Abstract： Medical institution data compliance is an exogenous product of the digital society， serving as a crucial means to maintain and balance the relationship between data protection and data sharing， as well as individual interests and public interests. The implementation of the Healthy China Initiative greatly benefits from its practical significance. In practice， data from medical institutions takes varied forms， including personally identifiable data collected before diagnosis and treatment， clinical medical data generated during diagnosis and treatment， medical data collected in public health management， and potential medical data generated in daily life. In the new journey of comprehensively promoting the Chinese path to modernization， it is necessary to clarify the shift from an individual-oriented to a societal-oriented value system， highlighting the reinforcing role of the trust concept. Guided by the principle of minimizing data utilization， the focus is on the new developments and changes in medical institution data in the post-pandemic era. This involves a series of measures such as fulfilling the obligation of notification and consent， specifying the scope of data collection and usage， strengthening the standardized use of relevant technical measures， and establishing a sound legal responsibility system for data compliance. Through these measures， a flexible and efficient medical institution data compliance system can be constructed.

Keywords： medical institution data; privacy protection; data security; compliance governance

CLC： D 913 DC： A Artical：2096-9783（2024）05?0110?13

1 Introduction

The medical big data industry， as the first sector in China to lay out and promote the market for data elements， is entering a phase of high-quality development. It profoundly influences the developmental trends and service modalities in the pharmaceutical and healthcare sectors. According to the Research Report on the Development of China's Digital Economy（2023） published by the China Academy of Information and Communications Technology， the data demand of the medical industry has become increasingly prominent， and the technical system formed around data has derived a series of industrial ecology and become an important carrier to release the value of data elements[1]. The report to the 20th National Congress of the Communist Party of China highlights the need to "accelerate the development of the digital economy， further integrate it with the real economy， and build internationally competitive digital industry clusters". Additionally， it emphasizes the importance of "strengthening the safeguards for ensuring economic， major infrastructure， financial， cyber， data， biological， resource， nuclear， space， and maritime security". In light of such context， incorporating medical institution data complianc① into the national governance system for research not only represents a timely response and reflection of academic research on the principle of "exercising law-based governance on all fronts and advancing the rule of law in China"， but also aims to improve compliance and regulatory requirements related to complex medical data processing activities. This approach is intended to promote the standardized development of "Internet Plus Healthcare".

With the successive enactment of laws such as the Cybersecurity Law of the People's Republic of China （hereafter referred to as the Cybersecurity Law）， the Civil Code of the People's Republic of China （hereafter referred to as the Civil Code）， the Law of the People's Republic of China on Basic Medical and Health Care and the Promotion of Health （hereafter referred to as the Basic Medical and Health Care Law）， the Data Security Law of the People's Republic of China （hereafter referred to as the Data Security Law）， and the Personal Information Protection Law of the People's Republic of China （hereafter referred to as the Personal Information Protection Law）， along with the increasingly evident tension between medical data development and utilization and personal privacy protection， there has been a practical impetus for medical institution data compliance. In the era of big data， the variety of data processed by medical institutions will increase， with a broader range of sources and applications and a heightened sensitivity to the data. If medical institutions are permitted to collect， use， store， and transmit medical data across borders without being bound by compliance requirements， it may lead to the disclosure of the personal privacy of data subjects. This could cause inconvenience or even harm to their private lives. In severe cases， it might even endanger national security and social stability②. However， in consideration of the public interest-for reasons of public health and safety， for instance， it should be permissible to disclose relevant data within the bounds of legal frameworks and procedures， in order to achieve sustainable social development[2]. According to a study conducted in 2019 by Greenbone Networks， a German vulnerability analysis and management company， there were 14 unprotected medical image archiving and communication systems in China， leading to the exposure of nearly 280 000 patient medical data records[3]. Given this， balancing the relationship between data protection and data sharing and striving to achieve a win-win situation for both individual and public interests in a bilateral negotiation has become a paramount concern in the compliant operation of data by medical institutions.

2 Legal Examination of Medical Institution Data Compliance

2.1 Medical Institution Data and Its Compliance Responsibility Entities

In China， medical institution data refers to health and medical-related data generated or held by these institutions during activities such as health management， disease diagnosis， and treatment. It encompasses all data related to health activities throughout an individual's life cycle， namely from birth to death， and includes a wide array of information such as patients' personal health and physiological data， medical records， and the registration status of mental health[4]. In practice， based on the varying sources and application scenarios， there are four categories of medical institution data： （1） Personal identity data collected prior to diagnosis and treatment. Prior to engaging in medical activities， pati94fcb44ffb3e190dd152d619a5201e4ee6ae958443add76de5c6da8f696d1cbbents are often required to provide basic information such as their name， contact details， identification number， and home address for the purpose of ID verification. Additionally， while being diagnosed online， patients may have to provide biometric data such as facial， voice， fingerprint， palmprint， and iris recognition for subsequent verification and comparison. （2） Clinical medical data generated during diagnosis and treatment. This type of data is a category within health and medical big data， typically acquired for disease diagnosis， treatment， research， or monitoring. It often directly reflects patients' actual health condition[5]. Clinical medical data from actual medical institutions includes information such as the patient's health status， medical history， medical imaging， laboratory reports， medication data， and medical insurance details. In internet-based medical activities， clinical medical data includes online consultation records， electronic medical records， follow-up and repeat consultations conducted online， and information related to the online purchase of medical product③. （3） Medical data collected in public health management. Health administrative agencies and healthcare organizations with public health management authority collect specific types of biological data （such as epidemiological data during disease outbreaks）， omics data （including genomics， transcriptomics， proteomics， and metabolomics）， and demographic data for disease prevention and control. （4） Potential medical data generated in everyday life. As people become increasingly attentive to their own health， they often share data through health management applications or social networking platforms， including information about their diet， work and sleep habits， psychological state， and emotional issues. Such data is of significant value for monitoring the effectiveness of medical treatments and assessing the needs of online clients in a scientific and accurate manner.

