Guides 22 January 2026 · 10 min read

HDS hosting — a practical guide for healthcare organisations

Who must be HDS-certified, what scopes, how to choose a host, how much it costs. A concrete guide for medical practices, clinics, healthcare software vendors and MSPs operating in this sector.

By Hexceos Team · Infrastructure & compliance team

The rule, in one paragraph

HDS certification (Hébergeur de Données de Santé), framed by the French decree of 26 February 2018, applies to any organisation that hosts personal health data for prevention, diagnosis, care or medical follow-up. If you self-host this data, you must be certified. If you outsource it, your host must be certified.

Six distinct scopes

HDS certification covers six scopes, of which at least one must be qualified:

  1. Provision and operational maintenance of physical sites.
  2. Provision and operational maintenance of hardware infrastructure.
  3. Provision and operational maintenance of the hosting platform.
  4. Provision and operational maintenance of virtual infrastructure.
  5. Administration and operation of the information system.
  6. Outsourced backup.

A host can be certified on one or several scopes. Always check the exact scope of the certification (the attestation PDF specifies it).

Who must be certified

Typical cases where HDS is mandatory:

  • Medical practices whose patient records sit on a server, in a cloud, or with a vendor — they themselves must ensure they use an HDS host.
  • Private clinics and healthcare establishments on their internal IT estate.
  • Healthcare software vendors (electronic patient records, practice management, telemedicine, e-health).
  • Pharmacies (business software connected to third-party IT estates).
  • Laboratories on their medical information systems.
  • MSPs and IT services companies (ESNs) operating on these IT estates must be HDS-certified for the relevant scope.

Public actors (hospitals, public health establishments) benefit from a partial derogation but must still respect the framework.

How to verify an HDS host

Three actions:

  1. Request the certification attestation — a named PDF with date, scope, certification body (LNE, AFNOR, Bureau Veritas).
  2. Check the scope — to host a patient record system, you need at least scopes 3 and 5. For outsourced backup alone, scope 6 suffices.
  3. Request the list of HDS subcontractors — if the host relies on subcontractors, they must also be HDS-certified.

How much does it cost

The price gap between classical hosting and HDS hosting is generally 20 to 40%. The difference covers reinforced access controls, annual audits, contractual documentation, traceability, and incident notification commitments.

For a multi-practitioner medical practice with an online patient record system (5 to 10 TB of storage, 50 to 100 users), typically expect 600 to 1,800 € excl. tax (HT) per month for pure HDS hosting, excluding administration and backup.

Customer-side contractual obligations

Points to demand systematically:

  • Subcontractor management policy — who are they, where are they, do they have access to your data?
  • Localisation commitment — your data must stay on EU territory, ideally in France.
  • Incident notification — within what timeframe after detection? (ideally under 24 h for incidents affecting confidentiality)
  • Reversibility — how do you retrieve your data at end of contract, in what format, what timeframe?
  • Customer audit — can you audit the host yourself, or request an independent audit report?

Our offering

Our datacenter is HDS-certified on scopes 1 to 6. We host medical practices, healthcare software vendors and public healthcare structures in Île-de-France and Occitanie, with a 24/7 SOC dedicated to security monitoring — HDS requirements are not limited to availability, they include operational security.

Written by the Hexceos infrastructure and compliance teams.
