Personal medical data protection of mobile pharmacy apps in China 2025: scale development and content analysis

Ting Chen; Rengui Guo

doi:10.1186/s13690-026-01839-w

. 2026 Jan 26;84:42. doi: 10.1186/s13690-026-01839-w

Personal medical data protection of mobile pharmacy apps in China 2025: scale development and content analysis

Ting Chen ¹, Rengui Guo ^2,^✉

PMCID: PMC12918090 PMID: 41588483

Abstract

Background

With the widespread adoption of smartphones and the increasing demand for convenient access to pharmaceuticals, mobile pharmacy apps that facilitate online medication purchases and provide medication consultation services have rapidly proliferated. These apps require users to consent to the collection of personal information as a prerequisite for utilizing their services, including data such as name, blood type, contact details, medical history, and allergy information. While these mobile pharmacy apps offer significant convenience to patients, they also pose risks to personal privacy and data security.

Method

Between March 15 and April 30, 2025, we accessed the Android and iOS app stores to find, obtain, and select privacy policies of 174 mobile pharmacy apps that provide pharmaceutical sales and consultation services to the general public, and conducted a comprehensive review of the privacy policies of these mobile pharmacy apps in the Chinese mainland. This analysis aims to facilitate a holistic assessment of data privacy practices within this sector. A compliance evaluation scale based on the Personal Information Protection Law and regulations was developed. We developed a 2-level indicator scale based on the PI life cycle. The scale comprised 5 level-1 indicators (PI collection, PI storage, PI usage and rights, PI processing, PI security and remedies) and 38 level-2 indicators.

Result

The compliance rate of privacy policies for 174 mobile pharmacy apps is relatively low (mean 67.30%, SD 20.74%), revealing that the vast majority of mobile pharmacy apps did not formulate their privacy policies in accordance with the laws and regulations. Only a minimal number of apps (n = 2) demonstrated a high (100%) compliance rate for privacy policies, with one each from Android and iOS mobile pharmacy apps. Seventy apps (40.23%) had a privacy policy compliance rate below the average (mean 67.30%), with 47 from the Android App Store (47 out of 119, 39.5%) and 23 from the iOS app stores (23 out of 55, 41.82%).

Conclusion

Our research reveals that the majority of mobile pharmacy apps exhibit low compliance with personal information regulations, particularly in PI storage, sensitive PI protection, automated decision-making, dead user PI protection, and dispute resolution mechanism. Addressing these deficiencies requires proactive intervention and operation from regulatory authorities, the public, and mobile pharmacy apps.

Supplementary Information

The online version contains supplementary material available at 10.1186/s13690-026-01839-w.

Keywords: Personal medical data, Mobile pharmacy, Privacy policy, Personal information, Sensitive personal information, Automated decision-making mechanisms

Text box 1. Contributions to the literature

• The vast majority of mobile pharmacy apps did not formulate their privacy policies in accordance with the laws and regulations in China.

• Mobile pharmacy apps exhibit issues such as ineffective informed consent, inadequate anonymization, and opaque automated processing when utilizing sensitive personal information like blood type, age, and medical history, leading to information leaks, online fraud, cyberbullying, and harassment.

• This study advances compliance practices between privacy policies of mobile pharmacy apps and personal information protection laws, providing valuable insights for enhancing privacy policy compliance and strengthening the security of personal medical data.

Open in a new tab

Introduction

Background

In recent years, mobile pharmacy applications(apps) have developed rapidly and continue to grow, driven by the combined effects of technological, market, and social factors. First, the widespread adoption of smartphones and the growing demand for convenient access to medications have jointly laid the market and social foundation for these apps. Second, the COVID-19 pandemic accelerated the need for contactless medical services [1–4], serving as a key catalyst for the sector’s expansion. Additionally, emerging technologies such as mobile internet, big data, and cloud computing have provided robust technical support for mobile pharmacy services [5–7], further enhancing their functionality and service scalability. Driven by these multiple factors, the global mobile pharmacy market has continued to expand. Data shows that the global market size reached approximately $98.72 billion in 2024 and is projected to grow to about $224.79 billion by 2034, with a compound annual growth rate of around 7.9% [8]. Currently, the app stores of the two major mobile operating systems, Android and iOS, offer a wide range of mobile pharmacy apps covering traditional Chinese medicine, Western medicine, and medication consultation services. As highly accessible mobile tools, these apps enhance the efficiency and flexibility of pharmaceutical services, providing unprecedented convenience to patients and pharmaceutical service providers worldwide [9, 10].

However, the rapid proliferation of mobile pharmacy apps has introduced numerous new risks, particularly concerning personal privacy and data security [11–13]. Notably, these include unauthorized data collection, mandatory consent for data acquisition, excessive scope of user information gathering, as well as illegal processing and third-party sharing of sensitive personal health data, thereby exposing users’ health information to significant vulnerabilities [14–16]. In 2020, Walgreens disclosed a malfunction in its mobile pharmacy app that permitted an unspecified number of users to access other users’ private health information, including details of personal prescriptions [17]. Similarly, U.S.-based fertility tracking apps such as Flo and Premom, developed by Easy Healthcare, have been subjected to substantial fines by the Federal Trade Commission (FTC) due to their sharing of user data with third parties [18, 19]. The leakage or misuse of personal medical data poses severe societal threats, including identity theft, fraud, discrimination [20, 21], and can be exploited for malicious activities such as targeted advertising, spam, and cybercrime [22, 23]. By April 2025, healthcare data breaches in the United States increased by 17.9% month-over-month, with the number of affected individuals surging from 2.7 million in March to 12.9 million in April, representing a 371% increase [24]. Compared to other application categories, mobile pharmacy apps collect highly sensitive and private information—such as physiological and health status data—which necessitates more stringent data governance measures [25, 26].

In this context, the United States, the European Union, and Japan have all enacted specialized privacy and data protection legislation. At the federal level, the United States has implemented statutes such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Breach Notification Rule(HBNR), and the Children’s Online Privacy Protection Rule (COPPA), which establish security obligations for healthcare entities regarding health data, mandate the development of consent mechanisms for sharing patient information with third parties, and delineate reporting duties and legal liabilities associated with data breaches involving sensitive information [27–29]. My Health My Data Act (MHMDA) of Washington State, effective in 2024, extends stringent privacy protections to consumer health data, expanding its scope from traditional healthcare providers to mobile healthcare providers [30, 31]. The European Union’s General Data Protection Regulation (GDPR) governs the collection, processing, and storage of personal data, requiring data controllers to obtain explicit consent from individuals and ensuring the privacy and security of personal information (PI) [32, 33]. Japan has enacted the Act on the Protection of Personal Information (APPI), which stipulates obligations for breach reporting, the right to delete personal data, and disclosure requirements when sharing data with third parties [34].

The rapid development of mobile pharmacy services within apps in China has similarly posed significant challenges to user privacy and data security [35, 36]. These issues are primarily manifested in the following aspects: firstly, the absence or poor readability of privacy policies. In 2019, the Healthy Tianjin app was subjected to administrative warnings due to the lack of a privacy agreement and suspected illegal collection of user location data [37]. Similarly, the Kang Ai Duo Mobile Pharmacy app was reported and penalized for privacy policy texts that were too small, densely packed, difficult to read, and unclear in terms of clauses [38]. Secondly, non-compliance of privacy policy content was identified. The National Computer Virus Emergency Response Center (NCVERC) discovered that over twenty mobile apps, including Dingdang Kuaiyao (version 5.7.0), Pharmacist Help (version 4.31.0), and Ping An Good Doctor (version 7.2.0), failed to explicitly disclose all requested privacy permissions, did not clarify rules for PI collection and usage, and lacked effective mechanisms for correcting, deleting personal data, or deactivating user accounts [39]. Thirdly, violations of informed consent rules were observed, with some apps collecting and excessively gathering personal data without user approval, such as HeLian Health and LeXin Health apps [40]. Fourthly, there is a lack of mechanisms to ensure health information sharing security. For example, Yiyao Wang app was criticized by the Ministry of Industry and Information Technology (MIIT) for illegally collecting PI and sharing it with third parties [41].

In response to the threats posed by data handlers such as mobile pharmacy apps to personal privacy and data security, China has enacted regulations at various levels to curb the illegal collection of personal data. In November 2019, the Cyberspace Administration of China (CAC) in conjunction with four other departments formulated the Method for Identifying Illegal and Non-compliant Collection and Use of Personal Information by Apps (MIINCUPIA), which delineates six categories of violations related to the collection and use of PI [42]. In November 2020, the China Telecommunications Terminal Industry Association (CTTIA) issued the Guidelines for the Minimum Necessary Evaluation of Personal Information Collection and Use by Apps (GMNEPICUA), emphasizing that the mobile internet sector must adhere to the principles of minimization and necessity when collecting sensitive personal data [43]. In March 2021, the CAC and other authorities jointly released the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Apps (RSNPICTMIA), explicitly prohibiting operators from denying users access to basic app functionalities solely due to refusal to provide non-essential PI [44]. Furthermore, the 14th Five-Year Plan for National Health Informatization issued by the National Health Commission (NHC) advocates for the orderly sharing and application of health big data [45]. However, these policies and guidelines possess relatively limited legal enforceability. To strengthen the protection of personal privacy and data security, China officially enacted the Personal Information Protection Law (PIPL) in August 2021, establishing unified regulations on the collection, processing, and utilization of personal data, clarifying the rights of data subjects and the obligations of data handlers [46, 47]. Meanwhile, a series of recommended national standards such as the Guidelines for Categorization and Classification of Network Data (GCCND) and the Personal Information Security Specification (PISS) have been formulated successively to facilitate the classification and graded protection of personal data [48, 49]. The above-mentioned legislation and related policies emphasize that data sharing should balance security and usability, adhere to principles such as minimum necessity and data available but not visible, and require that the entire process of data handling be traceable, auditable and accountable. The MIIT routinely monitors and mandates rectification for apps that infringe upon user rights. As of 2024, a total of 297 apps have been required to rectify violations related to the illegal collection of PI [50].

Under the regulatory frameworks of PIPL and the Data Security Law (DSL), mobile pharmacy apps that rely on user data as their operational foundation urgently need to establish internal mechanisms for privacy and data security management. Central to this effort is the formulation of compliant privacy policies. A legally valid privacy policy must comprehensively and clearly delineate the processing rules for the entire lifecycle of PI [51]. The effective implementation of such policies is critical to ensuring lawful operation of the application and balancing internal self-regulation with external oversight. Given that the level of protection provided by the application directly correlates with its adherence to relevant legal standards, a compliance assessment of the privacy policy should be conducted in accordance with the PIPL and related regulations [52].