In accordance with Article 6， Paragraph 2 of the Administrative Measures on the Standards， Security， and Service of National Health and Medical Big Data （for Trial Implementation）， the primary entities responsible for data compliance in the health and medical field are various levels of medical and health institutions， as well as related enterprises and public institutions. The term "related enterprises and public institutions" should include various types of enterprises and public institutions engaged in the collection， storage， processing， application， operation， and transmission of health and medical data. These entities are responsible for fulfilling the corresponding medical data compliance obligations while engaging in activities such as disease and health management and medical research processes[6]. For instance， during significant public health events， in order to effectively safeguard the life and health security of the population， the government often relies on big data technology to implement precise risk prevention and control measures. This implies that relevant organizations should collect data related to the epidemic within their respective areas of responsibility. These organizations are not limited to medical institutions but also include community departments and transportation units that bear management responsibilities for epidemic prevention and control[7]. Furthermore， in accordance with the provisions of the Regulations on the Management of Human Genetic Resources and the Detailed Rules for the Implementation of the Regulation on the Management of Human Genetic Resources， organizations in China that collect， preserve， utilize， and provide human genetic resources are directly responsible for compliance with the information data related to human genetic resources. These organizations include research institutions， higher education institutions， medical institutions， or businesses involved in the collection and management of human genetic resources in China. It should also be noted that with the implementation of the Regulation on Protecting the Security of Critical Information Infrastructure， and the earlier issuance of regulations and documents by the National Health Commission， including the Measures for the Administration of Internet Hospitals （for Trial Implementation）， Grading and Evaluation Measures for the Application Level of Electronic Medical Record Systems （for Trial Implementation）， Maturity Assessment Scheme for Standardized Interconnection of National Medical and Health Information Hospital Information （2020 Edition）， and the Measures for the Network Security Management of Medical and Health Institutions， the healthcare industry has been formally included in the scope of critical information infrastructure protection. Network operators in this field are also subject to the obligation of ensuring network security and compliance with medical institution data regulations.

2.2 The Logical Foundations of Medical Institution Data Compliance

2.2.1 Emerging Changes in Compliance Foundations in the Digital Society

With the advent of the digital governance era， there has been a significant transformation in the legal framework governing compliance with medical institution data. Consequently， compliance requirements have become increasingly intricate and multifaceted. In China， the sources of such data compliance obligations primarily encompass relevant laws， regulations， administrative provisions， national standards， and industry standards. These obligations exhibit a characteristic multi-tiered effectiveness， aiming to comprehensively safeguard healthcare institution data from various dimensions， including the Internet， applications， and endpoints. For example， specific standards and regulations such as the National Standards for Informationization Construction in National Hospitals （for Trial Implementation）， National Standards for Informationization Construction in Grassroots Healthcare Institutions （for Trial Implementation）， Administrative Measures on the Standards， Security and Service of National Health and Medical Big Data （for Trial Implementation）， Information Security Technology-Guide for De-Identifying Personal Information （GB/T 37964-2019）， and Information Security Technology-Guide for Health Data Security （GB/T 39725-2020） （hereinafter referred to as the Security Guidelines） provide tailored provisions regarding the data rights of specific data subjects and the corresponding data compliance obligations they should fulfill. Moreover， various provincial， autonomous regional， and directly governed municipal governments have also enacted a series of local regulations governing the handling of medical institution data. These regulations are tailored to the local context of healthcare practice. Examples of such regional regulations include the Management Measures for Health and Medical Data Resources in Chongqing Municipality， the Management Measures for Health and Medical Big Data in Shandong Province， the Regulations on the Application and Development of Health and Medical Big Data in Guiyang Municipality， and the Interim Measures for the Management of Health and Medical Big Data Resources in Fuzhou Municipality.

It must be emphasized that the legislation pertaining to medical institution data compliance in China is currently undergoing continuous refinement and development. The existing legal framework contains a significant portion of content that is vague， coarse， lacking in precision， and inadequately tailored， rendering its legal efficacy akin to a "scratch on the surface". For example， the Administrative Measures on the Standards， Security， and Service of National Health and Medical Big Data （for Trial Implementation） only provide general principles regarding the accuracy， security， and de-identification of health and medical big data， but they do not address the specific operational modes and processes comprehensively. Furthermore， in regulations such as the Measures for the Administration of Population Health Information （for Trial Implementation）， Administrative Measures on the Standards， Security， and Service of National Health and Medical Big Data （for Trial Implementation）， and Management Measures for Health and Medical Big Data in Shandong Province， there is a notable absence of specific provisions regarding the scope of personal health and medical data collection， the content to be stored， and the duration of storage[8]. In comparison， national standards in the healthcare sector are often developed from industry standards， and they typically exhibit a higher degree of alignment with international standards. These standards can be categorized into three types： mandatory standards， recommended standards， and guidance technical documents. Such national standards are either established before the enactment of laws and regulations or are further elaborated upon after the issuance of laws and regulations. For instance， the Security Guidelines， which serve as a national standard， comprehensively enumerate eight typical healthcare and medical data usage scenarios. They provide specific regulations for key security measures related to data collection， data usage， and data disclosure within these scenarios. Consequently， these standards possess a high degree of practical applicability. As a result， health administrative authorities tend to consider relevant national standards instinctively as a significant criterion for determining legality or illegality when enforcing regulations. Therefore， entities responsible for healthcare institution data compliance should closely monitor and familiarize themselves with these types of standard provisions. They should use them as operational guidelines for data processing and， whenever possible， proactively engage in internal compliance efforts. This includes adjusting data management systems as needed and shifting from a stance of "passive compliance" to "proactive compliance".

