HDS Compliance for Health Data: Guide for Associations and NGOs

Associations and NGOs handling health data are subject to the HDS framework, often misunderstood in this sector. Discover the real obligations and steps to achieve compliance.

Équipe éditoriale Certyneo · 12 min read

Charitable associations, humanitarian NGOs, and non-profit healthcare and social structures share a commonly underestimated trait: the moment they process or host personal health data, they fall under the legal framework for health data hosting (HDS). Yet this sector lags structurally in compliance, for want of dedicated internal resources and sufficient awareness. This article guides you step by step to understand what HDS certification entails, identify your real obligations, and set up an operational compliance process — even with a limited IT team.

What is HDS certification and why are associations concerned?

Under the GDPR (Article 4, §15), health data are personal data relating to the physical or mental health of a person, revealing information about their state of health. This definition is intentionally broad. It covers not only medical records in the clinical sense, but also:

  • Beneficiary data collected during screening campaigns
  • Information on disabilities declared in social assistance files
  • Nutritional or mental health data collected in a psychosocial support context
  • Results of tests or medical assessments within humanitarian programs

An association fighting addictions, a support network for dependent elderly persons, or an NGO managing field medical consultations all collect data falling into this category.

Law n° 2016-41 of January 26, 2016 (law on the modernization of the health system) established the obligation of certified HDS hosting for any entity that hosts personal health data on behalf of third parties — including associations and NGOs. The certification framework, defined by Decree n° 2018-137 of February 26, 2018, specifies the covered activities and the technical and organizational requirements to be met.

Contrary to a common misconception, there is no exemption simply because the structure is non-profit. What matters is the nature of the data processed and the fact that hosting is performed on behalf of a third party (a doctor, a patient, a partner organization).

The six HDS activities and their scope for associative structures

HDS certification covers six distinct activities, organized into two blocks:

Infrastructure block (activities 1 to 3)

  • Activity 1: Provision and maintenance in operational condition of physical sites (datacenters)
  • Activity 2: Provision and maintenance in operational condition of hardware infrastructure
  • Activity 3: Provision and maintenance in operational condition of virtual infrastructure

Software and managed services block (activities 4 to 6)

  • Activity 4: Provision and maintenance in operational condition of the application hosting platform
  • Activity 5: Administration and operation of the health information system
  • Activity 6: Externalized backup of health data

For an association, the most frequently affected activities are activities 4 to 6, particularly when it uses a third-party SaaS solution to manage beneficiary files or when it outsources database backup. It is therefore essential to verify that any SaaS or cloud provider handling your health data is properly certified HDS for the corresponding activities.

In this context, using an HDS-certified electronic signature solution designed for the health sector makes it possible to secure sensitive document flows — informed consents, admission forms, digitized prescriptions — without exposing the association to non-compliance risk.

How to concretely activate HDS compliance in your association?

Step 1: Map your health data processing

Before any technical approach, a precise inventory of all processing involving health data must be carried out. This exercise is directly part of the obligation to maintain a processing register provided for in Article 30 of the GDPR.

For each processing activity, document:

  • The nature of data collected (special category under GDPR)
  • The purposes of processing
  • Recipients and sub-processors
  • Hosting means (internal server, cloud, SaaS)
  • Security measures in place

This mapping allows you to quickly identify risk areas and providers to audit.

Step 2: Audit your providers and require certification

HDS certification is issued by organizations accredited by COFRAC (French Committee for Accreditation). You can verify a hoster's certification status on the ANS website (Health Digital Agency), which maintains a public list of HDS-certified hosters.

Systematically require from your providers:

  • A copy of the current valid HDS certificate
  • The exact scope of covered activities
  • Contractual terms specific to health data protection

Do not settle for a declaration of intent: certification must be verifiable and current.

