Before the entry into force of the GDPR on 25 May 25 2018, healthcare professionals and facilities and professionals in medico-social sectors empowered by law in France had to comply with the provisions stated in the single authorization AU-037 and sign a compliance commitment to this single authorization prior to using a secured messaging system (“MSSanté”) [1] .
In order to make controllers more accountable, the GDPR has removed most prior filing obligations. As a result, the AU-037 no longer has any legal value since 25 May 25 2018.
However, the French Data Protection Authority (CNIL) has decided to keep single authorizations accessible in order to allow controllers to direct their first compliance actions until the publication of new standards, in particular a standard relating to a secured messaging system currently being developed by the CNIL in collaboration with the French Agency for Digital Health (ASIP Santé).
This future standard will make it possible to document the compliance of health data processing carried out by means of a secured messaging system in records of processing activities, and in particular to implement the necessary actions to guarantee patients’ rights.
MSSanté, the French secured health messaging system
The MSSanté system consists of a “Trusted Space”, developed in accordance with Article L.1110-4 of the French Public Health Code relating to the conditions of exchange and sharing health data, in which health professionals involved in the care of a patient can exchange health data relating to this patient in a dematerialized and secured way.
The use of a secured health messaging system reinforces the protection of health professionals’ responsibility, insofar as it promotes respect for medical confidentiality and of the legal framework laid down by the GDPR and the French Public Health Code (protection of patient data through exchanges’ traceability and recipients’ authentication). In addition, a secured health messaging system intends to improve the coordination of health path, as well as cooperation between laboratories, healthcare facilities and professionals from different specialties (in particular, through instantaneous exchanges, for instance by sending a hospitalization or medical biology report). The aim is that email exchanges are simplified, fast, secured and confidential.
To integrate the Trusted Space, messaging service providers are subject to a verification process of legal, technical and functional requirements. In particular, the ASIP Santé ensures compliance with provisions of the GDPR, the amended French Data Protection Act[2] and the French Public Health Code (in particular, provisions relating to medical confidentiality and the hosting of health data). If the requirements are met, then an agreement is concluded.
Single authorization AU-037 for secured health messaging systems
Pending the upcoming standard, messaging service providers wishing to integrate the “Trusted Space” and complete their contractualization process should continue to take into account requirements contained in AU-037.
In this respect, it applies only to specific purposes and authorized persons: “only processing of personal data for the purpose of allowing exchanges of health data by means of a secured health messaging system between authorized professionals may be subject to a commitment of compliance with this single authorization”.
In particular, provisions of AU-037 relating to the purpose of the processing, the nature of personal data, their storage period, the recipients of the personal data, the information to data subjects, their rights of access, rectification and opposition, and the security of devices should therefore be respected.
The secured health messaging system is in addition subject to high security and confidentiality requirements. Regarding access to and use of a user account, messaging service providers must provide for the authentication of authorized professionals by means of a health professional card or an equivalent device approved by the ASIP Santé.