On 21 March 2019, the Parliamentary Office for the Assessment of Scientific and Technological Choices (OPECST) published the report of a public hearing1 on the subject of artificial intelligence and health data, as part of the draft French law on the organisation and transformation of the health system.

Then Law No. 2019-774 on the organization and transformation of the health system was adopted on 24 July 20192. Title III of the law is devoted to the "development of digital ambition in the health sector", a challenge to be met quickly.


The debate at OPECST focused on the 2 pillars of the health 4.0 section of the draft law, namely the creation of (i) a Health Data Platform (HDP) or "Health Data Hub" replacing the INDS3 and (ii) a Digital Health Space (DHS) for the patient succeeding the DMP (Shared Medical Record), as envisaged in articles 11 and 12 of the draft law.

This debate has shown the following :

A) the need for this Health Data Hub platform was widely accepted

This is an obvious statement:

  • Health professionals are increasingly using tools to support analysis based on artificial intelligence, which can only be developed on very large volumes of patient health data;
  • SNIIRAM's medico-administrative data are an exceptional source for developing algorithms adapted to the French population;
  • the quality and cost of care can benefit from the widest possible collection of health data if the patient has confidence in the guarantees given by the future platform on access and use of these data.

B) there are several actions to be carried out until an operational implementation

  1. ensure the interoperability of information systems (need to structure SNIIRAM data to make them operational and interoperable with other sources and generalize the use of the Social Security number as the only national health identifier (NHI4);
  2. recruit professionals with a high technological profile (data scientists, computer scientists, AI developers, etc.)
  3. give a suitable legal status to this platform; the form of the GIP (Groupement d'intérêt public) intended to guarantee a protective public control of health data was finally chosen instead of the form of a simplified public limited company (with a public shareholding) which had been preferred by the participants at the hearing of 21 March 2019 for its best ability to meet the needs of evolving governance, ease of partnerships and international attractiveness.
  4. Design a system that is sufficiently powerful in terms of storage capacity and computing power to develop algorithms whose reliability must be verifiable and their use supervised since they will be increasingly predictive and prescriptive of care.


A) Advancing knowledge and techniques with AI

  • Diagnostic and treatment definition tools are making rapid progress, particularly in the field of imaging and simulation. Learning software trained on thousands of images has been developed in dermatology, radiology and ophthalmology to qualify an image (suspicious or normal) in a diagnostic context5. In addition, surgical robotics is nowadays essential and digital communication facilitates the advent of telemedicine and telediagnosis.
  • Medical research must go beyond current clinical trials that focus on specific diseases and are often long and costly. The development of databases or data warehouses6 and more generalist platforms will facilitate basic health research in addition to operational research.

The performance of these new AI tools and the confidence of professionals and patients in their relevance depends on the volume and quality of data on which the algorithm is trained. The primary objective of the Health Data Hub is to accelerate the implementation of these health data collection projects by enriching SNIIRAM's medico-administrative data with medical analyses and medical diagnostics7.

B) The construction of a health data network

It is necessary because the sources of health data are multiple, disparate, in public and private databases and geographically fragmented.

This sector must be structured around new businesses and tools in terms of secure data circulation, authentication, accessibility and hosting. The use of security and interoperability standards makes it possible to move forward, but it involves verifying their effectiveness and enforceability.

The security of data storage and hosting is a complex equation due to the multiplication of providers, multiple access requests, the development of new data sources via connected objects and conflicting regulations8.

Integrating ethics and clear and complete information for patients both for the acceptance of diagnosis and treatment and for the exercise of their rights over their personal data is an essential guarantee of trust in the supply chain.


After the adoption of the Health Law in July 2019, the Health Data Hub was officially inducted on 1 December 2019. The component of the digital transformation of the health system includes 3 axes: the new health data platform (art.41-43); the creation of the digital health space (art.44-52); the deployment of telemedicine and telecare (art.53-55). In this article we consider only the first 2 aspects.

A) The Health Data Platform (PDS) or Health Data Hub

  • Its purpose is to collect clinical data collected by all health professionals9 as part of their activities related to reimbursed care, medical and administrative databases managed by the National System of Health Data -SNDS- (SNIIRAM, PMSI, BCMD, etc.10), including data processed by business software for professionals 11.
  • All data will be anonymized or pseudonymized irreversibly12.
  • Access to the platform's data will be possible for the data processing operations of a public interest nature, which are not limited to projects for research, study and evaluation purposes, and which should allow the creation of health data warehouses and the development of new uses derived from AI. The Ethics and Scientific Committee for Research, Studies or Evaluations in the Field of Health (CEIP), which succeeds CEREES, will advise on the public interest of these studies.
  • The CNIL will have to give its authorization for all processing operations "concerning health", which do not include (i) the processing of data of health professionals belonging to SNDS, but do include (ii) the processing of NIR (Social Security Number) as NHI (National Health Identifier) in the context of databases (such as warehouses) used for subsequent research purposes. Standard processing operations may be supervised by data repositories and reference methodologies, of which the CNIL already has good practice.
  • The CNIL indicated in its opinion n° 2019-008 of 31 January 2019 that it will apply the principles of the Data Protection Act and the GDPR requiring determined, explicit and legitimate purposes and information/consent of the patient for all treatments subject to its authorization. It also notes the likely increase in the number of applications for authorisations of sub-systems containing data from the SNDS, the creation of which could be regulated in future implementing legislation.
  • The access to data for processing health data concerning health is free of charge when requested by the public authority or for the exclusive needs of public administrative services (art L 1461-5 CSP/ Public health Code) and therefore a priori subject to a charge for private actors, the CNIL stressed in its opinion the importance of clearly defining the status of each applicant.
  • The governance of the platform is provided by a "GIP" ("Public Interest Group") constituted between the State, entities representing patients and users, producers of health data, public and private users, including health research organizations. In particular, it will ensure the development of standards and methodologies in collaboration with the CNIL and will promote standardisation standards and calls for projects13.

