Health Data Hosting (HDS) France
The Hébergeurs de Données de Santé (HDS) certification is required for entities such as cloud service providers that host the personal health data governed by French laws and collected for delivering preventive, diagnostic, and other health services. The HDS regulation was issued by ASIP SANTÉ which, under the French Ministry of Health, is responsible for promoting electronically based healthcare solutions in France.
Hosting of health data is regulated under French law by the French Public Health Code (Article L.1111-8), which stipulates that any healthcare organization—hospitals, pharmaceutical companies, laboratories—that handles personal medical data must use a service provider that is HDS-certified. In April 2018, new Articles R1111-8-8 to R1111-11 of the Public Health Code took effect, changing the accreditation procedure from an authorization by the French Ministry of Health to certification by an authorized body such as BSI.
HDS certification requires that service providers implement measures that keep personal health data secure, confidential, and accessible by patients. These measures include strong authentication and authorization procedures, robust backup systems, and powerful encryption methods. HDS also specifies mandatory provisions that must be included in contracts with the cloud service provider. These requirements apply no matter where the data is stored.
Microsoft and HDS
Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365 have been granted the Health Data Hosting (Hébergeurs de Données de Santé, HDS) certification, which is required for all entities hosting personal health data governed by French law. This made Microsoft the first major cloud service provider to meet the strict French standards for storing and processing health data. This certification, required by the 2018 revision to the French Public Health Code, imposes advanced security and privacy requirements on hosting services and cloud providers to ensure that the confidentiality and integrity of sensitive data are adequately protected.
Microsoft compliance with the HDS requirements has been audited and certified by the BSI Group, an independent certifying body accredited by French authorities to conduct HDS audits.
The HDS certification enables healthcare providers in France to use Microsoft cloud services to save costs by improving clinical and operational efficiency, and it opens the door to the development of innovative, cutting-edge healthcare solutions. Providers are able to develop smart applications or use third-party applications hosted on Azure to implement predictive analytics to personalize healthcare, evaluate and treat patients at a distance (tele-medicine), and sharpen therapeutic drug monitoring.
The rigorous audit covered the measures Microsoft has taken to secure personal health data and protect its confidentiality, including the:
- ISO/IEC 27001:2013 Information Security Management certification of Microsoft cloud services, which are audited annually for compliance.
- High level of privacy based on compliance with the GDPR and the ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud.
Microsoft in-scope cloud services
- Azure. The HDS certificate applies to Azure services listed as compliant with the ISO/IEC 27001 standard in Azure Compliance offerings and provisioned from the France Central, France South, Europe West, and Europe North Azure regions.
- Dynamics 365. The HDS certificate applies to Dynamics 365 Core Online Services provisioned from France and European Union geographies.
- Microsoft 365. The HDS certificate applies to Office 365 Core Online Services provisioned from France and European Union geographies.
- Power BI. The HDS certificate applies to the Power BI cloud service, either as a standalone service or as included in an Office 365 branded plan or suite.
The HDS certificate does not apply to Microsoft online services in preview or pre-release.
Audits, reports, and certificates
The HDS certification is valid for three years.
How to implement
- Contractual terms: The French Public Health Code requires the execution of specific contractual terms between the health data hosting service or cloud service provider and its customers. Eligible customers must reach out to their Microsoft licensing point of contact to enter into these specific contractual terms before hosting personal health data on Microsoft online services.
- Health and life sciences: Case overviews, solution guides, tutorials, and other resources to help build Azure solutions.