Existing studies have examined the violations of personal privacy and data security regulations by mobile pharmacy apps across various countries, with particular emphasis on the phenomena of excessive collection and utilization of personal data. For instance, some research has identified deficiencies in privacy protections concerning users’ health information, including instances of unauthorized data collection and even sale of personal data [53]. Additionally, reports have indicated that nearly half of the mobile health apps embed third-party libraries within their code and files—such as Google Ads for advertising and Google Analytics for data analysis [12]. Based on these findings, scholars have advocated for strengthened industry regulation of mobile pharmacy apps from a data security perspective, emphasizing the necessity of implementing comprehensive measures to ensure the confidentiality, integrity, and availability of information, as well as securing data transmission channels [54]. Furthermore, some studies have evaluated the effectiveness of privacy policies by analyzing transparency and consistency in data collection and processing practices, as well as the accessibility of data disclosure clauses [55]. However, there is a notable paucity of research addressing the compliance of such apps with China’s comprehensive PI protection legal framework.

This study aims to evaluate the compliance of privacy policies and relevant PI protection regulations of mobile pharmacy apps within the framework of personal data protection law. In the Methods section, we will detail the selection and collection process of the sample apps, define the scope of compliance assessment based on privacy policy texts, and systematically describe the evaluation procedures, scoring criteria, and basis for valuation. In the Results and Discussion section, we will examine the level of PI protection provided by the privacy policies of the sample apps from the perspective of the information lifecycle, and report the compliance assessment outcomes. In the Improvement Suggestions section, we will address identified issues related to threats to PI security posed by these privacy policies, and propose enhancements to app operational oversight mechanisms and PI legislation within the Chinese legal framework.

Objective

In this study, we screen, collect and select mobile pharmacy apps developed for users in the Chinese mainland. We establish an evaluation framework—constructing a privacy policy compliance assessment model based on the PIPL, the GCCND, and the PISS. We assess compliance evaluation extent of the privacy policies of mobile pharmacy apps align with relevant PIPL and regulations from the perspectives of data lifecycle management and contextual scenarios, and propose improvement strategies to enhance privacy protection and operational regulatory mechanisms for mobile pharmacy apps. Thereby, we promote compliance with Chinese PIPL and support technological innovation and sustainable development. This research contributes to a deeper understanding of balancing PI protection with the sustainable innovation of mobile pharmacy apps, emphasizing the importance of enhancing legal compliance and providing concrete pathways for improvement. The findings aim to inform policymakers, developers, operators, and users worldwide in their privacy protection practices.

Methods

Study design

This study collected and analyzed privacy policy texts from Android and iOS apps categorized as Mobile Pharmacy within the Chinese mainland app stores. Through a detailed review of these privacy policies, we assess their compliance with the PIPL, the GCCND, and the PISS.

Sample selection and inclusion criteria

This study examines the compliance of privacy policies in mobile pharmacy apps. Since the smartphone market predominantly uses Android and iOS, we selected our sample apps from the app stores of these two major operating systems in the Chinese mainland. We accessed the relevant app stores, navigated to the apps section (yingyong in Chinese), then to the categories section (fenlei in Chinese), and used the keywords “medicine” (yao in Chinese) and “medication” (yaopin in Chinese) to filter the apps. The search was conducted from March 15 to March 30, 2025.

The sample includes apps that meet the following criteria: (1) apps specifically designed to offer a variety of mobile pharmaceutical sales services; (2) apps primarily aimed at the general public, rather than being exclusively for mobile pharmacy management institutions or healthcare professionals. The sample excludes apps that fit the following characteristics: (1) apps focused on physician assistant functions, pharmaceutical enterprise service platforms, or internal corporate communication; (2) apps that provide functionalities unrelated to mobile pharmaceutical services for traditional Chinese medicine, Western medicine, or health supplements, such as those limited only to retrieving information about drugs or devices.

In the Android and iOS app stores, we found a total of 190 mobile pharmacy apps available to users in mainland China who register with either an ID card or a mobile phone number. Out of these, we excluded seven apps from the Android App Store for the following reasons: three apps functioned solely as physician assistants, two apps provided drug information without purchasing capabilities, and two apps served only as medication reminders or doctor assistants. These exclusions were necessary because they did not align with the online sales feature of mobile pharmacy apps.

Additionally, we excluded a small but notable proportion of iOS App Store apps (9 out of 190, 5%) because their official websites could not be located, privacy policies could not be downloaded (n = 2), or although a website address was provided, the privacy policy was not accessible (n = 7). Due to the inability to directly obtain the privacy policy texts, these apps were also excluded from the sample.

We obtained the full privacy policy texts for 174 mobile pharmacy apps (Fig. 1), comprising 119 from the Android App Store and 55 from the iOS App Store. The Android App Store includes 41 apps from the Xiaomi App Store, 40 apps from the Redmi App Store, and 38 apps from the Vivo App Store. Between April 1 and April 15, 2025, we thoroughly reviewed the privacy policies of these 174 apps. Our study further examined whether the privacy policies of these apps complied with the PIPL, the GCCND, and the PISS.

Development of the compliance evaluation scale

Overview

This study takes a comprehensive approach to the data lifecycle in order to create a framework for assessing compliance with privacy policies. This framework is intended to evaluate how well the privacy policies of mobile pharmacy applications align with the PIPL, the GCCND, and the PISS. The detailed process for constructing this framework is explained below.

Comprehensive review

First, we have extracted the primary assessment requirements that a privacy policy evaluation framework should include based on the PIPL. The PIPL stipulates that all activities involving the collection, use, processing, transmission, and provision of PI must be conducted lawfully and in compliance [46]. Specifically, it sets forth requirements regarding identity information for PI collectors and processors, general consent for PI collection and processing, storage requirements for PI, processing requirements for sensitive PI, requirements for entrusting PI processing, notification requirements for automated decision-making, special requirements for cross-border transmission of PI, rights granted to individuals, security management obligations and security incident reporting obligations [47]. Therefore, the privacy policy assessment framework must include requirements for identity disclosure, general consent, storage, processing of sensitive personal information, entrusted processing, automated decision-making, and cross-border transfers.

Second, to align the privacy policy assessment framework with corporate privacy protection practices, we drew upon provisions from the GCCND and PISS, which serve as recommended national standards. As national standards, the GCCND and PISS provide strong guidance for corporate privacy policy development. The GCCND and PISS define requirements for PI collection, storage, use, data subject rights, entrusted processing, sharing, transfer, public disclosure, security, and remedies based on the data lifecycle [48, 49]. Therefore, grounded in the PIPL and incorporating the provisions of the GCCND and PISS, we propose that privacy policy assessments should encompass fundamental requirements, including PI collection, storage, use, data subject rights, processing, security, and remedies.

Furthermore, drawing upon Jiayi Jiang and Zexing Zheng’s privacy policy evaluation framework and considering the characteristics of mobile pharmacy apps [56], we developed a comprehensive privacy policy evaluation framework for mobile pharmacy apps with recommendations from three legal experts (Dong H., Liu H., Chen J.).

Indicator development

From a comprehensive data lifecycle perspective and in accordance with the PIPL, the GCCND, and the PISS, the activities involving personal data within mobile pharmacy apps are categorized into five core stages, established as level-1 evaluation indicators. These include the PI collection (pursuant to Articles 14 and 17 of the PIPL and Article 5 of the PISS), the PI storage (based on Articles 19 and 39 of the PIPL and Article 9 of the PISS), the PI usage and rights (guided by Articles 14, 15, 17, and Sect. 3 of the PIPL, as well as Articles 7 and 8 of the PISS), the PI processing (according to Articles 23, 25, and 27 of the PIPL and Article 9 of the PISS), and the PI security and remedies (as stipulated in Article 15 of the PIPL and Articles 10 and 11 of the PISS).

Indicator elaboration

Under the five level-1 evaluation indicators, grounded in the PIPL, the GCCND, and the PISS, the framework is further subdivided into a total of 38 level-2 evaluation indicators, constituting a comprehensive privacy compliance evaluation structure (Table 1). Specifically, these are: (1) Regarding the PI collection under the level-1 indicator, it is subdivided into nine level-2 indicators based on privacy compliance requirements, including PI collection entity, PI policy update, PI scope, PI type, purpose of PI collection, processing method, general PI consent, sensitive PI consent, exceptions to explicit consent; (2) Concerning the PI storage, it is divided into four level-2 indicators: storage period, storage location, anonymisation, special requirements for storing sensitive PI (distinguishing between encryption, biometric information, and personal identity data); (3) Pertaining to the PI usage and rights, it is subdivided into fifteen level-2 indicators: rules for restricting access to PI, anonymisation use, limits on the use of PI, authorisation for change of use, automated decision-making mechanisms, inquiry, correction, deletion, portability, cancellation of account, withdrawal or modification of authorisation, request response, constraints on automated decision-making, dead user rule, complaint management procedure; (4) Regarding the PI processing, it is further divided into five level-2 indicators: requests from controllers to process PI, types for sharing, transferring and disclosing PI, security measures of sharing, transfer and disclosure PI, consent exceptions, cross-border transmission conditions; (5) Concerning PI security and remedies, it is subdivided into five level-2 indicators: PI security risk management mechanism, security incident notifications, user feedback, response time, dispute resolution mechanism.

Table 1.