Step 3: Update your contracts and DPA

Article 28 of the GDPR requires the conclusion of a Data Processing Agreement (DPA) with any sub-processor handling personal data on your behalf. In the HDS context, this DPA must be supplemented by specific clauses covering:

  • Enhanced confidentiality commitments
  • Obligation to notify incidents within 72 hours
  • Conditions for data return and deletion
  • Data location (necessarily on EEA territory or in a country with an adequacy decision)

Some associations still use paper forms to collect beneficiary consent. Digitalizing these processes via a compliant electronic signature solution makes it possible to timestamp and authenticate consents, producing legally enforceable proof.

Step 4: Train your teams and designate a compliance focal point

HDS compliance is not a one-time project: it is an ongoing process. Designate an internal focal point (who may be your DPO if you have one, in accordance with the obligation provided in Article 37 of the GDPR for organizations processing large-scale health data) and schedule regular awareness sessions for teams in contact with sensitive data.

According to a study published by CNIL in 2024, more than 60% of health data breaches reported involved human error (sending to the wrong recipient, absence of encryption). Training is therefore a risk reduction lever as important as technical measures.

Specific challenges for the associative sector: limited resources and budget constraints

The paradox of sensitive data and limited budgets

Associations and NGOs find themselves in a particular position: they often manage some of the most sensitive data (health status of vulnerable people, refugees, unaccompanied minors) with human and financial resources far inferior to those of the hospital sector or private health companies.

This reality calls for a pragmatic and prioritized compliance strategy. In line with ANS recommendations, a three-phase approach is generally advised for small and medium-sized structures:

  1. Emergency phase (0-3 months): identification and mitigation of critical risks (non-certified hosters, absence of encryption)
  2. Consolidation phase (3-12 months): contract updates, deployment of compliant tools, training
  3. Maturity phase (12-24 months): internal audits, continuity plan, annual review of processing

The role of electronic signature in associative HDS compliance

Dematerialization of sensitive documents is a lever often underexploited by the associative sector. Yet replacing paper forms with qualified or advanced electronic signature processes offers several advantages:

  • Traceability: each signature is timestamped and associated with a verified identity, facilitating proof of the lawfulness of processing
  • Error reduction: less manual handling of sensitive documents
  • Secure archiving: electronically signed documents can be preserved in a certified digital safe

For more information on the selection criteria for a solution suited to your organization, consult our comparison of electronic signature solutions that details market offer differences in terms of HDS compliance and eIDAS.

Associations already using an HR or beneficiary file management tool often have an interest in checking whether their current solution natively integrates compliant electronic signature. Our guide to electronic signatures in business addresses these integration criteria in detail.

Finally, if you have already deployed a signature solution but wish to migrate to an HDS-certified provider, our migration offer allows you to transfer your data and workflows without service interruption.

Founding texts of the HDS framework

French regulation on health data hosting is based on a stack of texts whose mastery is essential for any association handling medical or healthcare and social data.

Law n° 2016-41 of January 26, 2016 (law on the modernization of the health system): it enshrined in the Public Health Code (Article L. 1111-8) the obligation to use a certified HDS hoster for any natural or legal person that hosts personal health data on behalf of data subjects or entities processing it.

Decree n° 2018-137 of February 26, 2018: it specifies the activities subject to certification, the procedures for issuing and withdrawing certification, as well as the requirements applicable to certifying bodies (COFRAC accreditation mandatory).

Order of August 8, 2017: it sets the security framework applicable to health information systems, which serves as the technical foundation for HDS assessment.

Articulation with the GDPR

Regulation (EU) 2016/679 (GDPR) constitutes the general framework for personal data protection. Its provisions apply cumulatively to HDS requirements:

  • Article 9: health data are special categories of data whose processing is prohibited in principle, except for listed exceptions (explicit consent, necessity for healthcare, public interest, etc.)
  • Article 28: any use of a sub-processor hosting health data must be subject to a detailed written contract (DPA)
  • Article 32: the association must implement appropriate technical and organizational measures (encryption, pseudonymization, access controls)
  • Article 33: any health data breach must be reported to CNIL within 72 hours
  • Article 35: a Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to entail a high risk to the rights of data subjects