2.2.2 Adapting to the Evolution of Medical Institution Data

With the continuous advancement of biotechnology and the extensive utilization of big data， the sources and types of data in medical institutions have become increasingly diverse. Furthermore， their quantity has experienced exponential growth compared to the past. This expansion has surpassed the traditional scope of specific medical data generated during patient visits， leading to both structural and substantive changes. Exactly speaking， the original medical institution data was limited to specific patients' medical records， including their case histories， test reports， and image data generated during single medical visits. However， in the present context， medical institution data is now incorporating a wide range of data types. This includes health management data and lifestyle information collected by mobile healthcare applications， vital sign data （such as body temperature， blood pressure， blood glucose， blood oxygen levels， and heart rate）， and daily activity information （such as geographical location， specific physical activities， and daily calorie consumption） monitored by wearable smart medical devices， etc. In other words， medical institution data is not solely generated within the doctor-patient relationship， and some seemingly unrelated fields may also produce such data[9]. Overall， medical institution data is evolving from its previous single-layer and individualized form towards a multi-layered and diversified direction. Such evolution not only complicates data compliance but also places data subjects in what can be likened to Michel Foucault's description of a "panopticon"， as outlined in his work Discipline and Punish. Despite some efforts to curb the tide of data collection， advanced privacy protection measures are rarely employed by individuals， leaving them exposed to these evolving data dynamics[10]. As a result， in order to adapt to the new characteristics of medical institution data in the era of big data， it is essential to identify privacy interests on a group dimension in a scientific manner and， when necessary， adjust relevant compliance regulations. This involves establishing dynamic data compliance operational processes through a tiered and categorized approach.

2.2.3 Focusing on the Scientific Prevention of Data Security Risks

The sensitivity of data is highly dependent on specific application scenarios and their relationships with other information， individuals， decisions， and actions， rather than the categorization of the data[11]. The security risks associated with medical institution data primarily center around the aspect of data leakage， encompassing two main categories： （1） Concerning internal risks， they typically result from vulnerabilities in the corresponding information security management systems， leading to unauthorized actions by internal personnel within healthcare institutions or related organizations. According to the Cost of Insider Risks Global Report （2023）， published by the Ponemon Institute， there has been a noticeable increase in the number of incidents related to insider threats in the past two years. Among these incidents， 55% were attributed to employee negligence， and the average annual cost to remediate these incidents was $7.2 million. 25% were associated with internal criminal activities， and 20% resulted from employee credential theft. Following the occurrence of insider threat incidents， a series of subsequent activities are required， including monitoring， investigation， permission upgrades， incident response， containment， post-analysis， and remediation. Such activities result in substantial expenditures[12]. Additional research indicates that as many as 73.6% of surveyed healthcare professionals have access to the login passwords of others in the Electronic Health Record （EHR） system， and many have access to more than one individual's credentials[13]. （2） Regarding external risks， they broadly refer to data security risks that arise from external intrusions or breaches. Due to the high precision and identifiability of medical institution data， its potentially significant value often makes it a target for malicious actors， leading to frequent incidents of hacking attacks. Certainly， when medical institutions collaborate with third-party organizations， external risks related to data may also arise. For instance， internet hospitals often operate through collaborations between healthcare institutions （providing online medical personnel） and third-party organizations （providing online platforms）. When utilizing technologies such as artificial intelligence， big data， the Internet of Things， and cloud computing for the management of medical institution data， there is a possibility that due to insufficient authorization permissions， inadequate control measures， or deficiencies in the technical support level of systems and platforms， there could be unauthorized access to or improper disclosure of patient-related data.

3 Practical Examination of Medical Institution Data Compliance at Home and Abroad

3.1 Analysis of International Practices： Taking the United States， Japan， and the European Union as Reference

In the United States， medical institution data compliance is primarily regulated under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 （HIPAA）. This act is fundamental in the field of healthcare in the United States and aims to promote innovation， simplify and reduce administrative costs， and strengthen the protection of individuals' privacy data in the healthcare sector. By specifying particular behavioral patterns and operational procedures， the United States is one of the leading countries in healthcare data security in terms of legislation[14]. Furthermore， against the impact of the COVID-19 pandemic， the U.S. Department of Health and Human Services （HHS） issued a proposed rule revision to the HIPAA Privacy Rule in 2020. The aim was to respond effectively to public health emergencies while strengthening data sharing in healthcare collaboration and individual medical record management， all while ensuring the privacy of personal medical data. The proposed revisions aimed to enhance the flexibility of medical data disclosure and reduce administrative burdens for entities subject to HIPAA[15]. In essence， the entities subject to the HIPAA Privacy Rule， also known as Covered Entities， primarily include health plans （typically individuals or groups that provide healthcare services or pay healthcare expenses）， healthcare information processing organizations， healthcare providers transmitting health information， and their corresponding business associates. This regulation provides a detailed and stringent set of norms regarding the use and disclosure of health information， particularly establishing a series of punitive clauses that enhance its operability. Health enforcement agencies， relying on these regulations， can determine the legal nature of specific actions， the extent of harm caused， and， consequently， the amount of compensation for damages[16].

In contrast to the United States， Japan's regulation of medical institution data employs a model that combines basic laws with specialized legislation[17]. Japan outlines， in one of its basic laws， the Act on the Protection of Personal Information （APPI）， the fundamental principles for the protection of personal information. The Act classifies the majority of data from medical institutions， including medical records， health diagnostics， and examination results， as "sensitive personal information" requiring enhanced protection. If such information is to be provided to others， confirmation， recording， and preservation of the process are mandatory[18]. It is noteworthy that if all medical institution data were subject to the aforementioned strict control model， it could potentially restrain the utility of such data， impeding the sustainable development of the digital economy. To address this， Japan has introduced a specialized law， the Next-Generation Medical Infrastructure Law （also known as the Healthcare Big Data Act）， specifically to regulate the appropriate use of medical institution data. Article 1 of this law explicitly states its legislative purpose： To promote research and development in the medical field， as well as the creation of new industries， thereby contributing to the formation of a society characterized by health and longevity. In this legislation， provisions concerning the anonymous processing of medical information constitute a focal point of the law④. Through anonymous processing， the individual identification characteristics of medical data can be eliminated. Subsequently， universities， research institutions， and enterprises can utilize such data for research and development activities， thereby maximizing the economic and social value of medical data[19].