Level-1 and Level-2 evaluation indicators of the privacy compliance evaluation structure based on China’s 2025 regulatory framework

Level-1 indicator 1: PI Collection

Level-2 indicator:

•1.1 PI Collection Entity

• 1.2 PI Policy Update

• 1.3 PI Scope

• 1.4 PI Type

• 1.5 Purpose of PI Collection

• 1.6 Processing Method

• 1.7 General PI Consent

• 1.8 Sensitive PI Consent

• 1.9 Exceptions to Explicit Consent

Level-1 indicator 2: PI Storage

Level-2 indicator:

• 2.1 Storage Period

• 2.2 Storage Location

• 2.3 Anonymisation

• 2.4 Special Requirements for Storing Sensitive PI

Level-1 indicator 3: PI Usage and Rights

Level-2 indicator:

• 3.1 Rules for Restricting Access to PI

• 3.2 Anonymisation Use

• 3.3 Limits on the Use of PI

• 3.4 Authorisation for Change of Use

• 3.5 Automated Decision-making Mechanisms

• 3.6 Inquiry

• 3.7 Correction

• 3.8 Deletion

• 3.9 Portability

• 3.10 Cancellation of Account

• 3.11 Withdrawal or Modification of Authorisation

• 3.12 Request Response

• 3.13 Constraints on Automated Decision-making

• 3.14 Dead User Rule

• 3.15 Complaint Management Procedure

Level-1 indicator 4: PI Processing

Level 2 indicator:

• 4.1 Requests from Controllers to Process PI

• 4.2 Types for Sharing, Transferring and Disclosing PI

• 4.3 Security Measures of Sharing, Transfer and Disclosure PI

• 4.4 Consent Exceptions

• 4.5 Cross-border Transmission Conditions

Level-1 indicator 5: PI Security and Remedies

Level-2 indicator:

• 5.1 PI Security Risk Management Mechanism

• 5.2 Security Incident Notifications

• 5.3 User Feedback

• 5.4 Response Time

• 5.5 Dispute Resolution Mechanism

Open in a new tab

Scoring and evaluation procedure

We assign a weight of 1 to each of the 38 level-2 evaluation indicators within the five level-1 evaluation indicators, reflecting the equal importance of personal privacy protection in activities related to PI processing. If the privacy policy of a mobile pharmacy app accurately and effectively articulates these 38 level-2 evaluation indicators, it receives a score of 1; if not, it receives a score of 0. This results in a maximum total score of 38 points for each app`s privacy policy. By converting this score to a percentage, we derive the final score for each app, which serves as the basis for evaluating the overall design quality of the privacy policy. Additionally, we calculated the mean scores for each secondary indicator across all sampled apps.

To ensure the reliability of our assessment, six independent evaluators (GR, CT, HW, WJ, DS, YZ) conducted a privacy policy evaluation of all 174 mobile pharmacy apps from April 16 to April 30, 2025. To maintain consistency and reliability among the evaluators, each one independently assessed a randomly selected subset of 30 apps, which represented 30% of the total. The intercorrelation coefficient within this subset was 0.988 (P < 0.001), indicating near-perfect agreement among the raters. Following this preliminary assessment, the evaluators convened to discuss any discrepancies and the reasons behind them, ultimately establishing a unified scoring standard. This approach ensured fairness and standardization throughout the evaluations. Afterward, the 174 apps were divided into six groups of 29 apps each. Each evaluator was randomly assigned one group and independently scored it, with the results finally aggregated.

Results

Sample distribution

We analyzed the privacy policy texts of 174 mobile pharmacy apps available in the Chinese mainland, which can be accessed via the Android and iOS app stores. A comprehensive analysis of these privacy policies revealed variability in their nomenclature (see Multimedia Appendix 1), including designations such as Privacy Policy (n = 161), Privacy Protection Policy (n = 4), Privacy Rights Policy (n = 5), PI Processing Rules (n = 2), and other terminologies (n = 2). All 174 apps, including 119 from the Android App Store and 55 from the iOS App Store, provide online medication purchasing and consultation services. These apps do not specifically target Western pharmaceuticals and also offer traditional Chinese medicine formulations for purchase.

Compliance evaluation

Overall, the privacy policy compliance landscape of 174 mobile pharmacy apps appears to be complex. To assess the variability in privacy policy compliance levels among 174 mobile pharmacy apps, we categorized the privacy compliance scores into five tiers. These tiers are distributed as follows: above 90 points (Excellent), 80–90 points(Good), 70–80 points(Passing), 60–70 points(Bad), and below 60 points(Very Bad) [57, 58]. The evaluation results of the level-1 and level-2 indicators for these apps are summarized in Fig. 2; Table 2, respectively. The scores for the level-1 evaluation indicators (shown in Fig. 2) range from low to high as follows: PI storage (mean 56.01%, SD 40.34%), PI usage and rights (mean 58.81%, SD 45.71%), PI security and remedies (mean 64.58%, SD 30.71%), PI processing (mean 64.92%, SD 41.69%), PI collection (mean 86.53%, SD 24.97%). The names of each application and their respective evaluation outcomes are detailed in Multimedia Appendix 1.

Fig. 2 — Compliance evaluation scores of the level-1 evaluation indicators for mobile pharmacy applications in China, 2025

Table 2.

Compliance evaluation scores of the level-2 evaluation indicators for mobile pharmacy applications in China, 2025

Level-1 indicator	Level-2 indicator	Mean(%)	SD(%)	Compliance tier
PI collection		86.53	24.97	Good
	PI collection entity	99.43	7.58	Excellent
	PI policy update	95.4	21.0	Excellent
	PI scope	89.08	31.28	Good
	PI type	98.85	10.69	Excellent
	Purpose of PI collection	96.55	18.3	Excellent
	Processing method	76.44	42.56	Passing
	General PI consent	91.95	27.28	Excellent
	Sensitive PI consent	57.47	49.58	Very bad
	Exceptions to explicit consent	73.56	44.23	Passing
PI storage		56.01	40.34	Very bad
	Storage period	74.71	43.59	Passing
	Storage location	77.01	42.20	Passing
	Anonymisation	51.15	50.13	Very bad
	Special requirements for storing sensitive PI	27.59	44.82	Very bad
PI usage and rights		58.81	45.71	Very bad
	Rules for restricting access to PI	79.89	40.20	Passing
	Anonymisation use	39.08	48.93	Very bad
	Limits on the use of PI	70.69	45.65	Passing
	Authorisation for change of use	60.92	48.85	Bad
	Automated decision-making mechanisms	23.56	42.56	Very bad
	Inquiry	80.46	39.77	Good
	Correction	79.31	40.62	Passing
	Deletion	81.03	39.32	Good
	Portability	33.91	47.48	Very bad
	Cancellation of account	90.23	29.78	Excellent
	Withdrawal or modification of authorisation	66.67	47.28	Bad
	Request response	59.77	49.18	Very bad
	Constraints on automated decision-making	25.29	43.59	Very bad
	Dead user rule	7.47	26.37	Very bad
	Complaint management procedure	83.91	36.4	Good
PI processing		64.58	30.71	Bad
	Requirements for entrusted controller processing PI	40.8	49.29	Very bad
	Reasons for sharing, transferring and disclosing PI	95.4	21.0	Excellent
	Security measures of sharing, transferring and disclosing PI	80.46	39.77	Good
	Special circumstances without consent	74.14	43.91	Passing
	Cross-border transmission requirements	43.1	49.67	Very bad
PI security and remedies		64.58	30.71	Bad
	Security incident response mechanism	49.43	50.14	Very bad
	Security event notification mechanism	72.41	44.82	Passing
	Feedback channel	90.8	28.98	Excellent
	Feedback period	70.69	45.46	Passing
	External dispute resolution mechanisms	48.85	50.14	Very bad

Open in a new tab

Based on this tier distribution, we further analyzed the compliance levels of mobile pharmacy apps across different app stores in the Chinese mainland (Fig. 3). The compliance tier for each app is detailed in Multimedia Appendix 2.

Fig. 3 — Tiered distribution of the privacy compliance for different application stores in China, 2025

The level-1 indicator PI storage (mean 56.01%, SD 40.34%) had the lowest compliance rate, indicating that mobile pharmacy apps do not prioritize the storage and anonymization of PI (Fig. 4). One reason for this low compliance is the high cost associated with storing personal data, which discourages mobile pharmacy apps from investing in self-storage solutions. Consequently, this leads to weaker storage provisions in their privacy policies. Additionally, the risk of data leakage after storage is considerable, further diminishing the incentive for these apps to include robust storage rules in their privacy policies. For level-2 indicators, the compliance rate for the storage period was 74.71% (SD 44%), with 44 mobile pharmacy apps lacking the storage period(mean 25.29%). The compliance rate for storage location was 77.01% (SD 42%), meaning that 22.99% (n = 40) of mobile pharmacy apps failed to clearly specify the storage location in their privacy policies. The score for anonymization was 51.15% (SD 50%), with 48.85% (n = 85) of mobile pharmacy apps not including any provisions for anonymizing personal information. Anonymization is essential for protecting personal data, as it prevents specific information from being linked to individuals, thereby safeguarding their privacy [59, 60]. Over half of the mobile pharmacy apps neglected to implement anonymization rules, which heightens the risk of personal data leaks. There is a pressing need for improved anonymization practices in these apps. Additionally, special requirements for storing sensitive PI had the lowest compliance rate under PI storage (mean 27.59%, SD 45%). Only 48 apps specified storage requirements for sensitive PI, while 72.41% (n = 126) of mobile pharmacy apps lacked provisions for storing sensitive information. This shows that the vast majority of mobile pharmacy apps overlook the protection of sensitive user data, which is non-compliant with PIPL.

Fig. 4 — Compliance evaluation results of the level-1 indicator personal information storage in China, 2025

The level-1 indicator PI usage and rights (mean 58.81%, SD 45.71%) also showed a relatively low average compliance rate, indicating that mobile pharmacy apps generally do not adequately address the mandatory requirements for PI usage under the PIPL (Fig. 5). The privacy compliance rates for anonymisation use (mean 39.08%, SD 49%, n = 68), automated decision-making mechanisms (mean 23.56%, SD 43%, n = 41), Portability (mean 33.91%, SD 47%, n = 59), and Constraints on automated decision-making (mean 25.29%, SD 44%, n = 44) all failed to exceed a half. Only a small number of mobile pharmacy apps (n = 13) included provisions for the dead user rule, reflecting a mean compliance rate of just 7.47% (SD 26%). In contrast, several indicators had compliance rates above two-thirds: rules for restricting access to PI (mean 79.89%, SD 40%, n = 139), limits on the use of PI (mean 70.69%, SD 46%, n = 123), inquiry (mean 80.46%, SD 40%, n = 140), correction (mean 79.31%, SD 41%, n = 138), deletion (mean 81.03%, SD 39%, n = 141), withdrawal or modification of authorisation (mean 66.67%, SD 47%, n = 116) and complaint management procedure (mean 83.91%, SD 36%, n = 146). The compliance rates for authorisation for change of use (mean 60.92%, SD 49%, n = 106) and request response (mean 59.77%, SD 49%, n = 104) were around 50%. However, cancellation of account (mean 90.23%, SD 30%) had an average compliance rate exceeding 90%, indicating that the vast majority of mobile pharmacy apps (n = 157) ensured users’ freedom to choose whether to use or delete their accounts, with only 17 (9.77%) apps failing to explicitly state that users could freely cancel their accounts.