Non-compliance with the HDS framework exposes the association to several levels of sanctions:

  • CNIL administrative sanctions: up to €20 million or 4% of annual global revenue (Article 83, §5 of GDPR) for the most serious violations. For associations, CNIL sets the amount with regard to available resources, but symbolic yet public sanctions have already been imposed on small structures.
  • Criminal liability: Article 226-13 of the Criminal Code provides for up to one year of imprisonment and a €15,000 fine for breach of medical confidentiality.
  • Civil liability: affected beneficiaries can hold the association liable on the basis of Articles 1240 et seq. of the Civil Code if demonstrable damage exists.
  • License suspension: associations approved by public authorities (ARS, departmental council) may have their approval withdrawn in case of serious breach of health data protection.

It should also be noted that the NIS2 Directive (EU Directive 2022/2555, transposed in France by Law n° 2024-449 of May 21, 2024) extends cybersecurity obligations to a broader spectrum of entities, potentially including some large associations managing critical health infrastructure.

Use cases: HDS compliance in practice for associations and NGOs

Scenario 1: A home care association managing 500 beneficiary files

An association serving dependent elderly people in several departments manages approximately 500 active files including information on pathologies, current prescriptions, and dependency assessments (GIR scale). This data is stored in an association management software hosted by a non-HDS-certified cloud provider.

Following an internal audit triggered by a data subject access request, the association identifies this non-compliance. It launches a migration to an HDS-certified hoster for activities 4 and 5, concludes a compliant DPA with its software provider, and deploys an electronic signature solution to digitalize consent forms and personalized care plans.

Results observed: 70% reduction in consent processing time (from 12 days average in paper format to less than 4 days), complete elimination of risks linked to loss or incorrect sending of paper documents, and enhanced cyber insurance coverage thanks to documented compliance.

Scenario 2: An international NGO coordinating field medical missions

An NGO specializing in emergency medical care collects, within its mission context, health data on beneficiary populations in several countries, including data transmitted to a centralized server in France. The IT team is composed of two volunteer staff.

Faced with the impossibility of maintaining in-house HDS-certified infrastructure, the NGO opts for a 100% SaaS architecture with an HDS-certified hoster covering activities 1 to 6. It implements an electronic signature process for medical protocols and consent forms adapted to low-connectivity areas (offline signature mode with later synchronization).

Results observed: HDS and GDPR compliance achieved in less than 6 months without additional IT recruitment, estimated savings of 40% compared to in-house hosted infrastructure, and ability to respond to institutional calls for projects (AFD, European Union) requiring certification of data compliance.

Scenario 3: An associative network managing community health centers

A network of associations managing several community health centers (approximately 8,000 active patients) uses shared patient file software across different sites. Coordination between sites involves health data exchanges via unsecured messaging, in direct violation of the HDS framework.

The association launches an overhaul of its information system with the support of an HDS-certified provider, implements secure health messaging (MSSanté), and digitalizes all its admission and consent forms via a compliant electronic signature platform. A DPIA is conducted for each high-risk processing.

Results observed: zero data breaches reported to CNIL over the 18 months following compliance implementation (versus two minor incidents in the previous period), average admission time reduced by 35%, and improvement in patient file completion rate of 22% thanks to elimination of incomplete paper forms.

Conclusion

Activating HDS compliance for health data in the associative and NGO sector is not an option reserved for large hospital structures: it is a legal obligation that applies to any entity, regardless of its size or legal status, as soon as it hosts or processes personal health data. Lack of knowledge of the framework does not exempt from responsibility.

The good news: a structured approach in four steps — mapping, provider audit, contract updates, training — allows reaching a solid compliance level even with limited resources. Dematerialization of consents and sensitive documents via a certified electronic signature solution is a particularly effective lever for reducing risks while improving operational efficiency.

Certyneo offers an eIDAS-compliant electronic signature platform, adapted to the constraints of the associative sector and hosted on HDS-certified infrastructure. Contact our team for a free audit of your documentary situation and discover how to secure your health data flows starting today.
