Processing of personal health data
Identify the formalities required for the processing of personal health data.
Getting started
Reference should be made to the General Data Protection Regulation (GDPR), which defines personal health data as the whole set of data relating to a person's state of health, which reveal information about their past, present or future physical or mental state of health.
In the event of processing (collection, storage, etc.) of such data, regardless of the process used, it is essential to comply with the applicable regulations.
For certain health data processing operations, a system of formalities prior to the implementation of the processing operation is provided for by law.
In practice
Consult the CNIL fact sheet on formalities for processing personal health data.
When?
From the design stage of your digital service
Compliance
General Data Protection Regulation
Consult the GDPR
Decree on Data Processing and Individual Liberties
Sector-specific regulations (public health code, social security code, etc.)
Our experts on the subject
- Hélène GUIMIOT-BREAUD - Head of the health department
- If you have any questions, you can contact the telephone hotline of the CNIL health department (Monday mornings from 9:30am to 12pm) or make a written request for advice on the CNIL website.
The processing of personal health data:
Health data is personal data that is considered valuable and sensitive. It is subject to regulations that need to be taken into account right from the design stage of your digital service or as part of your research work in the event of the collection, storage or other form of processing of this data.
In terms of legislation, you can refer in particular to the General Data Protection Regulation (GDPR) at the European level, and to the Data Protection Act (Loi Informatique et Libertés), the Public Health Code and the Social Security Code at the French level.
In force since May 2018, the GDPR is a European regulation that aims to strengthen and harmonize the protection of individuals' personal data within the European Union. It applies to all organizations that process personal data located on EU territory or that target people present on EU territory.
To protect users' rights and the confidentiality of the patient-caregiver relationship, the regulatory framework for digital healthcare is specific: there is a "Sensitive Data RGPD", which corresponds to the General Data Protection Regulation as applied to the healthcare sector.
Health data is data relating to a person's state of health, which is why its processing is rigorously regulated.
The concept of health data includes three categories of data:
- data that is health data by nature, such as past facts concerning the health of the patient or of a member of their family (illnesses, treatments undertaken, etc.);
- data that becomes health data when cross-referenced with other data, because the combination supports a plausible conclusion about a person's state of health or health risk: a weight measurement cross-referenced with other data (step count, calorie intake, etc.), blood pressure cross-referenced with a measure of physical effort, etc.;
- data that becomes health data because of its destination, i.e. the medical use made of it.
The GDPR aims to strengthen people's rights and make the players involved more accountable. When processing data, an organization's data controller must therefore be able, at all times, to demonstrate the organization's compliance with GDPR requirements by documenting all the steps taken or in progress.
Health data protection rests on a principle of prohibition of processing, accompanied by exceptions. Article 9 of the GDPR states that the processing of health data is prohibited unless a specific exception authorizes it. The list of exceptions allowing the processing of sensitive data is set out in Article 9(2) of the GDPR.
The role of the European Data Protection Board (EDPB) is to ensure that the GDPR is applied consistently by organizations in the member states of the European Union. It publishes opinions and guidelines that continue the work of building the common doctrine of the data protection authorities. Organizations must be able to demonstrate their compliance with GDPR requirements at all times in order to protect individuals' rights. The Loi Informatique et Libertés transposes the GDPR into French law, making use of the national leeway the Regulation allows.
The Public Health Code and the Social Security Code deal with issues specific to these sectors. Article L. 1110-4 of the Public Health Code lists the categories of professionals who may be involved in the processing of personal health data.
How can G_NIUS help me understand the regulatory requirements related to the processing of health data?
G_NIUS saves you time, on the one hand by directing you to the players and the applicable laws and regulations, and, on the other, by offering tools to help you identify the formalities required for health data processing.
The CNIL (Commission Nationale de l'Informatique et des Libertés) is a key player here, given its mission to defend personal data and support innovation. The CNIL plays a crucial role in preserving individual freedom.
G_NIUS invites you to consult the CNIL fact sheet to understand what formalities to apply if you process personal health data.
The section on the CNIL can provide information on the need to set up a register of processing operations, carry out impact analyses, ensure that patients and users are informed, formalize the roles and responsibilities of the data controller, provide information on actions taken to guarantee data security, etc.
G_NIUS also invites you to consult the texts that must be applied to achieve compliance when processing data: the GDPR, the Loi Informatique et Libertés, the Décret Informatique et Libertés, as well as the various sector-specific regulations.
Finally, G_NIUS provides 3 time-saving tools: the regulatory diagnostics, which identify the regulations your solution is subject to; the sensitive data RGPD fact sheet, which deciphers the regulations specific to this data; and the episodes of its podcast "100 days to success" that deal with health data processing and CNIL compliance.
The regulatory diagnostic tool offered by G_NIUS takes the form of two types of diagnosis: a "purpose of my service" diagnostic, which identifies whether your service is subject to medical device (MD) regulation, and a "data and processing" diagnostic, which identifies whether your service is subject to regulatory topics specifically related to health data processing.
To complete these diagnostics, it's important to consult the specific regulations relating to your project, such as the Code of Ethics of the Conseil National de l'Ordre des Médecins (CNOM) and the Code de la Santé Publique (CSP).
In addition, G_NIUS points you to documentation related to your personal health data processing issues such as, for example, the CNIL's MOOC on the General Data Protection Regulation.
Beyond the health data processing aspects, you can also find on G_NIUS the doctrine compass, which reports on the actions of the ministerial roadmap for the digital shift, "Putting digital at the service of healthcare", over the period 2023-2027.