Reference can also be made to the relevant legislation of the European Union. On January 11， 2024， the Regulation on Harmonized Rules on Fair Access to and Use of Data （hereafter referred to as the Data Act） officially came into effect to accommodate the increasing value of data flows and utilization. It remedies the bias of the Data Governance Act （DGA）， building on the General Data Protection Regulation （GDPR） to provide broader rules that apply to all data， including medical institution data. The impact of the Data Act on medical institution data compliance mainly includes the following aspects： First， the Data Act essentially expands the user's data control and realizes the dynamic protection of personal information in the flow of data， e.g.， by giving users access to IT data， which could serve as a further continuation and enhancement of the right to data portability under the GDPR. Second， the Data Act imposes strict liability requirements on data holders. For example， a data holder shall not discriminate regarding the arrangements for making data available between comparable categories of data recipients， including partner enterprises or linked enterprises of the data holder， when making data available. Third， the Data Act introduces a series of safeguards against unlawful third-party access to non-personal data. For example， the third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder that is designed to protect the data in order to obtain access to the data. Fourth， the Data Act stipulates that measures should be taken to remove obstacles to effective switching， such as the gradual withdrawal of switching charges. All parties involved， including destination providers of data processing services， shall cooperate in good faith to make the switching process effective， enable the timely transfer of data， and maintain the continuity of the data processing service. Fifth， the Data Act provides essential requirements regarding the interoperability of data， data sharing mechanisms， and services， as well as of common data spaces. Sixth， Chapter V of the Data Act sets out the obligations of data holders to provide data， including the relevant metadata necessary to interpret and use those data， to the European Union public sector bodies based on an exceptional need， such as where the data requested is necessary to respond to a public health emergency and the public sector body is unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.

3.2 Analysis of Domestic Practices

This paper only enumerates some of the relevant provisions from key laws and regulations. At the legislative level： The Cybersecurity Law is the first to elevate the protection of network information security to a legal level; the Basic Medical and Health Care Law explicitly prohibits illegally leaking， collecting， using， processing， transmitting， trading in， providing， or disclosing citizens' personal health information and imposes strict legal liability for such acts; the Civil Code clarifies that personal information should be legally protected and sets out the principles and conditions for processing personal information; the Data Security Law specifies that health and other relevant departments bear the responsibility for data security supervision in their respective industries and fields， and mandates the establishment of a comprehensive data security governance system to enhance data security capabilities; The Personal Information Protection Law establishes the "inform-consent" rule as the core of personal information processing， marking the beginning of an era of stringent state supervision for the protection of personal information. At the regulatory level， the National Health Commission issued the National Standards and Norms for Hospital Information Construction （for Trial Implementation）， which defined the content and requirements of hospital information system construction and proposed technical mechanisms for protecting data security. The Office of the Central Cyberspace Affairs Commission released the Notice on Personal Information Protection and Utilization of Big Data to Support Joint Prevention and Control， which stipulated the minimum scope principle for the collection of epidemic information and the purposes for which the collected personal information can be used.

Objectively speaking， there are certain shortcomings in the current regulations in China regarding medical institution data compliance. These shortcomings are primarily evident in several aspects： First， to date， there has been no specific legal or regulatory issuance dedicated to the compliance of medical institution data. This results in medical institutions and related enterprises and institutions facing challenges during data compliance management， such as determining the scope of sensitive personal information and understanding how to de-identify such information， including the objectives， principles， techniques， models， processes， and organizational measures for de-identification， without reference to or direct applicability of legal foundations. Second， the supervision of medical institution data compliance still primarily focuses on post-event monitoring， overlooking preemptive and concurrent data risk prevention. Third， the methods for assuming responsibility and relief measures for non-compliance with medical institution data obligations are relatively limited. Currently， judicial practices mostly adopt the principle of responsibility for data collectors， with administrative responsibility being the primary form of liability.

4 Basic Concepts of Medical Institution Data Compliance

4.1 Protecting Personal Interests： The Logical Starting Point of Medical Institution Data Compliance

Medical institution data often possesses a strong personal character; hence， traditional data compliance models are built upon the foundation of individual-centric concepts. In protecting individual data rights， the law also fully respects the data subject's right to self-determination， emphasizing the individual's exclusive rights to their data. Without the person's informed consent， others are not permitted to collect， process， or use such data[20]. This means that the data subject is the focal point in the information value chain. Drawing on the relevant provisions of the Data Act， it is possible to explore the circulation and transaction system of data elements， focusing on the user's right to access IoT data and the user's right to data portability， to strengthen the individual's right to control and autonomy over the medical institution's data， and to scientifically build a system of rights and responsibilities for data sharing. In this situation， the data processor is viewed as the primary responsible party for personal data protection， required to fulfill legal obligations such as data security assurance and compliance management， thereby realizing the defensive function of individual data rights. After all， the biggest victim of personal information leakage is the infringement of ordinary citizens' rights to privacy[21].

In practice， diverse entities have varying needs for the utilization and protection of medical institution data. For patients engaged in diagnosis and treatment activities at medical institutions， as well as users of smart medical applications， the medical data involved typically consists of highly confidential personal data， some of which may even pertain to sensitive data or privacy. Therefore， such subjects have a high demand for autonomous control over their medical data. They often refuse to make it publicly available， preferring to keep it in closed possession. Even for medical welfare purposes， they tend to favor strict behavioral regulatory norms for the compliance of medical institution data. This emphasizes that data processors must adhere to high-standard compliance management norms when transmitting and sharing relevant data， thereby protecting the individual's data security. In contrast， medical institutions， when diagnosing complex diseases or conducting medical research， require access to a vast pool of medical data， using ample sample data as a foundation for scientific research. Additionally， many pharmaceutical companies， in the process of product development or iterative updates， also need to collect， mine， analyze， and assess massive amounts of medical data， which is essential for driving technological innovation effectively in the medical field[22]. Even government agencies， in order to formulate scientifically sound and reasonable public health policies， require access to medical big data as a basis for the rationality and legitimacy of their policies. Hence， finding a balance between protecting the individual interests of medical institution data subjects and meeting the objective needs for the development and utilization of medical institution data has become the key focus and challenge in data compliance for medical institutions[23].

