Health Data Hosting (HDS) Certification: Key Takeaways From a Recent Case
In addition to the EU’s golden standards of privacy set by the GDPR, France has always had exceptionally high local privacy standards in relation to sensitive health data, dating from the earliest days of digitising patient medical records.
In a recent Nîmes Court of Appeal case it was confirmed that unlawful hosting of health data is a breach of GDPR and a basis for a breach of contract. In this article, we will take a closer look at the HDS requirements and what we have learned from the recent case.
What Is A HDS Certification and Why Is It Important?
As of April 2018, the French Public Health Code (Article L.1111-8) has required what is known as a ‘HDS’ certificate for any IT service provider that hosts sensitive medical data on its servers. A HDS (in French “hébergeurs de données de santé” or health data hosting) certificate demonstrates appropriate security and confidentiality standards from hosting service providers that handle health data.
This certification requirement is only applicable to IT service providers that are not directly responsible for the data themselves. Hospitals, doctors, and those that host the data themselves directly on behalf of patients are not obliged to get this certification.
The certificate requires strong secrecy commitments from host providers, including requirements that data cannot be sold or used for any other purpose. The health data must also be fully returned at the end of the hosting service.
Certification of these IT service providers must be done by one of the bodies that have been authorised to do so by COFRAC in France (Comité Francais D’Accréditation or French Accreditation Committee). The certification process involves having an independent assessment of the hosting provider’s IT systems and physical infrastructure, including a documentary audit and on-site audit, to determine whether their standards meet those established by the Agence Numérique en Santé (ANS). The certification awarded can be one of two types of certificate: "Physical Infrastructure Host" or "Hosting Providers", both valid for three years with annual follow-up audits.
Breaching the French Public Health Code’s requirement for a HDS certificate can be punishable by up to 3 years imprisonment and a fine of €45,000 for individuals and €225,000 for legal entities. Processing of personal data without meeting privacy requirements under GDPR can also incur a separate fine of up to €20 million or 4% of worldwide turnover, as well as a court order to stop hosting the health data.
In addition to these fines and penalties, a recent ruling in the Nîmes Court of Appeal case has now confirmed that failure to obtain HDS certification when handling health data can void the IT contract with customers (making it invalid, as if it never existed).
Key Teachings From a Recent Nimes Court of Appeal Case
In 2013, a self-employed nurse decided to use software that would remotely transmit patient care sheets to health insurance companies. The nurse used the service for about five years without issue, until discovering that the software provider was not HDS certified and the company had outsourced their data hosting to a third party that was also not HDS certified when the nurse had originally signed up.
The third-party host provider had eventually become certified two years after the contract had started. The nurse sued the software provider to cancel the contract and receive a refund. The Court of Avignon ruled in favour of the nurse in 2021, stating that the contract was void.
The software provider tried to appeal this decision, however, the Nîmes Court of Appeal ruled on 15 December 2022 that the previous judgment was to be upheld. Health data transmitted through the software requires an approved host and the software provider had an obligation to make sure that the HDS certificate was in place with their host provider.
This ruling confirmed the contract with the customer was void, although a token payment was allocated to the software provider for what the court deemed was fair based on the overall benefit the nurse had enjoyed from being able to use the software for five years.
“This ruling is a reminder that health data hosting for French residents must comply with the French Public Health Code by having the correct HDS certification. In addition, unlawful hosting of health data is a breach of GDPR and a basis for contract breach.
If a software provider hosts health data, they must be HDS certified. If they use a third party, that third party must have a binding contract with the software provider and a HDS certificate. It is the software provider’s responsibility to check that this is in place.”
- Charlotte Gerrish of Gerrish Legal
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you, get in contact with us today for more information.