
In France, Health Data Hosts (Hébergeurs de Données de Santé, HDS) play a very important role in the management and processing of healthcare data. They enable healthcare organizations to store data considered sensitive by the CNIL (National Commission for Information Technology and Civil Liberties), while guaranteeing confidentiality and a very high level of security. How do Health Data Hosts work? And what are the challenges involved in using them?

📌 Hébergeur de Données de Santé (HDS): What is it?

Health data is considered sensitive: it is personal data subject to special protection, in order to guarantee respect for the privacy of the individuals concerned. Health data (or health information) concerns patients' pathologies and physical characteristics. It is processed by health establishments, doctors and other services. Individual rights and storage requirements are specific to this type of data.

While the best practices and usages concerning its collection and processing are defined by the Health Code, its hosting is governed by the new rules of the GDPR (General Data Protection Regulation).

✅ Security and data protection

Health data hosting providers operate facilities that meet the security conditions required to host servers and network equipment.

In terms of physical security, healthcare data hosts are equipped with surveillance cameras and fire detection systems, so they are able to protect their equipment as well as the data they store.

In terms of network security, particularly for the system's hardware infrastructure, measures are in place to protect personal data in transit. These include virtual private networks (VPN), firewalls, data encryption and other techniques that help prevent intrusions and cyber-attacks.

This is a guarantee of reliability for these servers.


✅ Real-time system monitoring and client support

Healthcare data hosts are able to monitor, in real time, how data is used by users, while guaranteeing that this use complies with the privacy policies defined by each organization. This is also known as a surveillance audit.

To achieve this, healthcare data hosting providers need to be able to detect performance problems and resolve them quickly.

As part of its risk management process, the hosting provider implements preventive activities to anticipate potential data security problems. It must be vigilant in keeping its sites operational.

It must also prove its ability to maintain servers in operational condition.

✅ HDS certification and certification procedure

The main purpose of HDS certification is to reinforce the protection of healthcare data, and thus build an environment of trust for everything to do with eHealth and patient monitoring.

HDS certification protects the data of the individuals concerned against any leakage or loss of their personal data. HDS-certified health data hosts are obliged to ensure the compliance and traceability of all personal health data.

Certain conditions must be met before an organization can host personal health data.

Each hosting provider must hold the health data hosting authorization that corresponds to the service it intends to offer.

The certification body follows a certification procedure and carries out a two-stage audit to gather information:

  • Documentary audit: a documentary review of the host's information system is carried out. The aim of this stage is to determine the documentary conformity of the system, based on the requirements set out in the certification standards;
  • On-site audit: audit evidence is collected in accordance with the conditions defined in the accreditation standards.

Several certification bodies are authorized to issue HDS certificates: AFNOR Certification (accredited on 29/08/2019), BSI GROUP France SARL (accredited on 20/06/2019), Bureau Veritas Certification France (accredited on 17/04/2019), etc.

📋 Health data hosting in France

Personal health data must be hosted on HDSs located in France or the European Union. Otherwise, sufficient guarantees must be provided to demonstrate a high level of protection.

Personal data considered sensitive by the CNIL (National Commission for Information Technology and Civil Liberties) includes all medical data and identifying information collected and processed by an organization. This may be in the context of healthcare services, prevention or diagnosis, the healthcare system or a third-party healthcare provider.

Any healthcare organization (healthcare professional, healthcare facility, research organization) or health administration is obliged to ensure that the data it processes is hosted on an HDS server in France, or at least in Europe, unless sufficient guarantees are provided. The various certification bodies empowered to issue certificates are responsible for verifying that hosting providers comply with security and confidentiality rules, based on the regulations in force.

🔥 Two companies subject to the obligation to host their healthcare data on an HDS

👩‍⚕️ Docorga, one of Doctolib's main competitors, offers a platform that enables healthcare professionals to simplify the management of their patients' care pathways, from the request for treatment, through the various secure document management tools, right up to the billing of procedures. All this on a secure application, which takes into consideration the protection of the privacy of the people concerned, while enabling data sharing.

It should be noted that Docorga hosts the personal health data it processes on an HDS located in France.

Among the tools offered by the health platform:

  • A secure messaging system for exchanging sensitive files;
  • Patient files that allow you to personalize patient care and add your own observations;
  • Notes and reminders to reduce the number of consultations forgotten by patients by sending them SMS reminder notifications.

