Under the EHDS, EU citizens’ health data, such as doctors’ letters, medical reports and prescriptions, will be recorded electronically. Citizens must be able to access their personal data. At the same time, the Commission also wants the data to be available for the research and development of new drugs, medical technologies and treatment methods.
According to the Commission, there is not enough data available in the EU for development and research in the health sector. This is due to the fragmentation of standards and specifications for storing and sharing health data in different Member States, and it strongly hampers innovation in digital health, such as the development of new health products and services, the Commission said. To solve this problem, it proposed a new regulation to grant rights of access to health data in specific circumstances.
The Commission stressed the importance of the EHDS complying with the data protection rules in the EU. It said researchers, industry and public institutions will only have access to health data collected in the EHDS for purposes that benefit individuals and society. Additionally, they will only be able to access data that does not reveal the identity of the data owner.
Under the legislative proposal, so-called “data users” can access and process health data for different permitted purposes set out in the legislation. Anyone who carries out activities for reasons of public interest – including industry – can be considered a “data user”. The purposes of particular interest for the processing of health data in the health sector are development and innovation activities for products or services contributing to public health as well as the training, testing and evaluation of algorithms, including in medical devices, AI systems and digital health applications, contributing to public health. “Either of these goals will put healthcare providers in a better position to harness the potential coming from health data that could help them develop new drugs or new devices involving AI,” said Daniel Widmann, expert in digitization projects and data protection law at Pinsent Masons.
Under the proposed legislation, data users would only be able to access and process health data if they obtain a data permit from national health data access bodies – which would have to be established by member states. The data license defines how the data can be used and for what purpose. In order to have access to data for the permitted purposes, a data requester should submit a data subject access request, which must meet certain requirements. Among other things, a detailed explanation of the intended use of the electronic health data, a description of the electronic health data requested and a description of the safeguards provided to prevent any other use of the electronic health data must be provided.
“It is a positive sign that the Commission has identified that increased access to health data is needed to promote digital health innovation in the EU,” said Widmann. “However, it remains to be seen whether the planned national health data access bodies can actually promote access to health data or will become a bottleneck. An alternative approach to creating government bodies regulating access to health data would have been to take the risk of GDPR based on an approach based on self-certification by data users.”
Widmann said such self-certification should take into account the sensitivity of health data and impose specific requirements, particularly regarding the security of the processing. “This approach may have the added benefit of reducing bureaucracy and may lead to increased availability of health data,” he said.
According to the Commission, the EHDS complements the GDPR and other EU legislation on data governance and information security by providing tailor-made rules for the healthcare sector. Lidia Vidal, information technology and data law expert at Pinsent Masons, said: “The legislative proposal aligns with the GDPR’s ‘data protection by design’ principle, stating that the use of anonymized electronic health data should be available where possible and if requested by the data user, unless the purpose of the processing by the user cannot be achieved with anonymized data, in which case the data will be provided in a pseudonymised format.” She also said that data users are not recommended to attempt to re-identify individuals from the dataset provided, as they could be penalized for doing so.
Vidal stressed that the processing of health data can only take place in secure processing environments, with the appropriate technical and organizational measures and security and interoperability requirements in place and in accordance with Article 50 of the proposed EHDS legislation. “Organizations obtaining access to EHDS data should ensure that only those authorized by the data license can access the data. These individuals should adhere to very high privacy and cybersecurity standards,” Vidal said.