France: CNIL publishes notice on security of health data
On February 9, 2024, the French data protection authority (CNIL) published a notice on the security of health data. In particular, CNIL highlighted that it has notified several health care establishments to take measures to ensure the security of computerized patient files (DPI), a centralized health data file for patients that allows health care professionals to access their medical information. CNIL carried out 13 checks on health establishments between 2020 and 2024 owing to the sensitivity of data contained within the DPI and found that the authorization policy in many cases allowed non-health care professionals to access the data within the DPI.
Recommended security measures
CNIL recommended corrective measures for health care establishments to implement relating to the DPI, including:
- secure access through a robust authentication policy, including sufficiently complex passwords;
- specific authorizations such that health care professionals only access the files they need to know, which includes the combination of two criteria:
  - employees responsible for welcoming patients must only be capable of accessing administrative files, not medical data;
  - authorizations must also take into account the care team so that professionals involved in actually caring for the patient have access to information covered by medical confidentiality;
- enhanced confidentiality measures for specific files;
- tracing or logging access to the DPI, indicating who accessed data and what data was accessed, with automated mechanisms to identify which accesses appear abnormal; and
- emergency measures that allow administrative and medical professionals to access patient data in the event of an emergency.
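
The sketch below is an added example, not code from CNIL or from any health establishment. It shows one way the measures above can fit together: a medical record is released only when both criteria hold (a medical role and membership of the patient's care team), emergency access is a separate logged path, and every decision is written to an audit trail that a simple check scans for abnormal use. The role names, the `DpiAccess` class, and the abnormality threshold are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

MEDICAL_ROLES = {"physician", "nurse"}   # assumed role names
ADMIN_ROLES = {"reception"}              # assumed: staff who welcome patients

@dataclass
class DpiAccess:
    care_teams: dict                      # patient id -> set of user ids treating them
    audit: list = field(default_factory=list)

    def request(self, user, role, patient, part, emergency_reason=None):
        """Decide access to part ('administrative' or 'medical') and log the decision."""
        known = role in MEDICAL_ROLES | ADMIN_ROLES
        in_team = user in self.care_teams.get(patient, set())
        if part == "administrative" and known:
            basis = "role"
        elif part == "medical" and role in MEDICAL_ROLES and in_team:
            basis = "role+care_team"      # both criteria must hold
        elif known and emergency_reason:
            basis = "emergency"           # break-glass path, justified and logged
        else:
            basis = "denied"
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "role": role, "patient": patient, "part": part,
                           "basis": basis, "reason": emergency_reason})
        return basis != "denied"

    def abnormal_users(self, max_emergency=1):
        """Users with any denied request or more emergency accesses than the threshold."""
        denied = {e["user"] for e in self.audit if e["basis"] == "denied"}
        emerg = Counter(e["user"] for e in self.audit if e["basis"] == "emergency")
        return sorted(denied | {u for u, n in emerg.items() if n > max_emergency})
```

Denied requests are logged as well as granted ones, since repeated refusals are themselves a signal the abnormal-access review needs.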
You can read the press release, only available in French, here.