With the outbreak of the COVID-19 pandemic, international co-operation in areas such as pandemic prevention and control, new drug development and medical treatment have become crucial. Reaching out to poor and remote areas through telemedicine and other tech-empowered methods is a practice that had already been adopted in medical institutions across different levels before the pandemic, and it has yielded good results. In this article, the author will sort out the main legal and compliance concerns relating to telemedicine by reference to recent legislation, regulation and projects.
According to the Opinions on Promoting the Development of Internet plus Healthcare, the Measures for the Management of Consultation and Prescription of Medicine Over Internet (for Trial Implementation), the Measures for the Management of Internet Hospitals (for Trial Implementation), the Rules for the Management of Telemedicine (for Trial Implementation), and other applicable regulations, when categorizing by staffing and service methods, there are three types of “internet plus healthcare” projects:
(1) Telemedicine, through which the medical institutions ask their own registered medical staff to use the internet and other IT tools to provide online consultation and diagnosis;
(2) Internet consultation and prescription activities, in which the medical institutions ask their own registered medical staff to use the internet and other IT tools to provide subsequent consultations to patients for some common and chronic diseases, and for family physician registration services; and
(3) Internet hospitals, which allow their own registered physicians, and physicians registered in other institutions, to provide online consultations and prescriptions, and subsequent consultations to patients for some common and chronic diseases, and for family physician registration services.
Telemedicine and internet consultations and prescriptions are ways of practising for internet hospitals, while the internet hospitals are merely one of the platforms for conducting telemedicine, and internet consultations and prescriptions.
Telemedicine is a medical activity in which a medical institution invites other institutions to provide tech-empowered medical consultation and prescription services to its patients through IT tools. From this definition, it is understood that telemedicine can only be performed by medical institutions, and only institutions with medical practice licences are allowed to issue and accept invitations.
The tools that empower telemedicine are IT tools, including telecoms, computing and internet technologies. Telemedicine provides varied service items including distance pathological diagnosis, medical imaging diagnosis (e.g., imaging, ultrasounds, and electrocardiograms), nursing, consultation, outpatient services, case discussion, etc.
The Rules for the Management of Telemedicine (for Trial Implementation) and other applicable regulations have defined the following main modes:
It is noted that in the above modes: (1) medical institution A is the inviting organization, and institution B accepts the invitation; (2) the platform may be established either by medical institution A or a third party; (3) medical institution A shall apply for an internet hospital licence if it wants to invite medical staff to provide online medical services on its own platform; and (4) In whatever way, the parties shall define their rights and obligations through agreement.
Cybersecurity and data compliance
Telemedicine may involve different aspects of data compliance, including but not limited to:
Data Collection. Apply safety classification to the medical information and adopt different methods to collect information of different classes. The consent and authorization of guardians are required if the personal information of child patients is to be collected.
Data storage. The organizations should store the medical information through fragmented distributed discreet storage technology. Store the personal information of the patients through de-identifying encrypted safety measures. Control the access to the stored data by establishing access systems and limiting the management authority of the data to dedicated persons.
Data transmission. The organization should adopt encrypted and other measures to ensure safe transmission of virtual machine image files, system management data, authentication information, and important business data. Establish redundant protection in the transmission channels of business data, control data and management data. The channels should be separated from each other, and conduct troubleshooting, repair and separation alone.
Data deletion. Provide tools to clear all copies of the data of telemedicine. Provide technological methods to prevent the recovery of destroyed data.
Data backup and recovery. Local backup and recovery functions should be maintained, with at least daily data backup and offsite storage of backup media. Remote real-time backup function should be provided, and the data stored into a disaster backup centre with telecommunication technology.
Ramon Huang is a partner at Hui Ye Law Firm. He can be contacted on +86 150 0091 0002 or by email at [email protected]
Li Tianhang is a partner at Hui Ye Law Firm. He can be contacted on +86 177 6515 8866 or by email at [email protected]