
HDS Compliance for Health Data: Guide for Associations and NGOs

Associations and NGOs handling health data are subject to the HDS framework, often poorly understood in this sector. Discover your actual obligations and the steps to achieve compliance.

Certyneo editorial team · 12 min read

Charitable associations, humanitarian NGOs, and non-profit healthcare and social structures share a common point often underestimated: as soon as they process or host personal health data, they fall under the legal framework of health data hosting (HDS). Yet this sector accumulates a structural delay in compliance, due to lack of dedicated internal resources and insufficient awareness. This article guides you step-by-step to understand what HDS certification involves, identify your real obligations, and activate operational compliance — even with a limited IT team.

What is HDS certification and why are associations concerned?

Under the GDPR (Article 4, §15), health data are personal data relating to the physical or mental health of a person, revealing information about their state of health. This definition is intentionally broad. It covers not only medical records in the clinical sense, but also:

  • Beneficiary data collected during screening campaigns
  • Information on declared disabilities in social assistance files
  • Nutritional or mental health data collected in the context of psychosocial support
  • Results of medical tests or evaluations in the context of humanitarian programmes

An association fighting addictions, a network supporting dependent elderly persons, or an NGO managing field medical consultations all collect data falling into this category.

Law No. 2016-41 of 26 January 2016 (law modernising the health system) established the obligation for certified HDS hosting for any entity that hosts personal health data on behalf of third parties — including associations and NGOs. The certification framework, defined by Decree No. 2018-137 of 26 February 2018, specifies the activities covered and the technical and organisational requirements to be met.

Contrary to a common misconception, being a non-profit structure does not in itself exempt you from the framework. What matters is the nature of the data processed and the fact that hosting is performed on behalf of a third party (a doctor, a patient, a partner structure).

The six HDS activities and their scope for associative structures

HDS certification covers six distinct activities, organised into two blocks:

Infrastructure block (activities 1 to 3)

  • Activity 1: The provision and maintenance in operational condition of physical sites (datacentres)
  • Activity 2: The provision and maintenance in operational condition of material infrastructure
  • Activity 3: The provision and maintenance in operational condition of virtual infrastructure

Software and managed services block (activities 4 to 6)

  • Activity 4: The provision and maintenance in operational condition of the application hosting platform
  • Activity 5: The administration and operation of the health information system
  • Activity 6: Outsourced backup of health data

For an association, the most commonly affected activities are activities 4 to 6, particularly when it uses a third-party SaaS solution to manage its beneficiary files or when it externalises the backup of its databases. It is therefore essential to verify that any SaaS or cloud provider handling your health data is indeed HDS certified for the corresponding activities.

In this context, using an HDS-certified electronic signature solution designed for the health sector allows you to secure sensitive document flows — informed consents, admission forms, dematerialised prescriptions — without exposing the association to compliance risk.

How to concretely enable HDS compliance in your association?

Step 1: Map your health data processing activities

Before any technical approach, you must carry out a precise inventory of all processing involving health data. This exercise falls directly within the obligation to maintain a register of processing activities provided for in Article 30 of the GDPR.

For each processing activity, document:

  • The nature of the data collected (special category under GDPR)
  • The purposes of processing
  • Recipients and sub-processors
  • Hosting methods (internal server, cloud, SaaS)
  • Security measures in place

This mapping allows you to quickly identify high-risk areas and service providers to audit.

Step 2: Audit your service providers and require certification

HDS certification is issued by bodies accredited by COFRAC (French Accreditation Committee). You can verify the certification status of a hosting provider on the ANS (Health Digital Agency) website, which maintains a public list of HDS-certified hosting providers.

Systematically require from your service providers:

  • A copy of the current HDS certificate
  • The exact scope of activities covered
  • Contractual conditions specific to health data protection

Do not settle for a statement of intent: certification must be verifiable and up to date.

