Marguerite Brac de La Perrière

Twenty years after the Kouchner Law of March 2, 2002[1] which established it, the legal regime governing the hosting of health data is about to evolve once again: a draft version 1.1 of the HDS certification requirements is now out for consultation.

The draft proposes definitions, in particular for the much-discussed activity 5, “Administration and operation of the information system containing health data”, of art. R1111-9 of the Public Health Code, which it defines as covering:

– “The supervision and management of occasional access by third parties mandated by the organization’s (i.e. the hosting provider’s) client, for example for audit, expertise, deployment or maintenance purposes, who need to access the business application via the HDS infrastructure base”;

– “Maintaining the security of the HDS infrastructure base [the business application being excluded by the definition of the infrastructure base] and the customer support center”;

– “The maintained documentation of the consistency and completeness of the security guarantees provided by the various actors contributing to the implementation of the service.”

These provisions have the merit of clearly excluding the maintenance and support operations of business application publishers from activity 5.

The scope of application is defined as covering “organizations that host health data” and “contribute to the implementation of a digital health service”. This ties the common purpose of the “digital health service” to the regime governing the hosting of health data, a regime which has given legislative force to the security and interoperability standards designed to guarantee the exchange, sharing, security and confidentiality of personal health data[2].

The draft reference framework also details the scope of application, without changing it, apart from clarifying what does not constitute a hosting activity, namely the “short period” exception in art. R1111-8-8 of the Public Health Code: the transient processing of data while in transit on a public network, and the “transcription exception aimed primarily at services for printing letters or entering minutes, whether by operators or by voice recognition”.

The draft also introduces additional risk assessment requirements. The organization must consider the risks to the individual in the event of a loss of integrity, confidentiality or availability, including loss of opportunity, reputational harm or discrimination, and must also take into account the risks to the individuals and organizations providing medical care, including their medical liability and reputational exposure. The requirement sets out a minimum list of events to be considered.

The draft standard cross-references some of the requirements of ISO 27001 and SecNumCloud (with the addition of a correspondence matrix with the SecNumCloud standard), but not ISO 20000 or ISO 27018.

In addition, the draft restates the contractual requirements, including those listed in art. R1111-11 of the Public Health Code, and adds new ones concerning data sovereignty: the host must allow the customer to “choose, from the list of hosting locations proposed by the host, the countries in which the data may be effectively processed”. It is specified that the hosting locations proposed to the customer must be located in member countries of the European Economic Area, or in countries offering an adequate level of protection under an adequacy decision, to the exclusion of any other safeguard (standard contractual clauses or BCR). While the legality of these provisions may be questioned, they do not preclude the use of operators subject to non-EU laws (such as the Cloud Act), provided that the customer and the data controller are informed of the non-EU laws to which the hosting provider is subject and of the measures the hosting provider has implemented to mitigate the risk of a breach of personal health data arising from those laws, and that the provider communicates a description of the residual risks.

With regard to reversibility, in addition to the commitment to return the data, the contract will now have to include minimum requirements: a commitment to destroy all copies once the data has been returned; the procedures, costs and deadlines for returning the data and destroying the copies; the formats in which the data is returned, which must be readable and usable for the purposes of health data portability; and, where applicable, the methods for migrating virtual machines (or containers).

Health data hosting contracts will therefore have to be reviewed and supplemented ahead of the renewal of the health data hosting certification.

To your keyboards,

[1] Law no. 2002-303 of March 4, 2002 on the rights of patients and the quality of the health system, art. 11

[2] L1470-5 CSP
