Back in 2018, the French government introduced—by way of its Public Health Code (Article L.1111-8)— HDS certification, mandating that all entities hosting personal health data must successfully achieve certification. Now, in 2024, they’ve published a new HDS framework with changes, expositions, and removals of language that organizations affected will need to know in order to comply. As one of only 9 certification bodies accredited to certify compliance with HDS—and the only one based in the U.S.—we’re here to offer some insight into this latest and significant shift. In this article, we’ll break down the changes within the new HDS framework, including the restructuring of requirements, the clarifications on prior requirements that have now been made, and the critical removal of in-scope mandates so that you can begin your adjustments before this new version comes into effect. Designed to ensure the security and privacy of health data hosted in France, HDS—a French acronym for Health Data Hosting (Hebergement des donnees de sante)—is a mandatory framework overseen by the French Ministry of Health and the Agence du Numérique en Santé (ANS). Any organization that hosts healthcare data collected in France must comply with its regulatory mandates, and that includes:
- Cloud service providers;
- Data center providers; and
- Third-party service providers.
Compliance means getting certified, which involves an initial application, documentation review, and on-site audits conducted by accredited certification bodies to confirm the implementation of HDS’s required and stringent privacy and security measures such as:
- Physical security and other access controls;
- Data encryption; and
- Data breach notification.
Once you demonstrate compliance with all requirements, you’ll achieve HDS certification—though this achievement is typically valid for three years, you’ll also need to undergo regular audits that confirm your security remains robust, effective, and meets the framework’s requirements.
What are the Changes in the 2024 HDS Framework?
Those requirements have recently been updated, as—on May 16, 2024—the French government published a new version of the HDS framework, which will go into effect on November 16, 2024. (If you are currently HDS certified, you’ll have to transition to the new version before May 16, 2026).
So what’s different in this latest version of HDS? Here’s an overview of some of the major updates.
New Organization of Updated Requirements
While the old HDS referential included 44 requirements organized in a single chapter with 4 subsections, the new referential totally revamps its presentation and content.
Now, there are only 31 requirements, and these have been restructured under 4 different chapters, and an additional Chapter 8 related to transparency has been added along with other new details:
Chapter | Details |
|---|---|
Chapter 4 (1 requirement) | Requirements Regarding: Conditions for Certification In other words, this chapter is a summary of what you need to do to become HDS certified. |
Chapter 5 (15 requirements) | Requirements Regarding: Inclusion of HDS within ISMS While the 2018 version of the HDS referential included only 4 requirements organizations had to meet in addition to those of ISO 27001, the new version—and the 15 requirements in Chapter 5—indicate a heavier integration with your ISO 27001 information security management system. Now, HDS needs to be taken into consideration within the elements listed within clauses 4 to 10 of the ISO 27001 standard, including:
|
Chapter 6 (11 requirements) | Requirements Regarding: Contractual Relationships Before, only certain contractual obligations were applicable per the French Health public code, but now, your obligations as an organization getting HDS certification to your customers are explicitly included in Chapter 6 of the HDS referential and your certification body is required to review them as part of your assessment. |
Chapter 7 (4 requirements) | Requirements Regarding: Data Localization and Data Sovereignty As described in Chapter 7, the new HDS referential requires healthcare data collected in France to be hosted in the European Economic Area (EEA, or the EU + Iceland, Liechtenstein, and Norway). That being said, some specific dispositions linked to the GDPR also allow access to data from countries outside of the EU/EEA. Now, you must create a public mapping of transfers outside the EEA via a specific webpage and you must also communicate the activities of any third parties involved in your data hosting to your customers. |
Chapter 8 (1 table) | Details how to list the involvement of any third parties with your healthcare data hosting, as well as how to communicate that to your customers. |
Longer Audit Time Range
In this new version of HDS, the expected audit time for initial certification has been raised from a range of 1 to 5.5 days to a range of 2 to 5 days for most organizations.
New Exposition on Hosting Providers
While the former HDS referential made a distinction between an IT physical infrastructure provider and an IT managed services provider, this distinction was removed from the new version of the referential—therefore, all requirements apply to hosting providers regardless of their classification.
Furthermore, the HDS framework—which previously described 6 different hosting activities in scope, and still does in the new version—has now provided some additional clarification regarding:
- Hosting activity #5 (management and operation of the information system containing the health data); and
- Hosting activity #6 (backing up the health data).
(These details can be found in Chapters 2 and 3 of the new referential.)
No More ISO 20000-1 or ISO 27018
Though the strong correlation between ISO 27001 and HDS remains, the new version of the framework has removed most of the prior references to ISO 20000-1 and ISO 27018.
Though a few additional requirements from ISO 27018 do remain, most of the related controls—what was an entire section of the referential—were removed from the HDS referential. Moreover, your certification body will no longer be allowed to presume your conformity with those requirements even if you are ISO 27018 certified—they will need to be evaluated again as part of your HDS certification.
And whereas before, a full section of the HDS referential was related to requirements originating from the ISO 20000-1 standard that covered change management, availability, and capacity, those requirements are no longer in the scope of the HDS framework—at all.
Moving Forward with the New HDS Framework
Though it does represent an additional, required undertaking for organizations hosting French healthcare data, HDS certification—and its mandated high standards of data security and privacy—can also help you enhance trust and credibility among your clients and patients, reduce the risk of data breaches, and help ensure compliance with data protection laws.
Now that you understand more about the latest version of the referential, you’re in a better position to accommodate the changes during your preparation for certification, but should you have any further questions, please contact our team, who would be happy to address your concerns and pave an easier way forward to HDS certification.
About the Authors
Mathieu Legendre is a Manager with Schellman, based in New York City, NY. Prior to joining Schellman in 2021, Mathieu worked for an accounting company, specializing in compliance and anti-corruption regulations. Before arriving in the US in 2016, Mathieu worked as an attorney in France, specializing in public law and consumer law-related matters. Mathieu also led and supported various other projects, including real estate projects and writing a World War I non-fiction book. Mathieu has over 15 years of experience comprised of serving clients in various industries, including financial services, construction and government. Mathieu is now focused primarily on privacy for organizations across various industries.
Robert Tylka is a Principal at Schellman & Company. With over 17 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, STAR, and HIPAA examinations. In his portfolio he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the information technology, financial services, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies, with a strong focus in the technology sector.
