clear definitions of such information in current PRC law, Healthcare Companies may need to evaluate legal risks cautiously.
(i) Requirements for Personal Information Protection
Currently, there is no personal information protection law in China, and regulations covering personal information protection are mainly around telecommunications, the Internet and consumer rights protection. Generally speaking, “personal information” refers to various information which may identify a person when alone or combining with other information, including a person’s name, sex, date of birth, ID number, occupation, address, contact information, income, property status and health status, etc.
According to the relevant laws, this information must be used in a legal, appropriate manner and only used when necessary. Basic requirements include: the collectors/users of personal information must expressly indicate the purpose, method, target content and usage and obtain consent when collecting or utilizing personal information. Also, the collector and user must take technical and other necessary steps to ensure the safety of the personal information, and avoid leakage, damage and loss of such information.
(ii) Requirements on Population Health Information Protection
According to the Administrative Measures on Population Health Information (for Trial) (“Measures on Population Health Information”), the scope of population health information is very broad, including “population health information generated in the service and management process of medical and family planning service institutes of all types at all levels, including basic population information, medical and health service information etc.” According to the official interpretation of the National Health and Family Planning Commission, population health information “mainly includes overall population information, electronic health records, electronic medical records, statistical information on population health etc.”
Although under the current healthcare information management system, medical and family planning service institutes of all types at all levels are responsible for the collection, utilization, management and protection of population health information (“Responsible Entity”), Healthcare Companies are still under regulation when utilizing and storing population health information while cooperating with medical institutions.
According to the Measures on Population Health Information, the utilization of population health information must be managed by category and confidential and personal private information may not be disclosed to any third party. In cases where a Responsible Entity authorizes a third party to utilize population health information, the Responsible Entity and the third party must enter into a data utilization agreement and the third party may not utilize and publish the population health information beyond the scope as agreed in the authorization agreement. In the event a Responsible Entity entrusts other parties to store population health information, the entrusted party must strictly follow the agency agreement to provide technical support for the management of the population health information, and must refrain from collecting, developing and utilizing population health information beyond the scope agreed in the authorization agreement. It is especially noteworthy for foreign invested Healthcare Companies that population health information is not allowed to be stored in servers hosted or rented overseas.
(iii) Requirements for Medical Records Information Protection
Medical records refer to all the texts, symbols, graphics, images and slides generated in medical activities by healthcare professionals, including outpatient (emergency) medical records and inpatient medical records. Medical records documented form a medical file. Chinese law requires, medical institutions to abide by the Regulations for Medical Institutions on Medical Records Management (Edition 2013) (“Medical Records Regulations”), the Basic Standard for Electronic Medical Records (for Trial), the Basic Standard for Electronic Medical Records of Traditional Chinese Medicine (for trial) and other related regulations in establishing, utilizing, storing and managing medical records. Healthcare Companies must be aware of these provisions when cooperating with medical institutions to obtain patient medical records.
For the establishment, utilization, storage and other management activities of medical records, generally Chinese Law has stricter requirements for protection than for general personal information:
- Regarding maintenance of medical records. Medical Records Regulations provide that outpatient (emergency) medical records must be kept by the patients, but in cases where medical institutions are well equipped and have obtained consent from the patients or their legal representatives, medical institutions may keep outpatient (emergency) medical records; inpatient medical records are required to be kept by medical institutions; however, under the Medical Records Regulations no express authorization is granted to medical institutions to entrust a third party to keep and manage medical records;
- Regarding reviewing or borrowing of medical records. Medical Records Regulations provide that except for healthcare professionals providing medical services to the patients and the department or staff authorized by health and family planning authorities or medical institutes in charge of medical file management or medical management,-- no organization or individual may have any access to a patient's medical records; as an exception, other medical institutions and healthcare personnel needing to review or borrow the medical records for scientific research and teaching purposes may file an application with the medical institution where the patient receives treatment, and review or borrow the medical records only after obtaining approvals and going through relevant formalities, provided that the medical records must be returned before a specified date and may not be taken away from the medical institution where the patient receives treatment;
- Regarding duplication of medical records. Medical Records Regulations provide that only patients themselves, their legal heir or representatives of deceased patients and officials from government departments of public security, justice, human resources and social security, insurance and healthcare appraisal may apply to copy medical records for needs of dealing certain cases or in the performance of their duties; and specified formalities may also be required in copying the medical records.