4.2 Safeguarding Public Interests： Key Considerations in Medical Institution Data Compliance

The social-centric approach views society as the logical starting point and serves as a correction to the individual-centric concept， where individuals have absolute control over medical data. Its purpose is to balance the interests of diverse entities while achieving an organic unity between individual interests and societal interests. For example， according to Article 13 of the Personal Information Protection Law， in response to sudden public health emergencies or urgent situations necessary to protect the life， health， and property safety of natural persons， personal information processors can process relevant information without the individual's consent. While this provision does， to some extent， limit individual control over medical data， it effectively achieves the prevention and control of public safety risks. In essence， it represents an expansion of the scope of individual consent and reflects the private， market， and societal public attributes of medical institution data. It also underscores the prioritized position of public interest in the value hierarchy of interests.

Scholars like Sch?nberger have pointed out that we should shift from the data protection models of the past， which were prevalent in the era of small data， to emphasize the legal responsibilities that data collectors and users should bear for their data processing activities[24]. This implies that in the construction of data compliance for medical institutions， in addition to adhering to the social-centric "meta-philosophy"， it is also necessary to scientifically understand the legality and appropriateness boundaries of data utilization. Only by doing so can we establish a favorable ecosystem for the orderly development and utilization of medical institution data. Specifically， attention should be given to the following aspects： First， the collection entities of medical institution data must have corresponding legal qualifications. Unless otherwise justified by clear legal reasons， data protection rules that require informed consent should be applied. Second， not all medical institution data are related to personality. Data that lacks personal attributes and is of little importance can be classified as part of the social public domain. Individuals do not have exclusive control over such data， and others can freely collect， process， and utilize it. Third， the emphasis on medical institution data compliance should shift from the past focus on the informed consent mechanism during the data collection stage to the construction of mechanisms for risk assessment， regulation， and accountability during the data usage stage. Fourth， in the era of big data， the collection and utilization no longer involve isolated individual pieces of medical institution data but rather vast amounts of medical institution data from unspecified individuals. The interests at stake are no longer limited to the personal interests of data subjects but also extend to the financial interests of data processors. It may even be related to the high-quality development of the digital healthcare industry and the economy as a whole. Fifth， the use of medical institution data should adhere to the basic principles of necessity， minimization of harm， and purpose limitation. It should involve careful disclosure or sharing of personal medical data and the prior implementation of de-identification and anonymization measures to protect the legitimate rights and interests of data subjects.

4.3 Emphasizing the Concept of Trust： A Beneficial Addition to Medical Institution Data Compliance

According to the concept of trust， there is a mutual and trust-based relationship between data subjects and data processors. It is a stable legal relationship built upon trust and the sharing of personal data[25]. Such a relationship of trust includes both the data subject's tolerance for data risks and the fiduciary duty that data processors should bear. In the era of big data， presuming personal medical data can easily end up being misused and violated will result in data subjects gradually losing control over their data. However， based on the trust relationship， data processors are expected to actively fulfill their duties of loyalty and diligence， ensuring that their data usage aligns with the reasonable expectations of data subjects arising from the trust. Introducing the concept of trust into medical institution data compliance has four benefits： Firstly， it can alleviate the tense adversarial relationship between data subjects and data processors， enhance mutual trust and dependence， effectively reduce and prevent potential ethical risks， and proactively resolve future data rights disputes at their source. Secondly， by imposing the fiduciary duty on data processors， they can be encouraged to proactively take various substantive and procedural measures to protect medical institution data and disclose it in a timely manner. This allows data subjects to stay informed about the true state of data governance and risk control. Thirdly， the fiduciary duty assumed by data processors is a legal obligation that cannot be arbitrarily excluded through private agreements[26]. Last but not least， under the trust-based approach， data processing actions that violate the duty of diligence and good faith can be pursued by data subjects even when the extent of harm is uncertain.

5 Optimizing the Path to Medical Institution Data Compliance

5.1 Compliance with Informed-Consent Obligations for Medical Institution Data Processing

The act of collecting medical institution data essentially involves separating the data from the independent control of the source subject， underscoring its significance. At this stage， what is involved is not only the data actively provided by the data subject but also data generated through interaction with mobile medical application users or through automated collection processes. According to Article 33 of the Personal Information Protection Law， such collection activities should ideally obtain separate consent from the data subject beforehand， yet the outcomes in practice often fall short of expectations. For instance， mobile medical applications typically inform users about data collection through privacy agreements or statements displayed during software registration. However， users often skip reading these terms in detail， habitually opting directly to check the box to agree. If the aforementioned process is deemed sufficient for data collectors to fulfill their notification obligations and thus exempts them from corresponding legal responsibilities， it would be extremely detrimental to privacy protection and data security. When fulfilling the obligation of notification， collectors of medical institution data should inform the data subject at a prominent location and in clear， unambiguous language about the name and contact details of the data collector， the types and purposes of the collected data， the duration of data retention， and other relevant information. Additionally， they must ensure the authenticity， accuracy， and completeness of the stated matters. Moreover， when the collected medical institution data constitutes sensitive personal information， collectors must explicitly inform the data subject of the necessity and legitimacy of the collection activity and how it might impact their rights and interests. Certainly， collectors of medical institution data must also consider that data subjects （such as children or adults with intellectual disabilities） might vary in terms of intelligence， and therefore， a one-size-fits-all approach to informed consent is not appropriate.

The use of medical institution data generally refers to all operational processing activities other than data storage and destruction， which include， but are not limited to， data analysis， mining， application， and trading. Engaging in such activities is typically based on the purposes or uses set at the time of data collection. In the event of any deviation， it is necessary to notify the data subject separately and obtain their consent. Moreover， the relevant data must undergo a de-identification process before use. It should be noted that when developing and utilizing a vast amount of publicly available personal medical institution data， if the approach of obtaining absolute individual consent is still adopted， it will significantly increase the cost of medical institution data compliance， contrary to the principle of efficiency[27]. In this regard， Japan's practices provide valuable experience： in addition to adhering to the rule of separate consent for the use of medical institution data， there are also exceptions that allow for simplified and exempted informed consent. As for China， it is recommended to provide advance notification and offer data subjects the right to opt-out. Advance notification can be carried out through one-on-one communication or public announcements， ensuring that the data subjects are aware of their right to opt-out. If they do not express refusal， it can be presumed to be consent. Without undergoing the aforementioned advance notification procedure， no organization or individual should be permitted to use medical institution data.