Step 3: Update your contracts and DPA

Article 28 of the GDPR requires the conclusion of a Data Processing Agreement (DPA) with any sub-processor processing personal data on your behalf. In the HDS context, this DPA must be supplemented by specific clauses covering:

  • Reinforced confidentiality commitments
  • Obligations to notify incidents within 72 hours
  • Conditions for data return and deletion
  • Data location (imperatively on EEA territory or in a country with an adequacy decision)

Some associations still use paper forms to collect consent from their beneficiaries. Dematerialising these processes via a compliant electronic signature solution allows you to timestamp and authenticate consents, producing legally enforceable proof.

Step 4: Train your teams and appoint a compliance officer

HDS compliance is not a one-off project: it is a continuous process. Appoint an internal point of contact (who may be your DPO if you have one, as required under Article 37 of the GDPR for organisations processing health data on a large scale) and plan regular awareness-raising sessions for teams in contact with sensitive data.

According to a study published by the CNIL in 2024, more than 60% of notified health data breaches involved human error (sending to the wrong recipient, lack of encryption). Training is therefore a risk reduction lever as important as technical measures.

Sector-specific issues for associations: limited resources and budget constraints

The paradox of sensitive data and constrained budgets

Associations and NGOs find themselves in a particular position: they often manage among the most sensitive data (health status of vulnerable persons, refugees, unaccompanied minors) with human and financial resources far below those of the hospital sector or private health companies.

This reality requires adopting a pragmatic and prioritised compliance strategy. In line with ANS recommendations, a three-phase approach is generally suited to small and medium-sized structures:

  1. Emergency phase (0-3 months): identification and neutralisation of critical risks (non-certified hosting providers, lack of encryption)
  2. Consolidation phase (3-12 months): updating contracts, deploying compliant tools, training
  3. Maturity phase (12-24 months): internal audits, continuity plan, annual review of processing activities

The role of electronic signature in associative HDS compliance

Dematerialising sensitive documents is a lever often under-exploited by the associative sector. Yet replacing paper forms with qualified or advanced electronic signature processes offers several advantages:

  • Traceability: each signature is timestamped and associated with a verified identity, facilitating demonstration of the lawfulness of processing
  • Reduced error risk: less manual handling of sensitive documents
  • Secure archiving: electronically signed documents can be preserved in a certified digital safe

For more information on the selection criteria for a solution suited to your structure, consult our comparison of electronic signature solutions which details the differences between market offerings in terms of HDS and eIDAS compliance.

Associations already using an HR management tool or beneficiary file management solution often benefit from checking whether their current solution natively integrates compliant electronic signature. Our guide to electronic signature in enterprise addresses these integration criteria in detail.

Finally, if you have already deployed a signature solution but wish to migrate to an HDS-certified service provider, our migration offer allows you to transfer your data and workflows without service interruption.

Founding texts of the HDS framework

French regulation on health data hosting is based on a stack of texts whose mastery is essential for any association handling medical or medico-social data.

Law No. 2016-41 of 26 January 2016 (law modernising the health system): it established in the Public Health Code (Article L. 1111-8) the obligation to use an HDS-certified hosting provider for any natural or legal person that hosts personal health data on behalf of data subjects or of the entities that process it.

Decree No. 2018-137 of 26 February 2018: it specifies the activities subject to certification, the modalities for issuing and withdrawing certification, as well as the requirements applicable to certifying bodies (COFRAC accreditation mandatory).

Order of 8 August 2017: it sets the security framework applicable to health information systems, which serves as a technical basis for HDS evaluation.

Articulation with the GDPR

Regulation (EU) 2016/679 (GDPR) constitutes the general framework for the protection of personal data. Its provisions apply cumulatively to HDS requirements:

  • Article 9: health data are special categories of data whose processing is prohibited in principle, except for listed exceptions (explicit consent, medical care necessity, public interest, etc.)
  • Article 28: any use of a sub-processor hosting health data must be the subject of a detailed written contract (DPA)
  • Article 32: the association must implement appropriate technical and organisational measures (encryption, pseudonymisation, access control)
  • Article 33: any health data breach must be notified to the CNIL within 72 hours
  • Article 35: a Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to present high risk to individuals' rights

Non-compliance with the HDS framework exposes the association to several levels of sanctions:

