On 24 April 2024 the European Parliament approved the Regulation on the European Health Data Space (“EHDS”), signaling a fundamental step toward the creation of a robust European Health Union.
This development was accomplished thanks to the agreement reached last 14 March between the Parliament and the Council of the European Union on the proposed Regulation submitted by the Commission on 3 May 2022.
The text of the Regulation will now have to be formally approved by the Council and will then enter into force 20 days after publication in the Official Journal of the European Union, which is expected in autumn.
The EHDS Regulation is one of the pillars of the Commission’s ambitious “European Data Strategy,” which already includes several pieces of legislation, and aims to create a “single market for data,” ensuring Europe’s global competitiveness and sovereignty over data, including through the creation of common spaces for information sharing.
In this context, the EHDS Regulation is an essential resource for the entire health sector, the adoption of which will improve people’s access to and control over their own health data, while allowing it to be reused for public interest purposes (so-called “secondary use”). The project envisions the creation of a specific environment for health data that will help promote a single market for digital health products and services, benefiting patients and the society as a whole.
The most significant changes introduced as a result of the agreement between the Parliament and the Council
Article 1(1) of the draft indicates that the Regulation establishes the European Health Data Space by identifying common rules, standards and infrastructure as well as a framework for the governance of health data, with the aim of facilitating access to electronic health data for primary and secondary use.
The Regulation will have an impact on an already highly regulated sector. For this reason, the proposal specifies that the Regulation is without prejudice to the application of European and national laws that already regulate the sector, including the GDPR, the e-Privacy Directive, Regulation (EU) 2018/1725, the AI Act – whose final approval is expected to be imminent – and the Medical Devices and In Vitro Diagnostic Medical Devices Regulations.
Provisions on EHR systems
The Regulation introduces the requirement that electronic health record systems (or “EHR systems”) comply with the specifications set forth for the European electronic health data exchange format, to ensure data security and make it possible to share data across member state borders.
Electronic health record system means any device or software used for processing electronic health records, the latter defined as any set of electronic health data collected in the health system, relating to an individual and used for health purposes.
One of the significant changes introduced by the agreement between Parliament and the Council concerns the obligation to adopt two software components (i.e., the “European interoperability component for EHR systems” and the “European logging component for EHR systems”) in EHR systems to ensure the possible sharing of data across the borders of member states.
The Regulation also introduces the European digital testing environment which is to be developed by the Commission for the evaluation of the components of EHR systems. In addition, member states shall establish a digital testing environment, in accordance with the specifications provided by the Commission in subsequent executive acts.
Before placing EHR systems on the market, manufacturers will be required to use the digital testing environments to evaluate their systems, and the results of the tests will have to be included within the technical documentation accompanying the systems.
A further novelty lies in the possibility for manufacturers of wellness applications to establish interoperability with EHR systems for the primary use of data, duly informing users. The sharing or transmission of data through such applications will be subject to the consent of the user, who will be able to choose which categories of health data available on the application they wish to include in the EHR systems.
The primary use of electronic health data
Article 5 of the EHDS Regulation identifies the categories of electronic health data (“priority categories of personal electronic health data for primary use”) that are to be made accessible and shared for purposes of healthcare and treatment, leaving it up to member states to add additional categories of information.
The European Commission will be in charge of clarifying, through appropriate implementing acts, the format for the exchange of this information, which must in any case be commonly used, machine-readable, and allow transmission of electronic health data between different software applications, devices and healthcare providers, supporting both the transmission of structured and unstructured health data.
The newly adopted text includes several articles that regulate in detail how patients and their representatives can exercise patients’ rights, including the right of access to electronic health data, the right to supplement such data directly through their electronic health record, the right to rectification of health data, and the right to portability of such data. In this context, the most significant novelty is the possibility for member states to provide for the right to opt-out, i.e., the right of patients to inhibit access to their health data both by health professionals, for primary use, and by other parties entitled to use the data for secondary use, although in that case the right to opt-out is subject to some strict conditions.
Another important innovation, included in the latest draft of the Regulation, is the prohibition on health care providers from charging fees:
- to patients, for requesting access to or sharing their health data; and
- to other parties, for making electronic health data available to them.
The secondary use of electronic health data
The Regulation identifies several purposes for which secondary use is permitted and others for which it must be considered radically prohibited. For example, purposes whose pursuit is permitted under the Regulation include those of public interest in the field of public health and labor, scientific research and policy making.
Article 33 of the draft also identifies minimum categories of electronic data for secondary use, with a far more substantial list than the one outlined in Article 5 for the primary use of health data. Also in this case, Member states may provide for additional categories of information to be made accessible for secondary use.
In the case of reuse of health data, the need to protect personal data as well as intellectual property rights and trade secrets remains intact. Member States will also be able to adopt stricter measures to regulate access to certain types of sensitive data (e.g., genetic data), for scientific research purposes, providing for additional limitations to those established by the Regulation.
The newly adopted text of the Regulation also includes an exemption from the obligations laid down in relation to the secondary use of electronic health data for individual researchers and individuals and legal persons that qualify as micro-enterprises.
What to expect from the European Health Data Space?
The establishment of the EHDS will have a significant impact on the entire health sector, being able to generate enormous benefits for public and private actors in this sector as well as for the community as a whole.
It is therefore important for practitioners to familiarize themselves with the contents of the Regulation in order to prepare for its entry into force and to consider how best to take advantage of the opportunities it offers.
However, the new arrangement also brings with it some significant risks, particularly for the privacy of individuals, for the protection of patients, and for the protection of trade secrets.
The hope is that the European institutions and member states will adequately address the critical issues related to the establishment of the EHDS through a comprehensive risk assessment and the adoption of appropriate measures to protect shared health data.
In our view, the success of the European initiative will depend in large part on the ability of the actors involved to make the operation of the EHDS secure and reliable. We deem it appropriate to quote in closing the words used by the EDPB and the EDPS in their joint opinion 03/2022 issued on the proposed Regulation: “The European Health Data Space should serve as an example with regard to transparency, effective accountability and proper balance between the interests of the data subjects and the shared interest of the society as a whole.”
On a similar topic, you can read the article “Italian retrospective scientific research no longer subject to privacy approval of the Data Protection Authority”.
Authors: Cristina Criscuoli and Roxana Smeria