Processing of health data by complementary health insurance providers: CNIL calls for further clarification

CNIL calls for clarification regarding the processing of health data by complementary health insurance providers in the face of several complaints.


CNIL calls for clarification regarding the conditions under which complementary health insurance providers are allowed to collect health data, after receiving several complaints regarding the legality of these insurance providers receiving, for various reasons, data generated by health professionals. Currently, individual consent from the patient is at times required. However, CNIL recommends the adoption of a law, as the current texts addressing this are not always clear. The hundreds of complaints received by CNIL related to approximately fifty complementary health insurance organisations that received data, in the form of specific codes, for patient follow-up, prescriptions, and the reimbursement of health expenses. Due to the numerous complaints, CNIL explored the possibility for complementary health insurance providers to collect and use this data not just in accordance with the GDPR and the Data Protection Act, which govern the processing of sensitive data of this nature, but also with the professional confidentiality usually applicable to health data.


CNIL believes that the use of health data by these complementary health insurance providers should be possible, but under specific conditions.


While all health data processed by health insurance providers is special category data, protected by the GDPR as well as by patient confidentiality, Article 9 of the GDPR provides for certain situations in which this special category data may be processed. In principle, the collection and use of health data is prohibited, unless it is covered by one of the exceptions provided for in Article 9 of the GDPR or a specific text, such as a law, allows it. Taking this into consideration, CNIL notes that complementary health insurance providers may use health data in order to reimburse their policyholders. However, given the very sensitive nature of this data, CNIL is also of the opinion that the texts governing this are incomplete, and that they should affirm this possibility more clearly, by providing appropriate supervision and guarantees.


CNIL also notes that complementary health insurance providers are required to comply with the rules set by the GDPR, including data minimisation.


Under the principle of data minimisation, complementary health insurance providers are to process only the data they need to provide their services. As Article 5(1)(c) states, the data processed must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” In addition, health data that is processed remains subject to medical confidentiality. CNIL notes, however, that the texts regulating medical confidentiality are inadequate. While the information transmitted to complementary health insurance providers is covered by medical confidentiality, a waiver of medical confidentiality is necessary if this data is transmitted directly by health professionals to complementary health insurance providers.


CNIL believes that it is necessary to supplement the law to facilitate and better guide derogations.


According to CNIL, exemptions are either very implicit or non-existent. It is therefore necessary to clarify or supplement the law in order to facilitate this derogation by providing a framework and appropriate guarantees. CNIL has communicated its findings to both the Minister of Health and Prevention and the complementary health insurance providers, and believes that, in the absence of more comprehensive rules, transmissions may continue to be made for so-called “responsible” contracts. In some cases, patients may have to transmit information to their complementary health insurance providers themselves. CNIL also reiterated its wish for the adoption of a law that will secure and regulate the transmission of this information, to guarantee the privacy of individuals and ensure legal certainty for health professionals as well as insurance companies.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.