France is one of the rare countries outside the U.S. to create a special legal status for entities that process and store patient health data. A 2002 law created this status, and in 2009 the law took effect. In essence, entities that are neither licensed health care establishments nor HCPs must obtain an authorization from the French Ministry of Health in order to lawfully store patient health data originating from such establishments or HCPs. The authorization requires implementation of rigorous measures to ensure security and confidentiality of patient health data at all phases of the data lifecycle; these requirements are generally seen as the most robust in all of Europe and indeed throughout most the world. A bill now pending in French Parliament would simplify the requirements to obtain authorization and notably align the security requirements with globally-recognized standards, such as PCI DSS. 

Since 2002, Article L. 1111-8  of the Public Health Code has set forth specific rules for entities hosting patient health data (excluding licensed health care establishments and HCPs that host their own data). An entity that wishes to host patient health data must obtain a specific authorization (valid for three years) from the French Ministry of Health. To obtain the authorization the entity must (i) comply with a specific procedure managed by French government agency ASIP Santé, and (ii) obtain an opinion from the French data protection authority (CNIL). In addition, the patient must expressly consent to hosting of his/her health data. Entities applying for authorization must provide extensive information demonstrating that their hosting system is secure and sophisticated enough to ensure that the rules on privacy, access and confidentiality are satisfied and more generally that that health data is secure, especially in light of the risk of inappropriate or unlawful disclosure of such data.

ASIP Santé and the market have significantly matured over the past five years, with agency wait times shrinking and industry actor sophistication growing. For example, a set of FAQ developed by ASIP Santé on its web site explain many aspects of the agency’s approach to managing authorization requests, and interpretation of criteria to obtain authorization.

However, the authorization procedure remains long (almost eight months to obtain a decision), remains complicated (no more than six forms to complete), and every three years the authorization must be updated.

A bill on modernization of the French health system is currently being debated in the French Parliament and it contains several provisions that could significantly change the regulatory landscape for companies wishing to obtain an authorization.

Among the key changes proposed:

  • patient consent to the transfer of his/her data to a host would no longer be required;
  • a new definition of the scope of hosting requirements. Any person who wants to host personal health data collected or generated in connection with the prevention, diagnosis or treatment of health conditions or illness or in connection with social welfare activities, whether given by a natural person or legal person, would need to be compliant with the hosting requirements.
  • the obligation instituted by ASIP Santé for the host company to engage an HCP responsible for ensuring that professional secrecy requirements are met, would be codified. 

Most importantly, the draft law gives the French government twelve months from the adoption of the law to replace the authorization procedure with an accreditation system.

Specifically, it has been proposed that a technical compliance assessment would be conducted by an accredited certification body. This assessment would encompass the applicant’s procedures, organization and material and human resources.  The security standard to be adopted may be PCI DSS, which would facilitate the security aspects of the accreditation. Nonetheless, data protection laws would still apply in addition to the accreditation.

Finally, it is possible that either ASIP Santé or the CNIL would no longer be implicated in the accreditation.