Healthcare Data Privacy: Patient Data Value, Risks, and Compliance Frameworks

Healthcare data combines extremely high value with extremely high sensitivity: it is the critical training material for medical AI models, yet it contains the most private personal information there is (disease history, genetic information, mental health records, medication use). A healthcare data breach can lead to discrimination in employment, insurance, and social life, and unlike a leaked password the data cannot be rotated. This dual nature makes healthcare data one of the most stringently regulated information categories worldwide.

## China’s Healthcare Data Protection Framework

**Personal Information Protection Law (PIPL, 2021)**: designates medical health and biometric (including genetic) information as "sensitive personal information", which may only be processed for a specific purpose with sufficient necessity, requires the individual's "separate consent", and calls for stricter security measures. Cross-border transfer (e.g., a clinical trial sending patient data to an overseas CRO) additionally requires separate consent and one of the statutory transfer mechanisms: a security assessment by the Cyberspace Administration of China, a certification, or the standard contract, depending on the volume and sensitivity of the data.

**Data Security Law (DSL, 2021)**: establishes classified and graded data protection (core data, important data, general data). Large-scale genomic and population health data that bears on national security or public health is a prime candidate for "important data", which triggers risk assessments, designated responsible persons, and security assessment before export.

**Cybersecurity Law (2017) and Multi-Level Protection Scheme (MLPS 2.0)**: core information systems of healthcare institutions (HIS, electronic medical records, PACS, laboratory systems) are generally required to be classified at Level 3, which brings detailed technical requirements (access control, audit logging, encryption, backup) and management requirements (security organization, personnel, incident response), plus periodic evaluation by an accredited assessor.

**Genetic data special regulation**: China’s Human Genetic Resources Management Regulations (2019) strictly limit foreign entity access to Chinese human genetic resources — a critical compliance red line for international precision medicine collaborations.

## US HIPAA Core Requirements (Reference)

**Protected Health Information (PHI)**: individually identifiable health information (diagnoses, treatment, test results, payment records) held or transmitted by a covered entity or its business associates. HIPAA's Safe Harbor de-identification method lists 18 identifiers that must be removed before data stops being PHI (names, dates other than year, geographic subdivisions smaller than a state, phone numbers, Social Security numbers, medical record numbers, biometric identifiers, full-face photos, etc.); the diagnosis itself is not one of the 18, which is why properly de-identified clinical data can still be used for research.

**Minimum necessary principle**: only the minimum necessary PHI to accomplish a specific purpose may be used or disclosed.

**Business Associate Agreements (BAAs)**: a covered entity must sign a BAA with any third party that creates, receives, maintains, or transmits PHI on its behalf (cloud providers, data analytics services, billing companies), making the vendor directly responsible for HIPAA safeguards and breach notification. Civil penalties are tiered by culpability and are substantial: the annual cap for repeat violations of the same provision was set at $1.5 million and is adjusted upward for inflation each year.
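The following is an added example, not code from the original article: a small Python routine that applies the HIPAA Safe Harbor rules to a constructed patient record, so the de-identification mechanics above can be seen concretely. It drops direct identifiers, reduces dates to the year, caps age at "90+", truncates ZIP codes to three digits (or "000" for low-population prefixes), and scrubs obvious identifier patterns from free text. The field names, the sample record, and the regular expressions are assumptions for illustration; the restricted ZIP prefix list reflects HHS guidance derived from 2000 census data and must be verified against current guidance before real use.

```python
"""HIPAA Safe Harbor style de-identification of a constructed patient record.
Added example, not the article's own code. Field names and the sample record
are illustrative assumptions."""
from datetime import date
import re

# Three-digit ZIP prefixes that HHS guidance (2000 census data) lists as covering
# 20,000 or fewer people; Safe Harbor requires these be replaced with "000".
# Assumption: verify this list against current HHS guidance before production use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers removed entirely (a subset of the 18 Safe Harbor identifiers).
DROP_FIELDS = {"name", "ssn", "mrn", "phone", "email", "street", "device_serial"}

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Identifier patterns that commonly leak into free-text notes. Regex scrubbing is a
# minimum hygiene step, not proof of de-identification: names and other identifiers
# in narrative text still need review.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for restricted low-population prefixes."""
    z3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(z3) < 3 or z3 in RESTRICTED_ZIP3 else z3


def generalize_age(birth_date: date, as_of: date) -> str:
    """Return age in years; ages 90 and over are aggregated into a single '90+' bucket."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age >= 90 else str(age)


def scrub_text(text: str) -> str:
    """Replace SSN, phone and email patterns in free text with placeholders."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply Safe Harbor rules field by field; clinical content (e.g. diagnosis) is kept."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                      # direct identifier: remove outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = generalize_age(value, as_of)   # birth date never retained
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year             # year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "dob": date(1930, 5, 20),
    "zip": "10021",
    "admit_date": date(2023, 3, 4),
    "diagnosis": "E11.9",
    "notes": "Patient prefers callback at 212-555-0100, email jane@example.org",
}


def example(as_of: date = date(2024, 1, 1)) -> dict:
    """De-identify the constructed sample record as of a fixed reference date."""
    return deidentify(SAMPLE_RECORD, as_of)


if __name__ == "__main__":
    for k, v in example().items():
        print(f"{k}: {v}")
```

Note what survives: the ICD code and the year of admission remain usable for analysis, while the 93-year-old patient's age collapses to "90+" and the ZIP to "100". Safe Harbor also requires that the covered entity has no actual knowledge that the remaining data could identify the individual, so a rare diagnosis combined with a small ZIP3 area may still need expert review.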

## Patient Data Rights

Under China's PIPL, individuals hold the rights to access (learn how their data is being processed), copy (obtain a copy of their data), correct (fix inaccurate information), delete (under specified conditions, for example when the processing purpose has been achieved or consent is withdrawn), and withdraw consent (revoke previously given authorization, without affecting processing that already took place). Exercising these rights against internet medical platforms and health apps remains difficult in practice, though the situation is improving.

See [AI Mental Health Apps: Privacy Concerns](https://sunqi.org/mental-health-ai-apps-en/) and [Precision Medicine](https://sunqi.org/precision-medicine-genomics-en/).
