SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How HDS Certification Can Help Protect Your Health Data

HDS Certification

In an increasingly data-driven healthcare landscape, protecting sensitive information has become paramount. The French health data regulation, known as Hébergeur de Données de Santé (HDS), plays a crucial role in safeguarding healthcare data. Understanding HDS and its implications is vital for any organization that may host French health data.

During the French Revolution, a seismic social and political upheaval lead to the introduction of revolutionary ideas and the emergence of new political systems that shaped modern France and influenced revolutionary movements worldwide.

While perhaps not on the same scale, the threats to health data and demand for additional security over that data has led to advancements of security standards. In today's fast-paced and ever-evolving healthcare industry, data security is more important than ever—especially since the threat landscape continues to evolve.

But just as they did in the 1790s, the French have come up with a new solution to help solidify the protection of health data— HDS certification. Though relatively new to the scene in comparison to some other security standards, HDS now presents a worthy alternative for healthcare organizations seeking to prove to patients that their information is safe.

As one of only nine organizations authorized to provide HDS certification, we have a more detailed perspective on this option you have than most, and so in this article, we’re going to reiterate the criticality of protecting health data before getting into what HDS certification is and what types of organizations it might suit—or are simply required to be certified.

The Importance of Protecting Health Information

We don’t need to tell you that if you handle sensitive health information, you must take all necessary measures to help ensure that patient data is protected and secured—personal health data has been and remains some of the most valuable and sensitive information out there.

For that reason, it’s unfortunately also the most sought after by cyber criminals, and because patient data is now spread farther and wider than ever before—from hospitals to cloud data solution providers—the risks of exposure and other threats continue to increase every year.

Recent data analysis by Critical Insight confirms that attackers are targeting not only hospitals but also business associates and third-party vendors, such as electronic medical record providers, lawyers, accountants, billing companies, and medical device manufacturers.

Defending against such widespread and advancing attacks and preventing any breaches or theft requires effective and robust security measures, and that’s where HDS certification can help.

What is HDS?

HDS certification was created in France, because as we mentioned, the government there recognized the need to mitigate these risks as they specifically pertained to health data and they went so far as to codify it into law.

The French Public Health Code (Article L.1111-8) mandates that all entities hosting personal health data achieve HDS certification—a process that was introduced in 2018. For any Americans reading this, HDS regulations and the related certification function a bit like HIPAA in the United States in that they serve to verify your compliance with a baseline set of requirements regarding all personal health data hosting.

To obtain certification, you’ll undergo an assessment by an authorized certification body that will evaluate your adherence to HDS’s rigorous control framework, which includes measures such as:

  • Robust authentication and authorization procedures;
  • Strong backup systems; and
  • Effective encryption methods.

After completing and passing the assessment, you’ll receive a report and an official certificate, including an HDS mark, the latter of which is valid for three years. Much like the popular ISO 27001 certification, annual surveillance audits are required during off-certifying years to ensure continued HDS compliance.

Who Needs HDS Certification?

HDS is focused on securing patient data in healthcare, but of the many different types of organizations in the sector, which should consider pursuing HDS certification?

Article L.1111-8 of the French Public Health Code provides some guidance where it says the standards are for “Any natural or legal person that hosts personal health data collected during an activity of: prevention, diagnostic, social and medico-social care and monitoring for the account of natural or legal person originating the production and collection of these data on behalf of the patient itself, must be accredited and certified for this activity.”

To put that into simpler terms, HDS applies to a wide range of entities involved in healthcare data management, so if your company falls into any of the following categories, HDS certification may be relevant or required for you:

Healthcare Providers

Hospitals, clinics, private practices, and other healthcare facilities that store and process French patient data.

Health IT Service Providers

Companies that develop and maintain healthcare software applications, electronic health records (EHR) systems, telemedicine platforms, and other health IT solutions used by French healthcare providers.

Data Hosting Service Providers

Organizations that provide data hosting services—especially if you handle or store French health data. Of course, if you do, HDS certification is mandatory, but it’s important to recognize that even the potential storage of such data could warrant a thorough evaluation of HDS compliance requirements.

Third-Party Service Providers

Vendors and contractors engaged by healthcare providers or health IT companies to handle health data on their behalf, such as cloud service providers or data analytics firms.

 Ready to Take Your Next HDS Steps?

It may not have been an uprising in the same vein as the one that introduced the guillotine and tore down the Bastille, but in these modern times, the French have channeled their revolutionary spirit into creating a solid compliance option to help protect health data.

No matter where or how you work in the healthcare sector, the HDS certification can help your organization comply with legal requirements, enhance the credibility of your services, and build trust with your customers regarding the safety of their data. As this certification is still relatively new, you’ll also gain a competitive advantage that can lead to increased opportunities and long-term growth.

Even though you now understand a little more about HDS, navigating this compliance journey may still be challenging. As one of your limited potential partners on this endeavor, we encourage you to reach out to us with any questions—we’d be happy to provide you with a more thorough walk-through.

As we are an experienced single-provider cybersecurity firm, we also offer a variety of related services such as:

Our team can work with you to create a customized compliance roadmap that meets the unique needs of your organization while reducing your audit fatigue—contact us today!

About ROBERT TYLKA

Robert Tylka is a Principal at Schellman. With over 16 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In his portfolio, he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the financial services, information technology, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 500 and publicly traded companies, with a strong focus in the technology sector.