The Decree No 2018-137 of 26 February 2018 on the hosting of personal health data has been published on 28 February 2018 in the Official Journal.  The Decree defines notably the arrangements for implementing the procedure for certifying hosts of health data.

Context

The Decree has been adopted pursuant to Order No 2017-27 of 12 January 2017 on the hosting of personal health data which substantially modified Article L1111-8 of the French Public Health Code (FPHC).  As a reminder, this updated version of the Article, which will enter into force on 1st April 2018, sets out a transition from an approval procedure – currently governed by the Decree No 2006-6 of 4 January 2006 – to a certification procedure by accredited bodies for certifying hosts of personal health data in digital format.

It should be noted that an approval procedure will remain applicable for hosting health data in paper form and for hosting in digital format as part of an electronic archiving service.

The new mechanism of certification is defined notably by the Shared Healthcare Information Systems Agency (“Agence des Systèmes d’Information Partagés de Santé (ASIP)”) – previously in charge of issuing the approvals – which drew up the certification reference systems of which the draft versions can be consulted on the website esante.gouv.fr and will be approved by order of the Minister for Health.  Those reference systems are composed of the Certification reference system for hosts and the Accreditation reference system for bodies wishing to issue a certification.

Thus, the new certification procedure meets the objectives of transparency and predictability because it relies on existing international standards, known by the professionals.  Furthermore, the current extensive bureaucracy should be replaced by shorter delays.

This new procedure is part of the general approach initiated by the Law of 26 January 2016 on the modernisation of our health system to make the health data hosting system more flexible.  This approach has also replaced the obligation to obtain the patient’s consent to the hosting of his health data with an obligation to provide prior information and the possibility for the patient of objecting to hosting for a legitimate reason.

The key elements of the certification procedure

The choice of an accredited certification body

The host must choose a certification body accredited by the French Accreditation Body (or any equivalent national accreditation body at European level).

The certification body is accredited in accordance with the Accreditation reference system which is based on the ISO 17021 standards “Certification of management systems” and ISO 27006 “Requirements for bodies providing audit and certification of information security management systems”.

The accreditation “demonstrates the competence, the impartiality and the reliability of a body to check the conformity with the established and formalized requirements”.

The scope of application of the certification

The Decree and the Certification reference system define the scope of hosting activities subject to certification.

New Article R1111-8-8 FPHC:

• states that the certification procedure is applicable to any person hosting personal health data collected during prevention, diagnosis, treatment or social or socio-medical monitoring on behalf of persons responsible for processing the production or collection of such data or on behalf of the patient;
• indicates that temporary health data hosting during services of processing, formatting, materialization or dematerialization of such data on behalf of the health actor, does not constitute a hosting activity as defined in Article L1111-8 FPHC;
• provides for the obligation for data controllers who entrust health data hosting to third parties to ensure that said third parties hold a certificate of conformity.

The services of hosting health data in digital format that fall within the scope of the certification procedure are defined by the Decree (Article R1111-9 FPHC) and by the Certification reference system:

1° The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the health data;
2° The provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the health data;
3° The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the health data;
4° The provision and maintenance in operational condition of the platform for hosting information system applications;
5° The management and operation of the information system containing the health data;
6° The backup of the health data.

The conditions for issuing the certification

The certification of health data hosts in digital format is now mandatory and it replaces the former approval.

Only accredited bodies are allowed to issue the certificate of conformity on the basis of the Certification reference system and subject to compliance with the conditions set forth in the Decree.

The Certification reference system is based on the requirements of the ISO 27001 “Information security management systems”, ISO 20000 “Service management system”, ISO 27018 “Protection of personally identifiable information “, and on the specific requirements for health data hosting.

Two types of certifications can be issued:

• a certification for “hosts of physical infrastructure” for the provision of physical hosting sites and hardware infrastructure (Article R1111-9 1° and 2° FPHC);
• a certification for “outsourcing hosts” for the provision of virtual infrastructure and software platform, the provision of health data outsourcing and backup services (Article R1111-9 3° to 6° FPHC).

The Certification reference system specifies the requirements applicable to each type of certification.  When the host performs hosting services both as a host of physical infrastructure and an outsourcing host, it must obtain the two certifications and is evaluated for compliance with all the relevant corresponding requirements.

The accredited body conducts a two-step audit to assess compliance of the host with the requirements of the Certification reference system:

• an audit of documents during which the accredited body carries out a document review of the information system to verify compliance with the requirements of the Certification reference system;
• an on-site audit during which the accredited body gathers audit evidence.

The certification is delivered for a period of 3 years and, every year, the certification body performs a surveillance audit.

The certified hosts must submit an application for recertification to the accredited body no later than three months before the expiry date of the certification.

The health data hosting contract

The Decree amends the minimum clauses which must be contained in the hosting contract concluded between the certified host and its client.  We invite you to consult new Article R1111-11 FPHC that enumerates those clauses.

Entry into force and transitional provisions

The certification procedure will enter into force on 1st April 2018.

The Decree defines the arrangements for the period between the approval procedure and the certification procedure.  The approval procedure is maintained during a transitional phase:

• the current approval procedure remains applicable to applications for approvals received before 31 March 2018;
• the certification procedure applies to any new application received as from 1st April 2018;
• where the approvals expire before 31 March 2019, the duration is extended for six months to allow the host to take the necessary steps in compliance with the new certification procedure.