Storage and Hosting

Article L.1111-8 of the French Public Health Code regarding the hosting of health data aims to organise and supervise personal data storage and data recovery, for personal data collected during prevention, diagnosis, treatment, care and medical/social support, in such a way as to guarantee its confidentiality and security.

Through this framework, the legislator wishes to guarantee trust in third parties to whom organisations and professions in the health, social, and medical-social sector entrust the health data that they produce or collect, primarily by measuring the impact of the service provider's activity in data protection, using state-of-the-art security criteria "availability, integrity, confidentiality and audibility (DICA)", which come under ANSSI and ISO norms.

This trust in third parties acting on behalf of healthcare, social, and medical-social operators is provided by the obligation to be HDS authorized or certified. 

The obligation to be authorized or certified mentioned in article L.1111-8 of the French Public Health Sector Code applies to all entities that propose a hosting service.

It concerns personal health data obtained through activities of consultation, diagnosis, treatment, care, social and medical/social support on behalf of the patient or healthcare professional, healthcare establishments and services, and any other organisation carrying out prevention, care, and social and medical/social support at the origin of this data.

The conditions are cumulative. It concerns all persons (natural or legal), whether governed by private of public law.

In this respect, the possible situation of in-house provision defined in article 17 of Ordonance no.2015-899 of the 23 July 2015 regarding public contracts issued by certain entities, which allows public buyers to award contracts without advertising or forcing an existing provider to compete against other providers, but without questioning the analysis in respect to the application of legislation on health data hosting.

Example: Professionals working with personal health data defined by article 4-15 of the European Regulation regarding personal data protection, are not systematically required to apply legislation regarding hosting. It concerns all health professionals, all establishments and health services, any other organisations undertaking prevention, treatment, care, social/medical support (natural or legal persons) who produce above-mentioned data in the scope of their activities in prevention, diagnosis, care and social/medical support. Anyone in these categories must assess on a case-by-case basis whether the data health data he or she entrusts to a third-party originates from their activity of prevention, diagnosis, treatment, care or social/medical support. 

For example, a healthcare establishment operating a database for the purposes of research carried out in the scope of patient care is required to use an HDS certified host when the database is externally hosted. 

The following organisations are excluded from the obligation to use an HDS certified host:

• Mandatory and complementary public health insurers in the scope of their healthcare cost reimbursement activity; these organisations process, but are not originators of health data; 
• Health research organisations, when their databases are not initially designed for prevention, diagnosis, treatment, care and social/medical support; 
• Sports clubs who offer activities to handicapped persons. These clubs process, but are not originators of health data.