On October 26, 2021, the Medical Administration and Hospital Administration of the National Health Commission issued the “Regulations for Internet Diagnosis and Treatment (Draft for Comment)” (“Regulations”) for public comment. Based on the relevant theories and practical experience of cyber security and data security legal governance, the Law Institute puts forward the following preliminary analysis and suggestions:
1. On the whole, the “Regulations” mainly regulate the two types of diagnosis and treatment activities defined in the “Administrative Measures for Internet Diagnosis and Treatment (Trial)”, in which medical institutions use physicians registered in the institution and information technologies such as the Internet to carry out: (1) follow-up consultations for some common diseases and chronic diseases; and (2) “Internet +” family doctor contract services. They do not cover pre-diagnosis, diagnosis and treatment of other diseases, nor do they involve telemedicine. In fact, it is more necessary to set a balance between personal rights and personality rights.
For example, Article 16 of the “Administrative Measures for Internet Diagnosis and Treatment (Trial)” stipulates that “Internet diagnosis and treatment activities shall not be carried out for first-diagnosed patients.” This is essentially a personal information issue. Regarding how a patient determines the first consultation after registration, and distinguishes whether the personal information processing after the first consultation, in fact, it is necessary to implement more detailed personal information collection, provision, sharing and other processing regulations and program design in Article 18 of the “Supervision Rules”, to enrich the content of “terminating Internet diagnosis and treatment activities”, and not just to repeat the “guide patients to physical medical institutions” of the “Internet Diagnosis and Treatment Management Measures (Trial)”.
2. In terms of specific terms, we make preliminary suggestions on the following terms:
(1) Article 19: The electronic medical record information generated by the medical institution during the process of Internet diagnosis and treatment shall be shared with the electronic medical record system of the entity medical institution that it relies on, and the entity medical institution that it relies on shall carry out integrated online and offline quality control.
Internet diagnosis and treatment medical records are managed in accordance with the relevant regulations of outpatient electronic medical records. The graphic dialogues, audio and video materials in the diagnosis and treatment process should leave traces and be traceable throughout the entire process, the data interface should be opened to the provincial supervision platform, and the storage time should not be less than 15 years.
As far as this article is concerned, it is necessary to clarify that the preservation of “graphic dialogue, audio and video data” is not equivalent to “leaving traces”. The former refers to the storage of the data itself, while the latter actually refers to a record or index (for example, the index needs to point to the data itself). Because the specific activities differ, the subsequent provision of interfaces and storage locations to provincial agencies, and even the specific technical measures adopted for network security level protection above the third level, are also different. Therefore, it is recommended that the specific objects of storage and of “leaving traces”, the format standards, the compression requirements and other content be clarified. These are issues that need to be resolved at the detailed level.
(2) Article 25: Provincial-level health authorities shall collect relevant data of medical institutions in accordance with the “minimum availability principle”, focusing on collecting medical institution qualifications, medical personnel qualifications, diagnosis and treatment subjects, types of diagnosis and treatment, electronic medical records, electronic prescriptions, information about medication usage, satisfaction evaluation, patient complaints, patient safety adverse events, etc., analyze the overall situation of Internet diagnosis and treatment, and regularly (at least once a month) feed back problems to medical institutions and their registration agencies, and specify the rectification period. After receiving the feedback from the provincial health authority, the institution shall make rectification in a timely manner, upload the rectification situation to the provincial supervision platform, and report to its registration authority at the same time.
Encourage qualified provinces to set rules for determining the rationality of Internet diagnosis and treatment in the provincial supervision platform, and use artificial intelligence, big data and other emerging technologies to implement analysis and supervision.
There are actually two issues here. One is that the “minimum availability principle” is not a “principle” that should be stipulated. As a prerequisite for the supervision of Internet diagnosis and treatment, regulatory agencies will inevitably require medical institutions to provide sufficient information for support or defense. This supervisory principle will not change because provincial agencies “take it up” through the interface or require medical institutions to “provide” it. Of course, it is also necessary to restrict and constrain this authority, as well as the requirement that medical institutions make rectifications based on it, and other principles of administrative law such as the “principle of proportionality” should be applied.
On the basis of the first question, we will also find that paragraph 2 of this article is in fact in conflict with “minimum availability”. The prerequisite for big data and AI analysis is the adequacy of data acquisition; otherwise it will be difficult to reach the “rationality judgment” conclusion envisaged in paragraph 2.
(3) Article 34: When a network security incident such as the leakage of patient personal information or medical data occurs in a medical institution, it shall promptly report to the relevant competent authority and take effective countermeasures.
The main problem with this article is that it should be detailed in accordance with Article 57 of the Personal Information Protection Law, and should make clear that the parties to be notified/reported to include “departments and individuals performing personal information protection duties.” Of course, this goes back to the old sensitive issue of that medical institution…
As the detailed document of the “Internet Diagnosis and Treatment Management Measures (Trial)”, the “Regulations on Network Data Security (Draft)” and other forward-looking considerations. After all, under the parallel trend of online and offline integrated quality control in Internet hospitals and development to the cloud, hospital information system data is one of the more widely used data sources in the CDE “Guiding Principles of Real World Data for Generating Real World Evidence (Trial)”. Such data sources, which have the dual data features of both non-specific and specific functions, should be used as a precise entry point for the development and supervision of Internet hospitals, and also provide early preparations for the substantive promotion of telemedicine.