On May 3, 2022 the European Commission (“EC”) released a proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (“EHDS”). Timelex had the honour of assisting the EC in preparing a study supporting the impact assessment of policy options for an EU initiative on an EHDS.
The overarching purpose of the proposed act is to strengthen patients’ rights to their health data and to open up the registries containing medical data so that better use can be made of it, both for patients and for the wider community. In this blog post, we discuss the European Commission’s approach to unlocking the potential of health data under the EHDS Regulation.
The goals of EHDS Regulation
The draft EHDS Regulation is the first proposal for a domain-specific common European data space, as outlined in the European strategy for data. Importantly, the proposal does not aim to regulate how healthcare is provided by individual Member States. The specific goals set by the proposal include:
- reinforcing the rights of natural persons (patients) in relation to the availability and control of their electronic health data;
- providing rules and mechanisms supporting the research and fact-based policy making with the use of electronic health data;
- laying down harmonized requirements for electronic health records (“EHR”) systems on the EU market;
- establishing mandatory cross-border infrastructure enabling the primary and secondary use of electronic health data across the EU.
The changes proposed by the EHDS Regulation will be relevant to all stakeholders in the health data life cycle, including patients, hospitals, providers of EHR solutions and wellness applications, as well as researchers and authorities which access the data (“data users”).
Primary and secondary use of electronic health data
The pivotal term used by the EHDS Regulation is electronic health data, which covers:
- personal electronic health data: data concerning health and genetic data as defined in the GDPR, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, in each case processed in an electronic form; and
- non-personal electronic health data: data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in the GDPR.
Such a broad definition is intended to capture all categories of medical data, irrespective of their source (the patient or another person, such as a health professional), including inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means (e.g. via medical devices).
The proposed EHDS Regulation differentiates between two general contexts of use of electronic health data:
Primary use of electronic health data
- use of data in the context of healthcare, including for:
  - treating the patient
  - prescriptions and dispensation of medicinal products and medical devices
  - social security, administrative or reimbursement services
Secondary use of electronic health data
- use of data for other purposes that benefit society, such as:
  - research & innovation
  - patient safety
  - personalised medicine
  - official statistics
  - regulatory activities.
Note that secondary use is not the same as the notion of “further processing” of personal data under Article 6(4) GDPR: under the EHDS Regulation, electronic health data may be collected specifically for secondary use.
New patients’ rights regarding access to and control over their health data
The proposed EHDS Regulation will strengthen the rights of patients to their electronic health data beyond those already provided in the GDPR. Building on the concepts of the right of access, the right to portability and the right to rectification, patients will be empowered to:
- access their personal electronic health data processed in the context of primary use. They should be provided with their data immediately, free of charge and in an easily readable, consolidated and accessible form. However, to protect the well-being of patients (e.g. with respect to information on a serious diagnosis, which should be explained by a doctor), there may be some exceptions to this rule;
- insert their own electronic health data into their EHR, although such data will be clearly marked as provided by the patient. This may be useful to rectify incorrect information or to add data from a wellness app;
- give access to their data, or request a data transfer to a data recipient of their choice, immediately, free of charge and without hindrance. If the data recipient is in another Member State, the most relevant health information (including, for example, patient summaries, discharge reports, electronic prescriptions and lab results, the so-called “priority categories”) should be transferred in the European electronic health record exchange format. This will be relevant for patients who cross Member State borders to work, study, visit relatives or travel, and who need to make their EHR available to doctors in another EU country;
- restrict access of health professionals to all or part of their electronic health data. In other words, the patient may decide how much of their health record is disclosed to their doctor. Member States may establish the rules and specific safeguards regarding such restriction mechanisms;
- obtain information on the healthcare providers and health professionals who have accessed their electronic health data in the context of healthcare.
On the other hand, health professionals will:
- have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
- ensure that the personal electronic health data of the natural persons they treat are updated with information related to the health services provided.
To achieve these goals, the EU plans to expand the existing cross-border infrastructure supporting the primary use of data (MyHealth@EU). The draft regulation empowers the Commission to issue a series of implementing acts on various aspects of MyHealth@EU. The strengthened infrastructure will consist of a central platform and national contact points established by the Member States, to which healthcare providers will be connected in order to exchange data. Finally, digital health authorities will be responsible for implementation and enforcement in the context of primary use.
Standards for electronic health record (EHR) systems and interoperability of medical devices and AI systems
EHR systems are the backbone of the data exchange system envisioned by the draft EHDS Regulation, and their interoperability with other systems is key. Hence, the proposed regulation lays down rules for EHR systems used for the primary use of priority categories of electronic health data. For example, such EHR systems may be placed on the EU market or put into service only if they comply with the essential requirements laid down by the Regulation. Manufacturers will need to draw up an EU declaration of conformity and affix the CE marking before placing an EHR system on the market.
