HDS Compliance for Health Data: Guide for Associations and NGOs
Associations and NGOs that handle health data fall under the HDS framework, an obligation this sector often overlooks. This guide sets out the actual obligations and the steps to reach compliance.
By the Certyneo editorial team
Charitable associations, humanitarian NGOs and non-profit medico-social structures share a point that is often underestimated: as soon as they process or host personal health data, they fall within the legal framework of health data hosting (HDS). Yet this sector lags structurally behind on compliance, for lack of dedicated internal resources and of awareness. This article walks you through what HDS certification entails, how to identify your actual obligations and how to put compliance into practice, even with a small IT team.
What is HDS certification and why are associations concerned?
The legal definition of health data
Under the GDPR (Article 4, §15), health data is personal data relating to the physical or mental health of a person, revealing information about their state of health. This definition is intentionally broad. It covers not only medical files in the clinical sense, but also:
- Data on beneficiaries collected during screening campaigns
- Information on disabilities declared in social assistance files
- Nutritional or mental health data collected in a psychosocial support context
- Results of tests or medical evaluations within humanitarian programmes
An association fighting addictions, a support network for dependent elderly people or an NGO managing field medical consultations all collect data falling into this category.
The HDS system: legal obligation, not option
Law No. 2016-41 of 26 January 2016 (law on modernising the health system) established the obligation to use certified HDS hosting for any entity that hosts personal health data on behalf of third parties — including associations and NGOs. The certification framework, defined by Decree No. 2018-137 of 26 February 2018, clarifies the activities covered and the technical and organisational requirements to be satisfied.
Contrary to a common misconception, there is no exemption simply because you are a non-profit structure. What matters is the nature of the data and the fact that hosting is carried out on behalf of a third party (a patient, a doctor, a partner structure). Note that the certification obligation rests on the host: an association that keeps its own data on its own servers, for its own use, does not have to be certified itself, but as soon as it entrusts that data to a provider (cloud, SaaS, external backup), that provider must hold a current HDS certificate for the activities it performs.
The six HDS activities and their scope for associative structures
HDS certification covers six distinct activities, organised in two blocks:
Infrastructure block (Activities 1 to 3)
- Activity 1: The provision and maintenance in operational condition of physical sites (datacentres)
- Activity 2: The provision and maintenance in operational condition of hardware infrastructure
- Activity 3: The provision and maintenance in operational condition of virtual infrastructure
Software and managed services block (Activities 4 to 6)
- Activity 4: The provision and maintenance in operational condition of the application hosting platform
- Activity 5: Administration and operation of the health information system
- Activity 6: Externalised backup of health data
For an association, the most frequently affected activities are Activities 4 to 6, particularly when it uses a third-party SaaS solution to manage beneficiary files or when it externalises the backup of its databases. It is therefore essential to verify that any SaaS or cloud provider handling your health data is properly certified HDS for the corresponding activities.
In this context, using a health sector electronic signature solution certified HDS enables you to secure sensitive document flows — informed consents, admission forms, digitalised prescriptions — without exposing the association to a risk of non-compliance.
How to practically activate HDS compliance in your association?
Step 1: Map your health data processing activities
Before any technical approach, you must conduct a precise inventory of all processing involving health data. This exercise falls directly within the obligation to maintain a register of processing activities as required by Article 30 of the GDPR.
For each processing activity, document:
- The nature of data collected (special category under GDPR)
- The purposes of processing
- Recipients and sub-processors
- Hosting means (internal server, cloud, SaaS)
- Security measures in place
This mapping allows you to quickly identify risk areas and sub-processors to audit.
Step 2: Audit your sub-processors and require certification
HDS certification is issued by bodies accredited by COFRAC (French Committee for Accreditation). You can verify the certification status of a host on the ANS (Digital Health Agency) website, which maintains a public list of HDS-certified hosts.
Systematically require from your sub-processors:
- A copy of the current HDS certificate
- The exact scope of covered activities
- Specific contractual conditions for health data protection
Do not settle for a declaration of intent: certification must be verifiable and up to date.