Current PRC law has not clearly defined ownership of medical records, hindering the proper authorization of the use of medical records and making it more difficult for Healthcare Companies to use medical records.
Although there have been some brand new cooperative programs between Internet companies, Healthcare Companies and medical institutions (e.g. health management platforms and chronic disease programs) cooperative mechanisms have simply complied with the abovementioned regulations (e.g. establishment of firewalls for patient data in cooperation between medical institutions and Healthcare Companies). Given the uncertainty of their legal obligations, Healthcare Companies need to explore a way forward.
(2) Healthcare Information on Mobile Internet—Requirements Shrouded in Mist
Unlike health information collection and storage which are haunted by unclear legal definitions, the difficulties faced by Healthcare Companies in providing pharmaceutical and medical device information on the mobile Internet rest more on how regulations will be enforced in practice.
The regulation of pharmaceutical and medical device information through traditional online stores is relatively clear. According to Administrative Measures on Internet Pharmaceutical Information Services, companies providing pharmaceutical (including medical device) information services must apply to the food and drug administration authorities for an Internet Pharmaceutical Information Service Qualification Certificate. Under the Administrative Measures on Internet Information Services, an Internet Pharmaceutical Information Service Qualification Certificate is a pre-condition for applicants to be approved for profit-making Internet information services of pharmaceuticals and medical devices or to file for these services by non-profit-makers.
With the rapid development of mobile communications, applications to provide medical information on mobile communication terminals (“APP”) are growing; however, the requirements to qualify are uncertain:
- Approvals for providing telecommunication services. According to the 2003 Catalog of Classification of Telecommunication Services issued by the Ministry of Industry and Information Technology (“MIIT”), an “information service business” is defined by reference to the type of communication network which transmits the information. Since the APP transmission network is relatively complicated, the telecom regulatory authorities have not set out the requirements for APP operators. However, since the 2015 Catalog of Classification of Telecommunication Services issued by MIIT which came into effect on 1 March 2016 no longer classifies “information service business” based on communication network types, the regulatory requirements of telecom authorities have changed. Now it is considered that profit-making APP information services must obtain approvals for value-added telecommunications services after consultation with MIIT and local telecom regulatory authorities in Beijing and Shanghai. For non-profit making APP information services, there are no express requirements and in practice, the telecom authorities still do not accept their filing applications; but it is likely that local telecom regulatory authorities will require operators to file in accordance with the Administrative Measures Governing Internet Information Services in the future.
- Approvals for providing pharmaceutical information services on the Internet. Since the Administrative Measures on Internet Pharmaceutical Information Services does not strictly differentiate the types of basic communication network through which the relevant information services are provided, theoretically, pharmaceutical/medical device information services performed through mobile communication terminals are also subject to the requirements of the Internet Pharmaceutical Information Service Qualification Certificate. Our consultations with the food and drug administration authorities in Shanghai and Beijing have confirmed our analysis. However, since the current approval system of pharmaceutical information services on the Internet has been established particularly for information services provided through traditional online stores, food and drug administration authorities do not really accept applications for an Internet Drug Information Service Qualification Certificate for APPs in practice. To avoid compliance risks, APP operators may establish a corresponding online website and obtain an Internet Drug Information Service Qualification Certificate for the website. However, whether such an attempt can avoid the compliance risks completely remains to be seen.
The Administrative Provisions on Mobile Internet Application Information Services released by the National Office of Internet Information came into effect on 1 August 2016. This is the latest attempt by the government to regulate APP information services. Article 5 states that “when providing information services via mobile internal applications, the relevant qualifications must be obtained in accordance with laws and regulations”; Article 7 also clarifies the responsibility of mobile internet application providers on information security management.
Based on our communications with the telecom regulatory authorities in Shanghai and Beijing, we do not yet see any obvious impact of these Provisions on the practice of telecom regulatory authorities. However, since the National Office of Internet has the duty and power to “guide, coordinate, supervise the relevant departments on strengthening the management of information services on the Internet”, we cannot rule out the possibility that in the future the telecom regulatory authorities may alter their practices in accordance with the Provisions. Moreover, Article 3 of the Provisions gives the national and local Internet offices responsiblity for the supervision, regulation and law enforcement of mobile Internet applications, so it is likely that in the future the National Office of Internet or its local counterparts may enforce related laws beyond the current supervision system of the telecom regulatory authorities. While shrouded in mist, let us wait and see how the supervision of information services on pharmaceutical and medical devices via mobile Internet will evolve.
