FAQ – Find answers to the most frequently asked questions about health data hosting
What is considered as personal data ?
The EU General Data Protection Regulation (GDPR) defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
What is considered as personal health data ?
The EU General Data Protection Regulation (GDPR) gives a definition of personal heath data since April 2016.
Personal health data are the data from the past, present and future that are related to a physical person health (mental health or physical health), including the healthcare services provision and exposing information on the health state of the person. More details and clarification are listed on the CNIL website.
Who is affected and must deploy a specifi health data hosting solutions ? (HDS in France)
Article L.1111-8 of the French Public Health Code specifies that: “Any natural or legal person that hosts personal health data collected during an activity of: prevention, diagnostic, social and medico-social care and monitoring for the account of natural or legal person originating the production and collection of these data on behalf of the patient itself, must be accredited and certified for this activity.”
The French Ministry of Health specifies that the legal or natural persons affected by the Health Data Hosting Solutions, are on one hand the patients that assign the hosting of their personal health data to a third party, and on another hand the entities responsible for the handling of personal health data with as a finality: the prevention, the healthcare (care and diagnostic), the social or medico-social care of the persons.
What do we mean by processing personal data ?
According to article 2 of the French Data Protection Law (loi informatique et Libertés)* « handling personal data refers to any processing of personal data whatever system or process used, and essentially collecting, saving, structuring, adapting, modifying, extracting, consulting, using, communicating etc or any other form of handling including interconnection, locking, erasing or destroying.. »
*this translation is informative only and is not a legal translation nor has any legal value….
Who is the data controller ?
According to article 3 of the French Data Protection Law (loi informatique et Libertés)* Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; therefore, to determine who between the software editor and the software user is the data controller, it is important to determine how and why data are processed through the software.
*this translation is informative only and is not a legal translation nor has any legal value….
Is the software publisher the “data controller”
The French data protection body (CNIL) has had to consider on a number of occasions that in principle, the software publisher is not responsible for the data processing done using the software : one common example would be a practitionner or health care facility using a software to manage the medical practice or medical files edited by a third party editor ; in both cases the data controller would be the practionner or the medical practice using the software ;
Clients of the publisher will be the data controller, the editor himself being the client of the legal entity hosting the health data and therefore, the data controllers contracting with the publisher could be located on the territory of France or other territories.
What is the role of the health data hosting provider ?
The main objective of Article L.1111-8 of the french public health code on health data hosting is to regulate conservation and restitution of personal health data in such conditions as to guarantee safety and confidentiality.
This is meant to secure the trust in any third parties to which healthcare, social and medico-social structures and professionals transfer the health data they produce or collect, in particular by measuring the impact of the service provider activity on the protection of data, through security criteria «availability, integrity, confidentiality and auditability».
This trust in third parties acting on behalf of these healthcare and social and medico-social stakeholders is given through the obligation to be approved and / or certified «HDS».
What are the requirements to obtain the HDS certification ?
1. The provision and maintenance in operational condition of physical sites for hosting the
Hardware infrastructure of the information system used to process health information.
2. The provision and maintenance in operational condition of the hardware infrastructure of the information system used to process health information.
3. The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process health information.
4. The provision and maintenance in operational condition of the platform for hosting information system applications.
5. The management and operation of the information system containing health data information.
6. Outsourced backup of health data.
Who builds a global “HDS” contractual framework dedicated to customer projects ans constraints ?
Within the framework of Health Cloud® Hybrid solution, Euris Health Cloud implements a global HDS contractual framework according to the constraints of the customers while assisting them in their compliance with the regulation. The Support of Euris Health Cloud teams throughout the deployment process, enable the creation of a customized project and in line with customer specificities.
Who can have an access to the health data ?
The Health Data can be accessed by the patient and the Healthcare Professional. The collection of health data and the exploitation of medical device data are subjected to a very strict regulation under the RGPD. The latter is intended to ensure confidentiality, the security of such data and the protection of the patient’s privacy.
Is the GDPR applicable to health data ?*
The General Data Protection Regulation (GDPR) treats health data as a «special category» of personal data which is considered to be sensitive by its nature.
The GDPR makes clear that health data should be processed for health-related purposes, only where necessary to achieve those purposes for the benefit of natural persons and society as a whole. This purpose limitation principle is to be linked with the consent provided by the data subject. Organizations should ensure that they define a clear, compatible and legitimate purpose to protect against misuse of the individuals’ data.
