Healthcare data hosting (HDS) accreditation

HDS accreditation requires adherence to a precisely defined framework. As a hosting provider, OVH is committed to supporting you and meeting its obligations.

What is HDS accreditation?

Personal healthcare data and information systems are particularly sensitive. They are a vital element of patient privacy, an integral part of a patient's road to recovery and a tool for healthcare professionals. The regulatory body gradually oversees practices linked to the quick growth of healthcare information systems.

As such, professionals and healthcare institutions as well as patients must rely on certified providers to host personal healthcare data externally. Ministerial approval serves as an additional guarantee in terms of respect for patient rights and data security.

The legal basis for healthcare data hosting comes from Article L.1111-8 of the Public Healthcare Code, issued from the "Kouchner" law (bill n°2002-303 dated the 4th of March, 2002 with regards to patient rights). The n°2006-6 decree dated the 4th of January, 2006, defines the terms and conditions for the certification of computerised healthcare data hosting providers. These provisions were added to articles R.1111-9 and seq. of the Public Healthcare Code.

Currently, only our datacentres in France and Canada have HDS certification, but we will soon be receiving it for our datacentres in the UK, Germany and Poland.

You are:

A healthcare institution or healthcare provider

The healthcare institution/provider is in direct contact with the people affected by personal healthcare data. You are in charge of treatments implemented through your healthcare information system and you are bearing this responsibility along with all the obligations that come with it. In compliance with legal obligations, you must rely on a provider certified by the Healthcare Department for third-party hosting of your information systems.

OVH Healthcare's special conditions define the responsibilities and obligations of OVH as well as those of the healthcare institution/provider within the context of a healthcare information system. OVH and the institution/provider must meet these obligations to guarantee that the implementation of the information system is in line with the level of data sensitivity and the critical level of treatment.

An actor in the healthcare information system supply chain

(Service company, Saas solution publisher, etc.)

In order to implement a healthcare information system adapted to data sensitivity and treatment challenges, all parties involved must comply with best practices.

Those in charge of treatment, the accredited healthcare data hosting provider and all third-parties involved in the healthcare system supply chain all have a role to play in establishing a reliable and secure system. Each party in charge of a functional area of responsibility must implement the proper practices.

As a customer of an accredited hosting provider, you must agree to comply with the obligations related to healthcare information systems and to ensure that everyone that you are working with inside the supply chain also complies with these obligations.

The special terms and conditions of the OVH Healthcare solution clearly define the responsibilities and obligations of OVH and our customers. In particular, we also define the obligations that our customers must impose on their own customers and partners involved in the implementation and use of the health information system.

Roles and responsibilities of OVH and its customers in a healthcare environment

Taking into account the rights of the people affected, which means verifying patient information beforehand and obtaining patient consent

Manage right of access to data, which means managing the information to exclude from this right, carrying out preliminary audits, complying with deadlines for the provision of access, defining terms of access and managing special cases such as the presence of a third-party or the request of a third party.

Controlling rights efficiency of those concerned and ensuring compliance with the rights of rectification, opposition and deletion as well as the maintenance and availability of access and operation history.

In addition to these obligations, the customer agrees to implement appropriate practices to ensure data security, notably a confidentiality and security policy, staff training and awareness, the partitioning of the healthcare information system, management of incidents linked to disaster recovery plan, and managing their business to keep up with its development and be prepared for the end of the hosting service.

Managing data access and various situations such as access by the healthcare staff and implementing systems adapted to each case, notably means of authentication.

OVH's commitments

Obtaining the Healthcare Data Hosting Provider Certification for its OVH Healthcare service in compliance with Article L.1111-8 of the Public Healthcare code and doing everything necessary to renew it.

Complying with legal and statutory requirements in effect., notably with regards to personal data protection and healthcare data hosting, and ensuring the compliance of all service providers and subcontractors. This commitment will notably materialize through the review of OVH Healthcare client contracts clients by the physician of the hosting provider and the client audit clauses provided for in the OVH Healthcare CPs.

Implementing their obligation to council the players involved in the hosting system, through this document, through the intervention of the hosting provider's physician and accompanying clients around the area.

Complying with ethical standards including compliance with healthcare data confidentiality and professional secrecy. To that effect, OVH has hired among its teams a physician in charge of healthcare data hosting activities.

Protecting the effectiveness of patient rights by ensuring they consent to host their healthcare data, that they have been fully and clearly informed, about the management of their right to access, rectification, opposition and deletion in compliance with the terms applied by the "Information Technology and Freedom" act and by the public healthcare code.

Maintaining an enhanced security level for healthcare data in compliance with the state of the art and the legal and regulatory requirements in effect. The measures that are implemented are both organisational and technical. Particular attention shall be paid to controlling the access to data, to a strong authentication and to the traceability of all operations performed on the data. A confidentiality and security policy will be formalised, implemented and assessed.

Staff training and awareness with regards to issues linked to the sensitivity of healthcare data in terms of respecting patient privacy, medical ethics and enhanced security.

Hosting personal healthcare data on their infrastructures located in France.

Controlling the outsourcing system by transferring any obligation, particularly with regards to security, data localisation and the effectiveness of patient rights, to its sub-contractors and by imposing a contract transfer similar to its own subcontractors.

Supporting its customers in the event of a change in activities or end of service. OVH agrees to return any data to the customer that he or she may have stored on its infrastructure, at any time.