I – Any person who hosts personal health data collected in the course of preventive, diagnostic, care or social and medico-social monitoring activities, on behalf of the natural or legal persons responsible for producing or collecting this data or on behalf of the patient him/herself, shall do so under the conditions set out in this article.
Hosting, on whatever medium, paper or digital, is carried out after the person being cared for has been duly informed and unless there is an objection for a legitimate reason.
The hosting of personal health data is the subject of a contract.
II – The host of the data mentioned in the first paragraph of I on a digital medium must hold a certificate of compliance. If it stores data as part of an electronic archiving service, it is subject to the provisions of III.
This certificate is issued by certification bodies accredited by the French accreditation body or the national accreditation body of another Member State of the European Union mentioned in Article 137 of Law No. 2008-776 of 4 August 2008 on the modernisation of the economy.
The conditions for issuing this certificate are laid down by decree in the Conseil d’Etat after consultation with the Commission nationale de l’informatique et des libertés and the national councils of the health professions.
III – The host of the data mentioned in the first paragraph of I is approved by the Minister of Culture for the storage of this data on paper or digital media as part of an electronic archiving service.
The conditions for approval are laid down by decree in the Conseil d’Etat after consultation with the Commission nationale de l’informatique et des libertés and the national councils of the health professions.
Approval may be withdrawn, in accordance with the conditions set out in Articles L. 121-1, L. 121-2 and L. 122-1 of the Code of Relations between the Public and the Administration, in the event of a breach of the legislative or regulatory requirements relating to this activity or of the requirements set out in the approval.
IV – The nature of the hosting services mentioned in II and III, the roles and responsibilities of the host and the natural or legal persons on whose behalf the personal health data is stored, as well as the stipulations that must appear in the contract mentioned in I are specified by decree in the Conseil d’Etat, issued after consultation with the Commission nationale de l’informatique et des libertés and the national councils of the health professions.
V – Access to hosted data is provided in accordance with the terms and conditions set out in the contract, in compliance with articles L. 1110-4 and L. 1111-7.
Hosting providers may not use the data entrusted to them for any purpose other than the performance of the hosting service. When the hosting service is terminated, the host returns the data to the persons who entrusted it to them, without keeping any copies. Personal health data hosts and persons placed under their authority who have access to the data deposited are bound by professional secrecy under the conditions and subject to the penalties laid down in Article 226-13 of the French Penal Code.
VI – Providers that host personal health data or that offer this hosting service are subject, under the conditions laid down in articles L. 1421-2 and L. 1421-3, to supervision by the Inspectorate General of Social Affairs and the agents mentioned in articles L. 1421-1 and L. 1435-7, with the exception of hosting providers certified under the conditions defined in II. The inspectors may be assisted by experts appointed by the Minister for Health.
VII – Any act of transferring, for consideration, health data that is directly or indirectly identifying, including with the consent of the person concerned, is prohibited, subject to the penalties laid down in Article 226-21 of the French Penal Code.