Processing is prohibited unless exceptions apply such as the provision of the individual’s explicit consent, where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or where Member States have inserted further conditions or limitations. The collection of the data subject’s consent remains the most common exception that organisations processing health data will be able to rely on provided that it has been explicitly provided and the purpose for processing the data has been explicitly defined. Where relying on consent, organisations should ensure that the consent meets the new GDPR.
Under the GDPR, both the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
What are the sanctions for non-compliance with the regulation on the protection of personal health data ?
Breach of Article L.1111-8 of the Public Health Code is sanctioned by up to 3 years imprisonment and a fine of € 45,000 in case of individuals and € 225,000 in case of legal entities.
Processing of personal data in such circumstances may also be sanctioned by the French data protection authority (the “CNIL”), that can impose a fine of up to € 3 million (and after 25 May 2018, up to €20 million or 4 % of the worldwide turnover), as well as an injunction to cease processing. Sanctions are made public. The CNIL has already issued a sanction in relation a health data hosting service provider.
Breaches to data protection regulations or to professional secrecy can also give rise to criminal fines.
It is essential that Article L.1111-8 be taken into account when dealing with certain types of health data of French residents.
What are the recommended measures regarding strong authentication when accessing personal health data including by patients even if they only access their own health data?
We are interested here in personal health data, a particular case of personal data, which legislators consider sensitive data and require high security measures to guarantee their security, confidentiality and integrity.
In France, the organizations in charge of giving concrete content to these high security requirements on access and security of personal data are the CNIL (www.cnil.fr) and the ASIP, which has become the ANS (Digital Health Agency, (https://esante.gouv.fr).
The constant policy of these organizations for nearly ten years concerning the authentication of actors accessing personal data has always been to require a high level of security for authentication, including for patients only accessing their own personal and health data. Indeed, it has always been recommended and required that the authentication of patients accessing personal health data be a strong authentication and that it is not limited to a login / password.
The HDS platform approval procedures instructed by ASIP, submitted to the CNIL and decided on to the CAH (ASIP Approval Committee) for the Minister’s decision, have always required strong authentication in the event of patient access. . This was obviously also the case for Euris Health Cloud. In the list of Certified Health data hosting providers not all are approved for patient access because this technical requirement does not appear in their approval file.
The documents cited below are the documents to consider on the subject of authentication, and in this case the authentication of patients.
Patients must obtain access to applications running on the HDS platform in which they will have access to health data or they will be able to deposit health data (always exclusively their personal and health data), data that they may possibly share with health personnel (doctor, nurse, coach, etc.). The HDS standard requires compliance with the PGSSI-S, of which the cited standards are part. The PGSSI-S is made enforceable by article L1110-4-1 created by law n ° 2016-41 of January 26, 2016 – art. 96 (V).
Reference documents (French legal framework):
- PGSSI-S Principes_Fondateurs
- PGSSI-S grille d’applicabilite des référentiels v1_0
- PGSSI-S Référentiel d’authentification des acteurs de santé _v.2.0
- PGSSI-S Référentiel d’imputabilité _v1.0_0
Also consider this extract from the CNIL opinion on the AntiCovid application:
“Regarding the methods of authenticating people, the Commission notes that the system provided for by the draft decree authorizes authentication by username and password alone, which does not comply with the recommendations of the PGSSI-S and Commission recommendations on access to health data. The Commission considers it preferable that all persons authorized to access the processed data use a strong authentication mechanism comprising several authentication factors “.
What is Euris health cloud ?
Euris Health Cloud is a recognized expert in Health Digital and Cloud solutions, certified for Health Data hosting activities and managed services.
• EU : GDPR compliance (General Data Protection Regulation) , HDS 2018 (Health Data Hosting) & ISO 27001 :2013) (International Organization for Standardization) ;
• USA : HIPAA compliance ( Health Insurance Portability and Accountability Act)
• China/PRC : CSL ( China’s Cybersecurity Law).
Thanks to its unique model of marketplace services, Euris Health Cloud also offers a full range of services and interconnected solutions helping the launch of E-health projects : strong authentication, drive, archiving, Big Data, Business Intelligence, IoT etc…