Regulatory framework and HDS V2 certification standards


HDS certification forms part of a structured regulatory and methodological framework designed to ensure a level of information security governance appropriate for the processing of health data. To understand its scope, it is necessary to identify the foundations of the standard that defines its requirements.
It is based on an Information Security Management System (ISMS) compliant with ISO/IEC 27001, supplemented by requirements specific to the processing and protection of health data.
HDS certification can cover six healthcare activities
HDS certification can cover six distinct activities defined by the Public Health Code. For the first four activities, the standard requires not only the provision of resources, but also their Maintenance in Operational Condition (MCO, from the French Maintien en Condition Opérationnelle), i.e. all measures (maintenance, monitoring, updates) ensuring that the service remains continuously available, efficient and secure.
- The provision and MCO of physical sites for hosting the hardware infrastructure (data centres, secure IT rooms).
- The provision and MCO of the hardware infrastructure (physical servers, storage arrays, network equipment).
- The provision and MCO of the virtual infrastructure (virtual servers, virtual networks and storage via a hypervisor).
- The provision and MCO of the application hosting platform (a PaaS-type application platform enabling the deployment of healthcare software).
- The administration and operation of the information system containing health data (day-to-day technical and application management).
- The backup of health data, specifically referring to the management of off-site backups to ensure data recovery in the event of an incident.
Each entity may be certified in one or more of these areas depending on the services actually provided. It is essential that the scope selected is included within that of the ISO/IEC 27001 certificate and that it is clearly defined on the final certificate to reflect the actual services provided.
Legal framework for Health Data Hosting (HDS)
“Any natural or legal person hosting personal health data collected in the course of prevention, diagnosis, treatment or medico-social follow-up activities on behalf of natural or legal persons responsible for the production or collection of such data, or on behalf of the patient themselves, must be authorised or certified for this purpose.” Article L.1111-8 of the Public Health Code, amended by Law No. 2016-41 of 26 January 2016.
The certification procedure is based on an assessment of compliance with the certification framework. The hosting provider selects a certification body which must be accredited by COFRAC (or its equivalent at European level).
Challenges and objectives of HDS certification
For data controllers (healthcare organisations, healthcare professionals, software publishers), HDS certification is much more than just a regulatory requirement: it is a mark of trust and operational excellence. By choosing a hosting provider certified by an independent third party such as LSTI, the data controller can be assured that their service provider implements appropriate security measures and a consistent framework to protect the most sensitive data.
This trust is based on four fundamental pillars reinforced by the HDS V2 standard:
- Proof of robust information system security governance: The data controller benefits from an independently assessed level of security, guaranteeing the confidentiality, integrity and availability (CIA) of health data.
- Simplified regulatory compliance: The certification attests that the hosting provider complies with the strict obligations of the Public Health Code (CSP) and the GDPR, thereby facilitating the data controller’s own compliance process.
- Transparent contractual guarantees: In accordance with Article R.1111-11 of the CSP, commitments regarding service levels, respect for data subjects’ rights and the secure reversibility of data are formally defined.
- Visibility across the service chain: The new “Representation of Guarantees” introduced by V2 offers complete transparency regarding all parties and subcontractors involved in the service provision, enabling the data controller to maintain full control over their data ecosystem.
By outsourcing hosting to an HDS V2-certified organisation, the data controller transforms a legal obligation into a strategic asset, ensuring optimal and long-term protection of the information entrusted by patients.
Who should apply for HDS certification?
HDS certification is a legal requirement that applies to any organisation — public or private — that hosts, operates or provides hosting services for personal health data (PHD). It specifically concerns entities acting as data processors within the meaning of the GDPR on behalf of data controllers (healthcare establishments, healthcare professionals) or the patient themselves.
This certification is intended in particular for the following parties:
- Physical infrastructure hosts: providers responsible for making physical sites (data centres) available and maintaining them in operational condition for hardware infrastructure.
- Virtual infrastructure hosts: organisations providing virtual servers and the associated infrastructure application platforms.
- Application platform providers (PaaS): organisations providing the environment necessary for the deployment of healthcare applications.
- IT service providers and information systems administrators: service providers responsible for the operation and critical maintenance of systems containing health data.
- Outsourced backup services: any organisation providing secure backup of health data on behalf of a third party.
A scope defined by usage
The certification requirement applies whenever hosted data is collected in the course of preventive, diagnostic, clinical or social and medico-social care activities. Whether you are responsible for the overall infrastructure or a specialist subcontractor, your scope of certification must reflect the services actually provided within the healthcare ecosystem.
HDS V2: Representation of guarantees and compliance by stakeholders
HDS V2 now requires full transparency across the subcontracting chain. If you use a third party for part of your activities (such as physical storage), you must ensure that they are also certified for the activities they carry out.
What should you do before taking the HDS certification exam?
Before applying for an HDS certification audit with LSTI, it is essential that your organisation completes several key steps to ensure that its system complies with the requirements of the HDS V2 framework and the ISO/IEC 27001 standard.
Establishing a compliant and operational ISMS
As HDS certification is based on the ISO 27001 standard, you must first structure and implement an Information Security Management System (ISMS). It is strongly recommended that this system has been operational for at least six months prior to the initial audit to demonstrate its maturity.
Define your scope of activity precisely
You must identify the hosting activities (from among the six domains defined by the Public Health Code) that you actually provide to your clients. This scope must be clearly documented, as it serves as the basis for your entire risk analysis and the drafting of your Statement of Applicability (SoA).
