March 2025 marks a turning point for patient health data. While the CNIL is opening a public consultation on the management of electronic patient records, the European Union is publishing the EHDS Regulation, which establishes a common framework for the secure use of health data across the continent.
The protection of patient data sits at the crossroads of several major imperatives: the sensitivity of the data, the growing security requirements that apply to it, and the potential for innovation it represents for healthcare systems. Faced with these challenges, legislators and regulators are striving to provide a clear framework that protects both the patients and the professionals concerned.
In a context of growing cyber threats to healthcare institutions, these initiatives take on a very particular meaning. The CNIL has noted an explosion in data breach notifications from health institutions, from 16 in 2018 to 196 in 2022. Even allowing for the general increase in reporting over recent years, this figure testifies to the structural vulnerability of the health sector.
The creation, preservation and access to medical records therefore constitute a major issue of sovereignty, compliance and trust, both nationally and in Europe.
How do these two initiatives, national and European, relate to each other? What are the impacts for healthcare professionals and institutions? This article provides elements for analysis.
The CNIL has published a draft Recommendation devoted to the compliance and security of the electronic patient record (EHR). In a spirit of transparency and collaboration, it chose to submit this draft to public consultation first, inviting professionals in the sector to share their observations until 26 May 2025.
This consultation comes in a context of increased vigilance. Between 2020 and 2023, the CNIL carried out 13 inspections in health institutions, revealing significant data security flaws and breaches of medical confidentiality, such as professionals accessing patient records without authorisation. These findings led the CNIL to serve formal notices on the establishments concerned. In February 2024, the authority also publicly reiterated the confidentiality and access-control requirements applicable to electronic medical records.
The draft Recommendation aims to clarify and consolidate the rules on the retention of, access to and security of medical records. It brings together, in a single document, the requirements of the Public Health Code, the GDPR and the French Data Protection Act, in order to offer professionals a simplified and operational reading of the applicable framework.
The document, structured as 16 practical fact sheets across 47 pages, addresses every dimension of the computerised patient record: the types of data concerned, relationships with processors and software publishers, security measures, retention periods, transmission methods, and patient information obligations. The fact sheets draw on concrete examples taken from the inspections carried out by the CNIL.
Adopted on 11 February 2025 and published in March of the same year, Regulation (EU) 2025/327, known as the EHDS Regulation (European Health Data Space), is a major pillar of the digital transformation of the health sector in Europe. It has a twofold objective: to facilitate access to health data while strengthening European digital sovereignty.
This ambitious text rests on three main pillars:
● European access to health data for healthcare (primary use): The EHDS Regulation provides that every European patient will be able to access their electronic medical record (EMR) online, and to store, consult and share it securely, regardless of the Member State in which they are located. This portability and interoperability are intended to ensure continuity of care, including when the patient is in another Member State.
● Harmonisation of the framework applicable to EMR system manufacturers: manufacturers of EMR systems will now be subject to strict requirements on documentation, certification and conformity with common European technical standards, in particular as regards security and interoperability. Placing an EMR system on the market will require obtaining the CE mark, which attests to its regulatory compliance. Failing that, sanctions may be imposed, in particular if the system presents a risk to the safety of persons or if technical documentation is missing.
● A framework for the secondary use of health data: The EHDS Regulation enshrines the concept of “secondary use” of health data, i.e. its exploitation for purposes other than care: research, studies, artificial intelligence, improvement of public health policies, and so on. In this context, researchers will in particular be able to access anonymised data through a one-stop shop, under strictly supervised conditions.
The EHDS Regulation will apply in stages, starting on 27 March 2027, with some provisions deferred until 2031, so as to give the actors concerned the time they need to adapt and bring themselves into compliance.
In December 2024, the Belgian Data Protection Authority imposed a fine of 200,000 euros on a hospital following a ransomware attack. This sanction, unprecedented in the health sector, is a reminder of how sensitive, exposed and strategic medical data has become. Healthcare institutions are on the front line and must build cybersecurity and the management of access to patient records into their day-to-day organisation, or else face significant sanctions.
In this context, the CNIL Recommendation and the EHDS Regulation are part of a converging dynamic: to better manage and secure the use of health data, in the service of patients and professionals.
By bringing together in a single document the main obligations applicable to the computerised patient record, the CNIL offers a structured, legible and operational tool. This effort at clarification is to be welcomed, as it meets a concrete need for institutions and their advisers.
On the European Union side, the regulatory effort, although beneficial, runs up against the increasing complexity of the applicable legal framework, marked by a proliferation of texts, risks of contradiction and a heterogeneity of terminology. The simple example of the patient record, referred to as the “computerised patient record” in France and the “electronic medical record” in the Union, illustrates this difficulty. This lack of semantic harmonisation affects overall readability and risks hampering the compliance efforts of the actors concerned.
One thing is certain: regular monitoring of legislative and regulatory developments is becoming essential. Health institutions will have to keep abreast of future changes, anticipate new obligations and, where necessary, adjust their practices to remain compliant with all of these developments.
Let's stay alert to developments and to future updates of the CNIL Recommendation!
For any questions or support, do not hesitate to contact us by writing to cbeaussier@squairlaw.com.
Clémentine Beaussier, partner lawyer at Squair