
HDS Compliance for Health Data: Guide for Associations and NGOs

Associations and NGOs handling health data are subject to the HDS framework, which is often poorly understood in this sector. Discover the actual obligations and steps to achieve compliance.

Équipe santé Certyneo · 12 min read

Charitable associations, humanitarian NGOs, and non-profit medical and social care structures share a common challenge that is often underestimated: as soon as they process or host personal health data, they fall under the legal framework of health data hosting (HDS). Yet this sector faces a structural lag in compliance, due to lack of dedicated internal resources and insufficient awareness. This article guides you step by step to understand what HDS certification entails, identify your real obligations, and activate operational compliance — even with a limited IT team.

What is HDS certification and why are associations concerned?

Under the GDPR (Article 4, §15), health data is personal data relating to the physical or mental health of a person, revealing information about their health status. This definition is intentionally broad. It covers not only clinical medical records, but also:

  • Beneficiary data collected during screening campaigns
  • Information about disabilities declared in social assistance files
  • Nutritional or mental health data collected in a psychosocial support context
  • Test results or medical evaluations as part of humanitarian programs

An association fighting addiction, a network assisting dependent elderly persons, or an NGO providing field medical consultations all collect data falling into this category.

Law No. 2016-41 of 26 January 2016 (health system modernization law) established the obligation for certified HDS hosting for any entity that hosts personal health data on behalf of third parties — including associations and NGOs. The certification framework, defined by Decree No. 2018-137 of 26 February 2018, specifies the covered activities and the technical and organizational requirements to be met.

Contrary to a common misconception, exemption does not apply simply by being a non-profit structure. What matters is the nature of the data processed and the fact that hosting is performed on behalf of a third party (a doctor, a patient, a partner structure).

The six HDS activities and their scope for associative structures

HDS certification covers six distinct activities, organized into two blocks:

Infrastructure block (activities 1 to 3)

  • Activity 1: Provision and maintenance of physical sites (datacenters) in operational condition
  • Activity 2: Provision and maintenance of hardware infrastructure in operational condition
  • Activity 3: Provision and maintenance of virtual infrastructure in operational condition

Software and managed services block (activities 4 to 6)

  • Activity 4: Provision and maintenance of the application hosting platform in operational condition
  • Activity 5: Administration and operation of the health information system
  • Activity 6: Externalized backup of health data

For an association, the most frequently affected activities are activities 4 to 6, particularly when it uses a third-party SaaS solution to manage its beneficiary files or when it outsources the backup of its databases. It is therefore essential to verify that any SaaS or cloud provider handling your health data is properly certified HDS for the corresponding activities.

In this context, using an HDS-certified electronic signature solution designed for the health sector allows you to secure sensitive document flows — informed consents, admission forms, dematerialized prescriptions — without exposing the association to non-compliance risk.

How to concretely enable HDS compliance in your association?

Step 1: Map your health data processing activities

Before any technical approach, it is necessary to conduct a precise inventory of all processing activities involving health data. This exercise is directly part of the obligation to maintain a processing register provided for in Article 30 of the GDPR.

For each processing activity, document:

  • The nature of data collected (special category under GDPR)
  • The purposes of processing
  • Recipients and sub-processors
  • Hosting methods (internal server, cloud, SaaS)
  • Security measures in place

This mapping allows you to quickly identify risk areas and providers to audit.

Step 2: Audit your providers and require certification

HDS certification is delivered by organizations accredited by COFRAC (French Accreditation Committee). You can verify the certification status of a hoster on the ANS website (Digital Health Agency), which maintains a public list of HDS-certified hosters.

Systematically require from your providers:

  • A copy of the current HDS certificate
  • The exact scope of covered activities
  • Specific contractual conditions for health data protection

Do not settle for a statement of intent: certification must be verifiable and up to date.