Risk analysis and IT security of the Health Information System
In addition to a risk analysis, the HDS V2 framework requires specific scenarios to be considered, such as:
- Loss of control over physical media (copies, reallocation of space).
- Control of access and technical interventions.
- Risks related to data sovereignty and potential subjection to non-European legislation.
Bringing your contracts and guarantees into compliance
Ensure that your hosting contracts already include the mandatory clauses of Article R.1111-11 of the Public Health Code (service levels, reversibility, individual rights). You must also prepare your ‘Representation of Guarantees’ document detailing all parties in your service chain.
Validate compliance through an internal audit
Conducting an internal audit is an essential prerequisite. This audit must, in particular, verify the ISMS’s compliance with HDS requirements and ensure that access to health data by your teams is actually traceable. Finally, a management review must be conducted to validate the system’s suitability and effectiveness prior to LSTI’s intervention.
How does the HDS certification process work?
LSTI’s audit process is based on a rigorous methodology that has been tried and tested with numerous IT service providers and healthcare organisations. Our audits are designed to validate the actual effectiveness of your cybersecurity framework whilst ensuring a smooth transition to the HDS V2 standard.
LSTI conducts ISO 27001 and HDS V2 audits simultaneously with the same team of specialist auditors, thereby ensuring maximum consistency and efficiency.
A certification cycle in three key stages
The HDS certification cycle follows a structured, progressive and recurring approach. It aims to assess the initial compliance of the hosting system, then to ensure its ongoing compliance over time.
- Initial audit: carried out in two phases, this process begins with a document review (Stage 1) followed by an operational verification on-site or remotely (Stage 2) to validate that the system and your hosting risk management strategy comply with the requirements of the ISO 27001 and HDS standards.
- Certificate issuance: if the requirements are met, a 27001 certificate and an HDS certificate are issued for a period of three years.
- Annual surveillance audits: these ensure that compliance is maintained and that the system is continuously improved throughout the certificates’ lifecycle.
- Renewal audit: at the end of the three-year cycle, a full audit enables the 27001 and HDS certifications to be extended for a new cycle.
The regulatory framework of the HDS V2 standard has been mandatory for all new applicants since 16 November 2024. For organisations that are already certified, the full transition to these new requirements must be completed by 16 May 2026 at the latest.
Find our certification regulations on the Downloads page.
Validity of a certificate
The HDS certificate is issued for a period of three years and is subject to annual surveillance audits to ensure strict compliance and data security are maintained throughout the cycle.
Your questions about the Health Data Host (HDS) certification
- What is health data (DSCP) within the meaning of the framework?
Health data (DSCP) within the meaning of the framework refers to personal data as defined by Article 4.15 of the GDPR, collected during preventive, diagnostic, care or social and medico-social monitoring activities on behalf of healthcare professionals, establishments or the patient themselves.
- What are the sovereignty obligations concerning the storage of health data?
Sovereignty obligations concerning the storage of health data require that the hosting provider or its subcontractors store this data exclusively within the European Economic Area (EEA), while documenting and communicating to the customer the exact location of this storage.
- What do we mean by "Actor" in the context of the hosting service?
In the context of the hosting service, "Actor" refers to any party involved in health data security, with the exception of the data controller and the host's subcontractors when they act in accordance with the security policy and under the supervision of the certified entity.
- What are the specific features of Activity 5 in the HDS V2 standard?
The specific features of Activity 5 in the HDS V2 standard lie in the control of interventions on the customer's resources, through the annual review of nominative access, the securing of procedures, the traceability of logs and the prior validation of actions. These tasks are intrinsic to activities 1 to 4, but are mandatory for any service provider administering resources without supplying the infrastructure.
- How to obtain HDS certification?
To obtain HDS certification, an organisation must set up an Information Security Management System (ISMS) in compliance with ISO 27001, supplemented by the requirements of the ANS reference framework, carry out a mandatory internal audit, and then validate its compliance through an official audit carried out by an accredited body such as LSTI.
- Is HDS certification compulsory?
Under Article L.1111-8 of the French Public Health Code, HDS certification is mandatory for any individual or legal entity hosting personal health data on behalf of a third party. This obligation applies to both physical and virtual infrastructure hosts, as well as outsourcers.
- What's the link between ISO 27001 and HDS?
The link between ISO 27001 and HDS lies in the fact that HDS certification must be based on an ISO/IEC 27001-certified ISMS, the HDS perimeter must be included in the ISO 27001 perimeter, and the validity of the HDS certificate is conditional on maintaining ISO 27001 certification.
- What is HDS version 2.0?
Version 2.0 of the standard, published in 2024, reinforces transparency and security requirements. In particular, it introduces strict obligations concerning data sovereignty (storage within the EEA), transparency on transfers outside the EU and standardisation of the presentation of guarantees offered to customers. It has been mandatory for new applicants since 16 November 2024, and all certified players must have completed their transition by 16 May 2026.
- Are data controllers who host their own data subject to HDS certification?
Data controllers who host their own data are not subject to the legal requirement for HDS V2 certification, which is aimed at entities acting as subcontractors on behalf of third parties. A voluntary approach is still possible to guarantee security assessed by a third party, offering, via the ISO 27001 + HDS foundation, a structuring lever for compliance with the NIS2 directive applying to the healthcare sector.