FRANCE: New rules for processing patient health data

France’s Law for the Modernization of the Health System, adopted earlier this year, applies to all processing of health data for the purpose of evaluating or analyzing medical treatments and preventive actions.

The Law amends the Data Protection Law of 1978, creating a new framework for obtaining authorization to process health data, as well as a new consent requirement.

Requirements for processing interventional and non-interventional human biomedical research data (such as clinical trial data) are not affected by the new law.

New Authorization Procedure

There are four steps to the new authorization procedure:

  1. Processing personal data for research, study or evaluation purposes will require authorization from a new agency, the National Health Data Institute, created by the Law for the Modernization of the Health System.
  2. The request for authorization will be relayed to the new Expert Committee on Health Research, Study and Evaluation, which must within a month issue an opinion on the project methodology, the necessity of processing personal data, the pertinence of such data in light of the purposes of processing, and the scientific value of the project. The Committee replaces the soon to be defunct CCTIRS, Consultative Committee for the Processing of Health Research Data. In conjunction with the Expert Committee opinion, the French Data Protection Authority (the CNIL) or the Health Ministry has the option of petitioning the newly created INDS (National Health Data Institute) for an opinion on the public interest in the research, study, or evaluation that justifies the data processing. Alternatively, INDS can take the initiative to issue an opinion. In all cases, INDS has one month to issue its opinion.
  3. The CNIL must authorize the project, taking into consideration data protection principles and the benefits of the project. In particular, for each authorization request, the CNIL will verify whether the project is consistent with the petitioner’s organizational purpose, the need to process personal data, the security measures deployed, and the guarantees provided in terms of medical secrecy. The CNIL will also determine the appropriate data retention period. For-profit entities – in particular entities that market health products, credit institutions, insurers and reinsurers – must meet additional requirements to obtain an authorization. These entities must demonstrate that their methodology precludes any use of the data for any prohibited purpose. Failing that, these entities must contract with a public or private research laboratory or research center to undertake the data processing. The research laboratory or center must certify compliance with a standard setting forth requirements for confidentiality, expertise, and independence.
  4. If the processing requires access to data in the new National Health Data System, then the petitioner must provide INDS the CNIL’s authorization and a statement of interest related to the purpose of the processing and the project protocol, specifying the means for evaluating the validity and results of the study. The INDS will publish the CNIL authorization, the statement of interests and the results and method.

Several exceptions to the authorization requirement are contemplated, including processing of medical data or therapeutic data used by persons who administer treatment for their sole use, or processing for reimbursement or monitoring by organizations responsible for managing the national health insurance system.

The CNIL may decide to simplify the authorization procedure by issuing standard methodologies and security standards.

These methodologies and standards (including security standards) will be developed by the CNIL with input from the Expert Committee and public and private institutions representing relevant stakeholders. The CNIL followed a similar procedure for establishing a reference methodology for processing clinical trial data (the so-called MR-001), the reference methodology for non-interventional studies of in vitro diagnostic devices (MR-002), and, most recently, a reference methodology for research that does not require explicit or written consent of the patient (MR-003).

The CNIL is also empowered to simplify the authorization procedure by issuing so-called Single Authorizations.

Single Authorizations are one-time authorizations issued by the CNIL. Any controller that complies with the conditions set forth in a Single Authorization can certify its compliance therewith and within a few days obtain an authorization to process data. The CNIL has already adopted, after consultation with ASIP-Santé, a Single Authorization for the processing of health data by secured messaging systems. Other Single Authorizations already issued by the CNIL relate to cancer diagnoses, pharmacovigilance, and temporary use authorizations.

The CNIL can also determine exceptions to the authorization requirement, in particular for aggregated data sets.

New Notice Requirements

Finally, a forthcoming decree will set forth notice requirements to patients regarding the use of their indirectly identifying data for research or evaluation. The CNIL will be issuing an opinion on the decree, which it is hoped will be adopted by the Supreme Administrative Court before the end of the year.

Learn more about these developments by contacting either Jeanne Bossi Malafosse or Carol Umhoefer.