Private and public hospitals ("hospitals") and physicians produce every day a large amount of data concerning their patients. They are not always able, or do not always wish, to store this amount of data themselves. Hosting these data with an external service provider, such as a software publisher, an eHealth service provider or a medical device company, can be the right solution. The hosting of personal health data is regulated in France by Law No. 2002-303 dated 4 March 2002, which aims at protecting the confidentiality, integrity and availability of patients' data. According to this Law, the hosting activity may only be exercised with the prior approval of the Ministry of Health. Seven years after the implementation of this Law (2006), and after the grant of 44 approvals by the Ministry of Health as of the end of January 2013, it seems worthwhile to revisit the health data hosting system.
The hosting criteria
Pursuant to Article L.1111-8 of the French Public Health Code, the host must fulfil three cumulative conditions: the host is the natural person or the company with which (1) healthcare professionals, healthcare establishments (hospitals) or the person concerned (2) deposit personal health data (3) collected or produced within the framework of prevention, diagnosis or treatment activities. The first and the third conditions raise questions, for example, when the data is not deposited by a healthcare professional or a hospital but by a monitoring device. The ASIP Santé (the Agency of the Ministry of Health for shared health information systems) published on its website a note dated 21 March 2012 on the situation of home service providers and medical device distributors. According to the ASIP Santé, approval is not required for home service providers and medical device distributors when healthcare professionals only have access to the data for consultation and cannot themselves deposit data within the hosting system. As for a hospital that itself hosts the health data of its patients, the producer of the data and the host are in this case the same entity, and the regulation on health data hosting therefore does not apply. Moreover, in a note dated 10 May 2011, the Legal Department of the Ministry of Health and Social Affairs considered that the regulation on health data hosting applies neither to databases constituted during clinical trials by a research entity nor to databases constituted in view of a clinical trial, since such data processing is regulated by specific legal provisions. The choice of which entity within the value chain will apply for approval as health data host is an important decision.
The status of health data host implies a legal liability
It must be kept in mind that the status of health data host implies a legal liability. The approved host is liable for the compliance of the whole hosting system with the legal requirements. The host can use a subcontractor, but it remains liable under the same conditions as if it were carrying out the subcontracted services itself. Companies may choose which entity within the value chain of their services (from the technical operation of the server to the final service to healthcare professionals/hospitals) will have the status of health data host.
The data must be located in the European Union subject to exceptions
The Law requires that the data be located in France. The data can be hosted in every Member State of the European Union, in the eight countries recognised by the European Commission as providing an adequate level of protection, and outside the European Union by means of Binding Corporate Rules, contractual clauses and Safe Harbor. Cloud computing therefore appears possible provided the localisation condition above is fulfilled. Finally, pursuant to Article L.1111-8 of the French Public Health Code, approval is not granted in a general way but on the basis of a hosting proposal framed by contractual terms. Great care should consequently be given to the legal drafting of such a hosting agreement. The agreement will have to specify the obligations of the host, of the client (which can be a healthcare professional or a hospital) and of the patient. Companies should bear in mind that the approval granted to health data hosts is not a mere administrative declaration of activity but an important decision, with consequences both for the preparation of the dossier and after the approval is granted.
The constitution of the approval dossier represents a great amount of work
The preparation of the health data host dossier represents a great amount of work. Firstly, the hosting system project will have to be checked against the legal requirements of the Decree dated 4 January 2006, and then the existing system will have to be explained and documented. Active involvement of the IT and Legal Departments will, in our view, be the key to success. The Decree dated 4 January 2006 provides that the host must designate a physician involved in the hosting activity, who will be responsible for ensuring medical secrecy. The role of a physician working with a host is very new and consequently not yet well organised. Unless a company has an in-house physician who can perform this function, it should address this point early in the preparation of the file. According to the Decree dated 15 May 2007, known as the "confidentiality" decree, the use of the health professional card ("Carte de Professionnel de Santé", CPS) or of any equivalent means is mandatory when healthcare professionals access personal health information stored on electronic media. This requirement is fully applicable to the hosted data. The rollout of the CPS is still ongoing, and the Host Approval Committee ("Comité d'agrément des Hébergeurs") appears to be aware of this situation. Companies will however be required to implement strong authentication and traceability of each access.
In conclusion, this type of dossier generally takes more time than initially foreseen and requires real involvement of the team concerned.