5.2 Clarifying the Scope of Collection and Use of Medical Institution Data

The scope of the collection and use of medical institution data should align with the basic requirements of the minimization principle. The minimization principle refers to the concept that when third parties other than the data subject process data， regardless of purpose， they should protect the rights of the data subject to the greatest extent possible， thereby minimizing harm to the data subject. The U.S. HIPAA Privacy Rule mandates that covered entities make reasonable efforts to establish internal rules and regulations to ensure that the use and disclosure of data meet the minimum necessity requirements， minimizing the impact on the concerned parties. Moreover， these entities are permitted to use and disclose protected health information only upon obtaining authorization from the data subject or when it falls within the minimum necessary scope as described in the Privacy Rule. When applying the minimization principle， unless the covered entity can provide a reasonable justification for the need for the entire record， the use and disclosure of a person's entire medical record are not permitted⑤. The data minimization principle of the European Union mandates that the data collected and processed by data controllers must be directly and sufficiently relevant to the processing purpose. It should be necessary for conducting business and providing services. An assessment must be conducted prior to the commencement of the collection activity to evaluate whether the personal data being collected is suitable and reasonably aimed at achieving a specific purpose. Such assessment then determines the amount and scope of data to be collected， strictly prohibiting the collection of unnecessary data. If there is a need to change the purpose of data collection， the relevant individuals must be notified again to obtain their consent.

In China， Article 1035 of the Civil Code and Article 5 of the Personal Information Protection Law explicitly state that the collection and processing of personal information must adhere to the principles of legality， legitimacy， necessity， and honesty. Furthermore， it is prohibited to process personal information excessively or through misleading， fraudulent， or coercive means. The aforementioned provisions essentially represent the Chinese interpretation and application of the minimization principle. Specifically in the healthcare sector， the collected medical institution data must be directly associated with providing medical services or conducting medical research， and the absence of such data would impede the achievement of set goals. The data collected via mobile medical applications should be of the minimum type and amount necessary to fulfill the functions of the application. Additionally， it is important to clarify that typical violations of the minimization principle include， but are not limited to： collecting medical institution data irrelevant to medical purposes; refusing or restricting basic service functions to mobile medical application users who disagree to provide non-essential information， thereby coercing them to provide relevant medical institution data; using medical institution data beyond the informed consent of the data subject; compelling data subjects to grant a "blanket authorization" or "one-time authorization for multiple/chain uses"， etc.

It is also crucial to emphasize that when using medical institution data， consideration must be given to potential harms and impacts on public interest and national security. Moreover， based on the importance and risk level of the data， it should be classified into five levels according to the Security Guidelines： （1） medical institution data that can be publicly used， such as the name， address， and phone number of a medical institution， which can be easily obtained via online platforms; （2） medical institution data that can be shared within a relatively broad range， such as data that cannot be identified as belonging to a specific individual， which can be used for analysis and research by doctors in different departments after approval; （3） medical institution data that can be shared within an appropriate range， such as partially de-identified data that might still be re-identified， which can only be used with authorization; （4） medical institution data that can only be shared within a limited scope， such as data that can directly identify an individual， which can only be accessed by relevant medical professionals; （5） medical institution data that can only be shared under very limited conditions and strict restrictions， such as data about specific diseases （e.g.， HIV/AIDS， sexually transmitted diseases， COVID-19）， which should only be accessible by healthcare personnel in charge and must be strictly controlled.

5.3 Strengthening the Standardized Use of Relevant Technical Measures

Advancing medical institution data compliance largely depends on extending compliance management mechanisms to the technical level. It means that technologies employed in the data collection process of medical institutions， such as web crawlers， artificial intelligence， blockchain， etc.， should meet corresponding compliance requirements. In China， technical measures are a crucial component of the compliance management system for medical institution data. It is necessary to adopt the concept of "RegTech" （Regulatory Technology）， which asks for embedding data security needs directly into the earliest stage of technology operation （i.e.， the design phase） and making it the default rule in each technical aspect rather than applying relevant legal rules only after problems arise[28]. It implies that， when collecting medical institution data through systems like data acquisition systems and mobile medical applications， it is necessary to employ technical means to restrict the process， preventing covert， excessive， and coercive collection. We should know that the more complex the data environment， the greater the likelihood that technical parties will legally circumvent constraints put in place. The objective is to indirectly maximize their interests， often at the expense of social and public interests. Consequently， when configuring software systems for particularly sensitive data （such as family medical history or genetic test results） collection authorization procedures， a dynamic authorization mechanism can be applied， where an authorization dialog box should pop up immediately for each category of sensitive information being collected. Besides， default and pre-selected options should be disabled， which aims to respect the autonomy of users allowing them to choose manually whether to grant data processors permission to collect data of interest.

Let's not forget the technical de-identification measures employed during the collection of medical institution data. De-identification should not be solely regarded as a technical process to ensure data security but also as a systematic measure[29]. It focuses on individuals and utilizes techniques such as statistical methods， encryption， suppression， pseudonymization， generalization， randomization， and data synthesis to replace personal identifiers in the data while still retaining the granularity of the individual. Article 73 of the Personal Information Protection Law stipulates de-identification. It's worth reminding ourselves that there is an obvious difference between de-identification and anonymization. Anonymization offers a higher degree of protection for personal privacy and data security than de-identification. Once personal data is anonymized， it becomes impossible to re-identify the specific natural person， and the process is irreversible. In contrast， de-identification reduces the distinguishability of data in a dataset， making it unable to be linked to a specific individual. In practice， a threshold is often set， requiring that the data correspond to a number of people exceeding such a threshold. Additionally， personal identifiers need to be separated from other information to maintain data privacy.

It is also worth mentioning that the Data Act has formulated a series of compatibility rules regulating the use of technical measures， including the implementation of standard contracts and the promotion of technical specifications for interoperability. In this regard， China needs to learn from this and actively advocate the construction of technical standards for the flow of medical institution data， strengthen technical interconnection， and enhance the interoperability and security of relevant data. Only by breaking down the technical barriers to the flow of medical institution data can we accelerate the development and utilization of such data， build an efficient， standardized， and secure data factor market， and ultimately promote the high-quality development of China's health industry in a comprehensive manner.