Step 3: Update your contracts and DPA

Article 28 of the GDPR requires the conclusion of a Data Processing Agreement (DPA) with any processor handling personal data on your behalf. In the HDS context, this DPA must be supplemented by specific clauses covering:

  • Enhanced confidentiality commitments
  • Incident notification obligations within 72 hours
  • Data return and deletion conditions
  • Data location (mandatory in the EEA or in a country with an adequacy decision)

Some associations still use paper forms to collect consent from their beneficiaries. Dematerializing these processes via a compliant electronic signature solution allows you to timestamp and authenticate consents, producing legally binding proof.

Step 4: Train your teams and designate a compliance officer

HDS compliance is not a one-time project: it is an ongoing process. Designate an internal point of contact (who may be your DPO if you have one, as required by Article 37 of the GDPR for organizations processing health data on a large scale) and schedule regular awareness sessions for teams in contact with sensitive data.

According to a study published by the CNIL in 2024, over 60% of health data breaches notified involved human error (sending to the wrong recipient, lack of encryption). Training is therefore as important a risk reduction lever as technical measures.

Specific challenges for the associative sector: limited resources and budget constraints

The paradox of sensitive data and constrained budgets

Associations and NGOs face a particular situation: they often manage among the most sensitive data (health status of vulnerable people, refugees, unaccompanied minors) with human and financial resources far inferior to those of the hospital sector or private health companies.

This reality requires adopting a pragmatic and prioritized compliance strategy. According to ANS recommendations, a three-phase approach is generally advised for small and medium-sized structures:

  1. Emergency phase (0-3 months): identification and mitigation of critical risks (non-certified hosters, lack of encryption)
  2. Consolidation phase (3-12 months): contract updates, deployment of compliant tools, training
  3. Maturity phase (12-24 months): internal audits, continuity plans, annual processing review

The role of electronic signature in associative HDS compliance

Dematerialization of sensitive documents is a lever often underutilized by the associative sector. Yet replacing paper forms with qualified or advanced electronic signature processes offers several advantages:

  • Traceability: each signature is timestamped and associated with a verified identity, facilitating proof of the legality of processing
  • Error reduction: less manual handling of sensitive documents
  • Secure archiving: electronically signed documents can be stored in a certified digital safe

To learn more about the selection criteria for a solution suited to your structure, consult our comparison of electronic signature solutions, which details the differences between market offerings in terms of HDS and eIDAS compliance.

Associations already using an HR management tool or beneficiary file management system often benefit from checking whether their current solution natively integrates compliant electronic signature. Our guide to electronic signature in business addresses these integration criteria in detail.

Finally, if you have already deployed a signature solution but wish to migrate to an HDS-certified provider, our migration offer allows you to transfer your data and workflows without service interruption.

Founding texts of the HDS framework

French regulation on health data hosting is built on a stack of texts whose mastery is essential for any association handling medical or medico-social data.

Law No. 2016-41 of 26 January 2016 (health system modernization law): it established in the Public Health Code (Article L. 1111-8) the obligation to use a certified HDS hoster for any natural or legal person who hosts personal health data on behalf of data subjects or entities that process it.

Decree No. 2018-137 of 26 February 2018: it specifies the activities subject to certification, the methods of issuing and withdrawing certification, and the requirements applicable to certifying bodies (COFRAC accreditation mandatory).

Order of 8 August 2017: it sets the security framework applicable to health information systems, which serves as the technical basis for HDS evaluation.

Integration with GDPR

The Regulation (EU) 2016/679 (GDPR) constitutes the general framework for personal data protection. Its provisions apply cumulatively to HDS requirements:

  • Article 9: health data are special categories of data whose processing is prohibited in principle, except for listed exceptions (explicit consent, necessity for healthcare, public interest, etc.)
  • Article 28: any use of a processor hosting health data must be the subject of a detailed written contract (DPA)
  • Article 32: the association must implement appropriate technical and organizational measures (encryption, pseudonymization, access control)
  • Article 33: any health data breach must be notified to the CNIL within 72 hours
  • Article 35: a Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to pose a high risk to the rights of individuals

Non-compliance with the HDS framework exposes the association to several levels of sanctions:

