
HDS Compliance for Health Data: Guide for Associations and NGOs

Associations and NGOs handling health data are subject to the HDS framework, often misunderstood in this sector. Discover your actual obligations and the steps to achieve compliance.

Certyneo editorial team · 12 min read

Editor — Certyneo

Charitable associations, humanitarian NGOs, and non-profit healthcare and social structures share one commonly underestimated characteristic: as soon as they process or store personal health data, they fall under the legal framework of health data hosting (HDS). Yet this sector lags structurally on compliance, owing to a lack of dedicated internal resources and insufficient awareness. This article guides you step by step through understanding what HDS certification entails, identifying your actual obligations, and putting operational compliance in place — even with a limited IT team.

What is HDS certification and why are associations concerned?

Under the GDPR (Article 4(15)), health data means personal data relating to the physical or mental health of an individual that reveals information about their health status. This definition is intentionally broad. It covers not only medical records in the clinical sense, but also:

  • Data on beneficiaries collected during screening campaigns
  • Information on disabilities declared in social assistance files
  • Nutritional or mental health data collected in a psychosocial support context
  • Results of tests or medical assessments in humanitarian programmes

An association fighting addiction, a support network for dependent elderly people, or an NGO providing on-site medical consultations all collect data falling into this category.

Law No. 2016-41 of 26 January 2016 (Law on Modernisation of the Health System) established the obligation for HDS-certified hosting for any entity that hosts personal health data on behalf of third parties — including associations and NGOs. The certification standard, defined by Decree No. 2018-137 of 26 February 2018, specifies the activities covered and the technical and organisational requirements to be met.

Contrary to popular belief, there is no exemption simply because a structure is non-profit. What matters is the nature of the data processed and the fact that hosting is carried out on behalf of a third party (a doctor, a patient, a partner structure).

The six HDS activities and their scope for associative structures

HDS certification covers six distinct activities, organised in two blocks:

Infrastructure block (activities 1 to 3)

  • Activity 1: Provision and maintenance of physical sites (datacentres)
  • Activity 2: Provision and maintenance of hardware infrastructure
  • Activity 3: Provision and maintenance of virtual infrastructure

Software and managed services block (activities 4 to 6)

  • Activity 4: Provision and maintenance of the application hosting platform
  • Activity 5: Administration and operation of the health information system
  • Activity 6: Externally hosted data backup for health data

For an association, the most frequently affected activities are activities 4 to 6, particularly when using a third-party SaaS solution to manage beneficiary files or when outsourcing database backups. It is therefore essential to verify that any SaaS or cloud provider handling your health data is properly HDS-certified for the corresponding activities.

In this context, using an HDS-certified electronic signature solution in the health sector makes it possible to secure sensitive document flows — informed consents, admission forms, digitalised prescriptions — without exposing the association to a compliance risk.

How to practically activate HDS compliance in your association?

Step 1: Map your health data processing

Before any technical approach, you must conduct a precise inventory of all processing involving health data. This exercise fits directly within the obligation to maintain a register of processing provided for by Article 30 of the GDPR.

For each processing activity, document:

  • The nature of data collected (special category under GDPR)
  • The purposes of the processing
  • Recipients and sub-processors
  • Means of hosting (internal server, cloud, SaaS)
  • Security measures in place

This mapping allows you to quickly identify high-risk areas and providers to audit.

Step 2: Audit your providers and require certification

HDS certification is issued by bodies accredited by COFRAC (the French accreditation committee). You can verify a hoster's certification status on the website of the ANS (Agence du Numérique en Santé, the French health digital agency), which maintains a public list of HDS-certified hosters.

Systematically require from your providers:

  • A copy of the current HDS certificate
  • The exact scope of activities covered
  • Specific contractual conditions for health data protection

Do not settle for a statement of intent: certification must be verifiable and current.