Fig. 5 — Compliance evaluation results of the level-1 indicator personal information usage and rights in China, 2025

Regarding PI security and remedies (mean 64.58%, SD 30.71%), the scores of its level-2 evaluation indicators also displayed notable diversity (Fig. 6). The compliance rates for both security risk management mechanism (mean 49.43%, SD 50%, n = 86) and dispute resolution mechanism (mean 48.85%, SD 50%, n = 85) were low, with more than half of the apps failing to include provisions for security risk management mechanism and dispute resolution mechanism in their privacy policies. This indicates that the vast majority of mobile pharmacy apps did not establish effective mechanisms for PI security risk management (n = 88) and dispute resolution (n = 89). In contrast, user feedback methods achieved a high average privacy compliance rate (mean 90.8%, SD 29%), demonstrating that most mobile pharmacy apps (n = 158) generally prioritized user feedback on privacy protection, with only a small number of apps (n = 16) needing to strengthen their user feedback rules. The privacy compliance rates for security incident notification (mean 72.41%, SD 45%, n = 126) and response time (mean 70.69%, SD 45%, n = 123) were passing, with more than a quarter of apps failing to specify provisions for security incident notification (mean 27.59%, n = 48) and response time (mean 29.31%, n = 51).

For the level-1 indicator PI processing (mean 64.92%, SD 41.69%), the compliance rates of level-2 evaluation indicators showed significant variations (Fig. 7). Types for sharing, transferring, and disclosing PI achieved a remarkably high average compliance rate of 95.4% (n = 166, SD 21%), demonstrating effective efforts in transparency of sharing, transferring, and disclosing PI. In contrast, requests from controllers to process PI had a much lower average privacy compliance rate of 40.8%, with only about half of mobile pharmacy apps (n = 71, SD 49%) including provisions for requests from controllers to process PI in their privacy policies. This oversight may lead to disorderly sharing, transferring, and disclosing of PI, increasing the risk of PI violations. The compliance rate for security measures of sharing, transfer, and disclosure of PI was relatively high (mean 80.46%, SD 40%), with 140 apps specifying these security measures in their privacy policies. Only a small number of apps (n = 34) failed to address security measures and risks. Consent exceptions showed a lower compliance rate (mean 74.14%, SD 44%), as many apps (n = 45) did not clearly define consent exceptions in their privacy policies. The lowest average compliance rate was observed for cross-border transmission conditions (mean 43.1%, SD 50%). A significant majority of apps (n = 99, 59.6%) lacked provisions for cross-border transmission conditions, indicating that most apps face legal risks regarding cross-border transmission of PI.

Fig. 7 — Compliance evaluation results of the level-1 indicator personal information processing in China, 2025

For the level-1 indicator PI collection (mean 86.53%, SD 24.97%), it achieved the highest score among privacy policy indicators, demonstrating thorough implementation of information disclosure by data collectors and user consent rules (Fig. 8). Among the level-2 evaluation indicators, PI collection entity (mean 99.43%, SD 8%) and PI type (mean 98.85%, SD 11%) showed notably high privacy policy compliance rates, with nearly all apps’ privacy policies clearly specifying PI collection entity (n = 173) and PI type (n = 172). PI policy update (mean 95.4%, SD 21%, n = 166), purpose of PI collection (mean 96.55%, SD 18%, n = 168), and general PI consent (mean 91.95%, SD 27%, n = 160) also maintained high privacy compliance rates. This indicates that mobile pharmacy apps generally emphasize transparency and legality in PI collection. However, compliance rates were relatively lower for processing method (mean 76.44%, SD 43%, n = 133) and exceptions to explicit consent (mean 73.56%, SD 44%, n = 128). Notably, nearly half of mobile pharmacy apps (n = 74, mean 42.53%) lacked provisions for sensitive PI consent, resulting in the lowest privacy compliance rate of sensitive PI consent(mean 57.47%, SD 50%).

Fig. 8 — Compliance evaluation results of the level-1 indicator personal information collection in China, 2025

Discussion

Principal findings

The successful digitalization of pharmacy department operations relies on the continuous collection and utilization of substantial amounts of high-quality user personal data. The ongoing collection and use of such data necessitate the effective protection of PI and privacy data [61, 62]. Our study aims to comprehensively assess the compliance of privacy policies of mobile pharmacy apps and PI protection frameworks in the Chinese mainland.

We employed Data Life Cycle Management (DLM) theory [63, 64], combined with Contextual Integrity (CI) theory [65, 66], to evaluate the compliance of mobile pharmacy apps’ privacy policies across the entire data lifecycle—including collection, storage, usage, processing, security safeguards, and dispute resolution. Three key findings emerged from this analysis.

First, overall, a comprehensive evaluation of privacy policy compliance for 174 mobile pharmacy apps in the Chinese mainland revealed relatively low compliance rates (mean 67.30%, SD 20.74%). This indicates that the vast majority of mobile pharmacy apps failed to formulate their privacy policies in accordance with PIPL, preventing users from effectively understanding the scope, purpose, and location of PI usage, thereby exposing users’ PI to high potential privacy leakage risks. Only a very small number of apps (n = 2) demonstrated high privacy policy compliance, achieving a 100% compliance rate, with one mobile pharmacy app of the Android App Store and one mobile pharmacy app of the iOS App Store. Merely 14 apps showed high privacy policy compliance (compliance rate ≥ 90%), while 104 of 174 apps (59.77%) exceeded the average compliance rate (mean 67.30%). In contrast, 70 of 174 apps (40.23%) fell below the average compliance rate (mean 67.30%). Among these, 47 apps were from the Android App Store, accounting for 39.5% of the 119 Android-based mobile pharmacy apps, while 23 apps were from the iOS App Store, representing 41.82% of the 55 Apple-based mobile pharmacy apps. This reveals that Android-based mobile pharmacy apps exhibit better privacy policy compliance than their Apple-based counterparts.

Second, mobile pharmacy apps showed relatively high compliance rates in PI collection (mean 86.53%), indicating that most mobile pharmacy apps’ privacy policies have established reasonable provisions in accordance with Sect. 1 of Chap. 2 of PIPL. However, the compliance rate for sensitive PI consent (mean 57.47%) was significantly lower, a gap closely related to the sensitive PI protection rules specifically mandated by Article 29 of PIPL. Since sensitive PI constitutes the most critical component of PI, its leakage or unlawful use may easily lead to violations of individuals’ dignity or pose threats to their personal and property safety [67]. Therefore, clear and separate sensitive PI consent has become one of the users’ most fundamental and essential rights. This means mobile pharmacy apps should provide users with a separate and explicit consent request to comply with PIPL requirements. However, in reality, more than one-half of apps failed to offer users a clear and standalone consent option in their privacy policies, severely diminishing users’ awareness of sensitive PI collection and their understanding of associated risks. These findings suggest that mobile pharmacy privacy policies often fail to provide users with an adequate opportunity to comprehend the requirements and purposes of PI processing. Notably, among iOS App Store apps, 33 out of 55 (60%) included sensitive PI consent rules, whereas only 67 out of 119 (56.3%) Android apps implemented such provisions. This indicates that Android apps perform worse than iOS apps in sensitive PI compliance, suggesting that the Android App Store should strengthen oversight of mobile pharmacy apps’ sensitive PI protection practices. Otherwise, the CAC should impose penalties on apps failing to meet sensitive PI protection standards.

Third, mobile pharmacy apps showed the lowest privacy policy compliance rates in PI storage (mean 56.01%) and PI usage (mean 58.81%), revealing an urgent need to strengthen privacy compliance in these areas. PI storage is explicitly mandated by Article 5 of PIPL and Article 6 of PISS, requiring minimized storage duration and anonymisation. Many PI leaks occur due to unauthorized transfers or processing by third-party PI storage platforms [68, 69]. Therefore, robust PI protection necessitates mandatory regulations on storage duration and location. Our findings indicate that mobile pharmacy apps fail to provide users sufficient information about storage timelines and locations, increasing PI risks. This demonstrates that clear PI storage provisions in privacy policies are feasible. Thus, mobile pharmacy apps must improve rules on PI storage to ensure users can anticipate mandatory PI storage requirements, reducing concerns about data breaches. Special requirements for storing sensitive PI (mean 27.59%) showed critically low compliance, contradicting the stringent sensitive PI storage and processing rules under Articles 30 and 31 of PIPL. This further highlights mobile pharmacy apps’ neglect of sensitive data protection. Anonymisation (mean 51.15%) compliance did not exceed half. Since anonymisation effectively decouples data from personal identity, it is vital for privacy protection. Most mobile pharmacy apps performed poorly in automated decision-making mechanisms (mean 23.56%) and constraints on automated decision-making (mean 25.29%). While AI-driven automation is widely adopted, Article 24 of PIPL mandates transparency, fairness, and user opt-out options for automated decisions. However, apps largely failed to disclose automated decision-making mechanisms or provide rejection methods. With China’s aging population exceeding 300 million aged above 60 [70], millions of elderly app users will soon pass away. The near-total absence of deceased user PI provisions, violating Article 49 of PIPL, will inevitably trigger disputes over posthumous data handling.

Fourth, our research found that many mobile pharmacy apps did not fully clarify the identities of third-party sub-processors or effectively explain the conditions affecting users’ understanding of PI processing methods and destinations. Requests from controllers to process PI (mean 40.8%, SD 49%), with 103 apps failing to explain the identities of third-party processors, indicating that the basic requirements for third-party processors entrusted with the processing of PI explicitly required by Article 21 of PIPL were not fully implemented. The nondisclosure of entrusted third-party processors may lead to PI being processed by unqualified processors, creating PI security risk41 out of 55 (74.55%) apps of iOS App Store and 62 out of 119 (52.1%) apps of Android App Store did not disclose entrusted third-party processors, showing that Android-based apps performed better than Apple-based apps in disclosing the roles of authorized third-party processors. This is because CAC and MIIT frequently inspect and penalize Android apps for non-compliant third-party data processing, prompting Android apps to actively disclose third-party processors in their privacy policies. Cross-border transmission conditions (mean 43.1%, SD 50%) had a compliance rate as low as half, with many apps failing to specify PI cross-border transfer conditions, which contradicts the mandatory provisions in Chap. 3 of PIPL, particularly Article 38 and Article 39. This finding indicates that many apps have loopholes in PI protection, which may lead to PI being accessed by foreign data processors, jeopardizing user privacy and national data security. Currently, Article 31 of the DSL and Article 37 of the Cybersecurity Law (CL) explicitly require data processors, especially critical information infrastructure operators, to clearly disclose cross-border transfer conditions for important data (including PI) and apply for security assessments with the CAC. Many mobile pharmacy apps that fail to comply with PIPL, DSL, and CL will face serious legal liabilities. Alarmingly, many apps did not clarify security risk management mechanisms or dispute resolution mechanisms, which contradicts the mandatory dispute resolution mechanism required by Article 50 of PIPL, the data security management systems and security technical measures required by Article 51 and Article 52 of PIPL. These findings show that many apps neither provide users with reasonable channels to express requests and resolve disputes nor establish lawful and proper data security management systems. This not only fails to effectively handle data disputes but also cannot prevent the occurrence and escalation of data security risks.

