As part of its digital strategy, the European Commission is committed to creating a series of European data spaces in key strategic sectors that will complement the GDPR and ensure a high level of data security in the EU. The first concerns health data.
The Commission believes that EU-wide legislation is necessary because the EU GDPR leaves Member States some leeway in the field of health data, which has led to a lack of harmonization. Furthermore, although existing EU legislation from 2011 (Directive 2011/24/EU) includes rules on patients’ rights in cross-border healthcare, the provisions were voluntary and had limited impact.
As a result, the European Commission published on May 3, 2022 a draft regulation for a European Health Data Area (EHDS). The aim is to strengthen the links between national health systems across the EU through secure and efficient access and exchange of health data. This aims to optimize health care delivery, research and infrastructure across health systems. The EHDS also aims to create a uniform legal framework, in particular for the development, marketing and use of electronic health record (EHR) systems.
Pillars of the European Health Data Area
The EHDS is based on three pillars:
- establish a legal framework for data access and exchange
- ensure the quality and interoperability of (health) data
- create a solid infrastructure.
Legal framework for data access and exchange
The EHDS defines the requirements for the primary and secondary use of health data.
Primary use can be defined as the processing of personal electronic health data for the provision of health services. In the context of primary use, the EHDS contains a new right of access to health data by individuals, as well as new requirements for the processing of data by health professionals.
Access to data by individuals
The EHDS enshrines the right of individuals to immediately access, free of charge and in an easily readable, consolidated and accessible format, their personal electronic health data processed for primary use. To this end, they have the right to:
- receive an electronic copy of their patient file containing at least some (priority) data. To facilitate the exercise of these rights, Member States will be required to set up access and proxy services
- access, make changes to, and keep their electronic health record up to date
- to restrict access to their electronic health record to healthcare professionals and to obtain information about the people who have accessed it.
Data processing by healthcare professionals
The EHDS also contains provisions on access for healthcare professionals. Among other things, it stipulates that when they process data in electronic form, they must have access to their patients’ electronic health data, regardless of their Member State and the nature of their processing. Member States are obliged to provide the corresponding access services.
Healthcare professionals should have access to specified priority healthcare data, regardless of restrictions. This includes patient summaries, medical images and image reports, lab results and discharge reports. The European Commission will establish a European exchange format for these (priority) personal electronic health data in order to facilitate trans-European exchanges.
The EHDS defines further processing of health data, for example data previously collected and stored in hospitals or by other healthcare providers, as secondary use data. It defines the limited permitted purposes for the secondary use of health data. Whether the data was originally collected for primary use or directly for secondary use is irrelevant in this regard.
The secondary use of health data can be, among others, development and innovation activities, training, testing and evaluation of algorithms, or education and teaching activities. There are also prohibitions on certain types of processing, including, for example, using the data to make decisions that harm individuals; for promotional or marketing activities directed at healthcare professionals, organizations, or individuals (e.g., patients or study participants); or to develop products or services that may harm individuals or society.
Any secondary use of health data also requires prior approval from a competent body. This approval must specify in particular how and for what purpose the data may be used. Member States are required to set up a national body for this purpose to ensure that data is made available to data users after the request has been granted and to maintain an administrative system for registering and processing requests for access to data. data, data requests and data sharing approvals.
Data quality and interoperability
EHDS allows a number of ways to ensure and demonstrate data quality. These include an EU quality certification label, using metadata and source information, harmonized technical and data management processes, and transparency around access, delivery and enrichment. Datas.
The different national datasets will be interconnected and linked across the EU by the Commission through an ‘EU dataset catalogue’. This will also help ensure data quality in a broader sense, as users can consult this catalog for information on the data quality of datasets.
In order to ensure the protection of personal data as well as accessibility, data used for secondary use purposes must always be provided in an anonymous form. If the purposes of the processing cannot be achieved with anonymised data, access to pseudonymised data (e.g. information on symptoms or medication without reference to the identity of the person) is permitted provided that it there is no re-identification of the person.
Interoperability – requirements for EHR systems
In order to improve the interoperability of electronic health data, the draft regulations impose specific requirements on EHR systems (systems used in relation to electronic health records that are intended by their manufacturer for the primary use of health data). priority e-health). In particular, EHR systems can only be placed on the market and put into service if the specific requirements of the EHDS are met. These are mainly drawn from the criteria listed in Annex II which the Commission intends to further specify through implementing acts.
Among other things, the EHR systems must allow the complete exchange of electronic personal health data between different systems and be interoperable and compatible with the structures provided in the EHDS. Finally, they must not prohibit, restrict or unduly burden the authorization of use or access to health data.
Creation of a solid infrastructure
Creating a strong infrastructure is the third pillar to facilitate cross-border healthcare under the EHDS and secondary use by interconnecting authorized participants.
Particular innovations include the creation of an EHDS council, a cross-border infrastructure for the primary use of electronic health data ([email protected]) and cross-border infrastructure for the secondary use of electronic health data ([email protected]).
The EHDS Committee is intended to facilitate cooperation and the exchange of information between Member States. It will be composed of high-level representatives of digital health authorities and health data access bodies from all Member States.
[email protected] is a central platform which, through its services, will support and facilitate the exchange of electronic health data between the national digital health contact points that each Member State must designate. The Commission will adopt measures, by means of implementing acts, for the technical development of the platform, setting out detailed requirements regarding the security, confidentiality and protection of health data. In addition, the Commission will also set entry and exclusion conditions in [email protected]
[email protected] is composed of national contact points designated by Member States for the secondary use of health data by certain EU institutions and bodies, certain research infrastructures and (in certain circumstances) third countries and international organisations.
The European Parliament and the Council will now move the draft legislation forward, but it remains to be seen what their views on EHDS will be. All Member States are expected to participate in the [email protected] program by 2025.
The creation of a European health data space underpinned by data protection is seen by the Commission as key to advancing digitalisation and, by extension, the quality of healthcare in the EU. However, it will be necessary to wait and see if the EHDS in its current form can remedy the existing difficulties, in particular with regard to the secondary use of health data, given the complexity of the approval requirement.