Plain-English answer
The U.S. question is usually narrow: is the organization a covered entity or a business associate, is the data protected health information (PHI), and what contract terms and security controls follow from that role? The China question is broader: what personal information is being processed, whether it counts as sensitive personal information, whether cross-border transfer is permitted and under which mechanism, and whether the processing also triggers cybersecurity, data-security, or sector-specific medical rules.
How the U.S. side works
HIPAA applies to covered entities and business associates, not to every company that touches health-adjacent data. That role-based scope leaves gaps: digital health apps, wellness products, device platforms, consumer services, and analytics vendors may fall outside HIPAA entirely, yet still face FTC enforcement (including the Health Breach Notification Rule, which covers many non-HIPAA health apps), state privacy laws, breach-notification duties, security obligations, and customer contract requirements. The practical check is to map each data flow to a role first; if no covered-entity or business-associate relationship exists, HIPAA's rules do not apply, but the other regimes still do.
How the China side works
China's Personal Information Protection Law (PIPL) lists medical health information as sensitive personal information. Processing it requires a specific purpose and sufficient necessity, strict protective measures, and, where consent is the legal basis, separate consent rather than bundled consent. Transferring it out of mainland China can require one of the PIPL export mechanisms (a CAC-led security assessment, a standard contract filing, or certification, depending on the volume and nature of the data), and healthcare data may additionally intersect with the Cybersecurity Law and Data Security Law, the human genetic resources regime, hospital information-system rules, and state concerns about data classified as important.
Side-by-side comparison
| Dimension | United States | China | Strategic implication |
|---|---|---|---|
| Main model | Sectoral: HIPAA plus FTC, state, contract, cybersecurity, and device rules. | Comprehensive personal-information law plus data security, cybersecurity, and sector rules. | Do not assume HIPAA compliance is enough for a U.S. launch or that U.S. data practices transfer cleanly into China. |
| Health data trigger | Protected health information depends on covered entity or business associate role. | Medical health information is sensitive personal information under PIPL. | Role mapping is central in the U.S.; data-type and transfer mapping are central in China. |
| Cross-border concern | Driven by contracts, security, customer expectations, sanctions/export controls, and state privacy where relevant. | Driven by personal information export mechanisms, security review risk, localization concerns, and state oversight. | U.S.-China data architecture should be designed before pilots, not after sales start. |
Current evidence and sources
- HHS OCR - Covered Entities and Business Associates: HIPAA applies to covered entities and business associates and requires written business associate arrangements where PHI is handled for covered functions.
- FTC - Health Breach Notification Rule update: the FTC clarified the rule's relevance to health apps and similar non-HIPAA technologies.
- National People's Congress - PIPL English text: medical health information is listed as sensitive personal information.
Strategic meaning
For cross-border healthcare companies, privacy is not just a legal policy page. It determines cloud region, model training, support access, contracting, breach response, patient consent, customer diligence, and whether data can move between the United States, China, and third-country teams.