China PIPL/DSL/CSL Compliance
Compliance mapping for medos-china deployments: PIPL/DSL/CSL + MLPS 2.0 + healthcare grading.
Compliance mapping for
medos-chinadeployments (UFH-class premium private group). Companion todocs/products/identity-vpn.mdanddocs/architecture/vpn-audit-compliance.md(which today cover TH/JP/PH/EU/UK only — this doc adds the China regime they omit).Status: design + control-mapping. Several items are Phase-0 build work, called out explicitly. Do not represent China as turnkey-compliant until the read-model-residency gate (below) closes.
The three statutes
| Statute | What it demands | medOS mapping |
|---|---|---|
| PIPL (个人信息保护法) | Patient data = sensitive personal information → explicit separate consent, purpose limitation, encryption, access control, complete audit trail, breach notice, DPIA for sensitive processing | RLS across 158 migrations; envelope/PIN encryption on health history; identity-VPN signed audit; requiresDpia=true + phiMaskingLevel=pipl_sensitive_pi in the medos-china manifest complianceProfile; per-channel consent split (care vs marketing) in PRM |
| DSL (数据安全法) | Data classification (incl. important data), security of processing, controlled cross-border transfer of regulated data | Data-residency china_pipl; de-identification toolkit (HMAC pseudonymize / k-anon — docs/architecture/ai-training-corpus.md) for any aggregate that leaves a site; cross-border transfer gated (see below) |
| CSL (网络安全法) + MLPS 2.0 (等级保护) | Network-tier classified-protection grading & filing, ≥6-month network log retention, IDS, real-name, critical-information-infrastructure rules | Application-layer covered by RUDS (user_action_events, 130+ rules); network-tier MLPS controls (IDS, host hardening, 6-month network logs, Level-3 filing) are infra/ops Phase-0, not shipped in app code |
Data localization — the gating constraint
All patient data must stay physically in China. medOS’s write path (MongoDB + 15 services)
self-hosts (docker-compose-onpremise.yml, public base images only). The realtime read
model does NOT yet self-host — it is hosted Supabase (Postgres + ~80 Deno edge functions +
realtime), and the on-prem compose only injects an outward-pointing SUPABASE_URL.
🚧 GATING PHASE-0 ITEM: package self-hosted Supabase (Postgres + PostgREST + GoTrue + Realtime + edge-runtime) as compose services so the read model + edge functions run fully in-country. Until this lands, a fully in-China deployment cannot ship. This is the single largest one-time platform item for China; it is paid once for the group, not per site.
Two compliant deployment targets: (1) on-prem / air-gapped in the hospital datacenter
(package-airgap.sh) — cleanest residency story; (2) China cloud (Alibaba / Tencent / Huawei) —
requires a parallel Terraform module (the existing modules/medos-stack is AWS-only).
Cross-border transfer (CAC)
Any regulated data leaving China requires one of: CAC security assessment, CAC standard contract, or certification (PIPL Art. 38–40). medOS posture:
- No raw PHI crosses a site/region boundary. Per-site Supabase + Mongo stay in-region
(
docs/architecture/cross-region-policy-gates-deployment.md). - Group-level roll-up federates de-identified aggregates only (counts/rates, no identifiers)
via the medallion de-identification pattern (
ai-training-corpus.md:ml_export_consentopt-in default-FALSE, HMAC pseudonymize, k-anon suppression,ml_access_log). - Cross-site patient referrals (Beijing→Shanghai) run through a documented transfer protocol, not raw replication.
Healthcare-specific grading (Phase-0 evidence package)
| Requirement | What it is | Status |
|---|---|---|
| 电子病历系统应用水平分级评价 | EMR application-level maturity grading (0–8) | ⬜ self-assessment artifact to author |
| 医院信息互联互通标准化成熟度测评 | Interconnection standardization maturity rating | ⬜ map FHIR R4 / HL7v2 to WS 363 / WS 364 / CDA (卫生信息共享文档) — conformance shim needed |
| 保险审计可追溯 (insurance audit traceability) | Every charge/order/access leaves a queryable trail | ✅ append-only hospital_events + RUDS evidence-export RPCs + 4 audit silos |
Audit & encryption control mapping
| PIPL/DSL control | medOS mechanism (shipped) | Anchor |
|---|---|---|
| Tamper-evident audit trail | Identity-VPN per-event Ed25519 signing + per-node hash chain + hourly Merkle anchoring + WORM export | services/identity-vpn/.../{vpnAuditEvent,vpnLedger,_signing,_wormExport} |
| Behavioural access monitoring | RUDS append-only user_action_events + 130+ rules + per-service guard |
packages/security-kit/src/ruds/, infrastructure/medbase/functions/ruds-* |
| Access control + least privilege | RLS pervasive (158 migrations); RBAC + break-glass override-with-reason | 20260527d_policy_gate_override_protocol.sql |
| Encryption of sensitive PI | pgcrypto envelope / PIN on health history | 20260524d_health_history_keys_multihospital.sql |
| Evidence export for regulator/insurer audit | ruds_export_user_evidence / ruds_export_tenant_summary (SECURITY DEFINER) |
20260522d_ruds_* |
| Per-jurisdiction retention | identity-VPN RETENTION_DAYS['CN'] = system 6y / security 10y |
vpnAuditEvent.service.ts |
| Deployment-local geo baseline | RUDS home_country='CN' seed |
market-packs/medos-china/seed-ruds-home-country.sql |
Retention
- Medical records: outpatient ≥15y, inpatient ≥30y (医疗机构病历管理规定) → manifest
retentionDays=10950(~30y, the binding maximum). - Audit/VPN logs:
RETENTION_DAYS['CN']system 6y / security 10y; anchored-minor records 25y. - Network logs (MLPS): ≥6 months at the network tier — infra/ops responsibility.
Phase-0 open items (ownership)
- Self-hosted Supabase in-China (read-model residency) — platform. Gating.
- China-cloud Terraform module or commit on-prem-only — platform/infra.
- MLPS 2.0 Level-3 controls + filing (IDS, host hardening, network logs) — infra/ops + legal.
- EMR-grading + 互联互通 self-assessment + CDA/WS-363/364 conformance shim — clinical informatics.
- CAC cross-border route selection (assessment vs standard contract) — legal.
- Named data-protection owner + DPIA per tenant — compliance.
Framing for the committee: the audit/encryption controls are production-tested in other markets; the China-specific mapping, residency packaging, and regulator evidence are scoped, front-loaded Phase-0 work. The honesty is the risk control (see
HIS_ROI_Presentation_UFH.mdAppendix B).