Doctors, dentists, physiotherapists, nurses: every day, you handle some of the most sensitive data that exists. The GDPR places health data in a special category, subject to enhanced protections. Where should you host your emails, appointment calendars, and patient communications? This article provides an overview of the legal obligations and of practical solutions.
Health Data: What Are We Talking About Exactly?
The GDPR defines health data as any information relating to the physical or mental health of a person, past, present, or future. This definition is intentionally broad and encompasses far more than the medical record in the strict sense.
Specifically, the following are considered health data:
- Information collected during a medical consultation
- Test and analysis results
- Prescriptions
- Social security numbers (which may reveal health information)
- Medical appointments (which reveal that a person is consulting a particular specialist)
- Email exchanges concerning a patient's health
This last category is often overlooked. Yet when a patient writes to describe their symptoms or sends you their test results, those emails contain health data under the GDPR.
The French Regulatory Framework
In France, health data is subject to a dual regime: the European GDPR and French regulations on Health Data Hosting (HDS – Hébergement de Données de Santé).
HDS Certification: Mandatory or Not?
HDS certification is mandatory for hosting providers that store health data on behalf of third parties (healthcare facilities, laboratories, etc.). However, the situation is more nuanced for self-employed healthcare professionals.
Are You Subject to the HDS Requirement?
If you host your patients' data yourself (local server, NAS), you are not subject to the HDS certification requirement. However, if you entrust hosting to a third party, that third party must be HDS-certified for health data specifically.
That said, for basic email (appointment scheduling, general exchanges), a GDPR-compliant hosting provider without HDS certification may suffice, provided you do not store sensitive medical data there.
The distinction is important: your practice management software (with patient records) must be hosted with an HDS-certified provider. But your general professional email can be hosted with a GDPR-compliant provider like Infomaniak.
CNIL Recommendations
The CNIL (French Data Protection Authority) regularly reminds healthcare professionals of their data security obligations. Recommended measures include:
- Using strong, unique passwords
- Encrypting sensitive data
- Performing regular backups
- Limiting access to authorized personnel only
- Preferring European hosting providers to avoid transfers outside the EU
This last point strongly favors a hosting provider like Infomaniak, whose servers are located in Switzerland, a country recognized as providing an adequate level of protection by the European Commission.
The Problem with Consumer Email Services
Too many healthcare professionals still use Gmail or Outlook for their professional communications. This is problematic for several reasons.
Automatic Content Analysis
Google analyzes the content of Gmail emails to personalize advertising and improve its services. Even though the company states that it stopped using email content for ad targeting in 2017, automated analysis remains active for other features (filtering, suggested replies).
For a healthcare professional, the idea that symptoms described by a patient could be analyzed by algorithms is difficult to accept, even if this analysis is automated.
The US Cloud Act
As we discussed for lawyers, the risk is identical for healthcare professionals. Data hosted by American companies is potentially accessible to US authorities, which poses a problem for medical confidentiality.
Lack of Appropriate Contractual Guarantees
The general terms of consumer services are not designed for health data. They do not provide the confidentiality and security guarantees that a healthcare professional has the right to expect.
Infomaniak: A Solution Suited to Healthcare Professionals
Infomaniak is not HDS-certified (this certification specifically concerns hosting providers for medical records), but the Swiss hosting provider offers all the necessary guarantees for email and collaboration tools used by healthcare professionals.
Swiss Hosting: Neutrality in Service of Confidentiality
Switzerland is subject neither to the US Cloud Act nor to European data retention directives. Foreign authorities cannot demand access to data hosted in Switzerland without going through official diplomatic procedures.
For a doctor, this means that communications with patients remain truly confidential. No foreign authority can access them without the professional's knowledge.
High-Level Technical Security
Infomaniak's data centers are ISO 27001 certified, the international benchmark standard for information security. They are located in Switzerland, powered by 100% renewable energy, and subject to the strictest controls.
