Health data hosting: The new French HDS Certification has been released
The revised version of the French Health Data Hosting (HDS) certification framework has finally been published in the Official Journal on May 16, 2024, marking a significant milestone eagerly awaited by sector stakeholders. Initially released discreetly through the TRIS procedure, this framework has sparked extensive discussions, particularly concerning the data localization and transfers requirements amidst the ongoing concerns of French authorities regarding digital sovereignty.
Reminder: The HDS certification aims to ensure the security of health data hosting, forming a crucial pillar of digital health regulation in France. Currently, 302 entities are certified, with nine organizations accredited to conduct these certifications.
Timeline of Applicability: The decree of April 26, 2024, approving the HDS certification framework, was published in the Official Journal on May 16, 2024. The new provisions come into effect six months after their publication, on November 17, 2024. They apply to applications for certificates of compliance and applications for the renewal of such certificates submitted to a certification body from that date onwards. After this six-month period, certification bodies will only be able to issue certificates in accordance with the new framework.
2024 Revision: The revision process, initiated in early 2022, incorporated feedback from sector stakeholders, the French Data Protection Authority (CNIL) and industry federations, thanks to a public consultation performed at the end of 2022. Over 250 contributions were analyzed, and the CNIL issued a favorable opinion on July 13, 2023. The draft decree was notified to the European Commission on December 7, 2023, with no comments received during the three-month period.
Key Changes: This revision, responding to the debates surrounding the bill aimed at securing and regulating the digital space (SREN), adopted on April 10, 2024, strengthens the framework’s orientations with legislative backing. The new requirements notably aim to:
- Reinforce data sovereignty with strict localization requirements, mandating that the physical hosting of health data occurs exclusively within the European Economic Area (EEA). See our focus below.
- Clarify the certified hosting activity types, including an attempt to clarify the (in)famous Activity 5. The new HDS certification framework aims to clarify the activities for which hosting services providers have obtained certification, especially Activity 5, which corresponds to the “administration and operation of the information system containing health data.” This should help make clear that, in most cases, software vendors or medical device manufacturers do not need HDS certification.
- Incorporate updates from the ISO 27001 standard.
- Clarify the hosting services provider’s contractual obligations by integrating the mandatory clauses of Article R.1111-11 of the French Public Health Code into HDS contracts. Hosting services providers must audit their HDS contracts to ensure these clauses are included and amend the contracts if necessary.
- Update the accreditation framework, in collaboration with COFRAC, which outlines the accreditation process for certification bodies and incorporates feedback from auditors.
Focus on the New (unfortunate) Data Sovereignty Requirements: The revised HDS certification framework introduces four new data sovereignty requirements (requirements 28 to 31):
- Data Localization: Health data must be physically hosted exclusively within the EEA, which includes the EU, Norway, Iceland, and Liechtenstein, with a distinction for remote access (see below).
- Disclosure of Third-Country Access: If data is accessed remotely from outside the EEA by the hosting service provider or its subcontractors, or if these parties are subject to non-European laws that do not ensure adequate protection (as per GDPR Article 45), the hosting service provider must inform its clients of the associated risks and the technical and legal measures taken to mitigate them.
- Public Mapping of Data Transfers: Hosting Service Providers are required to publish on their website a map of any data transfers to countries outside the EEA.
- Alignment with Future Standards: Fortunately, the revised framework does not align with the extraterritorial immunity requirements of SecNumCloud V3.2. This will, however, be reassessed in light of future European cybersecurity frameworks, such as the European Cybersecurity Certification Scheme for Cloud Services (EUCS), by 2027.
In conclusion, this revision of the HDS certification framework aims to strengthen health data security and clarify requirements for sector stakeholders, but it still contains some heavy requirements. The stringent data localization obligations and the attachment to SecNumCloud envisaged in previous versions of the revision of the HDS certification framework have for now been avoided. Vigilance nonetheless remains necessary in view of the forthcoming SREN law, which may introduce new constraints in terms of health data security. Excessively stringent data localization requirements, however, run the risk of being impractical and failing to achieve their goal. For any questions or assistance with this specific French requirement, we are here to help.