Strengths and limitations

Existing studies have primarily focused on internet hospital apps [56], chronic disease management apps [71], Contact tracing apps [72], and health code apps [73]. This is the first study to examine the privacy policy compliance of mobile pharmacy apps in the Chinese mainland. Our research not only investigates mobile pharmacy apps at a macro level but also specifically compares the differences in privacy compliance rates between apps on the Android and iOS app stores. Grounded in DLM theory and CI theory, we conducted a comprehensive assessment of mobile pharmacy apps’ compliance with PIPL and PI standards across the entire data lifecycle, including PI collection, storage, usage, sharing, transfer, and cross-border transmission, as well as scenario-based criteria. Our study holds significant implications for researchers focusing on pharmacy service accessibility and privacy protection.

This study encountered some limitations. First, our research primarily collected and conducted content analysis on the privacy policies of mobile pharmacy apps, but did not evaluate the actual implementation effectiveness of these policies. In reality, there is often a gap between privacy policies and their practical enforcement. Our study only analyzed the text of privacy policies, making it difficult to reflect the actual PI protection effectiveness. Second, this research examined the publicly available privacy policy texts of mobile pharmacy apps but did not delve into how these apps employ technical measures and internal corporate regulations to fulfill PIPL requirements (e.g., encryption and anonymisation as security technical measures stipulated in article 51 of PIPL, or regular publication of PI protection social responsibility reports as required by article 58 of PIPL). This limitation prevents a comprehensive and accurate assessment of mobile pharmacy apps’ privacy policy compliance. Third, our study focused on mobile pharmacy apps from the two largest app stores (iOS App Store and Android App Store) in the Chinese mainland, but did not include apps from smaller operating system platforms (e.g., Huawei AppGallery running on HarmonyOS). This limitation may introduce bias in the research sample of mobile pharmacy apps. Future researchers could advance the evaluation of mobile pharmacy apps’ privacy policy compliance by dynamically and holistically examining technical measure implementation, internal corporate regulations, and user experience surveys.

Conclusions and suggestions

Our research conducted a comprehensive compliance evaluation of privacy policies from 174 mobile pharmacy apps collected from the Android and iOS app stores in the Chinese mainland. The results reveal a diversified landscape of privacy policy compliance among mobile pharmacy apps. While some apps demonstrated remarkable compliance with the PIPL, the GCCND, and the PISS, the majority of apps showed low PI compliance, particularly in areas of PI storage, sensitive PI protection, automated decision-making, dead user PI protection, and dispute resolution mechanisms. Grounding our analysis in DLM theory and CI theory, we emphasize that mobile pharmacy apps’ privacy policies should be evaluated comprehensively and dynamically according to PIPL and relevant PI protection standards, considering the entire data lifecycle management (collection, storage, usage, and processing) and scenario-based criteria. Currently, most mobile pharmacy apps’ privacy policies fail to comply with PIPL’s requirements for processing PI in accordance with the principles of legality, legitimacy, necessity, good faith, openness, and transparency.

To address these issues, first, active intervention from Chinese authorities such as the MIIT and the CAC is needed to establish management regulations and protection guidelines for healthcare data, and implement specialized oversight of mobile pharmacy apps. If the privacy policies of mobile pharmacy apps fail to comply with the PIPL and related regulations, the MIIT and the CAC should issue notifications, require improvements to privacy policies, mandate rectification of personal information collection and processing practices, and impose penalties. In cases where mobile pharmacy apps severely infringe upon PI rights, their continued operation should be prohibited. Second, resolving these issues requires active participation and cooperation from mobile pharmacy app developers themselves. Mobile pharmacy app developers must rigorously adhere to the PIPL, regulations, and standards for the development of their applications. mobile pharmacy app developers should establish comprehensive privacy policies to respect and protect users’ PI, and integrate these policies into the specific functional design of the app. Third, professional PI protection bodies should actively participate in the formulation of PI protection guidelines and standards, effectively oversee privacy protection practices of mobile pharmacy apps, and report to relevant Chinese authorities when discovering privacy policies of such apps fail to comply with the PIPL and related regulations. In addition, these bodies could publish annual privacy protection reports on mobile pharmacy apps, researching and disclosing their compliance status while urging improvements in PI protection practices. Finally, we believe the key solution lies in promoting information transparency and integrity through public education initiatives, including public awareness campaigns and awareness campaigns to enhance individuals’ awareness and sense of responsibility regarding PI protection. Addressing these concerns is not merely about complying with PIPL’s mandatory requirements, but also about building user trust and promoting the healthy development of mobile pharmacy services in China.

Supplementary Information

Supplementary Material 1.^{(43.2KB, xlsx)}

Supplementary Material 2.^{(17.4KB, xlsx)}

Acknowledgements

Not applicable.

Abbreviations

App: Application
FTC: Federal Trade Commission
HIPAA: Health Insurance Portability and Accountability Act
HBNR: Health Breach Notification Rule
COPPA: Children's Online Privacy Protection Rule
MHMDA: My Health My Data Act
GDPR: European Union's General Data Protection Regulation
PI: Personal Information
APPI: Act on the Protection of Personal Information
NCVERC: National Computer Virus Emergency Response Center
MIIT: Ministry of Industry and Information Technology
CAC: Cyberspace Administration of China
MIINCUPIA: Method for Identifying Illegal and Non-compliant Collection and Use of Personal Information by Apps
CTTIA: China Telecommunications Terminal Industry Association
GMNEPICUA: Guidelines for the Minimum Necessary Evaluation of Personal Information Collection and Use by Apps
RSNPICTMIA: Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Apps
NHC: National Health Commission
PIPL: Personal Information Protection Law
GCCND: Guidelines for Categorization and Classification of Network Data
PISS: Personal Information Security Specification
DSL: Data Security Law
DLM: Data Life Cycle Management
CI: Contextual Integrity
CL: Cybersecurity Law

Authors’ contributions

Ting Chen made the conceptualization, data curation, formal analysis, and original draft. Rengui Guo performed the conceptualization, investigation, data curation, formal analysis, and original draft. All authors read and approved the final manuscript.

Funding

This article was supported by the National Social Science Fund of China ‘Research on the Optimization of the Legal System for Open Sharing of Scientific Data’ (project number: 24CFX023).

Data availability

All data generated or analysed during this study are included in this published article and its supplementary information files.

Declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare no competing interests.