  • CNIL administrative sanctions: up to 20 million euros or 4% of annual worldwide turnover (Article 83, §5 of GDPR) for the most serious violations. For associations, the CNIL assesses the amount based on available resources, but symbolic yet public sanctions have already been imposed on small structures.
  • Criminal liability: Article 226-13 of the Criminal Code provides for up to one year imprisonment and 15,000 euros fine for breach of medical confidentiality.
  • Civil liability: affected beneficiaries may engage the association's liability on the basis of Articles 1240 and following of the Civil Code if demonstrable harm occurs.
  • Accreditation suspension: associations accredited by public authorities (ARS, departmental council) may have their accreditation withdrawn in case of serious breach of health data protection.

It should also be noted that the NIS2 Directive (EU Directive 2022/2555, transposed in France by Law No. 2024-449 of 21 May 2024) extends cybersecurity obligations to a broader spectrum of entities, potentially including certain large associations managing critical health infrastructure.

Use cases: HDS compliance in practice for associations and NGOs

Scenario 1: A home care assistance association managing 500 beneficiary files

An association working with dependent elderly people in several departments manages approximately 500 active files including information on pathologies, current prescriptions, and dependency assessments (GIR scale). This data is stored in associative management software hosted by a non-HDS-certified cloud provider.

Following an internal audit triggered by a beneficiary's data access request, the association identifies this non-compliance. It initiates migration to an HDS-certified hoster for activities 4 and 5, concludes a compliant DPA with its software provider, and deploys an electronic signature solution to dematerialize consent forms and personalized care plans.

Observed results: a 70% reduction in consent processing time (from an average of 12 days in paper format to less than 4 days), complete elimination of the risks of loss or misdirection of paper documents, and enhanced cyber insurance coverage obtained thanks to documented compliance.

Scenario 2: An international NGO coordinating field medical missions

An NGO specializing in emergency medical care collects health data during its missions among beneficiary populations in several countries, with the data transmitted to a centralized server in France. The IT team consists of two volunteer staff members.

Since maintaining an in-house HDS-certified infrastructure is out of reach, the NGO opts for a 100% SaaS architecture with an HDS-certified hoster covering activities 1 to 6. It implements an electronic signature process for medical protocols and consent forms adapted to low-connectivity areas (an offline signing mode that synchronizes once connectivity is restored).

Observed results: HDS and GDPR compliance achieved in less than 6 months without additional IT recruitment, estimated 40% savings compared to in-house hosted infrastructure, and ability to respond to institutional calls for proposals (AFD, European Union) requiring data compliance certification.

Scenario 3: An associative network managing community health centers

A federation grouping several community health centers (approximately 8,000 active patients) uses patient file software shared between its different sites. Coordination between sites involves health data exchanges via unsecured messaging, in direct violation of the HDS framework.

The association undertakes a refactoring of its information system with support from an HDS-certified provider, implements secure health messaging (MSSanté), and dematerializes all admission and consent forms via an eIDAS-compliant electronic signature platform. A DPIA is conducted for each high-risk processing activity.

Observed results: zero data breaches reported to the CNIL over the 18 months following compliance implementation (compared to two minor incidents in the previous period), average admission time reduced by 35%, and a 22% improvement in the patient file completion rate due to the elimination of incomplete paper forms.

Conclusion

Enabling HDS compliance for health data in the associative and NGO sector is not an option reserved for large hospital structures: it is a legal obligation that applies to any entity, regardless of size or legal status, as soon as it hosts or processes personal health data. Lack of knowledge of the framework does not exempt responsibility.

The good news: a structured four-step approach — mapping, provider audit, contract update, training — allows achieving solid compliance even with limited resources. Dematerialization of consents and sensitive documents via an eIDAS-compliant electronic signature solution is a particularly effective lever for reducing risks while improving operational efficiency.

Certyneo offers an eIDAS-compliant electronic signature platform, adapted to the constraints of the associative sector and hosted on HDS-certified infrastructure. Contact our team for a free audit of your document situation and discover how to secure your health data flows today.
