Accepted for/Published in: JMIR mHealth and uHealth
Date Submitted: Dec 1, 2023
Date Accepted: May 22, 2024
Warning: This is an author submission that is not peer-reviewed or edited. Preprints - unless they show as "accepted" - should not be relied on to guide clinical practice or health-related behavior and should not be reported in news media as established information.
Health and Medical Information Protection of Internet Hospital Apps in China: Scale Development and Content Evaluation of Privacy Policies
ABSTRACT
Background:
Internet hospital apps have been adopted in many countries, especially during the COVID-19 pandemic, to provide a range of medical services and enhance their accessibility. China has encouraged the construction of internet hospitals since the first internet hospital was established in 2015. However, growing concerns about personal information (PI) and strict legal compliance requirements make a privacy assessment of these apps necessary.
Objective:
We aimed to evaluate how well the privacy policies of internet hospital apps in mainland China comply with the Personal Information Protection Law (PIPL) and the related specifications and rules for internet hospitals.
Methods:
We searched for and obtained 59 internet hospital apps on November 7, 2023. We then reviewed the 52 privacy policies that were available between November 8 and 23, 2023. In addition, we developed a three-level indicator scale based on the information life cycle as set out in the PIPL and the related specifications and rules for internet hospitals. The scale comprised 7 level-1 indicators, 26 level-2 indicators, and 70 level-3 indicators.
Results:
The mean compliance score of the 52 assessed apps was 73.0/100 (SD=22.4%). While 36 apps scored above the average, 16 fell below it. The level-1 indicators were ranked from highest to lowest score as follows: general attributes (mean 92.1%, SD=16.5%); PI collection and usage (mean 81.5%, SD=17.9%); PI sharing, transfer, disclosure, and transmission (mean 75.0%, SD=25.2%); PI storage and protection (mean 71.5%, SD=30.7%); individual rights (mean 68.4%, SD=31.5%); PI deletion (mean 64.7%, SD=34.8%); and PI processors' duties (mean 59.4%, SD=28.4%). Compliance with sensitive PI protection (mean 73.9%, SD=24.2%) lagged behind general PI protection (mean 90.4%, SD=14.7%), with only 12 apps requiring separate consent for processing sensitive PI (mean 73.9%, SD=24.2%). Most apps were in line with the rules for public disclosure (mean 93.3%, SD=24.1%), PI sharing and transfer (mean 77.5%, SD=30.0%), and cross-border transmission (mean 71.2%, SD=43.1%). Moreover, although most apps (n=41, 78.8%) committed to supervising their subcontractors, only a quarter (n=13, 25.0%) required users' explicit consent for subcontracting activities. Concerning PI storage security (mean 71.2%, SD=29.3%) and incident management (mean 71.8%, SD=36.6%), half of the assessed apps (n=27, 51.9%) committed to bearing the corresponding legal responsibility, while fewer than half (n=24, 46.2%) specified the security level obtained. Most privacy policies stated the PI retention period (n=40, 76.9%) and the instances of PI deletion or anonymization (n=41, 78.8%), but fewer apps (n=20, 38.5%) committed to prompting third parties to delete PI. Most apps delineated various individual rights: the right to inquire about (n=42, 80.8%), correct (n=42, 80.8%), and delete PI (n=42, 80.8%); to cancel their account (n=40, 76.9%); to withdraw or modify consent (n=41, 78.8%); and to request explanations of the privacy policy (n=43, 82.7%).
Only a fraction addressed the right to obtain copies (n=22, 42.3%) or to refuse advertisements delivered through automated decision-making (n=13, 25.0%). The mean compliance rates for PI processors' handling of users' requests and complaints were 72.9% (SD=35.8%) and 64.7% (SD=40.0%), respectively, while significant deficiencies remained in regular compliance audits (mean 11.5%, SD=37.8%), impact assessments (mean 13.5%, SD=15.2%), and PI officer disclosure (mean 48.1%, SD=49.3%).
Conclusions:
Our analysis revealed both strengths and significant shortcomings in the compliance of internet hospital apps' privacy policies with the PIPL and the related specifications and rules for internet hospitals. As China expands the use of internet hospital apps under the "internet+ healthcare" strategy, it should always ensure users' informed consent for PI processing activities, in particular those involving third-party providers. Meanwhile, China should continue to raise the compliance level of the internet hospital apps' privacy policies and strengthen enforcement across the information life cycle.