Health data hosting, to a new certification repository

Marguerite Brac from La Perrière, TUESDAY 08 NOVEMBER 2022

20 years after the Kouchner law of 2 March 2002[1] Once established, the legal regime for hosting health data is about to evolve again with a version V.1.1 in consultation with the HDS Certification Requirements Repository.

The project proposes definitions, in particular regarding the famous activity 5 “The administration and operation of the information system containing health data” art. R1111-9 of the Public Health Code, defined as structured around:

Supervision and management of occasional access by third parties appointed by the client of the organization (e.g. the host), for example for purposes of auditing, expertise, deployment or maintenance, necessary to access the Application via the HDS infrastructure base corporate (.);

“The safe maintenance of the HDS Infrastructure Base [l’application métier étant exclue par la définition du Socle d’Infrastructure] and the Customer Service Center “ (.);

The documentation kept up-to-date on the consistency and completeness of the security guarantees provided by the various actors who contribute to the realization of the service. “(.)

These provisions have the advantage of clearly excluding from this activity 5 the maintenance and support operations of the publishers of business applications.

The scope is defined as relating to the ” organizations with health data hosting activities “which” contribute in particular to the implementation of a digital health service “, thus linking with its common object” digital health service “the system relating to the hosting of health data, to the one that has given legislative force to safety and interoperability standards, aimed at guaranteeing exchange, sharing, safety and the confidentiality of personal health data.

The draft reference document also provides details on the scope without changes in this regard, but without prejudice to details relating to what does not constitute a hosting activity, or “Short term” exception. art. R1111-8-8 of the Public Health Code: the transitory processing of data when they transit through a public network, and the ” exception of transcription intended mainly for mail printing services or for the insertion of reports, both by operators and voice recognition “.

The draft also introduces additional requirements in this regard risk assessment, inviting in this regard the organization to consider the risks incurred by the interested party in the event of loss of integrity, confidentiality or availability, in particular loss of opportunities, reputational risks or discrimination, and to take into account the risks incurred by the interested party people and organizations that provide medical care, including their medical liability and reputational risks. The requirement proposes a minimum list of events to consider.

The draft standard proceeds with reference to some requirements of ISO 27001 and the SecNumCloud (with the addition of a matching matrix with the SecNumCloud repository), but neither ISO 20000 nor ISO 27018.

Also, it introduces a reminder of contractual requirements, including those referred to in art. R1111-11 of the Public Health Code, and information concerning in particular the sovereignty of data: the host must allow the customer to “choose from the list of accommodation places offered by the host, the countries in which such data can be effectively processed “, it is specified that the accommodation places offered to the Client by the host must be located in member countries of the European Economic Area, or countries that guarantee an adequate equivalent level of protection by virtue of an adequacy decision, to the exclusion of other guarantees (contractual clauses type or BCR). If the legitimacy of these provisions can be questioned, they do not exclude the use of operators subject to non-EU regulations (think of the Cloud Act), provided that the customer and the data controller are informed of the non-EU regulations to which the guest is subject, and of the measures put in place by the guest to mitigate the risks of violation of personal health data induced by these regulations, and communicate the description of the residual risks .

As for the reversibilityin addition to the commitment to return the data, mandatory minimum information must now be included in the contract, including the commitment to destroy the copies at the end of the return, the methods, costs and terms of such return and the destruction of the copies, the return, readable and usable for the purposes of portability of health data, and possibly the methods that allow the handling of virtual machines (or containers).

Health data hosting contracts will therefore need to be clarified and integrated in view of the renewal of health data hosting certification.

Your keyboards,

[1] Law no.2002-303 of 4 March 2002 relating to patients’ rights and the quality of the health system, art. 11

The author

Marguerite Brac de La Perrière is a lawyer, partner of the LERINS firm, expert in Digital Health. She supports healthcare professionals in their regulatory compliance, development and growth, particularly in terms of healthcare data processing and secondary use, and IT contracts.

#HDS# health data#safety#digital#privacy

Leave a Reply

Your email address will not be published. Required fields are marked *