B) The user managing his Digital Health Space (DHS)

The ENS (DHS) is a user's digital personal health account allowing him/her to group together mainly his/her administrative data, health data from his/her DMP (medical shared file), reimbursement data and access several current and future services (Enhancement, agenda, secure messaging...).

In the bill, only the user or his legal representative could open this account. The Senate opted for an automatic and free opening unless the person refuses. The account holder will be the sole manager and user; he/she will be able to configure access to his/her account by reserving it to one or other health actor for all or part of its content, for the duration and purpose(s) of his/her choice. It will also be able to organize means of authentication, shared access and content extraction.

In its above-mentioned opinion, the CNIL considered that this offer of an ENS/DHS is a processing of personal data and that it should therefore be consulted for an opinion on the future decree in the Council of State which will specify its modalities. It also emphasizes that the ENS/DHS, as a service and data aggregator, must comply with the rules of authentication, authorization and traceability defined for each of the aggregated services. Finally, the ENS/DHS must be hosted by a certified health data provider of hosting services.

A decree in the Council of State will determine the modalities of design, implementation, administration, hosting and governance of the ENS by 1 January 2022 at the latest.


Medicine today must integrate the digital transformation and artificial intelligence that place data at the heart of the health system and its expected progress. Paradoxically, personalized medicine is flourishing thanks to the processing of billions of health data whose definition is evolving and which are gradually being decompartmentalized from their geographical, administrative and regulatory conditioning. .

Recommendations are multiplying to channel the excesses14 and in an inexorable international context, the initiative of a national Health Data Hub is an encouraging first step to promote a model of a federating, collaborative and secure platform.


* Update of the initial article posted on the LinkedIn site of UGGC Avocats. Author Elisabeth Logeais

1. A large panel of representatives of health professionals (practitioners, institutions), digital companies (INRIA, Syntec Numérique), institutions (CNIL, CNAM,...) and AI researchers discussed, under the leadership of Gérard Longuet and Cedric Villani, 2 main themes; (i) nature, collection, legal issues and health data protection and (ii) flows from care to data and vice versa.

2. https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038821260&categorieLien=id

3. National Institute of Health Data which assists helps organizations wishing to access health data for research, study or evaluation purposes.

4. The NHI (succeeding the NIR or Social Security Number ) is the unique mandatory identifier used to reference the health and administrative data of people under care in the health and medico-social field (art. L1111-8-1 CSP). The Decree n°2019-341 of 19 April 2019 lists the treatments authorised to use the NIR.

5. The FDA, Food & Drug Administration, has for the first time authorized the use of software to diagnose retinal disorders, without the image being seen by the ophthalmologist.


6. In France, there are specialized databases such as a network of tumour libraries, which are banks of biological samples of tumours, stored at very low temperatures to preserve the DNA and RNA properties of these samples. The objective is twofold: to refine diagnoses and facilitate cancer research. There are also several health data warehouses: the AP-HP warehouse; France Life Imaging, which is a network of partners in biomedical imaging; DRIM France IA created by the Conseil National de Radiologie Française, mentioned at the public hearing.

7. This work has begun. With more than one billion care sheets processed each year by the CNAM (Caisse Nationale de l''Assurance Maladie/ National Health Insurance Entity) and thanks to the complex work carried out over the past four years in cooperation with Polytechnique to restructure the SNIIRAM database, the CNAM has been able to conduct studies demonstrating the harmful side effects of certain drugs or identifying certain pathologies based on drug prescriptions

8. See the more or less strict regulations on the status of health data host and the problems of extraterritoriality of laws (in relation to article 48 of the RGDP and the American Cloud Act).

9. Health professions (dentists, midwives, pharmacists) and para-medical professions (nurses, physiotherapists, chiropodists), in the hospital sector and in town medicine

10. SNIIRAM: National Inter-regime Health Insurance Information System; PMSI (Medical Information Systems Programme; BCMD Database on Medical Causes of Death; PIM (Maternal and Child Protection Services Data); School Medicine Health Data. The Senate added on June 6, data on the levels of loss of autonomy of older people

11. Data warehouses set up by private operators and cohort studies outside medical care or reimbursed procedures would not a priori be included in the platform. In this respect, the Constance cohort, which is a "generalist" epidemiological cohort on the health status of the French population, could nevertheless join the Health Data Hub. This cohort includes more than 200 volunteers aged 18 to 69 years old who will be followed throughout their lives.

12. The separate storage of data allowing for the re-identification of persons is deleted.

13. Nine first projects out of 19, requesting data exploitation within the framework of the Health Data Hub were selected in April 2019 and will be presented in early 2020. The Health Data Hub is also a partner in a second call for projects scheduled in 2020 on the theme of "4-P medicine" (personalized, predictive, preventive and participatory) and based on AI.

14. Council of Europe Recommendation on Health Data CM/Rec (2019) of 27 March 2019

Opinion of the National Consultative Ethics Council of 29 May 2019 on "Massive data and health: current situation, prospective and new ethical issues" www.ccne-ethique.fr

Code of Conduct for data-driven health and care technology, 19 February 2019, UK Gov. https://www.gov.uk/government/publications/code-of-conduct-for-data-driven-health-and-care-technology/initial-code-of-conduct-for-data-driven-health-and-care-technology

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.