(3) Information as a Product—Whether the Winter of On-line Sales of Pharmaceutical and Medical Devices Will Encounter Extreme Cold Weather or Is the Spring Approaching
Compared with the vagueness of regulations on healthcare information collection and provision, there are clear restrictions over Healthcare Companies selling pharmaceuticals and medical devices to Chinese consumers through the Internet.
- Firstly, only a few types of enterprises are permitted to sell pharmaceutical and medical devices online. According to the Interim Regulations on Internet Drug Trading Services Approval (the “Interim Regulations”), enterprises providing Internet pharmaceutical trading services (including providing medical devices and packaging materials and containers which directly contact pharmaceuticals ) are divided into three types: (1) enterprises providing Internet pharmaceutical trading services for pharmaceutical manufacturers, pharmaceutical trading enterprises and medical institutions; (2) pharmaceutical manufacturing enterprises and pharmaceutical wholesaling enterprises selling pharmaceuticals online through their own websites to enterprises other than their member companies; and (3) companies selling pharmaceuticals online to individual consumers (“On-line Pharmaceutical Retailing Enterprise”). On-line Pharmaceutical Retailing Enterprises must be duly established pharmaceutical retail chain enterprises.
- Secondly, the Interim Regulations also provide that the On-line Pharmaceutical Retail Enterprise may only sell the over-the-counter pharmaceuticals on line, and may not sell products to other enterprises or medical institutes. To this end, the China Food and Drug Administration (“CFDA”) released the Measures for Supervision and Administration on Internet Food and Drug Business Operation (Draft Soliciting Comments) on 28 May 2014, concerning the sale of prescription pharmaceuticals to individual consumers through the Internet; however, after soliciting comments for two years there is still no legally binding document.
- Thirdly, O2O (online to offline), sales of prescription pharmaceuticals face the challenge of the validity of electronic prescriptions. According to the Administrative Measures on Prescription, when physicians issue or deliver a prescription through computers, they should print out the prescription in the same form as a hand written prescription; the printed paper prescription will be valid with a signature or seal. When the pharmacists verify and deliver the pharmaceuticals, they must check the printed paper prescription, deliver the pharmaceuticals, and file the printed paper prescription as well as the prescription delivered by computer for future verification. Although China has developed policies to encourage electronic prescriptions, their legal validity is still doubtful.
There are signs that the government is further tightening its supervision. In 2013, CFDA launched a pilot of third-party pharmaceutical online retailing platforms for three companies, namely “95095”, “Ba Bai Fang” and “Yi Hao Dian”. However, CFDA terminated the pilot in July 2016 on the grounds that the “responsibilities of the third-party platforms and the physical pharmaceutical stores are not clear and quality control is difficult”. CFDA also emphasized that both online trading and physical trading must be conducted strictly on the basis that prescription pharmaceuticals are sold only according to prescriptions, sending a signal that the reform of online sales of prescription drugs remains stagnant.
Although online sales of pharmaceuticals and medical devices are subject to strict supervision, some analysts believe that the state is preparing reform and the spring of online sales of pharmaceuticals and medical devices may be just around the corner.
3. Collision of Fire and Ice Once Again
Technological advances continue to reshape the business models of Healthcare Companies. The issues in this article are only a few faced by the Mobile Healthcare Market. Due to the sensitivity of the healthcare industry and telecommunications, the activities of Healthcare Companies are under strict regulation by the authorities. Facing rapid technology and business model changes, market players are challenged by the lack of up-to-date government supervision. Hence there will be more and more legal issues emerging in the mobile healthcare industry and fire and ice in this area will collide with each other once again. Healthcare Companies are remended to stay alert to avoid legal risks and we will also stay focused on developments. The clash of investment aspiration and the ice of regulation may breed great companies in the future.
Editor’s note: This article was published on Chinalawinsight.com
“China” and the “PRC” in this article mean the People’s Republic of China, and for the purpose of this article, excludes Hong Kong, Macau and Taiwan.
