Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study
- PMID: 40244890
- PMCID: PMC12020775
- DOI: 10.2196/63754
Abstract
Background: The European Union's General Data Protection Regulation (GDPR) has profoundly influenced health data management, with significant implications for clinical data warehouses (CDWs). In 2021, France pioneered a national framework for GDPR-compliant CDW implementation, established by its data protection authority (Commission Nationale de l'Informatique et des Libertés). This framework provides detailed guidelines for health care institutions, offering a unique opportunity to assess practical GDPR implementation in health data management.
Objective: This study evaluates the real-world applicability of France's CDW framework through its implementation at a major university hospital. It identifies practical challenges for its implementation by health institutions and proposes adaptations relevant to regulatory authorities in order to facilitate research in secondary use data domains.
Methods: A systematic assessment was conducted in May 2023 at the University Hospital of Rennes, which manages data for over 2 million patients through the eHOP CDW system. The evaluation examined 116 criteria across 13 categories using a dual-assessment approach validated by information security and data protection officers. Compliance was rated as met, unmet, or not applicable, with criteria classified as software-related (n=25) or institution-related (n=91).
Results: Software-related criteria showed 60% (n=15) compliance, with 28% (n=7) noncompliant or partially compliant and 12% (n=3) not applicable. Institution-related criteria achieved 72% (n=28) compliance for security requirements. Key challenges included managing genetic data, implementing automated archiving, and controlling data exports. The findings revealed effective privacy protection measures but also highlighted areas requiring regulatory adjustments to better support research.
Conclusions: This first empirical assessment of a national CDW compliance framework offers valuable insights for health care institutions implementing GDPR requirements. While the framework establishes robust privacy protections, certain provisions may overly constrain research activities. The study identifies opportunities for framework evolution, balancing data protection with research imperatives.
Keywords: France; French; applicability; clinical data warehouse; compliance; data hub; experiential analysis; legislation; operational challenge; personal data; personal data protection; privacy; security; university hospitals.
© Christine Riou, Mohamed El Azzouzi, Anne Hespel, Emeric Guillou, Gouenou Coatrieux, Marc Cuggia. Originally published in JMIR Medical Informatics (https://medinform.jmir.org).