On May 3, 2022, the European Commission published a proposal for a Regulation on the European Health Data Space (EHDS) (“EHDS Regulation”, or “Proposal”). With the Proposal, the European Commission aims to make significant progress towards a single market for digital health services and products.
This draft EHDS Regulation is part of the European Strategy for data (published in 2020) and complements other major pending and planned legislative proposals for a comprehensive set of rules on data. This includes, for example, the proposed Data Act on harmonized rules on fair access to and use of data, the Data Governance Act on availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU, as well as the draft ePrivacy Regulation.
The EHDS Regulation would rewrite rules for individuals, professionals, and companies, as well as state actors in the health care sector in order to build a framework to use health data for health care services as well as research and innovation.
Why an EHDS?
The European Commission believes that there are significant advantages for research, innovation, policy-making, and regulatory activities in having a single internal market for health data between the EU Member States. For example, in the view of the European Commission, the COVID-19 pandemic demonstrated the importance of being able to rapidly access electronic health data to be prepared for health emergencies. Additionally, in order to diagnose and treat patients quickly anywhere in the EU, it is considered important to use health data that are findable, accessible, interoperable and reusable (“FAIR principles”).
The Proposal’s overall objective is to ensure that electronic health data are as open as possible and as closed as necessary. Against this background, the draft EHDS Regulation aims to:
- improve treatment and strengthen rights of individual patients by means of better digital access to and control over their health data, while at the same time ensuring a high level of patient safety;
- improve healthcare quality and efficiency, e.g., by enabling health professionals to have eased access to relevant health data;
- foster research and innovation in the digital healthcare and life science sector by facilitating access to non-identifiable health data, e.g., with regard to the development of new products and therapies and drug production in the EU;
- unleash the data economy in the digital healthcare and life science sector by, for instance, providing a unified legal framework and standardization; and
- create synergies between the EHDS and other systems, such as the European Open Science Cloud and the European Research Infrastructures.
To take advantage of these opportunities, the Proposal provides for a comprehensive legal framework, common standards and practices, infrastructures, and a governance framework for the use of electronic health data.
Who will be subject to the EHDS Regulation?
Similar to the EU General Data Protection Regulation (GDPR), the EHDS will in general apply to companies established in the EU, but it would also include non-EU companies processing personal data when targeting the EU market. The EHDS Regulation would also apply to non-personal electronic health data, namely to so-called data holders and data users in the EU, irrespective of where the data is being processed. The EHDS Regulation would apply to the following (among others):
- Manufacturers and suppliers of electronic health record (EHR) systems and wellness applications placed on the market in the EU. An EHR includes any appliance or software used for storing, intermediating, importing, exporting, converting, editing, or viewing electronic health records. A wellness application refers to software which processes electronic health data for other purposes than healthcare, such as well-being.
- Controllers and processors established in the EU. This includes companies processing electronic health data of EU citizens (or non-EU citizens residing in the EU) and data users to whom electronic health data are made available by data holders in the Union.
- Controllers and processors established in third countries that have been connected to or are interoperable with MyHealth@EU. MyHealth@EU is a central cross-border platform and infrastructure for digital health. It facilitates the exchange of electronic health data between the EU Member States. This platform is the technical basis for the EHDS, which aims to foster cross-border access to health data within the EU and enable safe transfers of non-personal electronic health data to non-EU countries (which will nevertheless be governed by the GDPR requirements for the transfer of personal data outside the EU).
- Data users to whom electronic health data are made available by data holders in the EU. The term data users refers to anyone who pursues activities for reasons of public interest, including private companies. Data users may claim access to electronic health data from data holders, who can be entities of any kind (e.g., public or non-profit organizations or private companies) that are operating or conducting research with regard to the health sector.
Given the fundamental importance of the processing of health data in the fields of health care and life science, the EHDS Regulation will be of significant relevance for US and other non-EU-based companies in this sector targeting the EU market and focusing on, for example, the development of new treatments, drugs, and other medical devices.
What are key aspects of the draft EHDS Regulation?
The Proposal sets out a comprehensive framework of rules for the processing of electronic health data both in so-called primary use and in secondary use. The key aspects of this framework are the following:
Rules for Primary Health Data Use
Primary use pertains to the processing of personal data related to providing health care services to individuals. Under the Proposal, individuals will have easy access to and will be in full control of their data. Individuals will be able to add or amend information in their EHR and may decide with whom they want to share what data. This includes health care professionals (e.g., medical doctors, hospitals, and pharmacies) and providers of electronic health care systems that directly process patient health care data.