Step 3: Update your contracts and DPAs
Article 28 of the GDPR requires the conclusion of a Data Processing Agreement (DPA) with any sub-processor processing personal data on your behalf. In the HDS context, this DPA must be supplemented by specific clauses covering:
- Enhanced confidentiality commitments
- An obligation for the sub-processor to notify you of any personal data breach without undue delay (Article 33, §2 of the GDPR), with a contractual deadline short enough for the association to meet its own 72-hour notification window to the CNIL
- Conditions for returning and deleting data
- Data location and, where data leaves the EEA, the legal basis for the transfer under Chapter V of the GDPR (adequacy decision, standard contractual clauses or another recognised mechanism)
Some associations still use paper forms to collect beneficiary consent. Digitalising these processes via a compliant electronic signature solution enables you to timestamp and authenticate consents, producing legally binding evidence.
Step 4: Train your teams and designate a compliance officer
HDS compliance is not a one-off project: it is a continuous process. Designate an internal contact (which may be your DPO if you have one; under Article 37 of the GDPR, appointing a DPO is mandatory when your core activities consist of large-scale processing of special categories of data such as health data) and plan regular awareness sessions for teams in contact with sensitive data.
According to a study published by the CNIL in 2024, over 60% of notified health data breaches involved human error (sending to the wrong recipient, lack of encryption). Training is therefore as important a risk reduction lever as technical measures.
Specific issues for the associative sector: limited resources and budget constraints
The paradox of sensitive data and constrained budgets
Associations and NGOs find themselves in a particular position: they often manage among the most sensitive data (health status of vulnerable people, refugees, unaccompanied minors) with human and financial resources far inferior to those of the hospital sector or private health companies.
This reality calls for a pragmatic, prioritised compliance strategy. In line with ANS guidance for small and medium-sized structures, a three-phase approach works well:
- Emergency phase (0-3 months): identification and neutralisation of critical risks (non-certified hosts, lack of encryption)
- Consolidation phase (3-12 months): contract updates, deployment of compliant tools, training
- Maturity phase (12-24 months): internal audits, continuity plan, annual review of processing
The role of electronic signature in associative HDS compliance
The digitalisation of sensitive documents is a lever often underexploited by the associative sector. Yet replacing paper forms with qualified or advanced electronic signature processes offers several advantages:
- Traceability: each signature is timestamped and associated with a verified identity, facilitating demonstration of lawful processing
- Reduced error risk: less manual handling of sensitive documents
- Secure archiving: electronically signed documents can be kept in a certified digital safe
For more information on the selection criteria for a solution adapted to your structure, see our comparison of electronic signature solutions which details the differences between market offerings in terms of HDS and eIDAS compliance.
Associations already using an HR tool or beneficiary file management tool often have an interest in verifying whether their current solution natively integrates compliant electronic signature. Our corporate electronic signature guide addresses these integration criteria in detail.
Finally, if you have already deployed a signature solution but wish to migrate to an HDS-certified provider, our migration offer allows you to transfer your data and workflows without service interruption.
Legal framework applicable to health data hosting for associations and NGOs
Founding texts of the HDS framework
French regulation on health data hosting is based on a series of texts that must be mastered by any association handling medical or medico-social data.
Law No. 2016-41 of 26 January 2016 (law on modernising the health system): it incorporated into the Public Health Code (Article L. 1111-8) the obligation to use a certified HDS host for any natural or legal person who hosts personal health data on behalf of data subjects or entities processing it.
Decree No. 2018-137 of 26 February 2018: it clarifies the activities subject to certification, the procedures for issuing and withdrawing certification, and the requirements applicable to certification bodies (mandatory COFRAC accreditation).
Order of 8 August 2017: it sets the security reference framework applicable to health information systems, which serves as the technical basis for HDS evaluation.
Interface with the GDPR
Regulation (EU) 2016/679 (GDPR) constitutes the general framework for personal data protection. Its provisions apply cumulatively to HDS requirements:
- Article 9: health data are special categories of data whose processing is prohibited in principle, except for listed exceptions (explicit consent, necessity for health care, public interest, etc.)
