MR-006: The French guideline for access to public health data by a pharmaceutical company


1 - What is MR-006?

The MR-006 is a rule adopted by the CNIL (French Data Protection Authority) for the processing of personal data in the context of an observational study sponsored by a pharmaceutical company requiring access to public health data in France, specifically referred to as PMSI (Programme de Médicalisation des Systèmes d'Information).

PMSI collects data for all hospitalizations occurring within the French territory with the aim of financing health establishments (activity-based pricing) and organizing healthcare offerings (planning). PMSI is part of the SNDS (Système National des Données de Santé), which consolidates and makes available databases that previously existed independently:

  • SNIIRAM Database: Contains health insurance data.
  • PMSI Database: Contains data derived from the activity of health establishments.
  • CepiDC Database: Managed by INSERM, contains data on causes of death.
  • Data related to disability: From departmental houses for disabled persons.
  • Data from "health supplements" (e.g., mutual health insurance) will also be included in the SNDS.

This system is designed to ensure comprehensive management and use of health data for better public health management and research purposes in France. For access to other databases, authorization from French authorities is required.

2 - Procedure

The French Data Protection Law proposes a binary system:

  • Either the Sponsor is 100% compliant with the MR-006's requirements. It declares compliance to the CNIL, and access to the PMSI can be initiated without further formalities.
  • Or the Sponsor is not 100% compliant with the MR-006's requirements. The Sponsor must then obtain PRIOR authorization to access the PMSI data.

The CNIL has a two-month period to respond from the date of the authorization request. In the absence of a response after this period, the authorization is considered tacit.

Compliance with MR-006 is therefore a crucial step in the regulatory journey of an observational study using public health data in France. A sponsor must evaluate the compliance of its study with MR-006 in advance.

Accessing data from the PMSI requires submitting a request to the Health Data Hub. This process must be accompanied by a compliance commitment to MR-006, or, if that is not possible, by obtaining direct authorization from the CNIL.

3 - Requirements related to the Sponsor

  • The study can only be performed through a research laboratory or a study office, public or private, that has made a commitment to compliance with the CNIL.
  • The Sponsor signs a data access agreement with the ATIH (Technical Agency for Information on Hospitalization) and provides an updatable list of the research laboratories or study offices they use.
  • Data is made available to the research laboratory or study office by the ATIH through a secure solution; no export of personal data outside of the secure solution used is possible. Only anonymous results can be exported.

A sponsor cannot claim MR-006 compliance in the following situations:

  • An export of personal data outside of the secure solution provided by the ATIH is needed.
  • PMSI data must be merged with other personal data.

4 - Requirements related to the data subjects

MR-006 distinguishes two categories of data subjects, each with its own requirements:

  • The patients included in the study.
  • The professionals in charge of carrying out the study.

4.1 - Requirements related to patients

Regarding the processing of patients' data, MR-001 specifies that:

1. Purposes

Data can only be processed for research purposes and certain uses are explicitly excluded, including:

  • Promotion of Products: Using data to promote products to health professionals or health establishments is prohibited.
  • Insurance Modifications: Using data to exclude or alter the contributions of an individual or a group of individuals presenting the same insurance risk is also excluded.

French law mandates that any use of data for research must serve a public interest, which must be clearly outlined in the study protocol submitted to the Health Data Hub. Here’s what this typically involves:

Definition of Public Interest: The research must aim to achieve results that benefit the public, such as improving public health outcomes, enhancing healthcare services, or advancing medical knowledge.

Study Protocol: The protocol must detail how the research serves the public interest. This includes a comprehensive description of the research objectives, methodology, and the expected benefits to society.

Ethical Considerations: The protocol must also address ethical considerations, ensuring that the research respects the rights and welfare of individuals whose data is being used. This includes provisions for informed consent where applicable, measures to protect personal data, and procedures to minimize any potential harm to data subjects.

Submission and Review: The study protocol is submitted to the Health Data Hub, which reviews the proposed research to ensure it aligns with legal and ethical standards. This review process includes assessing the validity of the public interest claim and the safeguards in place to protect data subjects.

Oversight and Compliance: Once approved, the research must be conducted in strict accordance with the approved protocol. Regular oversight might be required to ensure ongoing compliance, and any deviations from the protocol must be justified and documented.

2. Categories of data

Only pseudonymized data may be processed.

The categories of personal data that can be processed include:

  • Medicine, Surgery, Obstetrics, and Dentistry (MCO): This category includes data from medical and surgical treatments, obstetric care, and dental procedures carried out in hospitals.
  • Follow-up Care and Rehabilitation (SSR): Data related to rehabilitative care and follow-up treatments that patients receive after initial medical interventions or surgeries to help restore their health and functional abilities.
  • Medical Information Collection in Psychiatry (RIM-P): This involves data collected from psychiatric evaluations and treatments, which are crucial for understanding and managing mental health conditions.
  • Home Hospitalization (HAD): Data concerning patients who receive hospital-level care at home, which includes various types of medical, surgical, and rehabilitation services administered outside traditional hospital settings.
  • Linking Data through the 'ANO' File: This feature allows for the linkage of all PMSI data related to the same patient using the 'ANO' file.

3. Recipients of data

Data is only made available to research laboratories and study offices through a secure solution. No export of personal data can take place outside of this secure solution as stipulated by this reference methodology.

Only personnel from the research laboratory and study office are permitted to access the data.

4. Information and rights of patients

Patients must be informed of the processing of their personal data in accordance with the mandatory information provided for by Article 13 of the GDPR. This information must be provided via the hospitals collecting health data and the research laboratories and study offices. A notice on the entities' websites can be used.

Patients may exercise their GDPR rights at any time with the local public health insurance entity to which the patient is attached.

5. Data retention period

Data must not be stored outside the secure solution provided by the ATIH. Only anonymized results may be exported. The duration of access to the data within the secure solution should be limited to the time necessary for the processing of the data. If justified by the data controller, access to the data may be maintained after the completion of the study, but not beyond two years from the last publication related to the results.

4.2 - Requirements related to Professionals carrying out the research

1. Purposes

Personal data can only be processed to implement the study and comply with the legal obligations of the Sponsor or the research laboratories and study offices.

2. Categories of data

Any professional personal data (name, first name, professional address, diploma, etc.) can be collected.

3. Data retention period

Data of professionals cannot be kept beyond 5 years from the end of the study.

5 - Other Requirements

Subcontractors

The respective commitments of the Sponsor and the research laboratory or study office are formalized in a contract. In particular, the contract must stipulate that the subcontractor:

  • Processes data only on documented instructions from the Sponsor and takes all required security measures.
  • Does not subcontract without the written authorization of the Sponsor.
  • Assists the Sponsor in ensuring compliance with various obligations (rights of individuals, security of processing, breach notification, impact assessments, etc.).
  • Provides the Sponsor with all necessary information to demonstrate compliance with obligations and to enable audits.
  • Immediately informs the Sponsor in the event of an instruction that, in its opinion, constitutes a violation of the GDPR or data protection law.
  • Designates a Data Protection Officer.
  • Maintains a record of processing activities.

The Sponsor appoints a Data Protection Officer.

At the end of the study, the study results obtained must be communicated to the Health Data Hub for publication, respecting business secrecy and intellectual property.

Pierre Malvoisin

COO