According to the European Commission, the rules for primary health data use primarily aim to strengthen patient rights. To ensure comprehensive control of data, patients have the right to restrict access by others and to obtain information (free of charge) on how their patient data is used and for which purpose.
Complementary to this, Member States shall ensure that patient summaries, ePrescriptions, images and image reports, laboratory results, and discharge reports are issued in a common European format, so that health data can be shared between health professionals within and across Member States.
Electronic Health Record (EHR) Systems
The Proposal regulates Electronic Health Record (EHR) Systems to ensure interoperability and a high level of protection. Manufacturers of such systems must meet several requirements (as part of a pre-market conformity assessment), including, among others:
- registration before placing the system on the market;
- compliance with technical specifications adopted by the European Commission (quality, security, and interoperability);
- drawing up the technical documentation of EHR systems; and
- compliance with provisions on CE marking (Regulation (EU) 765/2008) and market surveillance (Regulation (EU) 2019/1020).
The Proposal provides a voluntary labelling of wellness applications if they are interoperable with EHR systems. Such a label would demonstrate that the respective application complies with the technical specifications for EHR systems.
Rules for Secondary Health Data Use
Secondary use describes the further use of health data that does not directly serve the treatment of the respective individual but goes beyond this. As it pertains to the secondary use of health data, the Proposal, in particular, provides the following essential rules:
- Secondary use should enable public and private organizations to have access to health data for purposes of research, innovation, policy making, educational activities, patient safety, regulatory activities, or personalized health care. Of particular importance for researchers as well as companies is the use of data for training, testing, and evaluating algorithms in medical devices (including digital health applications and AI systems).
- To fully unleash the benefits of the secondary use of electronic health data, existing data holders should contribute and make their data available under certain conditions. To ensure the quality of their data, data holders must improve their databases, for example by eliminating data incompleteness. As such burdens should not become disproportionate, small entities are excluded from the obligation to make their data available for secondary use.
- To obtain secondary data, companies and institutions need a permit from a health data access body in the Member States. Using the data is limited to specific purposes and only permitted in closed, secure environments and without revealing the identity of the individual. The future health data access bodies will be connected to a new decentralized platform (HealthData@EU).
- The Proposal also clearly regulates which secondary use is prohibited. This includes, for example, taking decisions detrimental to a natural person based on their electronic health data, excluding patients from the benefit of an insurance contract, performing advertising or marketing activities towards health professionals/organizations, or transferring data to unauthorized third parties.
Supervision and Enforcement
Under the Proposal, EU Member States must designate an independent digital health authority responsible for the implementation and enforcement of the rules on primary use of health data. In the event of breaches of these rules, the competent data protection authorities may impose fines under the GDPR of up to 20 million EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, one or more health data access bodies will have to be established, which will be responsible for granting access to data for secondary use. If recipients do not comply with the requirements for secondary use, health data access bodies may revoke an issued data permit and order that the respective electronic health data processing cease. If data holders seriously fail to provide data, health data access bodies may impose fines or exclude these companies or organizations from using the EHDS for up to five years. A new “European Digital and Health Data Board” would also be formed, which would have to coordinate with the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS).
What open questions remain?
The EHDS Regulation will have significant overlap with other legislation, such as the GDPR, the Medical Device Regulation (2017/745), the In Vitro Diagnostic Medical Device Regulation (2017/746), the Directive concerning security of network and information systems (2016/1148), as well as rules currently still in the making (e.g., the Data Governance Act, the Data Act, and the AI Act). If contradictions or frictions between the various sets of rules arise in practice, such as with the GDPR requirements, considerable legal uncertainty for the affected actors will result. It also remains to be seen how the technical requirements for the systems and applications are finalized; these will be decisive for a smooth implementation of the regulation.
The Proposal will now be discussed by the European Parliament and the Council and make its way through the legislative procedure. The European Commission aims to have the backing of all the EU Member States for the common data platform MyHealth@EU for patients by 2025, and then to unfold the platform’s full potential. We are following the negotiations on the proposal for the EHDS Regulation and will provide updates as this moves forward.