medOS ultra

China PIPL/DSL/CSL Compliance

Compliance mapping for medos-china deployments: PIPL/DSL/CSL + MLPS 2.0 + healthcare grading.

4 min read diagramsUpdated 2026-06-03docs/architecture/china-pipl-dsl-compliance.md

Compliance mapping for medos-china deployments (UFH-class premium private group). Companion to docs/products/identity-vpn.md and docs/architecture/vpn-audit-compliance.md (which today cover TH/JP/PH/EU/UK only — this doc adds the China regime they omit).

Status: design + control-mapping. Several items are Phase-0 build work, called out explicitly. Do not represent China as turnkey-compliant until the read-model-residency gate (below) closes.

The three statutes

Statute What it demands medOS mapping
PIPL (个人信息保护法) Patient data = sensitive personal information → explicit separate consent, purpose limitation, encryption, access control, complete audit trail, breach notice, DPIA for sensitive processing RLS across 158 migrations; envelope/PIN encryption on health history; identity-VPN signed audit; requiresDpia=true + phiMaskingLevel=pipl_sensitive_pi in the medos-china manifest complianceProfile; per-channel consent split (care vs marketing) in PRM
DSL (数据安全法) Data classification (incl. important data), security of processing, controlled cross-border transfer of regulated data Data-residency china_pipl; de-identification toolkit (HMAC pseudonymize / k-anon — docs/architecture/ai-training-corpus.md) for any aggregate that leaves a site; cross-border transfer gated (see below)
CSL (网络安全法) + MLPS 2.0 (等级保护) Network-tier classified-protection grading & filing, ≥6-month network log retention, IDS, real-name, critical-information-infrastructure rules Application-layer covered by RUDS (user_action_events, 130+ rules); network-tier MLPS controls (IDS, host hardening, 6-month network logs, Level-3 filing) are infra/ops Phase-0, not shipped in app code

Data localization — the gating constraint

All patient data must stay physically in China. medOS’s write path (MongoDB + 15 services) self-hosts (docker-compose-onpremise.yml, public base images only). The realtime read model does NOT yet self-host — it is hosted Supabase (Postgres + ~80 Deno edge functions + realtime), and the on-prem compose only injects an outward-pointing SUPABASE_URL.

🚧 GATING PHASE-0 ITEM: package self-hosted Supabase (Postgres + PostgREST + GoTrue + Realtime + edge-runtime) as compose services so the read model + edge functions run fully in-country. Until this lands, a fully in-China deployment cannot ship. This is the single largest one-time platform item for China; it is paid once for the group, not per site.

Two compliant deployment targets: (1) on-prem / air-gapped in the hospital datacenter (package-airgap.sh) — cleanest residency story; (2) China cloud (Alibaba / Tencent / Huawei) — requires a parallel Terraform module (the existing modules/medos-stack is AWS-only).

Cross-border transfer (CAC)

Any regulated data leaving China requires one of: CAC security assessment, CAC standard contract, or certification (PIPL Art. 38–40). medOS posture:

  • No raw PHI crosses a site/region boundary. Per-site Supabase + Mongo stay in-region (docs/architecture/cross-region-policy-gates-deployment.md).
  • Group-level roll-up federates de-identified aggregates only (counts/rates, no identifiers) via the medallion de-identification pattern (ai-training-corpus.md: ml_export_consent opt-in default-FALSE, HMAC pseudonymize, k-anon suppression, ml_access_log).
  • Cross-site patient referrals (Beijing→Shanghai) run through a documented transfer protocol, not raw replication.

Healthcare-specific grading (Phase-0 evidence package)

Requirement What it is Status
电子病历系统应用水平分级评价 EMR application-level maturity grading (0–8) ⬜ self-assessment artifact to author
医院信息互联互通标准化成熟度测评 Interconnection standardization maturity rating ⬜ map FHIR R4 / HL7v2 to WS 363 / WS 364 / CDA (卫生信息共享文档) — conformance shim needed
保险审计可追溯 (insurance audit traceability) Every charge/order/access leaves a queryable trail ✅ append-only hospital_events + RUDS evidence-export RPCs + 4 audit silos

Audit & encryption control mapping

PIPL/DSL control medOS mechanism (shipped) Anchor
Tamper-evident audit trail Identity-VPN per-event Ed25519 signing + per-node hash chain + hourly Merkle anchoring + WORM export services/identity-vpn/.../{vpnAuditEvent,vpnLedger,_signing,_wormExport}
Behavioural access monitoring RUDS append-only user_action_events + 130+ rules + per-service guard packages/security-kit/src/ruds/, infrastructure/medbase/functions/ruds-*
Access control + least privilege RLS pervasive (158 migrations); RBAC + break-glass override-with-reason 20260527d_policy_gate_override_protocol.sql
Encryption of sensitive PI pgcrypto envelope / PIN on health history 20260524d_health_history_keys_multihospital.sql
Evidence export for regulator/insurer audit ruds_export_user_evidence / ruds_export_tenant_summary (SECURITY DEFINER) 20260522d_ruds_*
Per-jurisdiction retention identity-VPN RETENTION_DAYS['CN'] = system 6y / security 10y vpnAuditEvent.service.ts
Deployment-local geo baseline RUDS home_country='CN' seed market-packs/medos-china/seed-ruds-home-country.sql

Retention

  • Medical records: outpatient ≥15y, inpatient ≥30y (医疗机构病历管理规定) → manifest retentionDays=10950 (~30y, the binding maximum).
  • Audit/VPN logs: RETENTION_DAYS['CN'] system 6y / security 10y; anchored-minor records 25y.
  • Network logs (MLPS): ≥6 months at the network tier — infra/ops responsibility.

Phase-0 open items (ownership)

  1. Self-hosted Supabase in-China (read-model residency) — platform. Gating.
  2. China-cloud Terraform module or commit on-prem-only — platform/infra.
  3. MLPS 2.0 Level-3 controls + filing (IDS, host hardening, network logs) — infra/ops + legal.
  4. EMR-grading + 互联互通 self-assessment + CDA/WS-363/364 conformance shim — clinical informatics.
  5. CAC cross-border route selection (assessment vs standard contract) — legal.
  6. Named data-protection owner + DPIA per tenant — compliance.

Framing for the committee: the audit/encryption controls are production-tested in other markets; the China-specific mapping, residency packaging, and regulator evidence are scoped, front-loaded Phase-0 work. The honesty is the risk control (see HIS_ROI_Presentation_UFH.md Appendix B).

Ask Anything