Footnotes

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

1.Mbunge E, Batani J, Gaobotse G, et al. Virtual healthcare services and digital health technologies deployed during coronavirus disease 2019 (COVID-19) pandemic in South africa: a systematic review. Glob Health J. 2022;6:2. 10.1016/J.GLOHJ.2022.03.001. [DOI] [PMC free article] [PubMed] [Google Scholar]
2.Lee SM, Lee D. Opportunities and challenges for contactless healthcare services in the post-COVID-19 era. Technol Forecast Soc Change. 2021;167:120712. 10.1016/j.techfore.2021.120712. [DOI] [PMC free article] [PubMed] [Google Scholar]
3.Kondylakis H, Katehakis DG, Kouroubali A, et al. COVID-19 mobile apps: a systematic review of the literature. J Med Internet Res. 2020;22(12):e23170. 10.2196/23170. [DOI] [PMC free article] [PubMed] [Google Scholar]
4.Bokolo AJ. Application of telemedicine and eHealth technology for clinical services in response to COVID-19 pandemic. Health Technol (Berl). 2021;11(2):359–66. 10.1007/s12553-020-00516-4. [DOI] [PMC free article] [PubMed] [Google Scholar]
5.Junaid SB, Imam AA, Balogun AO, et al. Recent advancements in emerging technologies for healthcare management systems: a survey. Healthc (Basel). 2022;10(10):1940. 10.3390/healthcare10101940. [DOI] [PMC free article] [PubMed] [Google Scholar]
6.Trenfield SJ, Awad A, McCoubrey LE, et al. Advancing pharmacy and healthcare with virtual digital technologies. Adv Drug Deliv Rev. 2022;182:114098. 10.1016/j.addr.2021.114098. [DOI] [PubMed] [Google Scholar]
7.Yaqoob I, Salah K, Jayaraman R, et al. Blockchain for healthcare data management: opportunities, challenges, and future recommendations. Neural Comput Appl. 2022;34:11475–90. 10.1007/S00521-020-05519-W. [Google Scholar]
8.Grand View Research. Pharmacy Market Size, Share & Trends Analysis Report. https://www.grandviewresearch.com/industry-analysis/pharmacy-market-report/segmentation. (Accessed, July 21, 2025).
9.Haleem A, Javaid M, Singh RP, et al. Telemedicine for healthcare: capabilities, features, barriers, and applications. Sens Int. 2021;2:100117. 10.1016/j.sintl.2021.100117. [DOI] [PMC free article] [PubMed] [Google Scholar]
10.Almeman A. The digital transformation in pharmacy: embracing online platforms and the cosmeceutical paradigm shift. J Health Popul Nutr. 2024;43(1):60. 10.1186/s41043-024-00550-2. [DOI] [PMC free article] [PubMed] [Google Scholar]
11.Cheng-Kai K, Andrew M, Ankur B. Mobile health apps: Current state, barriers, and future directions.in The Digital Doctor, ed. Chayakrit Krittanawong, Academic Press. 2025;53–67. 10.1016/B978-0-443-15728-8.00019-7.
12.Tangari G, Ikram M, Ijaz K, et al. Mobile health and privacy: cross sectional study. BMJ. 2021;373:n1248. 10.1136/bmj.n1248. [DOI] [PMC free article] [PubMed] [Google Scholar]
13.Rowland SP, Fitzgerald JE, Holme T, et al. What is the clinical value of mHealth for patients? NPJ Digit Med. 2020;3(1):4. 10.1038/s41746-019-0206-x. [DOI] [PMC free article] [PubMed] [Google Scholar]
14.Pang PCI, McKay D, Chang S, et al. Privacy concerns of the Australian my health record: implications for other large-scale opt-out personal health records. Inf Process Manag. 2020;57:102364. 10.1016/j.ipm.2020.102364. [Google Scholar]
15.Alfawzan N, Christen M, Spitale G, et al. Privacy, data sharing, and data security policies of women’s mHealth apps: scoping review and content analysis. JMIR MHealth UHealth. 2022;10(5):e33735. 10.2196/33735. [DOI] [PMC free article] [PubMed] [Google Scholar]
16.Murdoch B. Privacy and artificial intelligence: challenges for protecting health information in a new era. BMC Med Ethics. 2021;22:122. 10.1186/s12910-021-00687-3v. [DOI] [PMC free article] [PubMed] [Google Scholar]
17.Davis J. Walgreens Reports Data Breach from Personal Mobile Messaging App Error. Health IT security. https://healthitsecurity.com/news/walgreens-reports-databreach-from-personal-mobile-messaging-app-error. (Accessed, July 21, 2025).
18.Lomas N. Flo gets FTC slap for sharing user data when it promised privacy. TechCrunch. https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-user-data-when-it-promised-privacy/. (Accessed, July 21, 2025).
19.McGee MK. FTC Fines Fertility App Vendor, Bars It From Data Sharing. 2023. https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-userdata-when-it-promised-privacy/.(Accessed, July 21, 2025).
20.Healthcare Readers. The Privacy and Security of Health Information: Safeguarding Your Personal Data in the Digital Age. https://healthcarereaders.com/insights/healthcare-data-privacy-and-security. (Accessed, July 21, 2025).
21.Lee I. An analysis of data breaches in the U.S. Healthcare industry: diversity, trends, and risk profiling. Inform Secur J. 2022;31:346–58. 10.1080/19393555.2021.2017522. [Google Scholar]
22.Nurgalieva L, O’Callaghan D, Doherty G. Security and privacy of mHealth applications: a scoping review. IEEE Access. 2020;8:104247–68. 10.1109/ACCESS.2020.2999934. [Google Scholar]
23.Pool J, Akhlaghpour S, Fatehi F, et al. A systematic analysis of failures in protecting personal health data: a scoping review. Int J Inf Manag. 2024;74:102719. 10.1016/j.ijinfomgt.2023.102719. [Google Scholar]
24.Alder S. April 2025 Healthcare Data Breach Report. The HIPAA Journal. https://www.hipaajournal.com/april-2025-healthcare-data-breach-report/. (Accessed, July 21, 2025).
25.Seh AH, Zarour M, Alenezi M, et al. Healthcare data breaches: insights and implications. Healthc (Basel). 2020;8:133. 10.3390/healthcare8020133. [DOI] [PMC free article] [PubMed] [Google Scholar]
26.Elhoseny M, Thilakarathne NN, Alghamdi MI, et al. Security and privacy issues in medical internet of things: overview, countermeasures, challenges and future directions. Sustainability. 2021;13:11645. 10.3390/su132111645. [Google Scholar]
27.Congress US. The Health Insurance Portability and Accountability Act. https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996.(Accessed, October 17, 2025).
28.Federal Trade Commission. The Health Breach Notification Rule. https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule. (Accessed, October 17, 2025).
29.Federal Trade Commission. The Children’s Online Privacy Protection Rule. https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa. (Accessed, October 17, 2025).
30.Bernstein S, Geoghegan S, Alive, Kicking. Washington State’s My Health My Data Act Goes into Effect Today. EPIC.org. 2024. https://epic.org/alive-and-kicking-washington-states-my-health-my-data-act-goes-into-effect-today/. (Accessed, July 21, 2025).
31.Francis AM, My Health, My Dolla Amazon’s Health Data Troubles in Washington. The National Law Review. 2025. https://natlawreview.com/article/going-beyond-hipaa-washington-health-privacy-law-enacted-broad-reach-amorphous-scope. (Accessed, July 21, 2025).
32.Benjumea J, Ropero J, Rivera-Romero O, et al. Assessment of the fairness of privacy policies of mobile health apps: scale development and evaluation in cancer apps. JMIR MHealth UHealth. 2020;8:e17134. 10.2196/17134. [DOI] [PMC free article] [PubMed] [Google Scholar]
33.Hatamian M, Wairimu S, Momen N, et al. A privacy and security analysis of early-deployed COVID-19 contact tracing android apps. Empir Softw Eng. 2021;26:36. 10.1007/s10664-020-09934-4. [DOI] [PMC free article] [PubMed] [Google Scholar]
34.Ying L. Translation of act on the protection of personal information of Japan. Beijing Foreign Stud Univ Law Rev. 2021;2:217. [Google Scholar]
35.Jun L, Research on APP Privacy and Security Issues and Protection Strategies. Netw Secur Technol Application. 2023;12:82–3. 10.3969/i.issn.1009-6833.2023.12.035. [Google Scholar]
36.Zhecheng W, Qi Z, Suggestions on Permission to Collect Personal Information Based on Mobile Internet Apps. Risk analysis and. Netw Secur Technol Application. 2023;5:82–3. 10.3969/i.issn.1009-6833.2023.05.035. [Google Scholar]
37.Penpai. Police focus on illegal collection of personal Information, 100 apps taken down. Accessed; 2025; 20. https://www.thepaper.cn/newsDetail_forward_5138636.
38.Guangdong Communications Administration. 209 Apps ordered to be rectified or shut down by Guangdong Communications Authority (Nov-Dec 2020). https://gdca.miit.gov.cn/xwdt/gzdt/art/2021/art_56d961693e12484d84818f92245543d1.html. (Accessed, July 20, 2025).
39.Xinhua News Agency. National Computer Virus Emergency Response Center monitors and finds more than 20 offending mobile apps. https://www.gov.cn/xinwen/2020-04/10/content_5500961.htm. (Accessed, July 20, 2025).
40.Nan W. A number of medical and health apps had been notified for illegal collection of personal information. https://news.qq.com/rain/a/20220722A03N2400. (Accessed, July 20, 2025).
41.Ministry of Industry and Information Technology of the People`s` Republic of China. APP circulars on infringement of users’ rights and interests (first batch in 2020). https://www.gov.cn/xinwen/2020-05/17/content_5512332.htm. (Accessed, July 20, 2025).
42.Cyberspace Administration of China. The Method for Identifying Illegal and Non-compliant Collection and Use of Personal Information by Apps. https://wap.miit.gov.cn/jgsj/waj/wjfb/art/2020/art_8663d2afe61b40c3beb7c65bf6ec2a64.html. (Accessed, October 17, 2025).
43.Telecommunications Terminal Industry Association. Guidelines for the Minimum Necessary Evaluation of Personal Information Collection and Use by Apps. https://wap.miit.gov.cn/jgsj/xgj/APPqhyhqyzxzzxd/zcbz/art/2021/art_f438a606b92e40ada9c611139f297300.html.(Accessed, October 17, 2025).
44.Cyberspace Administration of China. The Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Apps. https://www.gov.cn/zhengce/zhengceku/2021-03/23/content_5595088.htm. (Accessed, October 17, 2025).
45.The Beijing News. Medical App Privacy Leak, More Important Than Technical Fixes Is Mechanism Improvement. https://m.bjnews.com.cn/detail/1669038797169080.html. (Accessed, July 20, 2025).
46.Liming W, Xiaodong D. On the Highlights, features and application of the personal information protection act. Jurist.2021;6,1–16 + 191.10.16094/j.cnki.1005-0221.2021.06.001
47.Jia Y. The system of rights of subjects of personal information: A multidimensional observation based on the rights of individuals in the digital age. ECUPL J. 2022;2:87–99. [Google Scholar]
48.National Information Security Standardization Technical Committee. The Guidelines for Categorization and Classification of Network Data. https://www.tc260.org.cn/front/postDetail.html?id=20211231160823.(Accessed, October 17, 2025).
49.National Standardization Administration. Information security technology—Personal information security specification. https://openstd.samr.gov.cn/bzgk/std/newGbInfo?hcno=4568F276E0F8346EB0FBA097AA0CE05E. (Accessed, October 17, 2025).
50.Ministry of Industry and Information Technology of the People`s` Republic of China. APP (SDK) notification on infringement of user rights and interests. https://wap.miit.gov.cn/jgsj/xgj/gzdt/art/2024/art_a6f9db30756c4464804355afb64723ff.html. (Accessed, July 20, 2025).
51.Madhusudhanan S, Jose AC. Privacy preservation techniques through data lifecycle: A comprehensive literature survey. Computers Secur. 2025;55:104473. 10.1016/j.cose.2025.104473. [Google Scholar]
52.Xiao C. The Nature of Privacy Policies and Legal Regulation. http://www.legaldaily.com.cn/IT/content/2022-07/05/content_8743317.html. (Accessed, July 20, 2025).
53.Lagan S, Sandler L, Torous J. Evaluating evaluation frameworks: A scoping review of frameworks for assessing health apps. BMJ Open. 2021;11(3):e047001. 10.1136/bmjopen-2020-047001. [DOI] [PMC free article] [PubMed] [Google Scholar]
54.Mia MR, Shahriar H, Valero M, et al. A comparative study on HIPAA technical safeguards assessment of android mHealth applications. Smart Health. 2022;26:100349. 10.1016/j.smhl.2022.100349. [DOI] [PMC free article] [PubMed] [Google Scholar]
55.Lamonica HM, Roberts AE, Lee GY, et al. Privacy practices of health information technologies: privacy policy risk assessment study and proposed guidelines. J Med Internet Res. 2021;23(9):e26317. 10.2196/26317. [DOI] [PMC free article] [PubMed] [Google Scholar]
56.Jiang J, Zheng Z. Medical information protection in internet hospital apps in china: scale development and content analysis. JMIR mHealth uHealth. 2024;12:e55061. 10.2196/55061. [DOI] [PMC free article] [PubMed] [Google Scholar]
57.Hongyu L, Research on Personal Information Protection on Chinese Websites. 10.27670/d.cnki.gcqdu.2019.000182.
58.Ruixian Y, Jianing S, Fan X, et al. Evaluation index system for social media app privacy policies and empirical research (J). Inform Theory Pract. 2023;46(01):81–9. 10.16353/j.cnki.1000-7490.2023.01.010. [Google Scholar]
59.Jiam T, Pie L, Leo B et al. The Role of Data Anonymization in Protecting Customer Data: Examining the techniques and benefits of data anonymization in ensuring compliance with data protection regulations. https://www.researchgate.net/publication/386381702. (Accessed, July 20, 2025).
60.Gadotti A, Rocher L, Houssiau F, et al. Anonymization: the imperfect science of using data while preserving privacy. Sci Adv. 2024;10(29):eadn7053. 10.1126/sciadv.adn7053. [DOI] [PMC free article] [PubMed] [Google Scholar]
61.Paul M, Maglaras L, Ferrag MA, et al. Digitization of healthcare sector: A study on privacy and security concerns. ICT Express. 2023;9(4):571–88. 10.1016/j.icte.2023.02.007. [Google Scholar]
62.Demirol D, Das R, Hanbay D. A key review on security and privacy of big data: issues, challenges, and future research directions. Signal Image Video Process. 2023;17:1335–43. 10.1007/s11760-022-02341-w. [Google Scholar]
63.Austin C. Data Lifecycle Management: A Complete Guide. Available at: https://www.splunk.com/en_us/blog/learn/dlm-data-lifecycle-management.html. (Accessed, July 20, 2025).
64.Ritinder K. What is Data Lifecycle Management? Key Components, Stages and Best Practices. Available at: https://www.selecthub.com/big-data-analytics/data-lifecycle-management/. (Accessed, July 20, 2025).
65.Contextual Integrity NM. Explained: A more usable privacy Definition.IEEE security and privacy magazine.2022; pp(99):2–9. 10.1109/MSEC.2022.3201585.
66.Wisniewski PJ, Page X. Privacy theories and frameworks. In: Knijnenburg BP, Page X, Wisniewski P, Lipford HR, Proferes N, Romano J, editors. Modern Socio-Technical perspectives on privacy. Cham: Springer; 2022:15–41. 10.1007/978-3-030-82786-12.
67.Sargiotis D. Data security and privacy: protecting sensitive Information. In data governance. Springer Nat Press. 2024;217–45. 10.1007/978-3-031-67268-2_6.
68.Grundy Q, Chiu K, Held F, et al. Data sharing practices of medicines related apps and the mobile ecosystem: Traffic, content, and network analysis. BMJ. 2019;364:l920. 10.1136/bmj.l920. [DOI] [PMC free article] [PubMed] [Google Scholar]
69.Bookert N, Bondurant W, Anwar M. Data practices of internet of medical things: A look from privacy policy perspectives. Smart Health. 2022;26:100342. 10.1016/j.smhl.2022.100342. [Google Scholar]
70.National Bureau of Statistics of China. China’s population aged 60 and above exceeds 300 million for the first time in 2024. Available at: https://laoling.cctv.com/2025/01/17/ARTI1YQU2WRMlO75bKSmmyLY250117.shtml. (Accessed, July 20, 2025).
71.Ni Z, Wang Y, Qian Y. Privacy policy compliance of chronic disease management apps in china: scale development and content evaluation. JMIR mHealth uHealth. 2021;9(1):e23409. 10.2196/23409. [DOI] [PMC free article] [PubMed] [Google Scholar]
72.Bardus M, Al Daccache M, Maalouf N, et al. Data management and privacy policy of COVID-19 Contact-Tracing apps: systematic review and content analysis. JMIR Mhealth Uhealth. 2022;10(7):e35195. 10.2196/35195. [DOI] [PMC free article] [PubMed] [Google Scholar]
73.Jiang J, Zheng Z. Personal information protection and privacy policy compliance of health code apps in china: scale development and content analysis. JMIR mHealth uHealth. 2023;11:e48714. 10.2196/48714. [DOI] [PMC free article] [PubMed] [Google Scholar]

