France has made itself one of the champions of personal data protection, and has established a very specific set of rules for both medical data and the bodies hosting it, since regulations set the principle that any body hosting such medical data must apply for official accreditation.
The concepts of “personal data” and “medical data” are broad under French law: the first covers all data that permits the direct or indirect identification of a person, the second comprises all information regarding the mental and physical aspects of a person’s health.
The act of hosting such data is defined by law as “filing personal medical data, collected through prevention, diagnosis and care activities performed by an authorised body.” The conditions are therefore strict: one of them is obtaining the express consent of the person concerned, except where the aim of the data exchange is to facilitate the provision of medical care, or where access to the data is limited to those who filed it.
Concretely, this implies that whenever medical data is hosted in the course of a prevention, diagnosis or treatment activity – a scope that covers most of the activities of the health care industry, which is undergoing, and will continue to undergo, considerable development with telemedicine in the broad sense – the question of accreditation of the hosting service arises.
What are the situations where it will be necessary to use authorised hosting services?
Health care professionals (HCPs), health care service providers and suppliers of medical devices who file data locally, or leave it for the HCP to consult without being able to add to or modify it, are not under an obligation to apply for accreditation.
But accreditation is necessary when the data is filed with a third-party hosting service, whether that body is an HCP or a technological third party, i.e. either an authorised software publisher or an authorised third-party body. Notably, this is the case not only for all contractors of telemedicine systems (telecardiology, telediagnosis, etc.), but also for sectors in which e-commerce has been liberalised (the optical industry in particular).
The accreditation application process is long and difficult. The application includes forms, declarations and commitments. The French Code of Public Health goes as far as requiring the candidate body to have a doctor on staff, entrusted with ensuring that the data remains confidential and that the conditions of access to the files are complied with.
Accreditation is issued by the Ministry of Health for a renewable period of three years if a favourable opinion is given by the “comité d’instruction” of the ASIP-Santé, the French Data Protection Authority (CNIL) and the Hosting System Accreditation Committee.
The only alternative to applying for accreditation is to enter into a contract for the hosting and storage of medical data with an already accredited third-party data host. This solution appears to be the most convenient for medical e-commerce.
Health centres and HCPs, which are to be regarded as the data controllers, will in any case have to obtain the express consent of the patient for the contract with the hosting service to be formed, as in telemedicine.
Under French law, the hosting service is bound by an obligation to provide the hosting service from which it can be released only by the gross negligence of the data controller (health centre, HCP) or of any intervening third party, or in case of force majeure (the so-called “obligation de résultat”). The hosting service also bears an obligation of confidentiality, as well as a strict obligation to preserve the security and integrity of the data. The conditions under which the hosting service may access the medical data are controlled by its appointed doctor.
Violating the law or the agreement leads to withdrawal of the accreditation by the ASIP-Santé. The French Ministry of Health may also suspend the hosting activity if the hosting service discloses data without accreditation, or commits a serious breach of its obligations. Operating without a licence is punishable by three years’ imprisonment and a fine of €45,000, in addition to the annulment of the hosting contract.
Moreover, in addition to the regulations above, the medical data hosting activity is subject to data protection rules imposing notification obligations towards the French Data Protection Authority, the CNIL, as well as to sector-specific regulatory obligations (health care, telemedicine, etc.).
The issues raised by medical data hosting are therefore complex, in a health sector undergoing a real technological revolution.