March 2025 marks a turning point for patient health data. While the CNIL is opening a public consultation on the management of electronic patient records, the European Union is publishing the EHDS Regulation, establishing a common framework for the secure use of health data throughout the continent.
The protection of patient data is at the crossroads of several major imperatives: its sensitive nature, growing security requirements and the potential for innovation it represents for healthcare systems. Faced with these challenges, legislators and regulators are striving to provide a clear and protective framework for the patients and professionals concerned.
Against a backdrop of growing cyberthreats to healthcare establishments, these initiatives take on a particular significance. The CNIL has in fact noted an explosion in data breach notifications from healthcare establishments, rising from 16 in 2018 to 196 notifications in 2022. While this partly reflects the general increase in notifications in recent years, the figure testifies to the structural vulnerability of the healthcare sector.
Thus, the creation, storage and access to medical records represent a major issue of sovereignty, compliance and trust, both at a national and European level.
How do these national and European initiatives fit together? What impact will they have on healthcare professionals and establishments? This article offers some elements of analysis.
The CNIL has published a draft Recommendation on the compliance and security of electronic patient records (EHR). In a spirit of transparency and collaboration, the CNIL chose to submit this draft to public consultation, inviting industry to share its observations until 26 May 2025.
This consultation comes at a time of increased vigilance. Between 2020 and 2023, the CNIL carried out 13 inspections at healthcare facilities which revealed major data security flaws and breaches of medical confidentiality, such as unauthorized access to patient records by professionals. These findings led the CNIL to issue formal notices to the establishments. In February 2024, the authority also publicly reiterated the requirements for confidentiality and access to electronic medical records.
This draft Recommendation aims to clarify and consolidate the rules governing the retention, accessibility and security of medical records. It combines in a single document the requirements arising from the French Public Health Code, the GDPR and the French Data Protection Act (Loi Informatique et Libertés), to provide professionals with a simplified and operational reading of the applicable framework.
With 16 practical information sheets over 47 pages, the document covers all aspects of the electronic patient record: the types of data concerned, relationships with subprocessors and software vendors, security measures, retention periods, transmission methods, and patient information obligations. These sheets are based on concrete examples drawn from the inspections carried out by the CNIL.
Adopted on February 11, 2025 and published in March of the same year, the Regulation (EU) 2025/327, known as the EHDS regulation (European Health Data Space), is a major pillar of the digital transformation of the health sector in Europe. Its dual aim is to facilitate access to health data while strengthening European digital sovereignty.
This ambitious text is built around three main axes:
● European access to health data for healthcare (primary use): The EHDS Regulation provides that every European patient will be able to securely access, store, consult and share their electronic medical record (EMR) online, regardless of the Member State in which they are located. Such access and interoperability aim to ensure the continuity of care, even when travelling.
● Harmonization of the framework applicable to EMR manufacturers: EMR manufacturers will now be subject to strict requirements in terms of documentation, certification, and compliance with common European technical standards, particularly with regard to security and interoperability. Also, before an EMR is placed on the market, it will need to obtain the CE marking, thus guaranteeing its regulatory compliance. Failure to do so may result in sanctions, particularly if the system poses a risk to the safety of individuals or if technical documentation is missing.
● A framework for the secondary use of health data: The EHDS Regulation establishes the concept of “secondary use” of health data, i.e. its exploitation for purposes other than healthcare: research, study, artificial intelligence, improvement of public health policies, etc. Within this framework, researchers will be able to access anonymized data via a one-stop shop, under strictly defined conditions.
Starting on 27 March 2027, the EHDS Regulation will apply progressively, with some provisions deferred until 2031, to allow time for the players concerned to adapt and comply.
In December 2024, the Belgian Data Protection Authority fined a hospital 200,000 euros following a ransomware cyberattack. This unprecedented sanction in the healthcare sector serves as a reminder of how medical data have become sensitive, exposed and highly strategic assets. Healthcare establishments are on the front line and must integrate cybersecurity and patient record access management into their day-to-day organization; otherwise they risk significant penalties.
In this context, the CNIL Recommendation and the EHDS Regulation are part of a converging dynamic: to provide a better and more secure framework for the use of health data, for the benefit of patients and professionals alike.
By bringing together in a single document the main obligations applicable to the electronic patient record, the CNIL offers a structured, readable and operational tool. This effort at clarification is to be commended, as it meets a concrete need of healthcare establishments and their boards.
As for the European Union, while the regulatory effort is welcome, it is hindered by the growing complexity of the applicable legal framework, which is marked by a proliferation of texts, risks of contradiction and heterogeneity of terminology. The simple example of the patient record, referred to as the “electronic patient record” in France and the “electronic medical record” in the Union, illustrates this difficulty. This lack of semantic harmonization is detrimental to overall readability and risks slowing the players’ compliance process.
One thing is certain: regular monitoring of legislative and regulatory developments is becoming essential. Healthcare establishments will need to keep informed of upcoming changes, anticipate new obligations and, where necessary, adjust their practices to ensure compliance with all these developments.
Let's keep a close eye on future changes and updates of the CNIL’s Recommendation!
For any questions or support, contact us by writing to cbeaussier@squairlaw.com.
Clémentine Beaussier, Partner at Squair