Step 3: Update your contracts and DPA

Article 28 of the GDPR requires the conclusion of a Data Processing Agreement (DPA) with any processor handling personal data on your behalf. In the HDS context, this DPA must be supplemented with specific clauses covering:

  • Reinforced confidentiality commitments
  • Obligations to notify incidents within 72 hours
  • Conditions for data return and deletion
  • Data location (necessarily in the EEA or in a country with an adequacy decision)

Some associations still use paper forms to collect beneficiary consent. Digitalising these processes through a compliant electronic signature solution makes it possible to timestamp and authenticate consents, producing legally enforceable evidence.

Step 4: Train your teams and designate a compliance focal point

HDS compliance is not a one-off project: it is a continuous process. Designate an internal focal point (who could be your DPO if you have one, in accordance with the obligation under Article 37 of the GDPR for organisations processing health data on a large scale) and arrange regular awareness sessions for teams in contact with sensitive data.

According to a study published by CNIL in 2024, more than 60% of notified health data breaches involved human error (sending to the wrong recipient, failure to encrypt). Training is therefore a risk reduction lever as important as technical measures.

Sector-specific challenges: limited resources and budget constraints

The paradox of sensitive data and constrained budgets

Associations and NGOs are in a unique position: they often manage some of the most sensitive data there is (health status of vulnerable people, refugees, unaccompanied minors) with human and financial resources far smaller than those of the hospital sector or private health companies.

This reality requires adopting a pragmatic and prioritised compliance strategy. According to ANS recommendations, a three-phase approach is generally advised for small and medium-sized structures:

  1. Emergency phase (0-3 months): identification and neutralisation of critical risks (non-certified hosters, lack of encryption)
  2. Consolidation phase (3-12 months): contract updates, deployment of compliant tools, training
  3. Maturity phase (12-24 months): internal audits, business continuity plan, annual review of processing

The role of electronic signature in associative HDS compliance

Digitalising sensitive documents is a lever often underexploited by the associative sector. Yet replacing paper forms with qualified or advanced electronic signature processes offers several benefits:

  • Traceability: each signature is timestamped and associated with a verified identity, making it easier to demonstrate the lawfulness of processing
  • Error reduction: less manual manipulation of sensitive documents
  • Secure archiving: electronically signed documents can be stored in a certified digital safe

For more details on the criteria for selecting a solution suited to your structure, see our comparison of electronic signature solutions, which details the differences between market offerings in terms of HDS and eIDAS compliance.

Associations already using an HR or beneficiary management tool often benefit from checking whether their current solution natively integrates compliant electronic signature. Our guide to electronic signature in business addresses these integration criteria in detail.

Finally, if you have already deployed a signature solution but wish to migrate to an HDS-certified provider, our migration offer allows you to transfer your data and workflows without service interruption.

Founding texts of the HDS framework

French regulation on health data hosting is based on a set of texts whose mastery is essential for any association handling medical or healthcare and social data.

Law No. 2016-41 of 26 January 2016 (Law on Modernisation of the Health System): it established in the Public Health Code (Article L. 1111-8) the obligation to use an HDS-certified hoster for any natural or legal person hosting personal health data on behalf of data subjects or entities processing it.

Decree No. 2018-137 of 26 February 2018: it clarifies the activities subject to certification, the procedures for issuing and withdrawing certification, and the requirements applicable to certifying bodies (mandatory COFRAC accreditation).

Order of 8 August 2017: it sets out the security standard applicable to health information systems, which serves as the technical basis for HDS evaluation.

Articulation with the GDPR

Regulation (EU) 2016/679 (GDPR) constitutes the general framework for personal data protection. Its provisions apply cumulatively to HDS requirements:

  • Article 9: health data are special categories of data whose processing is prohibited in principle, except for listed exceptions (explicit consent, necessity for healthcare provision, public interest, etc.)
  • Article 28: any use of a sub-processor hosting health data must be subject to a detailed written contract (DPA)
  • Article 32: the association must implement appropriate technical and organisational measures (encryption, pseudonymisation, access control)
  • Article 33: any health data breach must be notified to CNIL within 72 hours
  • Article 35: a Data Protection Impact Assessment (DPIA) is mandatory when processing is likely to result in a high risk to individuals' rights

Non-compliance with the HDS framework exposes the association to several levels of penalties:

