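Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study.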

IF 3.1 | Zone 3, Medicine | Q2 MEDICAL INFORMATICS
Christine Riou, Mohamed El Azzouzi, Anne Hespel, Emeric Guillou, Gouenou Coatrieux, Marc Cuggia
JMIR Medical Informatics, volume 13, e63754. Journal Article. Published 2025-04-17. DOI: 10.2196/63754 (https://doi.org/10.2196/63754). PDF: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12020775/pdf/
Citation count: 0

Abstract


Background: The European Union's General Data Protection Regulation (GDPR) has profoundly influenced health data management, with significant implications for clinical data warehouses (CDWs). In 2021, France pioneered a national framework for GDPR-compliant CDW implementation, established by its data protection authority (Commission Nationale de l'Informatique et des Libertés). This framework provides detailed guidelines for health care institutions, offering a unique opportunity to assess practical GDPR implementation in health data management.

Objective: This study evaluates the real-world applicability of France's CDW framework through its implementation at a major university hospital. It identifies practical challenges for its implementation by health institutions and proposes adaptations relevant to regulatory authorities in order to facilitate research in secondary use data domains.

Methods: A systematic assessment was conducted in May 2023 at the University Hospital of Rennes, which manages data for over 2 million patients through the eHOP CDW system. The evaluation examined 116 criteria across 13 categories using a dual-assessment approach validated by information security and data protection officers. Compliance was rated as met, unmet, or not applicable, with criteria classified as software-related (n=25) or institution-related (n=91).

Results: Software-related criteria showed 60% (n=15) compliance, with 28% (n=7) noncompliant or partially compliant and 12% (n=3) not applicable. Institution-related criteria achieved 72% (n=28) compliance for security requirements. Key challenges included managing genetic data, implementing automated archiving, and controlling data exports. The findings revealed effective privacy protection measures but also highlighted areas requiring regulatory adjustments to better support research.

Conclusions: This first empirical assessment of a national CDW compliance framework offers valuable insights for health care institutions implementing GDPR requirements. While the framework establishes robust privacy protections, certain provisions may overly constrain research activities. The study identifies opportunities for framework evolution, balancing data protection with research imperatives.

Source journal: JMIR Medical Informatics (Medicine-Health Informatics)
CiteScore: 7.90
Self-citation rate: 3.10%
Articles published: 173
Review time: 12 weeks
Journal description: JMIR Medical Informatics (JMI, ISSN 2291-9694) is a top-rated, tier A journal which focuses on clinical informatics, big data in health and health care, decision support for health professionals, electronic health records, ehealth infrastructures and implementation. It has a focus on applied, translational research, with a broad readership including clinicians, CIOs, engineers, industry and health informatics professionals. Published by JMIR Publications, publisher of the Journal of Medical Internet Research (JMIR), the leading eHealth/mHealth journal (Impact Factor 2016: 5.175), JMIR Med Inform has a slightly different scope (emphasizing more on applications for clinicians and health professionals rather than consumers/citizens, which is the focus of JMIR), publishes even faster, and also allows papers which are more technical or more formative than what would be published in the Journal of Medical Internet Research.