Through its personal health data processing service, Docorga processes health data considered sensitive by the CNIL (National Commission for Information Technology and Civil Liberties). This means that the various rules governing the hosting of health data, as laid down by law, must be taken into account.

Dipeeo is their referent at the CNIL (National Commission for Information Technology and Civil Liberties) and manages all of the startup's GDPR issues.

👨‍⚕️ Viabeez is a platform that makes it easier for healthcare professionals to come to workplaces and communities. According to them, 59% of French people give up healthcare due to lack of time and access.

With more than 10,000 employees benefiting from its health services, the platform offers:

  • A simple, automated appointment scheduling tool for your employees;
  • Access to France's most sought-after specialties;
  • Better health cover for your employees.

This also requires consideration of the rules laid down by law for the hosting of personal health data.

Dipeeo is their referent at the CNIL (National Commission for Information Technology and Civil Liberties) and manages all of the startup's GDPR issues.


Which healthcare data hosting provider (HDS) should you choose?

The list of healthcare data hosting providers is now quite long. Most of the major providers have launched a healthcare data hosting service, providing you with support in securing your data.

These include OVHCloud, AWS, Azure, Hisi, Claranet, Blue and A2COM Foliateam, which offer hosting solutions for personal health data, enabling secure data storage.

It should be noted that prices are much higher than for a standard server.

⚡ Global GDPR compliance is not ensured by Health Data Hosts.

GDPR compliance is a key point for any structure, especially in the healthcare field. It means putting in place practices that comply with the rules laid down by the GDPR, particularly with regard to human resources practices, commercial prospecting, subcontracting (personal data management), employee awareness, etc.

Furthermore, it should be pointed out that the GDPR lays down other rules and requirements to be taken into consideration. In other words, hosting your personal health data is just one point among others on the way to GDPR compliance.

Beyond health data hosts, any other organization that processes, collects and manages personal data is obliged to comply with the GDPR.

As you will have understood, using an HDS hosting provider is not enough to be GDPR-compliant and to secure your information. It is key to ensure your overall compliance, notably with the support of a DPO.

Digital platform compliance: Bringing a digital platform into GDPR compliance is crucial, since this is often where the most personal data transits. As a result, the risks of privacy breaches are particularly high. SaaS solutions that handle GDPR compliance, such as Dipeeo in the context of GDPR compliance for a digital platform, first carry out an audit in order to take stock of the elements that need to be taken into consideration for proper GDPR compliance. In this regard, it is strongly recommended to think about privacy right from the design of the digital platform. This is known as Privacy by Design.

Commercial prospecting: GDPR compliance must be taken into consideration for any commercial prospecting activity, given that it involves handling personal data. Respecting GDPR rules means effectively protecting the privacy of your prospects, by protecting the data that concerns them:

  1. to avoid the risk of sanctions or loss of reputation.
  2. so as not to be limited in its commercial practices!

By following all these rules, you won't have any complaints or claims, for the simple reason that you'll be more likely to respect your prospects' privacy. Take a look at our article on rules for effective prospecting.

✅ Employee awareness: Admittedly, it is difficult to monitor all personal data protection practices and all employees within a structure. On the other hand, it is quite possible to raise employees' awareness of GDPR best practices, so that they know the rules and standards they must comply with.

On the one hand, employers must comply with basic rules, such as only collecting data that is necessary for proper operation, and carrying out an impact analysis to ensure that they are authorized to collect certain data. On the other hand, it is mandatory to inform employees about the collection and processing of data concerning them, the rights they have, and the data retention period.

A comprehensive privacy policy must be put in place to ensure that clear and transparent information is provided to all employees.

Respect for consent:

According to the CNIL (National Commission for Information Technology and Civil Liberties), commercial prospecting in B2B is based on what the CNIL calls the "legitimate interest" of the company. However, to comply with the GDPR, any organization must inform data subjects that their personal data will be used for commercial prospecting purposes, and give them the opportunity to easily object to this use, by offering an unsubscribe button.

As a result, all BtoB commercial prospecting can be carried out without prior consent, as long as the companies you contact are likely to be interested in your product or service.

Compliance with data retention periods: The CNIL (National Commission for Information Technology and Civil Liberties) has defined maximum data retention periods that must not be exceeded in order to be compliant. Given that prior consent is not required for B2B prospecting, there are no data retention limits for personal data in that case.

For B2C prospecting, on the other hand, the period defined by the CNIL is 3 years from the last contact. It is therefore important to set up data administration processes.