  • CNIL administrative sanctions: up to EUR 20 million or 4% of annual global turnover (Article 83(5) of the GDPR) for the most serious violations. For associations, CNIL sets the amount taking available resources into account, but symbolic yet public penalties have already been imposed on small structures.
  • Criminal liability: Article 226-13 of the Penal Code provides for up to one year's imprisonment and EUR 15,000 in fines for breach of medical confidentiality.
  • Civil liability: affected beneficiaries may engage the association's liability on the basis of Articles 1240 et seq. of the Civil Code if demonstrable harm occurs.
  • Suspension of approval: associations approved by public authorities (ARS, departmental councils) may have their approval withdrawn in case of serious breach of health data protection.

It should also be noted that the NIS2 Directive (EU Directive 2022/2555, transposed into French law by Law No. 2024-449 of 21 May 2024) extends cybersecurity obligations to a broader spectrum of entities, potentially including certain large associations managing critical health infrastructure.

Use scenarios: HDS compliance in practice for associations and NGOs

Scenario 1: A home-care association managing 500 beneficiary files

An association providing services to dependent elderly people across several departments manages around 500 active files including information on pathologies, current prescriptions and dependency assessments (GIR grid). This data is stored in association management software hosted by a cloud provider that is not HDS-certified.

Following an internal audit triggered by a beneficiary's access request, the association identifies this non-compliance. It initiates migration to an HDS-certified hoster for activities 4 and 5, concludes a compliant DPA with its software provider, and deploys an electronic signature solution to digitalise consent forms and personalised care plans.

Results observed: 70% reduction in consent processing time (from an average of 12 days in paper format to less than 4 days), complete elimination of risks related to loss or incorrect transmission of paper documents, and enhanced cyber insurance coverage thanks to documented compliance.

Scenario 2: An international NGO coordinating field medical missions

An NGO specialising in emergency medical care collects health data, as part of its missions, on beneficiary populations in several countries, some of which is transmitted to a centralised server in France. The IT team consists of two volunteers.

Faced with the impossibility of maintaining an in-house HDS-certified infrastructure, the NGO opts for a 100% SaaS architecture with an HDS-certified hoster covering activities 1 to 6. It implements an electronic signature process for medical protocols and consent forms adapted to areas of low connectivity (an offline signature mode with later synchronisation).

Results observed: HDS and GDPR compliance achieved in less than 6 months without additional IT recruitment, estimated 40% cost savings compared to in-house hosted infrastructure, and ability to respond to institutional calls for proposals (AFD, European Union) requiring data compliance certification.

Scenario 3: An associative network managing community health centres

A group of associations bringing together several community health centres (approximately 8,000 active patients) uses shared patient record software across different sites. Coordination between sites involves exchanges of health data via unsecured messaging, in direct violation of the HDS standard.

The association undertakes a redesign of its information system with the support of an HDS-certified provider, implements secure health messaging (MSSanté), and digitalises all its admission and consent forms using an eIDAS-compliant electronic signature platform. A DPIA is conducted for each high-risk processing activity.

Results observed: zero data breaches notified to CNIL over the following 18 months (compared to two minor incidents in the previous period), average admission time reduced by 35%, and improved patient file completion rate by 22% thanks to the elimination of incomplete paper forms.

Conclusion

Activating HDS compliance for health data in the associative and NGO sector is not an option reserved for large hospital structures: it is a legal obligation that applies to any entity, regardless of size or legal status, as soon as it hosts or processes personal health data. Lack of knowledge of the framework does not exempt from responsibility.

The good news: a structured approach in four steps — mapping, provider audit, contract updates, training — enables a solid level of compliance even with limited resources. Digitalising consents and sensitive documents via an HDS-certified eIDAS-compliant electronic signature solution is a particularly effective lever for reducing risks whilst improving operational efficiency.

Certyneo offers an eIDAS-compliant electronic signature platform, adapted to the constraints of the associative sector and hosted on HDS-certified infrastructure. Contact our team for a free audit of your documentation situation and discover how to secure your health data flows today.
