Key Considerations for Complying with HDS Version 2

Healthcare Assessments | HDS Certification

Published: Sep 22, 2025

Version 2 of the Health Data Host (HDS, Hébergeur de Données de Santé) Referential took effect on May 16, 2024, with a two-year transition period. If you are currently HDS certified, you must transition to the new version before May 16, 2026. The new version brings many positive changes, including a clarification of the applicable hosting activities, removal of the distinction between physical hosting providers and IT managed services providers, removal of references to controls within the ISO 20000-1 and ISO 27018 standards, a requirement for data localization within the European Economic Area (EEA), and more. However, we have noticed particular challenges that companies pursuing HDS certification tend to struggle with.
 
In this article, we break down those challenges so that you can focus on the areas of the new HDS framework that may take more time to implement or remediate in your own compliance journey.

HDS Integration with ISO 27001 

While ISO 27001 has always been a prerequisite for HDS certification, the additional HDS-specific requirements were not clearly defined in the previous version. Under v2, HDS must be explicitly taken into consideration within clauses 4 to 10 of ISO 27001, specifically within: internal and external issues; needs and expectations of interested parties; scope; risk assessment and risk treatment; objectives; awareness; communication; responsibilities; performance evaluation; internal audit; and management review.

Some key considerations if you plan on undergoing HDS certification include: 

  • Has the hosting of health data been considered within your risk assessment, specifically the failure or loss of control of media, failure to control the access granted, unforeseen use of the service through carelessness or malicious intent, and hardware or software failures? 
  • Does the statement of applicability include the HDS v2 controls, their applicability, and the justification for inclusion or exclusion, and is it available in both English and French? 
  • Do the information security objectives include the protection of the health data entrusted to the organization by its clients, as well as compliance with GDPR obligations? 
  • Has the internal audit been extended to the 31 HDS control requirements, including an audit of the access logs (traces) of persons operating on behalf of the organization who access the health data or the systems used to process it? 

The Impact of Non-Compliance with ISO 27001 

Where the HDS certification body is not the same as the ISO 27001 certification body, the HDS certification body must inform the ISO 27001 certification body of any non-compliance with an ISO 27001 requirement noted during an HDS audit. This obligation must be documented in the contract between the HDS certification body and the hosting provider.

Data Localization Requirement

As expected, the focus on data sovereignty has been reinforced with strict localization requirements: the physical hosting of health data must occur exclusively within the EEA. The EEA comprises the European Union (EU) member states plus Iceland, Liechtenstein, and Norway; it does not include the United Kingdom (UK) or Switzerland, among others. Remote access to the data from outside the EEA remains possible only under the GDPR transfer rules (an adequacy decision or other appropriate safeguards), but the data itself must be hosted within the EEA.

Contractual Requirements

The contractual obligations between the host and its customers, required by the French Public Health Code (Code de la santé publique), are now explicitly included in Chapter 6 of the HDS referential. You will need to ensure not only that these requirements are present in your updated contract templates, but also that existing customers relying on your HDS certification have the updates reflected in their contracts.

Key questions to ask about your customer contracts include: 

  • Do the contracts include procedures for exercising data rights (access, deletion, amendment, etc.)? 
  • Do the contracts designate a point of contact for the client in case of an incident related to the hosted health data? 
  • Do the contracts include SLAs for the quality and performance of the host's services? 
    • Are penalties or credits issued by the host if the performance or quality commitments are not met? 
  • Do the contracts disclose the use of sub-processors and ensure they provide an equivalent level of protection? 
  • Do the contracts specify that hosted health data will not be used for any purpose other than the execution of the health data hosting activity? 
  • Do the contracts include provisions for the deletion or return of data (reversibility) upon termination of the contract? 

For many HDS-certified companies, these specific requirements are relevant only to a small part of a much larger customer base; a short appendix specific to customers relying on your HDS certification may therefore help ensure compliance without changing the contracts of all customers.

Representation of Guarantees Requirement 

This new requirement, set out in Chapter 8 of the HDS Referential, is one you will want to get ahead of. It was created to give your clients greater transparency regarding the scope of the service covered by HDS certification and to let them identify the various players on which the hosting provider relies to deliver its service, regardless of whether those vendors are themselves HDS certified.

The following illustrative table is provided as a reference; the specific format is not prescriptive, but the data points it contains should be considered for inclusion: 
[Illustrative table of the representation of guarantees: image not reproduced here.]

Not every company listed has to be HDS certified; the point is transparency, so that your customers can better understand the risks in the supply chain and how those risks may affect their data. 

Navigating HDS v2 Certification 

All in all, HDS v2 is a vast improvement over v1.1: the requirements are clearly defined and apply to all hosting providers. Paying particular attention to the more challenging aspects described above will help streamline your HDS implementation and avoid bottlenecks in the certification process. Should you have further questions, please contact our team, who would be happy to address your concerns and help you find an easier way forward to HDS certification. 

About Robert Tylka

Robert Tylka is a Principal at Schellman & Company. With over 17 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, STAR, and HIPAA examinations. In his portfolio he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the information technology, financial services, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies, with a strong focus in the technology sector.