The consultation phase for a new Health Data Hosting (HDS) standard was completed a few days ago. At the same time, a 2022 version of the digital health doctrine has been put out to consultation and has created a stir among those who are concerned about the removal of the exemption from the health data hosting regime that was included – subject to conditions – for establishments in a Groupement Hospitalier de Territoire (GHT). Marguerite Brac de La Perrière, partner lawyer in IT/Data with expertise in digital health, offers a legal perspective on this last topic, complemented by the analysis of the well-known CISO Cédric Cartau on the operational view of the CISO.
Read the article below:
Health data hosting: what’s new?
At the time of writing, the consultation phase for a new HDS standard (discussed in a recent article[1]) has been completed for a few days. For the record, this standard defines the certification requirements imposed under Article L1111-8 of the Public Health Code on “any person who hosts personal health data collected during preventive, diagnostic, care or social and medico-social monitoring activities, on behalf of individuals or legal entities that produce or collect this data […]”. At the same time, a 2022 version of the digital health doctrine has been put out to consultation[2] and has caused concern among those who are worried about the removal of the exemption from the health data hosting regime that was included – subject to conditions – for establishments in a territorial hospital grouping (GHT). The purpose of this paper is to enlighten the reader on this last subject, first from a legal point of view, and then from the operational point of view of the CISO.
The legal view of the GHT exemption
The exemption in the 2021 digital health doctrine was as follows:
“The GHT’s hosting institution is exempt from the HDS certification obligation if and only if the GHT’s constitutive agreement establishes joint responsibility and entrusts it with hosting. The GHT agreement must explicitly provide, by means of an amendment, for the delegation of hosting activities to the hosting establishment. Indeed, in such a case, all the establishments party to the GHT agreement can be considered as joint data controllers within the meaning of the RGPD.”
Should we be concerned, then, that this exemption relating to the GHT hosting establishment is not to be found in the 2022 digital health doctrine under consultation?
As a preliminary point, it should be noted that the digital health doctrine has no regulatory value. Thus, the exemption that appeared in the doctrine was simply intended to state the interpretation of the law, in its ambition to “keep the digital health ecosystem informed of the developments and progress of each project, and to provide information on future priorities and the technical implications that they entail”.
Thus, the value of the exemption was not derived from its presence in a version of the digital health doctrine, but from the application of legal texts. However, these texts have not changed, so the exemption should remain perfectly applicable.
In essence, the reasoning, which stems from the articulation of various legal texts concerning GHTs, the care team and data protection, is as follows:
All the health professionals in a GHT work together on a shared medical project for the benefit of joint patient care, with a computerized patient file that is convergent or common to all the establishments, under conditions that comply with interoperability and security standards, recreating a “security bubble” comparable to that which prevails in an establishment. Moreover, GHTs constitute a care team, in the sense of its very extensive legal definition[3].
It is therefore consistent to consider the establishments of a GHT as constituting, together, an entity within which the purposes and means are determined jointly, and therefore as joint data controllers within the meaning of article 26 of the GDPR. In this approach, none of the joint data controllers acts on behalf of the others, and all have a role to play in the design and implementation of the data processing necessary for the care, according to a division of tasks that is not necessarily equal, allowing one of the institutions to assume sole responsibility for hosting the data.
Thus, since the hosting institution does not act “on behalf of” the others, within the meaning of article L1111-8 of the Public Health Code, but as joint controller alongside the other institutions in the GHT, the criterion for applying the health data hosting regime, which rests on outsourcing, is not met. The legal regime relating to the hosting of health data is therefore inapplicable, provided of course that the constitutive agreement of the GHT expressly provides for the joint responsibility of the establishments that are parties to the GHT and formalizes a delegation of the hosting activity to the establishment that carries it out.
Although this analysis ensures consistency between the legal provisions relating to GHTs, the care team and the hosting of health data, its relevance may still be questioned, particularly in the light of the results of GHTs and the reality of coordinated care.
In any event, provided that the institutions in a GHT wishing to claim it have ensured that it is appropriate to their operations and responsibilities, the exemption remains just as applicable whether or not it is included in the doctrine of digital health.
It should be remembered, however, that even if this exemption is considered relevant and applicable to a given GHT, it can in no way allow the hosting institution to avoid the security requirements set out in the certification framework, which lists the “appropriate technical and organizational measures” that must be implemented in accordance with the RGPD.
It must be noted that the regime relating to the hosting of health data will continue to generate much debate, as it always has, particularly as a result of the 2018 decree and its provisions relating to activity 5, defined as “The administration and operation of the information system containing the health data”.
The operational vision of the CISO
The curious (or historians?) may wish to read the series of articles presenting, on the technical side, the limits of the current framework[4][5][6], in particular a very twisted trick based on the misuse of bare-premises rental to escape HDS qualification. That said, criticism is easy, and this framework has at least had the merit of putting an end to the Wild West. The law being a fundamentally living matter, its evolution is natural. More recently, Ms. Brac de La Perrière published an analysis[7] that discusses the evolution of activity 5, the scope of which is now clarified.
In substance, with respect to the exemption from the regime for GHTs, it is reasonable to consider that:
– The main purpose of GHTs is cooperation, so the relationship between the institutions of a GHT and their support institution cannot be viewed in the same way as that between a company and its hosting provider (SaaS, IaaS or PaaS);
– The texts relating to GHTs and the care team have positioned the establishments as joint controllers of the data processing necessary for patient care, within the meaning of the “classic” provisions of the RGPD;
– The legal texts relating to the HDS, which consider the host as acting “on behalf” of a data controller, do not a priori apply in the context of a GHT, as the partnership relationship between the institutions of a GHT takes precedence over that of controller/processor.
It is strange that there are so many debates on this subject, especially as several legal experts have recently taken the view that, in other areas (purchasing, HR, etc.), case law tends to consider the health establishments in a GHT as a single legal entity, even though GHTs do not in fact have legal personality. This is all the more true since, for those who have never undertaken the process, obtaining HDS certification from scratch requires at least 18 months of work and represents a significant Build and Run workload, in a context of strained resources and far more pressing cyber issues.
Clearly, the challenges of GHT information systems (IS) today revolve around the following issues:
– Professionalization of operational maintenance processes;
– Taking Cyber by Design into account;
– Target architecture of the converged IS.
On this last point, which software building blocks should converge, and how? For a CIO alone, there are several possible scenarios, and the HDS constraints vary enormously between them. This means that HDS certification is only a means to an end, not an end in itself, and that it is the need that drives the choice.