The lead negotiators of the Council of the EU and the European Parliament have reached an agreement on a new EU regulation for the European Health Data Space (EHDS). Once adopted, the regulation will expand individuals’ access to and control over their personal electronic health data both on a national level as well as on a transnational level among EU member states (primary use of data) while simultaneously simplifying the exchange and access of health data for public interest and research purposes (secondary use of data).

According to the draft regulation, the software platform will also enable third-country organizations to access the health data of individuals in the EU as long as such third-country organizations comply with the rules of the General Data Protection Regulation (GDPR). Additionally, third-country organizations will be eligible for secondary use of data if they comply with the new regulations of the EHDS on the same level as any EU entity using such health data.

The draft regulation will now need to be endorsed by both the Council of the EU (Council) and the European Parliament (Parliament). Additionally, the exact wording of the new final regulation will need to undergo a lawyers’ review. The draft regulation was adopted by Parliament on 24 April 2024 and is expected to be formally adopted by the Council in the coming weeks—well before the upcoming EU elections in June of this year. The draft regulation will become effective 20 days after publication in the Official Journal of the European Union (publication).

The final regulation will become effective two years after its publication. Chapter IV, containing regulations on the secondary use of data, will apply four years after its publication, with certain exceptions for categories of electronic data subject to the secondary use of data, such as human genetic, epigenomic, and genomic data, data from clinical trials, and data from research, which will apply six years after the date of publication.

The final regulation aims at designing the EHDS as a trusted environment for secure access to and processing of a wide range of health data. It is based on, among others, the GDPR, the Data Governance Act, the Data Act, and the NIS Directive. These legal acts contain provisions (including security measures) that also apply to the healthcare sector. (For an in-depth analysis of the Data Act, please refer to our 5 December 2023 Law Flash.) However, in order to take into account the particular sensitivity of health data, more specific rules are being developed in the draft regulation.

The EHDS sets out a common EU framework allowing for anonymized and/or pseudonymized use of health data for research, innovation, public health, policymaking, regulatory activities, and personalised medicine. It will draw on the creation of a new and decentralised EU infrastructure for the secondary use of data (HealthData@EU) that will connect health data access bodies which should be set up in all EU member states.

BACKGROUND OF THE EHDS

In the 2020 communication A European strategy for data, the EU Commission proposed nine common data spaces to be developed within the EU. The EHDS is the first of the European common data spaces designated for health data. As a regulation (Verordnung) the final regulation will come into effect without further implementation laws of the EU member states. However, certain sections and chapters of the draft regulation currently call for the EU member states to implement certain modifications (see below).

The final regulation will set out the EHDS as a health-specific set of rules, common standards and practices, infrastructures, and governance framework that aims to:

• Empower individuals through increased digital access to and control of their electronic personal health data, nationally and EU-wide (primary use of data)
• Foster a single market for electronic health record (EHR) systems, relevant medical devices, and high-risk AI systems
• Provide a trustworthy and efficient set-up for the secondary use of data (for research, innovation, policymaking, and regulatory activities).

KEY ELEMENTS OF THE DRAFT REGULATION

The draft regulation between the Council and the Parliament covers the following key areas:

• Opt-out (primary use of data): The EU member states shall allow patients to opt out of the access and use of their health data by a healthcare professional. Article 8 of the draft regulation does not include any specific procedure as to how this right may be exercised and does not specify if such restricted access to health data may be circumvented by healthcare professionals in a case of imminent danger to the patient.
• Opt-out (secondary use of data): All EU member states will implement an opt-out for further use of health data. However, they may each allow for justified exceptions to the opt-out right for purposes of public interest, policymaking, statistics, and research. These exceptions will respect the essence of the fundamental human rights of the patients and need to be proportionate.
• Sensitive data: All EU member states may put in place an absolute right to object to access by anyone except the original healthcare provider who provided the treatment. If they choose to do so, they should establish the rules and specific safeguards regarding such mechanisms. Such rules and specific safeguards may also relate to specific categories of personal electronic health data—for example, genetic data.
• Trusted data holders: In order to reduce the administrative burden, EU member states may establish trusted data holders that can securely process requests for access to health data.
• Data localization: Article 60aa of the draft regulation states that generally all health data of the EHDS will be processed and stored within the EU. However, as an exception, the health data may be stored and processed in third countries covered by an adequacy decision pursuant to Article 45 of the GDPR.
• Clinically significant findings: If researchers inform health data access bodies about findings that may impact the health of a patient whose data was used in the scientific research, the respective health data access body may inform the trusted data holder, who must inform the patient or the relevant treating health professional about these findings.
• EHR systems assessments: The draft regulation provides for an initial digital testing environment that must be introduced before any EHR systems are put on the market or into service.

HOW EU MEMBER STATE CITIZENS WILL ACCESS THEIR HEALTH DATA

According to the EU Commission’s policy programme The Path to the Digital Decade, all EU citizens shall, by 2030, have their electronic health data available via access points established by EU member states. A cross-border digital infrastructure (MyHealth@EU) for the primary use of data will connect EU member states and allow patients to share their health data. All EU member states must appoint digital health authorities that will participate in the cross-border digital infrastructure and that will support patients to share their data across borders. The EU member states must appoint the digital health authority as soon as Chapter II of the draft regulation applies (two years after its publication). The supervisory authorities that are responsible for monitoring and enforcement of the GDPR shall also be competent for monitoring and enforcement of the EHDS.

EU member states will also ensure that patient summaries, e-prescriptions, images and image reports, laboratory results, and discharge reports are issued and accepted in a common European format. The European EHR exchange format is stipulated in Chapter II of the draft regulation. As this chapter applies starting two years after publication of the final regulation, we expect the European EHR exchange format to be released by then.

WHO WILL IMPLEMENT AND OVERSEE THE SECONDARY USE OF DATA

Those institutions that wish to reuse health data will need to apply for a permit from a health data access body. The data permit sets out how the data may be used and for what purpose. The health data may only be accessed and processed in closed secure environments to be provided by the health data access bodies with clear standards for cybersecurity.

The draft regulation does not specify which entity (or entities) shall undertake the role of “health data access body” but leaves this decision up to the EU member states. In Germany, the Federal Ministry of Health (Bundesgesundheitsministerium) is currently in the process of establishing a central access and coordination authority regarding health data (Datenzugangs- und Koordinierungsstelle für Gesundheitsdaten) which will probably become the competent authority for the implementation of the final regulation and the EHDS. Until such central authority is established the task may fall to the Health Research Data Center (Forschungsdatenzentrum Gesundheit) which is currently established at the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte) and is the competent authority when it comes to the implementation of the GDNG (Gesundheitsdatennutzungsgesetz).

WHO WILL OVERSEE COMPLIANCE WITH THE FINAL REGULATION ON AN EU LEVEL

A new EHDS board chaired by the EU Commission will be created, composed of the representatives of all digital health authorities and health data access bodies from all the EU member states and observers, depending on their area of work. It will contribute to the consistent application of the final regulation throughout the EU, coordinate and exchange best practices, and cooperate with other bodies at EU level.

EU member states will cooperate at EU level to ensure the smooth functioning of the two cross-border digital infrastructures (primary use of data and secondary use of data).

[View source.]