French DPA (CNIL) has launched a public consultation on the security of patients’ medical records

In the context of a significant increase in data breaches and cyber-attacks impacting hospitals, the French Data Protection Authority (“CNIL”) has launched a series of investigations and issued several formal notices to French hospitals. Using examples observed in the context of these investigations, and to reinforce the relevant security rules, the CNIL has published a draft recommendation on the security measures applicable to patients’ medical records. Comments and observations on this draft recommendation are welcomed until May 16, 2025.

In 2024, the CNIL received 196 data breach notifications from hospitals — a sharp increase compared to just 16 in 2018. In addition, the CNIL received multiple complaints and alerts concerning unauthorized access to patient data stored in electronic patient records, as well as breaches of medical secrecy. These incidents highlight the critical need to reinforce the security and governance of electronic patient records.

In this context, the CNIL has published a draft recommendation (French only) that pays particular attention to electronic patient records, because they serve as the central repository for all data related to a patient’s care within a healthcare facility. Given the sensitive nature and volume of the information they hold — including consultation notes, lab results and prescriptions — these records require robust and enhanced security measures.

Objectives of the CNIL’s draft recommendation 

The main objective is to give stakeholders clarity on the minimum security measures the CNIL expects. The final version of the recommendation is intended to serve as a reference both for compliance efforts and in potential litigation relating to electronic health records. The document is designed for use by Data Protection Officers (DPOs), legal advisors specializing in data protection, physicians responsible for medical information, and IT stakeholders such as Chief Information Officers and their teams. The CNIL has also indicated that the recommendation is intended for general management and boards, to raise awareness of the cybersecurity of patients’ data.

Content of the CNIL’s draft recommendation

To support healthcare institutions following a record-breaking year for data breaches in 2024, the CNIL has brought together in this recommendation the key measures for electronic health records, along with legal and technical recommendations. In particular, it consolidates rules stemming from the GDPR with guidelines from the CNIL and the French Cybersecurity Agency (“ANSSI”).

Numerous provisions of the draft recommendation are directed at IT teams. For example, the CNIL advises that backups be encrypted in accordance with the General Security Framework established by the ANSSI, and that specific procedures be put in place to protect access to the encryption keys and to ensure those keys remain available when data is restored. Other measures include role-based access controls, logging with regular review of the logs, backups and dedicated storage systems. Multi-factor authentication is another element to which the CNIL pays particular attention, and the CNIL also insists on the obligations that apply to sub-processors.

In the event of a data breach, an investigation or a complaint, for example, the CNIL may assess whether these technical, organizational and contractual safeguards have been properly implemented.

The recommendation also addresses specific and practical questions, such as the limited categories of data that may be shared and exchanged among members of a healthcare team, within the bounds of medical secrecy and in compliance with the provisions of the French Public Health Code (in particular, Art. L1110-12).

The CNIL clarifies that this draft recommendation does not yet cover patients’ rights under the GDPR or how patients can exercise them. This will be addressed in subsequent work by the CNIL, in particular to take into account the provisions of the European Health Data Space (EHDS) regulation.

Next steps 

Given the broad scope of the CNIL’s draft recommendation and its dense content, all relevant stakeholders in the healthcare sector should carefully review the draft and actively participate in the public consultation, as the forthcoming rules and recommendations will directly affect their responsibilities and practices.

The public consultation is open until May 16, 2025. The CNIL has specified that participants do not have to comment on every provision of the recommendation: contributors can choose which parts they wish to respond to, and comments on only some parts of the recommendation are also welcome.

Authored by Julie Schwartz, Rémy Schlich, and Sarina Singh.