5.4 Establishing a Comprehensive Legal Responsibility System for Medical Institution Data Compliance

First of all， when determining liability for infringement of medical institution data， it's crucial to apply the principle of presumed fault responsibility. Compared to entities with greater economic and technological resources and actual control over the compliance obligations of medical institution data， individuals often find themselves in a weaker， passive， and disadvantaged position. Infringements involving data are often concealed in nature， making it difficult and costly for individuals to gather evidence. Sometimes， it's even challenging to ascertain the nature and extent of the losses incurred. Therefore， in cases of infringement of medical institution data， the allocation of the burden of proof should be biased in favor of the data subject to truly protect their legal rights and achieve fairness and justice， as usually pursued by the law. It is noteworthy that Article 69， Paragraph 1， of the Personal Information Protection Law has already explicitly stipulated the application of the presumed fault responsibility principle at the legal level.

Second of all， in certain cases， proper fulfillment of medical institution data compliance obligations can serve as a basis for reducing or exempting legal liability. In March 2020， the Supreme People's Procuratorate of China began implementing pilot reforms for corporate compliance in criminal cases， which represents a highly innovative reform in the criminal justice system[30]. In judicial practice， "leniency for compliance" mainly applies to the following situations： （1） if a compliance entity has established an effective data compliance management system when the entity is suspected of a crime， its criminal liability can be reduced or exempted， and only the criminal liability of the directly responsible individuals will be pursued; （2） if a compliance entity has not established or has an incomplete data compliance management system and the entity is suspected of a minor crime， it can request public security organs， procuratorates， or courts to impose lenient or reduced penalties by committing to establish or improve the data compliance management system promptly. After the grace period， if the data compliance management system is assessed as effective， the entity can receive lenient or reduced penalties.

6 Conclusion

In the digital era， safeguarding privacy and ensuring data security have emerged as formidable challenges for medical institutions and concerned entities. To navigate this landscape successfully， a practice-oriented approach to comprehensive medical institution data compliance is imperative. This approach underscores the proactive adherence of relevant stakeholders to applicable laws and regulations across the entire data lifecycle， encompassing data collection， utilization， processing， transmission， and disposal. For instance， compliance stakeholders must categorize medical institution data （e.g.， personal identity data， medical records and financial information） for improved management and protective measures. Establishing robust data protection measures， such as encryption， backup protocols， and access control， is crucial to preserving data security and integrity. Regular training of data personnel is important to ensure their awareness of data compliance policies and proper data handling. Conducting routine internal audits and risk assessments fosters a data compliance culture and preemptive risk mitigation. It is essential to acknowledge that effective data compliance is pivotal in striking a harmonious balance between facilitating the efficient utilization of medical institution data and safeguarding the legitimate rights and interests of data subjects.

Reference：

[1] China Academy of Information and Communications Technology. Research report on the development of China's digital economy（2023） [EB/OL]. （2023-04-27） [2023-11-11]. http：//www.caict.ac.cn/kxyj/qwfb/bps/202304/P020230427572038 320317.pdf.

[2] PRICE W N， COHEN I G. Privacy in the age of medical big data[J]. Nature Medicine， 2019， 25（1）： 37?43.

[3] LI H Q. Major privacy breach： global medical data breach of massive scale， dark web value exceeds one billion， involving China [EB/OL]. （2019-09-20） [2023-11-16]. https：//www.sohu.com/a/342182951_161795.

[4] CHEN M， ZHOU B， XIAO S F. Health and medical big data： security and management[M]. Beijing： People's Medical Publishing House， 2020： 16?18.

[5] HE N， HU R W. Research on regulation of big data flowing and sharing in clinical research[J]. Science Technology and Law， 2019（6）： 49?50.

[6] NING X F， WU H， DAN X Z， LI H H. Emphasizing both development and compliance management in medical big data[J]. Shanghai Legal Studies， 2020（13）： 244.

[7] GAO Y L， XU Y J. Studying on the legal issues and countermeasures of health care data using in public health security[J]. China Health Service Management， 2021， 38（12）： 919.

[8] XIANG L L， WANG H. Comparison of personal healthcare data protection standards between China and foreign countries[J]. Information Studies： Theory & Application， 2022， 45（3）： 193.

[9] LIU S G， XIONG J W. Group dimension of privacy in health and medical care big data[J]. Legal Forum， 2019， 34（3）： 126.

[10] MADDEN M， RAINIE L. Americans' attitudes about privacy， security and surveillance [EB/OL]. （2015-05-20） [2023-11-19]. https：//www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/.

[11] Nuffield Council on Bioethics. The collection， linking and use of data in biomedical research and health care： ethical issues [EB/OL]. （2015-02-03） [2023-11-19]. https：//www.nuffieldbioethics.org/wp-content/uploads/Biological_and_health_ data_ web.pdf.

[12] Ponemon Institute. Cost of insider risks global report 2023 [EB/OL]. （2023-10-14） [2023-11-22]. https：//ponemons ullivanreport.com/2023/10/cost-of-insider-risks-global-report-2023/.

[13] WU S N. 70% of medical staff have access to others' passwords， electronic medical records security sparks controversy [EB/OL]. （2017-10-23） [2023-11-20]. https：//www.sohu.com/a/199522687_452205.

[14] HOFFMAN S. Electronic health records and medical big data[M]. Cambridge： Cambridge University Press， 2016： 79.

[15] DAVIS J. HHS proposes HIPAA privacy rule changes， improving right of access [EB/OL]. （2020-12-10） [2023-11-20]. https：//healthitsecurity.com/news/hhs-proposes-hipaa-privacy-rule-changes-improving-right-of-access.

[16] CAI H W， GONG S H. A study on references to the protection of patient privacy rights of HIPAA[J]. Journal of University of Chinese Academy of Social Sciences， 2017（5）： 117?118.

[17] LI H M， CHEN G. On conflict and balance between data-driven innovation and personal information protection-a study of Japan's medical data regulation experience[J]. Bulletin of Chinese Academy of Sciences， 2020， 35（9）： 1145.

