On May 3, 2022 the European Commission ("EC") released a proposal of the European Parliament and of the Council for a European Health Data Space ("EHDS") Regulation. Timelex had the honour of assisting the EC in preparing a study supporting the impact assessment of policy options for an EU initiative on an EHDS.

The overarching purpose of the proposed act is to strengthen patients' rights to health data and open up the registries containing medical data to make better use of it, both for the patients and the larger community. In this blog post, we discuss the approach of the European Commission to untapping the potential of health data under the EHDS Regulation.

The goals of EHDS Regulation

The draft EHDS Regulation is the first proposal of a domain-specific common European data space which was outlined by the European strategy for data. Importantly, the proposal does not aim to regulate how healthcare will be provided by individual Member States. The specific goals set by the proposal include:

  • reinforcing the rights of natural persons (patients) in relation to the availability and control of their electronic health data;
  • providing rules and mechanisms supporting the research and fact-based policy making with the use of electronic health data;
  • laying down harmonized requirements for electronic health records ("EHR") systems on the EU market;
  • establishing mandatory cross-border infrastructure enabling the primary and secondary use of electronic health data across the EU.

The changes proposed by the EHDS Regulation will be relevant to all stakeholders in the health data life cycle, including: patients, hospitals and providers of EHR solutions and wellness applications, as well as researchers and authorities which access the data ("data users").

Primary and secondary use of electronic health data

The pivotal term used by the EHDS Regulation is electronic health data, which covers:

  • personal electronic health data: data concerning health and genetic data as defined in the GDPR, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services processed in an electronic form; and
  • non-personal electronic health data: means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in GDPR.

Such a broad definition is intended to capture all categories of medical data, irrespective of its source (patient or another person, such as a health professional) and including also inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means (e.g. via medical devices).

The proposed EHDS Regulation differentiates between two general contexts of use of electronic health data:

Primary use of electronic health data

  • use of data in the context of healthcare, including for:
    • treating the patient
    • prescriptions and dispensation of medicinal products and medical devices
    • social security, administrative or reimbursement services

Secondary use of electronic health data

  • use of data for other purposes that benefit the society such as:
    • research & innovation
    • policy-making
    • patient safety
    • personalised medicine
    • official statistics
    • regulatory activities.

Note that this term is not the same as the notion of "further processing" of personal data under Article 6(4) GDPR. Under the EHDS Regulation it will be possible that electronic health data is specifically collected for secondary use.

New patients' rights regarding access and control over their health data

The proposed EHDS Regulation will strengthen the rights of patients to their electronic health data beyond those already provided in the GDPR. Building on the concepts of the right to access, the right to portability and the right to rectification, the patients will be empowered to:

  • access their personal electronic health data processed in the context of primary use. They should be provided with their data immediately, free of charge and in an easily readable, consolidated and accessible form. However, to protect the well-being of the patients (e.g. with respect to information on a serious diagnosis, which should be explained by the doctor), there may be some exceptions to this rule;
  • insert their electronic health data into their own EHR; however, such data will be clearly marked as provided by the patients. This may be useful to rectify incorrect information or add data from a wellness app;
  • give access to data or to request a data transfer to a data recipient of their choice, immediately, free of charge and without hindrance. If the data recipient is from another Member State, the most relevant health information (including, for example, patient summaries, discharge reports, electronic prescriptions and lab results, so-called "priority categories") should be transferred in the European electronic health record exchange format. This will be relevant for patients who cross Member State borders to work, study, visit relatives or who travel and need to make their EHR available to doctors in another EU country;
  • restrict access of health professionals to all or part of their electronic health data. In other words, the patient may decide how much of their health record is disclosed to their doctor. Member States may establish the rules and specific safeguards regarding such restriction mechanisms;
  • obtain information on the healthcare providers and health professionals who have accessed their electronic health data in the context of healthcare.

On the other hand, health professionals will:

  • have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
  • ensure that the personal electronic health data of the natural persons they treat are updated with information related to the health services provided.

To achieve these goals, the EU is planning to expand the existing cross-border infrastructure to support primary use of data (MyHealth@EU). The draft regulation empowers the Commission to issue a series of implementing acts on various aspects of MyHealth@EU. The strengthened infrastructure will consist of a central platform and national contact points established by the Member States, to which the health providers will be connected to exchange the data. Finally, digital health authorities will be responsible for implementation and enforcement in the context of primary use.

