The hosting of personal health data is regulated under French law by Act n°2002-303 of 4 March 2002, which aims to protect the confidentiality, integrity and availability of patients' data (the "Act").
Pursuant to this Act, such hosting may only be carried out by a hosting service provider ("HSP") that has first been approved by the Shared Healthcare Information Systems Agency ("ASIP"), a department within the Ministry of Health, following a strict accreditation procedure under the provisions of Decree n°2006-6 of 4 January 2006.
When must health data be stored by a certified HSP?
Pursuant to Article L.1111-8 of the French Public Health Code, health professionals (e.g. doctors and physicians), healthcare establishments (e.g. clinics and hospitals) and data subjects themselves are required to use the services of an accredited HSP if:
- health data is not stored on the health professional’s own information systems;
- health data is collected or produced within the framework of prevention, diagnosis or care activities.
The potential scope of this legal framework is therefore quite broad and is likely to evolve as the health sector finds new uses for this type of data and as new storage and access media appear. For instance, there has been debate over whether health data stored within a research programme or for the insurance sector falls within the scope of the accreditation procedure.
How to obtain accreditation from the ASIP
Firstly, the HSP must obtain accreditation from the ASIP, which may be a complex process: the HSP must complete an application, and accreditation is only granted after the Accreditation Committee of Hosts (CAH) and the Data Protection Authority (the "CNIL") have each issued a reasoned opinion. The scope of the accreditation is also limited, since it is only granted for a three-year period. Furthermore, it is granted to the HSP for one specific health data hosting project, which the HSP must explain and describe in its application. Consequently, it does not cover all of the HSP's information systems or its other current or future projects.
In addition, the application must include numerous elements listed in Article R1111-12 of the French Public Health Code:
- identity, address and, when applicable, articles of incorporation of the person responsible for the hosting service;
- names, functions and qualifications of the operators in charge of carrying out the service, as well as the categories of persons who, because of their function, or for the requirements of the service, have access to the hosted data;
- location(s) in which the hosting and/or storage will take place;
- description of the service offered;
- models of contracts that must be concluded, pursuant to paragraph 2 of Article L.1111-8, between the health data host and the individuals or the legal entities that are at the origin of the personal health data deposit; these models must include the mandatory provisions listed in Article R.1111-13;
- measures taken to ensure the security of the data and the guarantee of the secrets protected by law, notably the presentation of the confidentiality and security policy set forth in Article R. 1111-9;
- when applicable, the indication of the use of external technical providers and the contracts concluded with them;
- a document presenting the forecast trading figures of the hosting activity and, where applicable, the last three balance sheets and the share-ownership composition of the applicant; in the case of a renewal request, the income statements and balance sheets relating to this hosting activity since the last accreditation.
Applicants that have been approved are given recommendations on how to improve their offer, and those that have been rejected are provided with the reasons for the refusal, for use in future applications.
What are the prior requirements that must be met by the HSP?
The obligation of entering into an agreement
Article L.1111-8 of the French Public Health Code requires the conclusion of a contract between the HSP and the healthcare professional. However, the law does not prescribe any particular contractual form but lists the mandatory provisions that must be included.
The HSP (and therefore all its employees and subcontractors) is bound by professional secrecy and subject to the penalties stipulated in Article 223-13 of the French Penal Code. The HSP must designate a physician involved in the hosting activity, who will be responsible for upholding this secrecy requirement. The role of the physician working with the host is very new and consequently not yet well organised. Unless the company has an in-house physician who can perform this function, it should anticipate this point during the early stages of preparing the application.
Health professional cards:
The use of the health professional card (i.e. "Carte de Professionnel de Santé", also known as "CPS") or an equivalent is mandatory whenever healthcare professionals access personal health information stored on electronic media (Art. R.1110-3 of the Public Health Code). The roll-out of the CPS is still ongoing: cards have been distributed to medical services, but not every doctor has yet adopted one individually. The CNIL is aware of this situation, but companies will still be asked to use a strong authentication system and to ensure traceability of every access point. On this point, the CNIL guide on personal data security considers authentication strong enough when it combines at least two identification methods (e.g. password and smart card, or password and fingerprint).
An important part of the application for accreditation is dedicated to describing the security measures and policies implemented by the applicant (e.g. authentication, authorisations, backup procedures, traceability or encryption). It is therefore essential for the candidate to base its request for approval on the broadest possible combination of security measures.
What is the level of enforceability of this legal framework?
Any certified HSP is liable for the compliance of the overall hosting system with the legal requirements. The HSP may use a subcontractor, but it remains liable as if it were carrying out the subcontracted services itself.
Strong penalties are provided by law in the event of non-compliance: up to three years of imprisonment and/or a €45,000 fine (Article L. 1115-1 of the French Public Health Code). Furthermore, the CNIL recently issued a reprimand (blâme) against an HSP for a false statement in its application for approval, as it had falsely claimed to encrypt the medical data it hosted.