  • Liu Xiufang, Dang Chao et al: Information Transparency and Patient Rights: From Privacy Policies to Automated Decision Making - Healthcare Big Data Compliance Series (V)

    Release Time:2025-06-24

    Today's healthcare services are becoming increasingly digitalised: patient-doctor interactions are no longer limited to face-to-face consultations or paper medical records, and various online consultation and AI diagnostic platforms have emerged. In this process, letting patients know clearly who collects their personal health data, why it is collected, how it is used, and whether it can be deleted or corrected has become the focus of compliance management. Moreover, with the rise of artificial intelligence, some diagnostic and treatment decisions are being automated by algorithms, making patients' question of 'how the algorithm determines my course of treatment' even more pressing. The GDPR and China's Personal Information Protection Law (PIPL) both require 'good faith and adequate' efforts at transparency and rights protection.

     

    01 Duty to Inform: Privacy Policy and Necessary Notice

     

    Articles 13 and 14 of the GDPR enumerate the detailed information that controllers should provide to data subjects when collecting personal data, including: identity of the processor, contact details, purpose of processing, categories of data, retention period, potential recipients, cross-border transfers, and rights of the data subject. Where sensitive health data is processed, the legal basis or exception clause should also be further explained. The obligation to inform is not limited to paper-based agreements; the privacy statement on the website or app must also be easy to understand and focused.

     

    In the healthcare context, it is common practice for hospitals to publish 'patient privacy notices' and for online platforms to show 'privacy policy pop-ups'. The compliance risk lies in platforms that write long and obscure privacy terms that users cannot realistically understand, or whose actual practice does not match what the policy promises; regulators or courts may then treat such notices as notification in form only.

     

    Articles 17 and 30 of China's PIPL also require processors to give specific notice of 'the necessity of the processing and its impact on the rights and interests of the individual' and to obtain 'separate consent' before collecting sensitive personal information. A medical organisation or commercial health platform that provides diagnostic functions and at the same time wants to collect the user's location history and consumption records should fully explain the purpose, scope and risks in a prominent position, rather than merely mentioning them in general terms in its privacy policy. If the user refuses, the organisation cannot use the refusal as a reason to stop providing basic diagnostic functions, unless the information is necessary for the diagnostic process itself.

     

    02 Exercise of patients' rights: access, rectification and erasure

     

    Articles 15 and 16 of the GDPR and Articles 45 and 46 of the PIPL provide that the data subject (the patient) has the right to consult and obtain a copy of his or her own health data, and to request its correction or supplementation if it is found to be incorrect or incomplete. When a healthcare organisation refuses to cooperate, this may be found to be an infringement of the patient's rights or a violation of the law.

     

    For example, if a patient requests an electronic medical record held by the hospital for a transfer of care or for legal proceedings, the hospital must provide it within a reasonable time. The patient may also request a correction if there is an error in the medical record (e.g. an omitted allergy history). However, the medical field has a statutory record-keeping system: historical diagnostic conclusions cannot be altered at will, and corrections must be recorded in the medical record file as required.

     

    Article 17 of the GDPR and Article 47 of the PIPL both list the circumstances in which an individual may request the deletion of data, such as when the purpose of the processing has been fulfilled, when the data is no longer necessary, or when the processor collected it in violation of the law. When a patient requests the deletion of his or her health information on a platform, the platform should, in principle, comply. However, where other legal requirements apply (e.g. medical records must be kept for x years), the data may be retained for the statutory period.

     

    At the same time, Article 15 of the PIPL stipulates that individuals have the right to withdraw their consent at any time, and that processing carried out on the basis of consent before the withdrawal does not thereby become invalid. For healthcare organisations, if the user withdraws consent to the reuse of his or her data for scientific research or commercial services, the processing should in principle be stopped and the data deleted or anonymised, while the parts necessary for the consultation process itself can still be retained.

     

    03 Automated decision-making and the patient's right to intervention

     

    Article 22 of the GDPR introduces the right 'not to be subject to a decision based solely on automated processing' that has a significant impact on the individual. Article 24 of China's PIPL is even clearer: individuals can demand an explanation from the processor for automated decisions and reject decisions made solely by algorithms. This matters for AI healthcare: if an AI system automatically draws conclusions about a patient's condition and makes major medical decisions based on medical records and images, the patient must have the right to ask for human intervention or review as a safeguard against algorithmic inaccuracy or discrimination.

     

    In fact, in current medical practice, most countries require ‘AI-assisted diagnosis’ to be signed by a qualified doctor. However, with the advancement of technology, if a fully automated ‘AI diagnosis and treatment’ model emerges, how to meet the legal rights of patients to ‘human review’ will become a huge challenge.

     

    For critical automated medical decisions, patients want to know the general rationale or basis of the AI decision, not merely that it is 'reviewable'. Although the GDPR does not expressly provide a 'right to explanation', EDPB guidelines and national practice tend to allow data subjects to obtain 'meaningful information' about the logic involved. In China, although the PIPL does not elaborate on 'explainability', where 'automated decision-making affects a person's significant rights and interests', the platform should at least explain to the patient the types of data relied on, the logic of the algorithm in brief, and the possible consequences.

     

    From the perspective of medical ethics, doctors should also explain to patients the results and rationale of the algorithm's diagnosis, and ensure that patients accept or reject a treatment based on informed consent. If the AI system is too ‘black box’, it not only violates the patient's right to know, but also may result in disputes over efficacy and liability.

     

    04 Practice recommendation: enhancing patient visibility into data processing

     

    To enhance patient visibility of data processing, healthcare organisations and commercial health platforms can take the following steps:

     

    a. Concise and easy-to-understand privacy policy: use an FAQ-style or segmented design so that users can quickly grasp the key points; in particular, show a pop-up notice before health data is collected, rather than burying everything at the end of a long text.

    b. Improvement of rights exercise channels: establish dual online/offline channels for patients to submit access, correction, and deletion requests conveniently, and set up a dedicated person or team to follow up.

    c. Automated Decision Explanation Module: Reserve an ‘algorithm principle’ brief module for key functions such as AI diagnosis or AI recommendation, and provide patients with the option of manual review when necessary.

    d. Scenario-based information: in different functions (e.g. booking, remote consultation, data authorisation for scientific research), provide layered, scenario-specific prompts instead of a single one-time bundle of all 'information'.

     

    Through the above measures, medical institutions and commercial health platforms can gradually build ‘tangible and credible’ information transparency for patients and protect their rights to personal health data. In the long run, this is not only the key to avoiding legal risks, but also the key to winning patients' trust and promoting the sustainable development of digital healthcare.

     

    Special Note:

    This article was originally written by JAVY law firm lawyers and represents the views of the authors only, and should not be regarded as a formal legal opinion or advice issued by JAVY law firm or its lawyers. If you need to reproduce or quote any content of this article, please indicate the source.

