Due to their sensitive nature, health data must be processed in accordance with certain binding rules. In this sense, their access but also the way they should be hosted are strictly regulated.
What is a health data host? What does the legislation provide for?
Simply hosting health data does not make it possible to obtain de facto data hosting status. Indeed, obtaining this status is subject to a number of obligations.
1. Who is affected by this status? Which data should be processed?
As specified in article L1111-8 of the Public Health Code, a health data host is a person who hosts personal health data collected during prevention, diagnosis, care or social and medico-social follow-up activities, on behalf of natural or legal persons who are responsible for producing or collecting such data or on behalf of the patient himself.
3 conditions are therefore required:
On the other hand, the Public Health Code also specifies that in the context of short-term data hosting, in order to carry out data entry, formatting and materialization processing of these data, it is not necessary to obtain the status of data host. Similarly, the processing of data carried out on behalf of a controller requires this status to be obtained. Processing carried out internally is not subject to these formalities.
2. Is the status of data host an exception in France?
France seems to be the exception in this respect. Countries such as Belgium, Spain and the Netherlands seem to favour the shared medical file, which thus makes it possible to guarantee sufficiently secure processing and hosting of health data. Articles L. 1111-8 and R. 1111-9 et seq. of the Public Health Code apply to personal health data produced or collected in France. Thus, only data subjects of French nationality are concerned. A processing of health data from persons of foreign nationality carried out on behalf of a French controller will not be subject to French legislation in this area.
Once these conditions are met, it is also necessary to obtain an accreditation or certification.
3. Accreditation or certification?
When the data is hosted on a digital medium except in the case of electronic archiving, the host must obtain a certificate of conformity, issued by certification bodies accredited by the French accreditation body.
When the data is hosted on paper or digital media as part of an electronic archiving service, the host must obtain approval from the Ministry of Culture.
Decree n°2018-137, 26 February 2018, OJ 28 February 2018, specifies that the conditions for issuing a certificate or approval are set by decree in the Conseil d’Etat, after consulting the CNIL and the national councils of the health professions’ orders.
The scope of the health data hosting activities covered by the certification is set out in Article R.1111-9 of the Public Health Code.
A simplification of the procedures listed above was carried out in 2018. From now on, only the host certification must be obtained. The certification bodies check that the host complies with the certification standard. The latter must specify his activity in his application, which are listed in Article R. 1111-9 of the Public Health Code
Finally, the establishment of a hosting contract is essential, as indicated in article L1111-8, I, para. 3 of the Public Health Code. This must include all the mandatory information set out in Article R1111-11 of the Public Health Code.
Even though these formalities are binding, the person who wishes to be exempt from this certification is subject to a number of sanctions.
4. What are the risks in the event of non-compliance with these conditions?
Failure to comply with the approval conditions is punishable by three years’ imprisonment and a fine of €45,000 in accordance with Article L. 1115-1 of the Public Health Code.
On 7 June 2017, a doctor from the Assistance Public-Hôpitaux de Marseille (AP-HM) was fined €5,000.00 for unlawful processing of health data when one of his patients was able to find his medical file on the Internet through a search engine. He could also access and modify his medical file via the platform on which it was located without having to identify or authenticate himself. The host of the database in question was not approved to host health data.
Obtaining the status of data host is therefore essential in order to protect against this type of sanction. Healthcare institutions are not the only ones concerned by this status, Microsoft, AWS or Google are now part of the list of certified hosting providers, which is no longer so small.
 TGI de Marseille, 6e ch. corr., jugement du 7 juin 2017. Le Procureur de la République, AP-HM / M. X., Mme Y. et M. Z.
By Floriane Collombel