In France, Health Data Hosts play a very important role in the management and processing of healthcare data. They enable healthcare organizations to store data considered sensitive by the CNIL (National Commission for Information Technology and Civil Liberties), while guaranteeing confidentiality and a very high level of security.

So how do healthcare data hosts work? And what is at stake in their use? That's what we're going to decipher in this article, by looking at a few key points.

What does "HDS" mean?

💼 The term HDS stands for "Healthcare Data Host". It is a specific qualification granted to healthcare organizations and professionals who are authorized to host personal medical data.

In France, this certification guarantees that data is kept with the highest levels of security and confidentiality, in compliance with national regulations.

But what data does an HDS keep? An HDS is responsible for storing sensitive personal data. This data includes:

  • Electronic medical records
  • Medical imaging
  • Medical prescriptions
  • Medical examination results
  • Etc.

Health Data Host

Healthcare data hosts have highly secure facilities to house servers and network equipment. What's more, in terms of physical security, healthcare data hosts are equipped with surveillance cameras and fire detection systems, so they are able to protect their equipment as well as the data they store. 

In terms of network security, security measures are in place to protect personal data in transit. These include the use of virtual private networks (VPNs), firewalls, data encryption and more. These techniques help prevent intrusions and cyber-attacks.

Let's take the concrete case of two companies that are subject to the obligation to host their healthcare data with an HDS, and for which Dipeeo acts as their point of contact with the CNIL (National Commission for Information Technology and Civil Liberties) and manages all GDPR matters for both startups:

👩‍⚕️ Docorga, one of Doctolib's main competitors, offers a platform that enables healthcare professionals to simplify the management of their patients' care, from the request for treatment, through the various secure document management tools, right up to the billing of procedures. All this on a secure application, which takes into account the protection of the privacy of the persons concerned. 

Docorga hosts the personal health data it processes on an HDS located in France. Among the tools offered by the healthcare platform:

  • A secure messaging system for exchanging sensitive files;
  • Patient files that allow you to personalize patient care and add your own observations;
  • Notes and reminders to reduce the number of consultations forgotten by patients by sending them SMS reminder notifications.

Through its personal health data processing service, Docorga handles health data considered sensitive by the CNIL (National Commission for Information Technology and Civil Liberties). This means that we need to take into account the various rules governing the hosting of health data, as laid down by law.

👨‍⚕️ Viabeez is a platform that brings healthcare professionals to workplaces and communities. According to Viabeez, 59% of French people forego healthcare due to lack of time and access. With over 10,000 employees benefiting from their healthcare services, the platform offers:

  • A simple, automated appointment scheduling tool for your employees
  • Access to France's most sought-after specialties;
  • Better health care for your employees.

This also requires consideration of the rules laid down by law for the hosting of personal health data.

Who is concerned by HDS certification?

📋 The HDS standard applies to organizations that host health data, i.e. sensitive information concerning an individual's physical or mental health.

According to Article L. 1111-8 of the French Public Health Code, "any healthcare professional, healthcare establishment or service, or any other organization carrying out preventive, healthcare, medico-social or social monitoring activities (natural or legal persons) which produce the data mentioned in the context of their preventive, diagnostic, healthcare or social and medico-social monitoring activities, are concerned".

In practice, this means that any person or organization that produces health data as part of its care or medico-social monitoring activities may be concerned by the HDS standard. This includes, for example:

  • General practitioners and specialists, nurses, physiotherapists, pharmacists, etc.
  • Hospitals, clinics, health centers, etc.
  • Medical analysis laboratories
  • Personal care and assistance centers
  • Social protection organizations (social security, mutual insurance companies, etc.)

What is HDS certification?

🔥 HDS certification is a key point in the reinforcement of healthcare data protection. It requires hosting providers to meet specific conditions in order to obtain authorization to host personal health data. Compliance and data traceability are crucial, helping to create a secure environment for the storage of such sensitive information.

HDS servers require HDS certification, which plays a key role in guaranteeing the security of healthcare data hosting. Certain conditions must be met, including enhanced authentication, penetration testing and consent forms.

To obtain HDS certification, it is necessary to comply with a strict set of standards and processes. These criteria guarantee that the entity is perfectly equipped to manage, store and protect healthcare data.

Certification involves careful assessment by independent, accredited bodies.

These audits verify not only the robustness of technical infrastructures, but also employee training, internal procedures and security measures in place.

Once HDS certification has been obtained, regular checks are carried out to ensure that standards continue to be met.

HDS certification enables French healthcare providers to use cloud services

👀 By opting for a healthcare data hosting provider, medical organizations can access advanced technological solutions, such as Cloud HDS, which offers flexibility and scalability while ensuring optimum security.

Indeed, Health Data Hosting (HDS) certification is required for entities such as Cloud service providers that host personal health data governed by French law and collected to provide preventive, diagnostic and other healthcare services.

The HDS regulations were issued by ASIP SANTÉ, which is responsible for promoting e-health solutions in France.

In particular, Google, Microsoft and AWS have obtained certification as health data hosts: 

For Google Cloud, "among other things, this opens up the possibility of better and faster diagnoses via artificial intelligence, better collaboration between doctors for more appropriate patient follow-up, and much greater computing power for more effective research, while respecting the private and necessarily secure nature of health data", explains Eric Haddad, former Managing Director of Google Cloud France.

According to Microsoft, HDS certification enables healthcare providers in France to use Microsoft cloud computing services to reduce costs by improving clinical and operational efficiency, and opens the door to the development of innovative, cutting-edge healthcare solutions.

Providers can develop intelligent applications or use third-party applications hosted on Azure to implement predictive analytics to personalize healthcare, assess and treat patients remotely (telemedicine), and improve the supervision of therapeutic drugs.

As for AWS (Amazon Web Services), obtaining HDS certification demonstrates that AWS provides a framework for technical and governance measures to secure and protect personal health data, governed by French law.

Solutions from AWS and its partners address the key IT challenges of the healthcare sector, enabling healthcare organizations to operate securely in a highly regulated global industry.

Potential penalties for non-certified hosts

Non-certification has consequences. Sanctions can include fines and other legal measures, which underlines the importance of complying with HDS certification standards.