“《医疗器械监督管理条例》” in Chinese, promulgated on 7 March, 2014 by State Council and effective on 1 June, 2014
Including: (1) diagnose, precaution, monitoring, treatment or remission of diseases; (2) diagnose, monitoring, treatment or remission of injuries or functional compensation; (3) testing, substitution adjustment or support to physiological structure or physiological process; (4) support or sustainability of life; (5) pregnancy control; (6) test of samples from a human body to provide information for purpose of medical treatment or diagnosis and etc.
General Wellness: Policy for Low Risk Devices—Guidance for Industry and Food and Drug Administration Staff, the draft of which was promulgated on 20 January 2015
According to relevant statistics, in 2013, five wearable or portable health monitoring devices applied for registration as medical device in China and in 2014, 2015 and 2016 up to July the numbers were fourteen, fifteen and twenty.
Please refer to Cyber Security Law of the People's Republic of China (Draft) (“《中华人民共和国网络安全法(草案)》” in Chinese) promulgated on 6 July, 2015 by Standing Committee of the National People's Congress; Provisions on Protection of Personal Information of Telecommunication and Internet Users (“《电信和互联网用户个人信息保护规定 》” in Chinese) promulgated on 16 July, 2013 by Ministry of Industry and Information Technology and effective on 1 September, 2013; Several Provisions on Regulation of the Order of Internet Information Service Market (“《规范互联网信息服务市场秩序若干规定》” in Chinese) promulgated on 29 December 2011 by Ministry of Industry and Information Technology and effective on 15 March 2012; Measures on Punishments against Infringements on Consumer Rights and Interests (“《侵害消费者权益行为处罚办法》” in Chinese) promulgated on 5 January 2015 by State Administration for Industry and Commerce and effective on 15 March 2015; and other relevant laws and regulations.
“《人口健康信息管理办法(试行)》” in Chinese, promulgated and effective on 6 July 2015 by National Health and Family Planning Commission
Please refer to the website of National Health and Family Planning Commission: http://www.nhfpc.gov.cn/zhuzhan/zcjd/201405/9992e411fff04a95b03caeda31794c 7d.shtml, which was issued on 13 May 2014
《医疗机构病历管理规定(2013年版)》” in Chinese, promulgated on 20 November 2013 by National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine and effective on 1 January 2014
《电子病历基本规范(试行)》”in Chinese, promulgated on 22 February 2010 by the original Ministry of Health and effective on 1 April 2010
“《中医电子病历基本规范(试行)》” in Chinese, promulgated on 21 April 2010 by State Administration of Traditional Chinese Medicine and effective on 1 May 2010
“《互联网药品信息服务管理办法》” in Chinese, promulgated and effective on 8 July 2004 by the original State Food and Drug Administration
“《互联网信息服务管理办法》” in Chinese, promulgated on 25 September 2000 by State Council and effective on 8 January 2011
Including (1) to verify the real identity information of the registered users through mobile phone numbers and others in accordance with the principle of “a real name backstage, and a freely-chosen name on stage”; (2) to establish and improve the mechanism for user information security protection, follow the principles of "legality, appropriateness and necessity", expressly state the purpose, methods and scope of information collection, and obtain the users' consent in collection and use of personal information; (3) to establish and improve the information censorship and management mechanism; adopt proper sanctions and measures such as warning, limiting functions, suspending updates, and closing accounts, against activities of releasing illegal information; keep records and report to the competent authority of such activities; (4) to protect and safeguard users' "rights to know and rights to choose" in accordance with the law during installation or use of the applications; without express statement to the users and the consent of the users, not to turn on the functions of collecting geographic location, reading address books, or using cameras or recordings; not to turn on functions irrelevant to the services; not to tie up and install irrelevant applications; (5) to respect and protect intellectual property rights, and not to produce or release applications violating others' intellectual property rights; (6) to keep records of user log information for 60 days.
“《互联网药品交易服务审批暂行规定》” in Chinese, promulgated on 20 September 2005 by the original State Food and Drug Administration and effective on 1 December 2005
“《处方管理办法》” in Chinese, promulgated on 14 February 2007 by original Ministry of Health and effective on 1 May 2007