The Association of Approved Personal Healthcare Data Hosts (AFHADS) – continuously improving the security of personal health data

Ethics | 21 Jun 2011
 The view of François Kaag, President of the French Association of Approved Personal Healthcare Data Hosts.
 
The legislation specifying the approval conditions for personal healthcare data hosts has significantly changed the relationship between the different stakeholders within the health information system.
 
 
Before now, data handlers, as defined in the data protection act, were only responsible for security and legal compliance vis-a-vis the data handling tools they were implementing, relying in so doing on their chosen publishing and (if applicable) hosting solutions. Traditionally, the host was merely a supplier of resources – a service provider.

Now, approved hosts have an entirely different role. They must conduct a security risk analysis based on the data entrusted to them and then put the appropriate security measures in place. The risk analysis has to cover every aspect of data handling, because major security risks rarely come from hosting alone. In parallel, hosts are now also tasked with ensuring that data hosting complies with legal provisions protecting users and patients. Formerly a technical service provider, the host is now an essential assistant to the data processor.

The emergence of this new role inevitably throws up certain questions. For this reason, as soon as the first data hosts were approved, via a process defined by ASIP Santé, they felt the need to share their experiences within the framework of the Association of Approved Personal Healthcare Data Hosts (AFHADS). This association, which was set up in September 2010 by the first seven approved hosts and now includes almost all of the others, of all statuses and areas of activity, has the following aims:
 
  • To ensure that guarantees are adhered to and that improvements are made to the security of personal healthcare data hosting, a duty we owe to every single person;
  • To promote the approval of personal healthcare data hosts;
  • To help establish unified interpretations of approval requirements;
  • To represent approved hosts in dealings with legislative, administrative or regulatory bodies;
  • To defend the interests of approved personal healthcare data hosts.
 
The first objective forms the very basis of approval, but should not of course be limited to that framework. The data host approvals process is just one driver of a more global approach, structured by the general security policy for health information systems (PGSSI), as defined by ASIP Santé, to which the AFHADS is committed.

Awarding approval requires the demonstration, beyond the restrictive scope of the law, of the specificities and added value offered by the approved hosts.

The reference framework for approval established by ASIP Santé in consultation with industry representatives, in its current form, is an excellent tool. By focusing on risk management, rather than imposing solutions, it enables a flexible, continuously evolving approach to be taken to problems specific to each application. However, shared experience has shown that certain points have caused substantial confusion and need to be clarified.

Lastly, the AFHADS allows approved hosts to work out and express common positions towards both its natural institutional partners and the stakeholders who previously did not consider the security of personal healthcare data to be a significant challenge.

The AFHADS is now recognized as a representative and relevant body. By working in partnership with all of the stakeholders concerned, we hope to use our day-to-day experience to help continuously improve the security of personal healthcare data.
 
 
 
François Kaag, President of the French Association of Approved Personal Healthcare Data Hosts (AFHADS).