France has made itself one of the champions for the protection of personal data,¹ and has established for both medical data² and the body hosting them, a very specific set of policies, since regulations set the principle that all bodies hosting such medical data must apply for official accreditation.³

The concepts of “personal data”⁴ and “medical data”⁵ are broad under French law: one covers all data that permits a direct or indirect identification⁶, the other comprises all information regarding psychical and physical aspects of one person’s health.⁷

The act of hosting such data is defined by law as “filing personal medical data, collected through prevention, diagnosis and care activities performed by an authorised body.”⁸ The conditions therefore are strict: one of them is obtaining the express consent of the relevant person, except where the aim of the data exchange is to facilitate the provision of medical care, or when the access to the data is limited to those who filed it.⁹

Concretely, this implies that when medical data is hosted during a prevention, diagnosis or treatment activity – the scope of which covers most of the activities of the health care industry, which is experiencing and will experience a considerable development with telemedicine in the broad sense – the issue of the accreditation of the hosting services will be raised.

What are the situations where it will be necessary to use authorised hosting services?

Health care professionals (HCPs), health care service providers, and suppliers of medical devices, who file data locally or leave it for the HCP to consult without having the possibility to add or modify them, are not under an obligation to apply for an accreditation.

But the accreditation is necessary when the data is filed with a third-party hosting service, whether the body is an HCP or a technological third party that is either an authorised software publisher or an authorised body third party.¹⁰ Notably, this is the case not only for all contractors for telemedicine systems (telecardiology, telediagnosis, etc.), but also for sectors in which the development of e-commerce was liberalised (optical industry, in particular).

The application process for an accreditation¹¹ is long¹² and difficult. The application includes forms, declarations, and commitments.¹³ The French Code of Public Health goes as far as imposing the presence of a doctor at the candidate body,¹⁴ entrusted with the mission to ensure that the data is confidential and that the conditions to access the files are abided by.

The accreditation is issued by the Ministry of Health for a renewable period of three years¹⁵ if a favourable opinion is given by the “comité d’instruction” of the ASIP-Santé¹⁶, the French Data Protection Authority (CNIL), and the Hosting System Accreditation Committee.

The only other alternative to the accreditation application is to form a contract for the hosting and holding of medical data¹⁷ with an already accredited thirdparty data host. This solution appears to be the most convenient for medical e-commerce.

Health centres and HCPs, which are to be considered as the data controllers, will in any case have to obtain the express consent of the patient for the contract with the hosting system to be formed, as in telemedicine¹⁸.

The hosting system is under French law bound to an obligation to provide the hosting service that can only be waived because of the data controller’s (Health Centre, HCP) or any intervening third party’s gross negligence, or in case of Force Majeure (so-called “obligation de résultat”)¹⁹. The hosting system also bears an obligation of confidentiality²⁰, as well as a strict obligation to preserve the data security and integrity²¹. The conditions in which the hosting system can access the medical data are controlled by the system’s appointed doctor.

Violating the law or the agreement causes the accreditation to be withdrawn by the ASIP-Santé²². The French Ministry of Health also has the possibility to adjourn the hosting activity if the hosting system discloses data without accreditation, or commits a serious breach of its obligations. Operating without a licence is punished by three years’ imprisonment and a fine of €45,000, in addition to the annulation of the hosting contract²³.

Moreover, in addition to the aforementioned regulations, the medical data hosting activity will be subject to data protection regulation imposing notification obligations with the French Data Protection Authority, the CNIL, as well as to specific regulatory obligations (health care, telemedicine, etc.).

The issues in medical data hosting are therefore obviously complex in a health sector that experiences a real technological revolution.

1. The law of 6 January 1978 on Data Protection is one of the oldest on the matter, and France was the only G20 country that put the topic on the agenda of an international meeting of Heads of States in November 2011
2. It should be born in mind that this data cannot be processed
3. Law 2002-303 of 4 March 2002 on Patients’ Rights and the Quality of the Health System
4. See art. 2, Directive 95/46/CE; see art. 2, Law of 6 January 1978 on Data Protection
5. See art. L. 1111-7, Code of Public Health; see Opinion of the National Conference on Health, adopted 19 October 2010
6. Opinion of the National Conference on Health, adopted 19 October 2010
7. Case C-101/01 Bodil Lindqvist [2003] ECR I-12971
8. Art. L. 1111-8, French Code of Public Health
9. Art. L. 1110-4 and art. L. 1111-8 ss. 5, French Code of Public Health
10. Which must abide by art. L. 1111-8 of the French Code of Public Health
11. Regulation (Décret) n° 2006-6 of 4 January 2006; art. R. 1111-10, French Code of Public Health
12. Actualités JuriSanté, n° 74-July 2001: average length of application process is five to eight months
13. Available on: http://esante.gouv.fr/services/referentiels/securite/le-referentiel-de-constitution-desdossiers-de-demande-d-agrement-des : « P1 » to « P6 », « C1 » and « C2 ».
14. Art. R. 1111-9 6° of the French Code of Public Health
15. Art. R. 1111-15 of the French Code of Public Health
16. Agency of the French Ministry of Health
17. Art. R. 1111-8 of the French Code of Public Health; and see Art. R. 1111-13 of the French Code of
    Public Health
18. Regulation (Circulaire) n° 2012-114 of 13 March 2012
19. Contrats informatiques et électroniques, Dalloz référence 2012/2013, p. 411
20. C. Debost, « L’appréhension juridique de la relation de soin au prisme des nouvelles technologies » (“The legal policy on the relationship in the perspective of the new technologies”), Jurisdoctoria n°8, 2012, p. 122
21. Contrats informatiques et électroniques, Dalloz Référence 2012/2013, p. 346
22. See art. 1111-8, ss. 4 French Code of Public Health
23. Art. L. 1115-1, French Code of Public Health

Client Alert 2013-169