The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification. In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard. On May 16, 2024, France officially published an updated version of this “HDS” certification standard.
Key Changes
The updated standard includes a few clarifications, for instance on the activities for which hosting providers have to obtain certification (in particular the activity of “administering and operating healthcare systems”), or regarding the contractual obligations of the hosting provider.
It also incorporates changes previously made to the ISO 27001 standard into the HDS certification standard.
Importantly, it features new requirements in terms of sovereignty, in particular:
- a requirement to restrict the storage of health data to the territory of an EEA member state; and
- transparency requirements vis-à-vis the hosting provider’s customers in the event of transfers outside the EEA (e.g., in the form of remote access to the data).
Entry into force
As of November 16, 2024, new applicants for HDS certification will be assessed against this new version of the HDS certification standard.
French authorities also highlighted that hosting providers that are already HDS-certified will need to renew their HDS certification according to the updated standard within 24 months, i.e., by May 16, 2026 at the latest.