Associated Data

This section collects any data citations, data availability statements, or supplementary materials included in this article.

Supplementary Materials

Supplementary Material 1.^{(43.2KB, xlsx)}

Supplementary Material 2.^{(17.4KB, xlsx)}

Data Availability Statement

All data generated or analysed during this study are included in this published article and its supplementary information files.

[CR1] 1.Mbunge E, Batani J, Gaobotse G, et al. Virtual healthcare services and digital health technologies deployed during coronavirus disease 2019 (COVID-19) pandemic in South africa: a systematic review. Glob Health J. 2022;6:2. 10.1016/J.GLOHJ.2022.03.001. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR2] 2.Lee SM, Lee D. Opportunities and challenges for contactless healthcare services in the post-COVID-19 era. Technol Forecast Soc Change. 2021;167:120712. 10.1016/j.techfore.2021.120712. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR3] 3.Kondylakis H, Katehakis DG, Kouroubali A, et al. COVID-19 mobile apps: a systematic review of the literature. J Med Internet Res. 2020;22(12):e23170. 10.2196/23170. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR4] 4.Bokolo AJ. Application of telemedicine and eHealth technology for clinical services in response to COVID-19 pandemic. Health Technol (Berl). 2021;11(2):359–66. 10.1007/s12553-020-00516-4. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR5] 5.Junaid SB, Imam AA, Balogun AO, et al. Recent advancements in emerging technologies for healthcare management systems: a survey. Healthc (Basel). 2022;10(10):1940. 10.3390/healthcare10101940. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR6] 6.Trenfield SJ, Awad A, McCoubrey LE, et al. Advancing pharmacy and healthcare with virtual digital technologies. Adv Drug Deliv Rev. 2022;182:114098. 10.1016/j.addr.2021.114098. [DOI] [PubMed] [Google Scholar]

[CR7] 7.Yaqoob I, Salah K, Jayaraman R, et al. Blockchain for healthcare data management: opportunities, challenges, and future recommendations. Neural Comput Appl. 2022;34:11475–90. 10.1007/S00521-020-05519-W. [Google Scholar]

[CR8] 8.Grand View Research. Pharmacy Market Size, Share & Trends Analysis Report. https://www.grandviewresearch.com/industry-analysis/pharmacy-market-report/segmentation. (Accessed, July 21, 2025).

[CR9] 9.Haleem A, Javaid M, Singh RP, et al. Telemedicine for healthcare: capabilities, features, barriers, and applications. Sens Int. 2021;2:100117. 10.1016/j.sintl.2021.100117. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR10] 10.Almeman A. The digital transformation in pharmacy: embracing online platforms and the cosmeceutical paradigm shift. J Health Popul Nutr. 2024;43(1):60. 10.1186/s41043-024-00550-2. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR11] 11.Cheng-Kai K, Andrew M, Ankur B. Mobile health apps: Current state, barriers, and future directions.in The Digital Doctor, ed. Chayakrit Krittanawong, Academic Press. 2025;53–67. 10.1016/B978-0-443-15728-8.00019-7.

[CR12] 12.Tangari G, Ikram M, Ijaz K, et al. Mobile health and privacy: cross sectional study. BMJ. 2021;373:n1248. 10.1136/bmj.n1248. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR13] 13.Rowland SP, Fitzgerald JE, Holme T, et al. What is the clinical value of mHealth for patients? NPJ Digit Med. 2020;3(1):4. 10.1038/s41746-019-0206-x. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR14] 14.Pang PCI, McKay D, Chang S, et al. Privacy concerns of the Australian my health record: implications for other large-scale opt-out personal health records. Inf Process Manag. 2020;57:102364. 10.1016/j.ipm.2020.102364. [Google Scholar]

[CR15] 15.Alfawzan N, Christen M, Spitale G, et al. Privacy, data sharing, and data security policies of women’s mHealth apps: scoping review and content analysis. JMIR MHealth UHealth. 2022;10(5):e33735. 10.2196/33735. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR16] 16.Murdoch B. Privacy and artificial intelligence: challenges for protecting health information in a new era. BMC Med Ethics. 2021;22:122. 10.1186/s12910-021-00687-3v. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR17] 17.Davis J. Walgreens Reports Data Breach from Personal Mobile Messaging App Error. Health IT security. https://healthitsecurity.com/news/walgreens-reports-databreach-from-personal-mobile-messaging-app-error. (Accessed, July 21, 2025).

[CR18] 18.Lomas N. Flo gets FTC slap for sharing user data when it promised privacy. TechCrunch. https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-user-data-when-it-promised-privacy/. (Accessed, July 21, 2025).

[CR19] 19.McGee MK. FTC Fines Fertility App Vendor, Bars It From Data Sharing. 2023. https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-userdata-when-it-promised-privacy/.(Accessed, July 21, 2025).

[CR20] 20.Healthcare Readers. The Privacy and Security of Health Information: Safeguarding Your Personal Data in the Digital Age. https://healthcarereaders.com/insights/healthcare-data-privacy-and-security. (Accessed, July 21, 2025).

[CR21] 21.Lee I. An analysis of data breaches in the U.S. Healthcare industry: diversity, trends, and risk profiling. Inform Secur J. 2022;31:346–58. 10.1080/19393555.2021.2017522. [Google Scholar]

[CR22] 22.Nurgalieva L, O’Callaghan D, Doherty G. Security and privacy of mHealth applications: a scoping review. IEEE Access. 2020;8:104247–68. 10.1109/ACCESS.2020.2999934. [Google Scholar]

[CR23] 23.Pool J, Akhlaghpour S, Fatehi F, et al. A systematic analysis of failures in protecting personal health data: a scoping review. Int J Inf Manag. 2024;74:102719. 10.1016/j.ijinfomgt.2023.102719. [Google Scholar]

[CR24] 24.Alder S. April 2025 Healthcare Data Breach Report. The HIPAA Journal. https://www.hipaajournal.com/april-2025-healthcare-data-breach-report/. (Accessed, July 21, 2025).

[CR25] 25.Seh AH, Zarour M, Alenezi M, et al. Healthcare data breaches: insights and implications. Healthc (Basel). 2020;8:133. 10.3390/healthcare8020133. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR26] 26.Elhoseny M, Thilakarathne NN, Alghamdi MI, et al. Security and privacy issues in medical internet of things: overview, countermeasures, challenges and future directions. Sustainability. 2021;13:11645. 10.3390/su132111645. [Google Scholar]

[CR27] 27.Congress US. The Health Insurance Portability and Accountability Act. https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996.(Accessed, October 17, 2025).

[CR28] 28.Federal Trade Commission. The Health Breach Notification Rule. https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule. (Accessed, October 17, 2025).

[CR29] 29.Federal Trade Commission. The Children’s Online Privacy Protection Rule. https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa. (Accessed, October 17, 2025).

[CR30] 30.Bernstein S, Geoghegan S, Alive, Kicking. Washington State’s My Health My Data Act Goes into Effect Today. EPIC.org. 2024. https://epic.org/alive-and-kicking-washington-states-my-health-my-data-act-goes-into-effect-today/. (Accessed, July 21, 2025).

[CR31] 31.Francis AM, My Health, My Dolla Amazon’s Health Data Troubles in Washington. The National Law Review. 2025. https://natlawreview.com/article/going-beyond-hipaa-washington-health-privacy-law-enacted-broad-reach-amorphous-scope. (Accessed, July 21, 2025).