- Article 28: any use of a sub-processor hosting health data must be the subject of a detailed written contract (DPA)
- Article 32: the association must implement appropriate technical and organisational measures (encryption, pseudonymisation, access control)
- Article 33: a health data breach must be notified to the CNIL within 72 hours of the association becoming aware of it, unless it is unlikely to result in a risk to individuals; where the risk is high, the affected persons must also be informed (Article 34)
- Article 35: a Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to pose a high risk to the rights of individuals
Legal risks in case of non-compliance
Non-compliance with the HDS framework exposes the association to several levels of sanctions:
- CNIL administrative sanctions: up to €20 million or 4% of annual global turnover (Article 83, §5 of the GDPR) for the most serious violations. For associations, the CNIL assesses the amount taking into account available resources, but symbolic yet public sanctions have already been imposed against small structures.
- Criminal liability: Article 226-13 of the Criminal Code punishes breach of professional secrecy, which covers medical confidentiality, with up to one year's imprisonment and a €15,000 fine.
- Civil liability: injured beneficiaries can engage the association's liability under Articles 1240 et seq. of the Civil Code in case of demonstrable harm.
- Suspension of accreditation: associations accredited by public authorities (ARS, department councils) may be stripped of their accreditation in the event of serious breach of health data protection.
It should also be noted that the NIS2 directive (EU Directive 2022/2555), whose transposition into French law is carried by dedicated cybersecurity legislation separate from the HDS framework, extends cybersecurity obligations to a wider range of entities in the health sector, potentially including certain large associations operating critical health infrastructure.
Use cases: HDS compliance in practice for associations and NGOs
Scenario 1: A home care association managing 500 beneficiary files
An association supporting dependent elderly people in several departments manages about 500 active files including information on pathologies, current prescriptions and dependency assessments (GIR scale). This data is stored in association management software hosted by a non-HDS-certified cloud provider.
Following an internal audit triggered by a beneficiary's access request, the association identifies this non-compliance. It begins migration to an HDS-certified host for Activities 4 and 5, concludes a compliant DPA with its software provider and deploys an electronic signature solution to digitalise consent forms and personalised care plans.
Observed results: 70% reduction in consent processing time (from an average of 12 days on paper to less than 4 days), elimination of the risk of lost or misdirected paper documents, and enhanced cyber insurance coverage obtained thanks to documented compliance.
Scenario 2: An international NGO coordinating field medical missions
An NGO specialising in emergency medical care collects, in the context of its missions, health data on beneficiary populations in several countries, including data transmitted to a centralised server in France. The IT team consists of two volunteer staff.
Faced with the impossibility of maintaining in-house HDS-certified infrastructure, the NGO opts for a 100% SaaS architecture with an HDS-certified host covering Activities 1 to 6. It implements an electronic signature process for medical protocols and consent forms adapted to areas of low connectivity (offline signature synchronised).
Observed results: HDS and GDPR compliance achieved in less than 6 months without additional IT recruitment, estimated 40% cost savings compared to in-house infrastructure, and ability to respond to institutional calls for projects (AFD, European Union) requiring data compliance certification.
Scenario 3: An associative network managing community health centres
A grouping association bringing together several community health centres (approximately 8,000 active patients) uses patient record software shared between sites. Coordination between sites involves exchanging health data by ordinary, unencrypted email, contrary to Article 32 of the GDPR and to the security requirements applicable to health information systems.
The association undertakes a redesign of its information system with the support of an HDS-certified provider, implements secure health messaging (MSSanté), and digitalises all its admission and consent forms via an eIDAS-compliant electronic signature platform. A DPIA is conducted for each high-risk processing activity.
Observed results: zero data breaches notified to the CNIL over the 18 months following compliance implementation (compared to two minor incidents in the previous period), average admission time reduced by 35%, and improved patient file completion rate by 22% through elimination of incomplete paper forms.
Conclusion
Achieving HDS compliance for health data in the associative and NGO sector is not an option reserved for large hospital structures: it is a legal obligation that applies regardless of size or legal status. Any provider that hosts personal health data on your behalf must be HDS-certified, and it is your responsibility as controller to use only such providers. Lack of awareness does not exempt you from that responsibility.
The good news: a structured four-step approach — mapping, sub-processor audit, contract updates, training — enables you to achieve solid compliance even with limited resources. Digitalising consents and sensitive documents via a certified eIDAS electronic signature solution is a particularly effective lever for reducing risks whilst improving operational efficiency.
Certyneo offers an eIDAS-compliant electronic signature platform, adapted to the constraints of the associative sector and hosted on HDS-certified infrastructure. Contact our team for a free audit of your document situation and discover how to secure your health data flows today.