The proposal also puts forward a voluntary labelling scheme for wellness applications and high-risk AI systems which claim interoperability with EHR systems.
Making health data available for research and policy goals
The provisions on secondary use are intended to fuel health research and innovation, both for private and public initiatives, as well as informed policy making. The proposed system will be built on three actors: health data access bodies, data holders and data users. Their roles are described below.
Health data access bodies
- set up by Member States to ensure a predictable and simplified access to electronic health data for secondary purposes;
- act as intermediaries between the data holders, potential users of the data and - in some cases - patients;
- examine the applications from potential users and issue data permits i.e. administrative decisions which allow a data user to access data, if such access is required for purposes outlined in EHDS Regulation;
- can charge fees for their services;
- can also pre-process the requested data to prepare it for the secondary use;
- if during the research there is a finding that may impact on the health of a natural person, the health data access body may inform this person and their doctor about that finding;
- keep a metadata catalogue with a list of the available datasets, in which each dataset will be described, including: data source, scope of data, its main characteristics and conditions for making data available. The national catalogues will be connected by EU Datasets Catalogue;
- have the power to fine a data holder which does not make its datasets available for secondary use.
Data holders
- a broad term which encompasses persons and bodies that will be obliged to make electronic health data available for secondary use, for example hospitals, health research institutions and EU bodies, but also private companies which control certain data, such as the content of EHRs, social, environmental and behavioural determinants of health, electronic health data from biobanks and dedicated databases, and health-related administrative data;
- may charge reasonable fees for making electronic health data available for secondary use;
- must refrain from withholding data by charging unjustified fees that are neither transparent nor proportionate to the costs of making the data available;
- will need to inform health data access bodies about their datasets and their characteristics;
- may also provide a Union data quality and utility label on their datasets, if those sets fulfil principles defined by the Regulation and delegated acts. For some data sets (e.g. those created with public funding), adherence to those principles will be mandatory;
- may directly grant a data permit if the access request pertains to a single data holder. In that case they provide the user with access to the data in a secure processing environment (described below).
Data users
- are, for example, researchers or companies wishing to use the data for their R&D, as well as authorities which require data to carry out their tasks (somewhat different rules apply to them);
- can request access to data either directly from the data holder or via the intermediation of health data access bodies. To do so, they will need to apply for the issuance of a data permit. The application should provide, for example:
  - the purposes for which the data would be used,
  - a description of the needed data and possible data sources,
  - a description of the tools needed to process the data, as well as the characteristics of the secure processing environment (further described below) that are needed;
  - when data is requested in pseudonymised format, an explanation of why this is necessary and why anonymised data would not suffice, together with the legal basis for the processing (in accordance with Article 6(1) GDPR);
- will have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of the Regulation;
- no later than 18 months after the completion of the electronic health data processing, will be obligated to make public the results or output of the secondary use of electronic health data. This is potentially an important factor to consider when applying for a permit, especially for private companies;
- will need to acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS;
- if the data is enriched, must make the dataset with such improvements, together with a description of the changes, available free of charge to the original data holder.
Safeguards for ensuring the privacy of patients and cross-border cooperation within the EU
Data for secondary use may be provided in anonymised format or in pseudonymised format (the latter only if the purpose of the data user’s processing cannot be achieved with anonymised data). The information necessary to reverse the pseudonymisation shall be available only to the health data access body.
The health data access bodies will provide access to electronic health data only through a secure processing environment, which provides technical and organisational measures and fulfils security and interoperability requirements. Data users will only be able to download non-personal electronic health data from the secure processing environment. For data protection law specialists, it will be interesting to note that, for the processing of electronic health data within the scope of a granted permit, the health data access bodies and the data users will be joint controllers within the meaning of Article 26 GDPR. As mentioned above, data holders may also host secure processing environments in which they provide access to users following a single-holder request.
Each Member State will need to designate a national contact point for secondary use of electronic health data. The national contact point may be the health data access body. The Member States and the Commission will set up HealthData@EU, which will serve to support and facilitate the cross-border access to electronic health data for secondary use, connect the national contact points for secondary use of electronic health data of all Member States and authorise participants in that infrastructure.
The draft EHDS Regulation has just been published by the European Commission and, in line with the ordinary legislative procedure, will now be sent to and discussed by the European Parliament and the Council. Once adopted, the EHDS Regulation will enter into force on the twentieth day following its publication. It will apply 12 months after its entry into force, although the application of certain provisions will be further delayed.
Want to know more?
Do you have a specific question or would you like support in this matter? We are happy to help. Book a free 15-minute call with Magdalena at magdalena.kogut.lawyer.brussels (reserved for organisations).