866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Key Considerations for Complying with HDS Version 2 Blog Feature
Robert Tylka

By: Robert Tylka

Print/Save as PDF

Key Considerations for Complying with HDS Version 2

Healthcare Assessments | HDS Certification

Published: Sep 22, 2025

Effective May 16, 2024, Version 2 of the Health Data Host (HDS) Referential went into force with a two-year transition period. This means if you are currently HDS certified, you’ll have to transition to the new version before May 16, 2026. This transition brings many positive changes, including a clarification of the applicable hosting activities, removal of distinction between physical hosting and IT managed services providers, removal of references to controls within the ISO 20000-1 and ISO 27018 standards, requirement for data localization within the European Economic Area (EEA), and more. However, we have noticed particular challenges that companies pursuing HDS certification tend to struggle with.  
 
In this article, we’ll break down those trends faced by organizations within the new HDS framework so that you can focus on those areas that may take more time for implementation or remediation in your own compliance journey.

HDS Integration with ISO 27001 

While ISO 27001 was always a pre-requisite to achieving HDS certification, the additional requirements related to the HDS framework were not clearly defined. Now, HDS needs to be explicitly taken into consideration within clauses 4 to 10 of the ISO 27001 standard, specifically within: internal and external issues; needs and expectations; scope; risk assessment and risk treatment; objectives; awareness; communication; responsibilities; performance; internal audit; and management review.  

Some key considerations if you plan on undergoing HDS certification include: 

  • Has the hosting of health data been considered within your risk assessment, specifically the failure or loss of the control of media, failure to control access granted, unforeseen use of service due to clumsiness or malicious intent, or hardware or software failures? 
  • Does the statement of applicability include the HDS v2 controls, their applicability and justification for inclusion or exclusion, and availability in both English and French? 
  • Do the information security objectives include the protection of health data entrusted to the organization by its clients and include compliance with the obligations of the GDPR? 
  • Has the internal audit extended to the 31 HDS control requirements, including an audit of the traces of access by persons operating on behalf of the organization to the health data or the systems used for their processing? 

The Impact of Non-Compliance with ISO 27001 

In cases where the HDS certification body is not the same as that of ISO 27001, the HDS certification body has a responsibility to inform the ISO 27001 certification body of instances of non-compliance with a requirement of ISO 27001 noted during an HDS audit. This obligation is required to be documented in the contract between the certification body and the hosting provider.

Data Localization Requirement

As expected, a focus on data sovereignty was reinforced with strict localization requirements, mandating that the physical hosting of health data occurs exclusively within the EEA. The EEA includes the European Union (EU) as well as Iceland, Liechtenstein, and Norway, while excluding the United Kingdom (UK) and Switzerland, amongst others. So, while remote access to data is allowed outside of the EEA in accordance with an adequacy decision under GDPR or other appropriate safeguards, the data itself must be hosted there.

Contractual Requirements

The contractual obligations between the host and its customers, required per the French Health public code, are now explicitly included in Chapter 6 of the HDS referential. You will need to ensure that not only are these requirements present in your updated contractual documents, but that any current customers relying on your HDS certification also have the updates accounted for.  

Some key considerations if you plan on undergoing HDS certification include: 

  • Do the contracts include procedures for exercising data rights (access, deletion, amendment, etc.)? 
  • Do the contracts include a point of contact for the client, who would be contacted in case of incident related to the hosted health data? 
  • Do the contracts include SLAs for quality and performance of the host’s services? 
    • Are there any penalties or credits issued by the host if performance or quality agreements are not met? 
  • Do the contracts mention the use of sub processors and ensure an equivalent level of protection? 
  • Do the contracts specify that hosted health data will not be used for any other purpose other than the execution of the activity of hosting health data? 
  • Do the contracts include provisions for the deletion/return of data (reversibility) upon termination of the contract? 

For many HDS-certified companies, these specific requirements may have little to do with their vast customer base; therefore, a short appendix specific to customers relying on your HDS certification may help ensure compliance without impacting all customers.

Representation of Guarantees Requirement 

The introduction of this new requirement is something you will want to get ahead of. Specifically referring to Chapter 8 of the HDS Referential, this mandate was created to provide your clients with greater transparency regarding the scope of the service covered by HDS certification and to enable them to find out about the various players on which the hosting provider relies to deliver its service, regardless if those vendors are HDS certified or not.  

The following illustrative table is provided as a reference – and while not prescriptive in that specific format, the various data points should be considered for inclusion: 
A screenshot of a computer AI-generated content may be incorrect.

Each company listed does not have to be HDS certified; however, by providing transparency to your customers, they can better understand risks in the supply chain and how it may impact their data. 

Navigating HDS v2 Certification 

All in all, we see vast improvement in the requirements under HDS v2 compared with v1.1 – with the requirements clearly defined and applicable to all hosting providers; however, a particular focus on the more challenging aspects described above will help to streamline your HDS implementation efforts and avoid any bottlenecks in the certification process. Should you have any further questions, please contact our team, who would be happy to address your concerns and pave an easier way forward to HDS certification. 

In the meantime, discover additional HDS certification insights in the following resources:  

About Robert Tylka

Robert Tylka is a Principal at Schellman & Company. With over 17 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, STAR, and HIPAA examinations. In his portfolio he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the information technology, financial services, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies, with a strong focus in the technology sector.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.