Infomaniak Security Measures
- TLS encryption for all communications in transit
- Two-factor authentication available
- Built-in anti-spam and antivirus
- Automatic daily backups
- 24/7 infrastructure monitoring
Tools Suited to Daily Medical Practice
Infomaniak's email integrates seamlessly into the daily routine of a medical practice. The shared calendar allows you to manage appointments, the address book centralizes patient contacts and correspondents, and the webmail is accessible from anywhere.
kDrive allows you to store and share documents securely. Does a patient need to send you their test results? Create a secure upload link rather than receiving files by email.
kMeet offers the possibility of conducting telemedicine consultations securely. The video stream passes exclusively through Infomaniak's Swiss servers, without going through American third parties.
Best Practices for Patient Communications
Beyond choosing a hosting provider, several best practices strengthen the security of your digital communications.
Limit Sensitive Data in Emails
Email, even when secured, is not the ideal channel for exchanging sensitive medical data. Use the secure messaging feature of your practice management software when possible.
For standard email exchanges, avoid detailing diagnoses or treatments. Prefer general wording and suggest that the patient discuss the details during an appointment.
Use Secure Sharing for Documents
Rather than sending email attachments, use kDrive's secure sharing features. You can password-protect the link and set an expiration date. The document is never stored in the patient's email inbox, reducing risks in case their account is hacked.
Train Your Practice Staff
Data security also depends on raising awareness among the entire team. Medical receptionists, assistants: everyone must know best practices and the risks associated with health data.
Enable Two-Factor Authentication
This simple but effective measure protects your account even if your password is compromised. Infomaniak offers several methods: authentication app, SMS, physical security key.
Migrating from Gmail or Outlook: How to Proceed?
Are you currently using an American email service and want to migrate to Infomaniak? Here are the main steps.
1. Create Your Infomaniak Account
Subscribe to the Mail Hosting or kSuite plan depending on your needs. For a solo practice, Mail Hosting is usually sufficient. For a multi-practitioner practice with collaboration needs, kSuite offers more features.
2. Configure Your Domain
If you already use your own domain name (e.g., dr-martin.com), you keep it. Simply modify the DNS records to point to Infomaniak. If you're using a @gmail.com address, this is the perfect opportunity to professionalize your communications with a custom domain.
3. Import Your Existing Emails
Infomaniak's migration tool automatically transfers your emails from Gmail or Outlook. Your entire history is preserved, including the folder structure.
4. Configure Your Devices
Desktop, smartphone, tablet: all your devices can connect to your new email service. The settings are standard (IMAP/SMTP) and configuration takes just a few minutes.
5. Inform Your Patients
If you're changing email addresses, plan for a transition period. Set up an auto-reply on the old address to inform your contacts.
Cost Comparison
Is Swiss hosting more expensive than American alternatives? Not necessarily.
| Solution | Price/month | Storage | Advantages |
|---|---|---|---|
| Gmail (Google Workspace) | €5.75/user | 30 GB | Google ecosystem |
| Outlook (Microsoft 365) | €5.60/user | 50 GB | Office integration |
| Infomaniak Mail | €1.50/address | 20 GB | Swiss hosting, FR support |
| kSuite Standard | €5.87/user | 3 TB shared | Complete suite, generous storage |
For a solo practitioner, the Mail Hosting plan at €1.50 per month is unbeatable. For a group practice with collaboration needs, kSuite remains competitive against the American giants while offering superior confidentiality guarantees.
Conclusion
Health data deserves protection commensurate with its sensitivity. While your practice management software must be hosted with an HDS-certified provider, your professional email can be hosted with a GDPR-compliant provider like Infomaniak.
Swiss hosting provides confidentiality guarantees that American giants cannot match. For an equivalent or even lower cost, you effectively protect your patient communications and comply with CNIL recommendations.
Migration is straightforward and can be guided by professionals. Why continue taking risks with hosting providers subject to the Cloud Act?
Ready to migrate to Infomaniak?
Contact us for a free 15-minute audit. We will analyze your situation and provide you with a personalized quote.