[CR32] 32.Benjumea J, Ropero J, Rivera-Romero O, et al. Assessment of the fairness of privacy policies of mobile health apps: scale development and evaluation in cancer apps. JMIR MHealth UHealth. 2020;8:e17134. 10.2196/17134. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR33] 33.Hatamian M, Wairimu S, Momen N, et al. A privacy and security analysis of early-deployed COVID-19 contact tracing android apps. Empir Softw Eng. 2021;26:36. 10.1007/s10664-020-09934-4. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR34] 34.Ying L. Translation of act on the protection of personal information of Japan. Beijing Foreign Stud Univ Law Rev. 2021;2:217. [Google Scholar]

[CR35] 35.Jun L, Research on APP Privacy and Security Issues and Protection Strategies. Netw Secur Technol Application. 2023;12:82–3. 10.3969/i.issn.1009-6833.2023.12.035. [Google Scholar]

[CR36] 36.Zhecheng W, Qi Z, Suggestions on Permission to Collect Personal Information Based on Mobile Internet Apps. Risk analysis and. Netw Secur Technol Application. 2023;5:82–3. 10.3969/i.issn.1009-6833.2023.05.035. [Google Scholar]

[CR37] 37.Penpai. Police focus on illegal collection of personal Information, 100 apps taken down. Accessed; 2025; 20. https://www.thepaper.cn/newsDetail_forward_5138636.

[CR38] 38.Guangdong Communications Administration. 209 Apps ordered to be rectified or shut down by Guangdong Communications Authority (Nov-Dec 2020). https://gdca.miit.gov.cn/xwdt/gzdt/art/2021/art_56d961693e12484d84818f92245543d1.html. (Accessed, July 20, 2025).

[CR39] 39.Xinhua News Agency. National Computer Virus Emergency Response Center monitors and finds more than 20 offending mobile apps. https://www.gov.cn/xinwen/2020-04/10/content_5500961.htm. (Accessed, July 20, 2025).

[CR40] 40.Nan W. A number of medical and health apps had been notified for illegal collection of personal information. https://news.qq.com/rain/a/20220722A03N2400. (Accessed, July 20, 2025).

[CR41] 41.Ministry of Industry and Information Technology of the People`s` Republic of China. APP circulars on infringement of users’ rights and interests (first batch in 2020). https://www.gov.cn/xinwen/2020-05/17/content_5512332.htm. (Accessed, July 20, 2025).

[CR42] 42.Cyberspace Administration of China. The Method for Identifying Illegal and Non-compliant Collection and Use of Personal Information by Apps. https://wap.miit.gov.cn/jgsj/waj/wjfb/art/2020/art_8663d2afe61b40c3beb7c65bf6ec2a64.html. (Accessed, October 17, 2025).

[CR43] 43.Telecommunications Terminal Industry Association. Guidelines for the Minimum Necessary Evaluation of Personal Information Collection and Use by Apps. https://wap.miit.gov.cn/jgsj/xgj/APPqhyhqyzxzzxd/zcbz/art/2021/art_f438a606b92e40ada9c611139f297300.html.(Accessed, October 17, 2025).

[CR44] 44.Cyberspace Administration of China. The Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Apps. https://www.gov.cn/zhengce/zhengceku/2021-03/23/content_5595088.htm. (Accessed, October 17, 2025).

[CR45] 45.The Beijing News. Medical App Privacy Leak, More Important Than Technical Fixes Is Mechanism Improvement. https://m.bjnews.com.cn/detail/1669038797169080.html. (Accessed, July 20, 2025).

[CR46] 46.Liming W, Xiaodong D. On the Highlights, features and application of the personal information protection act. Jurist.2021;6,1–16 + 191.10.16094/j.cnki.1005-0221.2021.06.001

[CR47] 47.Jia Y. The system of rights of subjects of personal information: A multidimensional observation based on the rights of individuals in the digital age. ECUPL J. 2022;2:87–99. [Google Scholar]

[CR48] 48.National Information Security Standardization Technical Committee. The Guidelines for Categorization and Classification of Network Data. https://www.tc260.org.cn/front/postDetail.html?id=20211231160823.(Accessed, October 17, 2025).

[CR49] 49.National Standardization Administration. Information security technology—Personal information security specification. https://openstd.samr.gov.cn/bzgk/std/newGbInfo?hcno=4568F276E0F8346EB0FBA097AA0CE05E. (Accessed, October 17, 2025).

[CR50] 50.Ministry of Industry and Information Technology of the People`s` Republic of China. APP (SDK) notification on infringement of user rights and interests. https://wap.miit.gov.cn/jgsj/xgj/gzdt/art/2024/art_a6f9db30756c4464804355afb64723ff.html. (Accessed, July 20, 2025).

[CR51] 51.Madhusudhanan S, Jose AC. Privacy preservation techniques through data lifecycle: A comprehensive literature survey. Computers Secur. 2025;55:104473. 10.1016/j.cose.2025.104473. [Google Scholar]

[CR52] 52.Xiao C. The Nature of Privacy Policies and Legal Regulation. http://www.legaldaily.com.cn/IT/content/2022-07/05/content_8743317.html. (Accessed, July 20, 2025).

[CR53] 53.Lagan S, Sandler L, Torous J. Evaluating evaluation frameworks: A scoping review of frameworks for assessing health apps. BMJ Open. 2021;11(3):e047001. 10.1136/bmjopen-2020-047001. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR54] 54.Mia MR, Shahriar H, Valero M, et al. A comparative study on HIPAA technical safeguards assessment of android mHealth applications. Smart Health. 2022;26:100349. 10.1016/j.smhl.2022.100349. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR55] 55.Lamonica HM, Roberts AE, Lee GY, et al. Privacy practices of health information technologies: privacy policy risk assessment study and proposed guidelines. J Med Internet Res. 2021;23(9):e26317. 10.2196/26317. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR56] 56.Jiang J, Zheng Z. Medical information protection in internet hospital apps in china: scale development and content analysis. JMIR mHealth uHealth. 2024;12:e55061. 10.2196/55061. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR57] 57.Hongyu L, Research on Personal Information Protection on Chinese Websites. 10.27670/d.cnki.gcqdu.2019.000182.

[CR58] 58.Ruixian Y, Jianing S, Fan X, et al. Evaluation index system for social media app privacy policies and empirical research (J). Inform Theory Pract. 2023;46(01):81–9. 10.16353/j.cnki.1000-7490.2023.01.010. [Google Scholar]

[CR59] 59.Jiam T, Pie L, Leo B et al. The Role of Data Anonymization in Protecting Customer Data: Examining the techniques and benefits of data anonymization in ensuring compliance with data protection regulations. https://www.researchgate.net/publication/386381702. (Accessed, July 20, 2025).

[CR60] 60.Gadotti A, Rocher L, Houssiau F, et al. Anonymization: the imperfect science of using data while preserving privacy. Sci Adv. 2024;10(29):eadn7053. 10.1126/sciadv.adn7053. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR61] 61.Paul M, Maglaras L, Ferrag MA, et al. Digitization of healthcare sector: A study on privacy and security concerns. ICT Express. 2023;9(4):571–88. 10.1016/j.icte.2023.02.007. [Google Scholar]

[CR62] 62.Demirol D, Das R, Hanbay D. A key review on security and privacy of big data: issues, challenges, and future research directions. Signal Image Video Process. 2023;17:1335–43. 10.1007/s11760-022-02341-w. [Google Scholar]

[CR63] 63.Austin C. Data Lifecycle Management: A Complete Guide. Available at: https://www.splunk.com/en_us/blog/learn/dlm-data-lifecycle-management.html. (Accessed, July 20, 2025).

[CR64] 64.Ritinder K. What is Data Lifecycle Management? Key Components, Stages and Best Practices. Available at: https://www.selecthub.com/big-data-analytics/data-lifecycle-management/. (Accessed, July 20, 2025).

[CR65] 65.Contextual Integrity NM. Explained: A more usable privacy Definition.IEEE security and privacy magazine.2022; pp(99):2–9. 10.1109/MSEC.2022.3201585.

[CR66] 66.Wisniewski PJ, Page X. Privacy theories and frameworks. In: Knijnenburg BP, Page X, Wisniewski P, Lipford HR, Proferes N, Romano J, editors. Modern Socio-Technical perspectives on privacy. Cham: Springer; 2022:15–41. 10.1007/978-3-030-82786-12.

[CR67] 67.Sargiotis D. Data security and privacy: protecting sensitive Information. In data governance. Springer Nat Press. 2024;217–45. 10.1007/978-3-031-67268-2_6.

[CR68] 68.Grundy Q, Chiu K, Held F, et al. Data sharing practices of medicines related apps and the mobile ecosystem: Traffic, content, and network analysis. BMJ. 2019;364:l920. 10.1136/bmj.l920. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR69] 69.Bookert N, Bondurant W, Anwar M. Data practices of internet of medical things: A look from privacy policy perspectives. Smart Health. 2022;26:100342. 10.1016/j.smhl.2022.100342. [Google Scholar]

[CR70] 70.National Bureau of Statistics of China. China’s population aged 60 and above exceeds 300 million for the first time in 2024. Available at: https://laoling.cctv.com/2025/01/17/ARTI1YQU2WRMlO75bKSmmyLY250117.shtml. (Accessed, July 20, 2025).

[CR71] 71.Ni Z, Wang Y, Qian Y. Privacy policy compliance of chronic disease management apps in china: scale development and content evaluation. JMIR mHealth uHealth. 2021;9(1):e23409. 10.2196/23409. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR72] 72.Bardus M, Al Daccache M, Maalouf N, et al. Data management and privacy policy of COVID-19 Contact-Tracing apps: systematic review and content analysis. JMIR Mhealth Uhealth. 2022;10(7):e35195. 10.2196/35195. [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR73] 73.Jiang J, Zheng Z. Personal information protection and privacy policy compliance of health code apps in china: scale development and content analysis. JMIR mHealth uHealth. 2023;11:e48714. 10.2196/48714. [DOI] [PMC free article] [PubMed] [Google Scholar]

PERMALINK

Personal medical data protection of mobile pharmacy apps in China 2025: scale development and content analysis

Ting Chen

Rengui Guo

Abstract

Background

Method

Result

Conclusion

Supplementary Information

Introduction

Background

Objective

Methods

Study design

Sample selection and inclusion criteria

Fig. 1.

Development of the compliance evaluation scale

Overview

Comprehensive review

Indicator development

Indicator elaboration

Table 1.

Scoring and evaluation procedure

Results

Sample distribution

Compliance evaluation

Fig. 2.

Table 2.

Fig. 3.

Fig. 4.

Fig. 5.

Fig. 6.

Fig. 7.

Fig. 8.

Discussion

Principal findings

Strengths and limitations

Conclusions and suggestions

Supplementary Information

Acknowledgements

Abbreviations

Authors’ contributions

Funding

Data availability

Declarations

Ethics approval and consent to participate

Consent for publication

Competing interests

Footnotes

References

Associated Data

Supplementary Materials

Data Availability Statement

ACTIONS

PERMALINK

RESOURCES

Similar articles

Cited by other articles

Links to NCBI Databases