Standards for electronic health record (EHR) systems and interoperability of medical devices and AI systems

EHR systems are the backbone of the data exchange system envisioned by the draft EHDS Regulation and their interoperability with other systems is key. Hence, the proposed regulation lays down rules for EHR systems for primary use of priority categories of electronic health data. For example, such EHR systems may be placed on the EU market or put into service only if they comply with the essential requirements laid down by the Regulation. The manufacturers will need to draw up an EU declaration of conformity and affix the CE marking before putting an EHR system on the market.

The proposal also puts forth a voluntary labelling scheme for wellness applications and high-risk AI systems which claim interoperability with EHR systems.

Making health data available for research and policy goals

The provisions on secondary use are intended to fuel health research and innovation, both for private and public initiatives, as well as informed policy making. The proposed system will be built on three actors: health data access bodies, data holders and data users. Their roles are described below.

Health data access bodies

  • set up by Member States to ensure a predictable and simplified access to electronic health data for secondary purposes;
  • act as intermediaries between the data holders, potential users of the data and - in some cases - patients;
  • examine the applications from potential users and issue data permits, i.e. administrative decisions which allow a data user to access data, if such access is required for purposes outlined in EHDS Regulation;
  • can charge fees for their services;
  • can also pre-process the requested data to prepare it for the secondary use;
  • if during the research there is a finding that may impact on the health of a natural person, the health data access body may inform this person and their doctor about that finding;
  • keep a metadata catalogue with a list of the available datasets, in which each dataset will be described, including: data source, scope of data, its main characteristics and conditions for making data available. The national catalogues will be connected by EU Datasets Catalogue;
  • power to fine a data holder which does not provide their datasets for secondary use.

Data holders

  • is a broad term which encompasses persons and bodies that will be obligated to make electronic data available for secondary use, for example: hospitals, health research institutions, EU bodies, but also private companies which control certain data, such as: content of EHRs, social, environmental and behavioural determinants of health, electronic health data from biobanks and dedicated databases, health-related administrative data;
  • may charge reasonable fees for making electronic health data available for secondary use;
  • must refrain from withholding the data by charging unjustified fees that are not transparent nor proportionate with the costs for making data available;
  • will need to inform health data access bodies about their datasets and their characteristics;
  • may also provide a Union data quality and utility label on their datasets, if those sets fulfil principles defined by the Regulation and delegated acts. For some data sets (e.g. those created with public funding), adherence to those principles will be mandatory;
  • may directly grant data permit if access request pertains to a single data holder. They provide the user with access to data in a secure processing environment (described below).

Data users

  • are, for example, researchers or companies wishing to use the data for their R&D, as well as authorities which require data to carry out their tasks (some different rules apply to them);
  • can request access to data either directly by the data holder or via the intermediation of health data access bodies. To do so, they will need to apply for the issuance of a data permit.
  • The application should provide, for example:
    • purposes for which the data would be used,
    • description of the needed data and possible data sources,
    • a description of the tools needed to process the data, as well as characteristics of the secure environment (further described below) that are needed;
    • when data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice and indicate legal basis for the processing (in accordance with Article 6 (1) GDPR);
  • will have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of the Regulation;
  • no later than 18 months after the completion of the electronic health data processing, will be obligated to make public the results or output of the secondary use of electronic health data. This is potentially an important factor to consider when applying for a permit, especially for private companies;
  • will need to acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS;
  • if the data is enriched, the dataset with such improvements and a description of the changes will be made available free of charge to the original data holder.

Safeguards for ensuring privacy of patients and cross border cooperation within EU

Data for secondary use may be provided in anonymized format or in pseudonymized format (only if the purpose of the data user's processing cannot be achieved with anonymised data). The information necessary to reverse the pseudonymisation shall be available only to the health data access body.

The health data access bodies will provide access to electronic health data only through a secure processing environment, which provides technical and organisational measures and fulfils security and interoperability requirements. The data users will only be able to download non-personal electronic health data from the secure processing environment. For data protection law specialists, it will be interesting to read that for the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users will be joint controllers in the sense of Article 26 of GDPR. As mentioned above, data holders may also host secure processing environments in which they provide access to users following a single holder request.

Each Member State will need to designate a national contact point for secondary use of electronic health data. The national contact point may be the health data access body. The Member States and the Commission will set up HealthData@EU, which will serve to support and facilitate the cross-border access to electronic health data for secondary use, connect the national contact points for secondary use of electronic health data of all Member States and authorise participants in that infrastructure.

Next steps

The draft EHDS Regulation has just been published by the European Commission and following the ordinary legislative procedure will now be sent to and discussed by the European Parliament and the Council. Once adopted, the EHDS Regulation will enter into force on the twentieth day following that of its publication. It shall apply from 12 months after its entry into force, however enforcement of certain provisions will be further delayed.