[18] MIZUMACHI M. Personal information protection law[M]. Tokyo： Labor Administration， 2017： 61.

[19] LI R S. On the mechanism of anonymization of personal medical information-with the relevant provisions of personal information protection law[J]. SJTU Law Review， 2022（4）： 122.

[20] CHEN Q W， NIE L F. Idea change and system construction of personal information protection in China in the era of big data[J]. Changbai Journal， 2021（4）： 84?85.

[21] JIN Y P. The investigation and analysis report on personal privacy data leakage in the era of big data[J]. Journal of Tsinghua University （Philosophy and Social Sciences）， 2021， 36（1）： 198.

[22] SHI X W. The rights construction of the beneficial adjustment framework of medical big data[J]. Medicine and Society， 2022， 35（1）： 51.

[23] LONG K Y. The situation and response of reflexive modernization of the rule of law in public health[J]. Administrative Law Review， 2023（6）： 110.

[24] MAYER-SCH?NBERGER V， CUKIER K. Big data： a revolution that will transform how we live， work， and think[M]. translated by SHENG Y Y， ZHOU T. Hangzhou： Zhejiang People's Publishing House， 2013： 220.

[25] SARAT A. A world without privacy： what law can and should do？[M]. Cambridge： Cambridge University Press， 2015： 33.

[26] WU H. Personal information use and protection under the concept of trust[J]. ECUPL Journal， 2018， 21（1）： 35.

[27] MAN H J， GUO L L. Protection of personal health information in wearable devices-concentrating on the consent[J]. Legal Forum， 2023， 38（2）： 126.

[28] RUBINSTEIN I， GOOD N. Privacy by design： a counterfactual analysis of Google and Facebook privacy incidents[J]. Berkeley Technology Law Journal， 2013， 38（2）： 1335.

[29] GAO F P. Institutional foundation of personal information sharing-from the perspective of information identifiability[J].Global Law Review， 2022， 44（1）： 94.

[30] LIU Y H. Corporate compliance in China： systematic legislation in civil and criminal law[M]. Beijing： Law

Press， 2022： 1.

變遷與調(diào)適：醫(yī)療機(jī)構(gòu)數(shù)據(jù)合規(guī)的法治因應(yīng)

龍柯宇

摘 要：醫(yī)療機(jī)構(gòu)數(shù)據(jù)合規(guī)是數(shù)字社會的外生產(chǎn)物，也是維系和平衡數(shù)據(jù)保護(hù)與數(shù)據(jù)共享、個人利益與公共利益之間關(guān)系的重要途徑，對于健康中國戰(zhàn)略的實施具有重大現(xiàn)實意義。實踐中，醫(yī)療機(jī)構(gòu)數(shù)據(jù)囊括了診療前收集的個人身份識別數(shù)據(jù)、診療中產(chǎn)生的臨床醫(yī)療數(shù)據(jù)、公共衛(wèi)生管理中收集的醫(yī)療數(shù)據(jù)、日常生活中產(chǎn)生的潛在醫(yī)療數(shù)據(jù)等主要樣態(tài)。在全面推進(jìn)中國式現(xiàn)代化的新征程上，應(yīng)明晰從個人本位向社會本位的價值轉(zhuǎn)向，凸顯信賴?yán)砟畹难a(bǔ)強(qiáng)作用，以數(shù)據(jù)利用的最小化原則為指南，著眼于后疫情時代醫(yī)療機(jī)構(gòu)數(shù)據(jù)的新發(fā)展和新變化。與此同時，通過履行告知同意義務(wù)、明確數(shù)據(jù)收集和使用范圍、強(qiáng)化相關(guān)技術(shù)措施的規(guī)范使用、健全數(shù)據(jù)合規(guī)法律責(zé)任體系等一系列舉措，建構(gòu)出一套靈活且高效的醫(yī)療機(jī)構(gòu)數(shù)據(jù)合規(guī)體系。

關(guān)鍵詞：醫(yī)療機(jī)構(gòu)數(shù)據(jù)；隱私保護(hù)；數(shù)據(jù)安全；合規(guī)治理

Author Profile： Long Keyu， from Chengdu City of Sichuan Province， Ph.D.， Associate Professor， Research Fields： Civil and Commercial Law， Medical Law.

① The term "medical institution data compliance" in this paper means that the processing activities of medical institution data should comply with relevant laws and regulations， business rules and ethical norms， so as to protect personal privacy， as well as the security， integrity and availability of data， to promote the legitimate development and utilization of the value of the data， and to safeguard national sovereignty， security and development interests.

② When domestic medical institutions， driven by intentional or gross negligence， fail to adhere to restrictive regulations governing the transmission of medical data and unlawfully transfer relevant data abroad （such as infectious disease outbreak data or genetic mapping data）， foreign governments can utilize data analysis to understand the political， economic， social， and cultural conditions of China， thereby posing a significant threat to our national security.

③ Statistical data indicates that as of June 2023， the users of Internet-based medical services in China amounts to as high as 364 million， an increase of 1.62 million compared to December 2022， accounting for 33.8% of the overall netizen population. See China Internet Network Information Center. China Internet Development Status Statistical Report （52nd Edition）. https：//cnnic.cn/n4/2023/0828/c199-10830.html.

④ To ensure the smooth implementation of the anonymous processing of medical information， the law imposes a series of legal obligations on entities engaged in the anonymous processing of personal medical information. These obligations include the duty to process information appropriately， ensure its security， disclose information as required， and prohibit re-identification. According to the provisions under the provision of anonymously processed medical information section of the law， specific methods of anonymous processing include removing descriptions that can identify specific individuals， erasing personal identification symbols， eliminating symbols between linked information， and deleting unique descriptions， among others.

⑤ Under the HIPAA Act， the minimization principle does not apply in the following scenarios： 1. disclosures to healthcare providers for treatment; 2. disclosures to the patient themselves; 3. uses or disclosures made under the patient's authorization; 4. uses or disclosures required by law; 5. disclosures to the Department of Health and Human Services （HHS） for investigation， compliance reviews， or enforcement actions.