Health data hosting, decoding recent developments
Locations

France

The health data hosting regime has been evolving regularly since 2009, when the regime, created by the Kouchner Law of 2002, came into force. As a reminder, the regime requires certification for "any person who hosts personal data concerning health collected during prevention, diagnosis, care, or social and medico-social follow-up activities, on behalf of individuals or legal entities responsible for the production or collection of this data or on behalf of the patient himself."

Although originally a French specificity, several European countries have adopted similar new requirements in recent years, starting with Germany.

Text evolution

By an Order of April 26, 2024, the V.2 certification and accreditation frameworks were adopted, replacing the V.1 frameworks.

New applicants for Health Data Host ("HDS") certification have been assessed under this new version of the HDS certification framework since November 16, 2024, while already certified HDS must obtain certification under the new framework by May 16, 2026, at the latest.

The framework specifies its scope, notably that it applies to any person (i) who provides one or more of the 6 hosting activities and (ii) who is a processor within the meaning of Article 28 of the GDPR.

Furthermore, the framework provides a definition of the well-known health data hosting activity 5, "administration and operation of the information system containing health data", thus providing answers regarding the scope of this activity, but also raising new questions.

Finally, the certification framework introduces changes aimed at:

  • Improving the clarity of the guarantees provided by a certified host on the services it performs for a given client, i.e., transparency towards clients,
  • Clarifying the contractual obligations of the host defined in the Public Health Code, notably as to how they relate to GDPR obligations, or providing clarifications on specific points (e.g., conditions of reversibility),
  • Strengthening personal data protection requirements regarding transfers of personal data to a third country.

In terms of data sovereignty, a new requirement imposes the storage of health data exclusively within the European Economic Area (EEA), without prejudice to cases of remote access from a country outside the EEA, provided that appropriate guarantees are in place and that the greatest transparency is ensured towards the client, notably on the security measures intended to mitigate the risks of access under extra-territorial laws, and on the residual risks.

In the same vein, the "SREN" Law of May 21, 2024, requires state administrations and their operators, when they use a cloud computing service provided by a private provider (except for projects already under way and exemption requests), to ensure the implementation of security and data protection criteria that exclude any risk of access by public authorities of third countries not authorized by EU law or by the law of a member state.

Text interpretation

The French digital health agency recently provided clarifications on the interpretation of the legal and regulatory provisions related to health data hosting activities through its FAQ, first on February 12, 2025, without the exemption regarding regional hospital groups, and then on March 4, incorporating this exemption and its conditions of application.

In this respect, regional hospital groups ("GHT") can still claim exemption from the certification obligation if (i) the GHT convention provides for the delegation of hosting to a member establishment, (ii) a joint responsibility agreement is concluded between all members, and (iii) the security level called "hosting health data", defined in the certification framework, is complied with.

Apart from this exemption, many clarifications provide a better understanding of this regime, such as the scope of prevention referred to in art. L1111-8, the scope of activity 5 again, and the obligation for the host to be certified for all activities in its offer, even those entrusted to a certified subcontractor...

But the scope of the health data hosting regime remains an endless subject, with many gray areas, particularly in the context of AI...