  • CNIL administrative sanctions: up to 20 million euros or 4% of global annual turnover (Article 83, §5 of the GDPR) for the most serious violations. For associations, the CNIL assesses the amount considering available resources, but sanctions that were symbolic in amount yet made public have already been imposed on small structures.
  • Criminal liability: Article 226-13 of the Criminal Code provides for up to one year's imprisonment and 15,000 euros in fines for breach of medical confidentiality.
  • Civil liability: aggrieved beneficiaries may engage the association's liability under Articles 1240 et seq. of the Civil Code if demonstrable damage occurs.
  • Suspension of accreditation: associations accredited by public authorities (ARS, departmental council) may have their accreditation withdrawn in case of serious breach of health data protection.

It should also be noted that the NIS2 Directive (EU Directive 2022/2555, transposed into French law by Law No. 2024-449 of 21 May 2024) extends cybersecurity obligations to a wider spectrum of entities, potentially including certain large associations managing critical health infrastructure.

Use cases: HDS compliance in practice for associations and NGOs

Scenario 1: A home care association managing 500 beneficiary files

An association serving dependent elderly persons in several departments manages approximately 500 active files including information on pathologies, ongoing prescriptions and dependency assessments (GIR scale). This data is stored in an associative management software hosted by a non-HDS certified cloud provider.

Following an internal audit triggered by a beneficiary's access request, the association identifies this non-compliance. It initiates a migration to an HDS-certified hosting provider for activities 4 and 5, concludes a compliant DPA with its software provider and deploys an electronic signature solution to dematerialise consent forms and personalised care plans.

Observed results: 70% reduction in consent processing time (from an average of 12 days in paper format to less than 4 days), complete elimination of risks related to loss or incorrect sending of paper documents, and obtaining enhanced cyber insurance coverage thanks to documented compliance.

Scenario 2: An international NGO coordinating field medical missions

An NGO specialising in emergency medical care collects, in the context of its missions, health data on beneficiary populations in several countries, with data transmitted to a centralised server in France. The IT team consists of two volunteer persons.

Unable to maintain an in-house HDS-certified infrastructure, the NGO opts for a 100% SaaS architecture with an HDS-certified hosting provider covering activities 1 to 6. It implements an electronic signature process for medical protocols and consent forms adapted to areas of low connectivity (signature in offline mode, synchronised once a connection is available).

Observed results: HDS and GDPR compliance achieved in less than 6 months without additional IT recruitment, estimated 40% savings compared to an in-house hosted infrastructure, and ability to respond to institutional calls for projects (AFD, European Union) requiring certification of data compliance.

Scenario 3: An associative network managing community health centres

A grouping of associations running several community health centres (approximately 8,000 active patients) uses shared patient record software between different sites. Coordination between sites involves exchange of health data via unsecured email, in direct violation of the HDS framework.

The association undertakes a comprehensive overhaul of its information system with the support of an HDS-certified provider, implements secure health messaging (MSSanté), and dematerialises all its admission and consent forms via an eIDAS-compliant electronic signature platform. A DPIA is conducted for each high-risk processing activity.

Observed results: zero data breaches notified to the CNIL over the 18 months following compliance (versus two minor incidents in the preceding period), average admission time reduced by 35%, and improved patient record completion rate by 22% thanks to elimination of incomplete paper forms.

Conclusion

Enabling HDS compliance for health data in the associative and NGO sector is not an option reserved for large hospital structures: it is a legal obligation that applies to any entity, regardless of its size or legal status, as soon as it hosts or processes personal health data. Ignorance of the framework does not exempt responsibility.

The good news: a structured four-step approach — mapping, provider auditing, contractual updating, training — allows you to achieve a solid level of compliance even with limited resources. Dematerialising consents and sensitive documents via an HDS-certified electronic signature solution is a particularly effective lever for reducing risks while improving operational efficiency.

Certyneo offers an eIDAS-compliant electronic signature platform, adapted to the constraints of the associative sector and hosted on HDS-certified infrastructure. Contact our team for a free audit of your documentary situation and discover how to secure your health data flows today.
