
Deliberation No. 2006-293, December 21, 2006 Opinion On A Draft Decree In Council Of State On The Confidentiality Of Medical Information Stored On Computer Media Or Transmitted Electronically

Original Language Title: Délibération n° 2006-293 du 21 décembre 2006 portant avis sur un projet de décret en Conseil d'Etat relatif à la confidentialité des informations médicales conservées sur support informatique ou transmises par voie électronique





JORF No. 113 of May 16, 2007
Text No. 387




Deliberation No. 2006-293 of 21 December 2006 concerning a draft decree in Council of State concerning the confidentiality of medical information stored on computer media or transmitted electronically

NOR: CNIX0710374X ELI: Not available


The Commission, seized on 20 November 2006 by the Minister of Health and Solidarities of a draft decree in Council of State taken pursuant to the provisions of Article L. 1110-4 of the Public Health Code relating to the confidentiality of medical information stored on computer media or transmitted electronically,
Having regard to Council of Europe Convention No. 108 of 28 January 1981 for the protection of persons with regard to the automatic processing of personal data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and the free movement of such data;
Having regard to Law No. 78-17 of 6 January 1978 relating to computers, files and freedoms, as amended by Act No. 2004-801 of 6 August 2004 on the protection of natural persons with regard to the processing of personal data;
Having regard to the Public Health Code, and in particular Article L. 1110-4;
Having regard to the Social Security Code, and in particular Articles L. 161-36-1 A and L. 161-36-2;
Having regard to CNIL deliberation No. 2005-209 of 11 October 2005 concerning a draft decree in Council of State concerning the confidentiality of personal health data taken pursuant to Article L. 1110-4 of the Public Health Code;
After hearing Mr. Jean-Pierre de Longevialle, Commissioner, in his report and Ms. Pascale Compagnie, Commissioner of the Government, in her observations,
Issues the following opinion:
The Minister of Health and Solidarities has referred to the National Commission on Informatics and Freedoms a new version of the draft decree in Council of State concerning the confidentiality of medical information stored on computer media or transmitted electronically. This text is taken in accordance with the provisions of the fourth paragraph of Article L. 1110-4 of the Public Health Code (derived from Article 3 of the Act of 4 March 2002 on the rights of patients and the quality of the health system), which provides: "In order to ensure the confidentiality of the medical information referred to in the preceding paragraphs, its storage in electronic form, as well as its electronic transmission between professionals, shall be subject to rules defined by Council of State decree taken after public and reasoned opinion of the National Commission on Informatics and Liberties. This decree determines the cases where the use of the health care professional card referred to in the last paragraph of Article L. 161-33 of the Social Security Code is compulsory."
This provision was inserted in Article L. 161-36-1 A of the Social Security Code by the Act of 13 August 2004 on health insurance, which provides in particular for the creation of the personal medical file (DMP) and specifies that the entry in this file, by health professionals, of the medical information they generate takes place in accordance with the safety rules laid down in Article L. 1110-4 of the Public Health Code.


On referral to repositories defined by order


While the first draft decree adopted pursuant to Article L. 1110-4 of the Public Health Code, of which the Committee was seized and on which it ruled on 11 October 2005, referred the precise definition of the safety rules applicable to the storage and transmission on electronic media of personal health data to "privacy policies" recorded in "privacy protocols" established by health professionals and institutions, this text provides that the conditions of confidentiality and security to be complied with by health professionals and institutions shall be specified in "repositories" defined by order of the Minister of Health taken after notice of the CNIL and, for public health institutions and those participating in a public hospital service, in conformity with the general security repository established by the order of 8 December 2005 on electronic exchanges between users and administrative authorities and between administrative authorities.
The Committee fully agrees with the development of the new system which no longer bases the
It also welcomes the fact that, in accordance with the request set out in its previous opinion, the text before it now contains, at 1°, 2°, 3° and 4° of draft Article R. 1110-1 of the Public Health Code, the list that it had wished for of the categories of measures to be adopted in order to arrive at a satisfactory content of the safety
. Sought a consistency between the benchmarks relating to the conditions of confidentiality and security applicable to medical information and the general security repository established by the order of 8 December 2005, it considers that, in the case of health data that is protected by legal confidentiality, the security rules need to be strengthened in relation to those applicable in the field of electronic administration.
In any case, it observes that the general security repository provided for in Article 9 of the order of 8 December 2005 "lays down the rules to be complied with by the functions of information systems contributing to the security of information exchanged electronically ...", whereas the purpose of the benchmarks for health data should be wider and cover not only the transmission of these data but also their preservation in electronic form.
Finally, it should be recalled that private health care facilities are not outside the scope of the security rules. However, as far as they are concerned, the draft decree contains no indication.
But the problem that has particularly caught the attention of the Committee is that of the date of entry into force of these provisions. Under Article 2 of the draft decree, entry into force should take place within a maximum period of three years from the publication of the order of the Minister of Health that will define the security repository applicable to health data. Since, as has just been stated, this latter repository will itself have to be (partly) in compliance with the general security repository of the order of 8 December 2005, and since that order provides that "the conditions for the preparation, approval, modification and publication of this repository are laid down by decree", a decree not published to date, it is clear that the effective implementation of the security rules to be laid down in application of a legislative provision dating back to 2002 has in fact been postponed to a date that is likely to be very remote.
To ensure that these deadlines are compatible with the timetable for the implementation of the DMP and the stated objective of "generalization" on 1 July 2007, the Commission therefore considers it necessary to provide for transitional provisions on the safety rules to be applied during the period between the publication of the decree and the entry into force of the repositories approved by the Minister of Health.


On the use of the health care professional card


Regarding the use of the health care professional card, which will constitute only one element of the security repositories applicable to health data, but a particularly important element, Article L. 1110-4, already mentioned, provides that the decree adopted for its application "determines the cases in which such use is required."
Draft Article R. 1110-3 of the Public Health Code makes mandatory this use, or the use of an individual identification device offering similar guarantees and functionality approved by the Minister of Health, in all cases of access to an automated file containing personal health data or of transmission of health data by electronic means.
In particular, this text makes no distinction, for the electronic transmission of health data, according to whether this transmission takes place between health professionals or health care institutions, and within a health facility, within or outside a health care practice structure.
The Commission can only be in favour of as broad a use as possible of the CPS, which allows its holder to attest to his or her identity and professional quality, to be recognized by an application in order to access medical information in accordance with the rights associated with his or her function, and to electronically sign and encrypt messages to ensure the confidentiality of the exchange.
However, the Commission notes that the CPS is still little used in health care facilities. Thus, while the provisions of Article R. 1110-3 would be applicable immediately to health professionals, they would only enter into force for health care facilities "within a time limit which may not exceed three years from the date of publication".
On this point as well, the Committee can only reiterate the issues raised above and the observation that has been made of the need to provide for a mechanism which would apply until the rules are put in place.
Finally, to the extent that the CNIL is an independent administrative authority which, inter alia, has the task of ensuring respect for the security of personal data, it appears useful that the approval of the Minister should be issued after notification of the CNIL.


The President,

A. Türk

