Services for hosting personal health data collected during prevention, diagnosis, treatment, or social or socio-medical monitoring

Decree on the hosting of personal health data and amending the French Public Health Code

This draft Decree is issued pursuant to Article L1111-8 of the French Public Health Code, as amended by Order No 2017-27 of 12 January 2017 on the hosting of health data. It clarifies in particular that the hosting of personal health data collected during prevention, diagnosis, treatment, or social or socio-medical monitoring must be performed by a certified or approved hosting provider.

More specifically:

• Article 1 II defines the scope of hosting activities subject to certification;

• Article 3 defines:

- the scope of certification for hosting personal health data in digital format;

- hosting provider obligations, particularly those that must be listed in the hosting contract agreed with the customer;

- the conditions for certifying providers of hosting services for personal health data: only hosting providers certified by a certification organisation accredited by the French Accreditation Body [comité français d’accréditation] or the national accreditation body of another Member State of the European Union that is a member of the European co-operation for accreditation and has signed multilateral mutual recognition agreements covering the certification in question, may offer services for hosting personal health data in digital format.

Hosting providers are certified based on a certification standard drawn up by the public interest group mentioned in Article L1111-24 of the French Public Health Code (Shared Healthcare Information Systems Agency) approved by order of the Minister for Health after consultation with the French Data Protection Authority [Commission nationale de l’informatique et des libertés].