Impact of the European Health Data Area on Digital Health Providers


EU plans to create a new “European Health Data Area” (EHDS) will require digital health providers to meet a range of new legal requirements for the systems they use to process health data .

There is, however, uncertainty as to whether digital health providers will be obligated to make electronic health data generated by their software available to others when the EHDS begins operating.

What is the European Health Data Area?

The European Health Data Area (EHDS) aims to address health-specific challenges in accessing and sharing data. In particular, the EHDS:

  • gives patients new rights to control their electronic health data in the context of healthcare;
  • establishes a mandatory cross-border infrastructure enabling the use of electronic health data across the EU for the primary use of the provision of health services;
  • introduces obligations for “data holders” to make electronic health data available to third parties, including public sector bodies, for “secondary use”, and defines rules and mechanisms for this; and
  • lays down the rules for making electronic health record systems available on the EU market.

The European Commission’s proposal for the EHDS is currently being assessed by the two legislative bodies of the EU – the Council of Ministers and the European Parliament. There is a significant overlap between the proposal and other legal regimes – it has, for example, already been the subject of comments by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS ).

How does EHDS apply in the context of digital health?

According to the Commission’s proposal, manufacturers and suppliers of electronic health record systems and wellness apps placed on the market and put into service in the EU will be required to comply with the EHDS Regulation. Several provisions would impact digital health companies if passed as currently drafted.

Applicability and interoperability

For the purposes of the draft EHDS regulation, the electronic health record (EHR) is a set of electronic health data relating to a natural person, collected in the health system and processed for health care purposes. Any device or software produced by a manufacturer intended to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records will be considered a electronic health record system (EHR system). As such, any manufacturer who develops a health data management software product will be subject to the DHSE.

Manufacturers of “wellness applications”, i.e. devices or software intended by the manufacturer to be used for the processing of electronic health data for purposes other than health care, such as makers of apps that seek to provide individuals with wellness or nutrition information, or wearable devices that collect exercise data, will fall within the scope of the EHDS Regulation.

Interoperability and data portability between EHR systems is an essential feature of EHDS. Manufacturers of EHR systems will be required to ensure that these systems comply with the essential requirements set out in Annex II of the EHDS Regulation before placing them on the EU market.

In addition to patient safety requirements, Annex II sets out security and interoperability and compatibility requirements with other EHR systems and European infrastructures that will be established under the EHDS. In accordance with the data protection by design and by default principle of the General Data Protection Regulation (GDPR), manufacturers will be required to ensure that EHR systems are designed and developed in such a way as to ensure the safe and secure processing secure electronic health data.

Under the proposed EHDS Regulation, the Commission will also adopt common specifications concerning the essential requirements set out in Annex II, by means of implementing acts, including the deadlines for implementing those specifications. Common specifications may include elements related to datasets containing electronic health data and defining structures, e.g. data fields and data groups, technical specifications, standards and profiles for data exchange electronic health, and other data quality requirements.

When manufacturers of high-risk artificial intelligence (AI) medical devices and systems declare interoperability with EHR systems, those medical devices or AI systems will also need to comply with the essential requirements for interoperability under of the EHDS.

Manufacturers of wellness apps claiming interoperability with an EHR system and therefore essential requirements may voluntarily have their apps accompanied by a label indicating compliance with these requirements. In this case, the market surveillance authorities designated by the Member States will be required to verify their compliance.

Although it will be very difficult in the short term to ensure that EHR systems and other interoperable products comply with essential requirements and common specifications, it is hoped that in the longer term interoperability will reduce barriers and costs. which manufacturers face when seeking to enter another Member State’s market.

Security declaration obligations

When a serious incident involving an EHR system occurs, manufacturers will be required to report it to the market surveillance authorities of the Member State in which the serious incident occurred and provide details of the corrective measures taken or contemplated by the manufacturer.

Serious incidents that may lead to the death or serious damage to the health of a person or a serious disruption of the management and operation of critical infrastructures in the health sector will have to be notified immediately after a causal link between the DSE and the serious incident, or reasonable likelihood of such a link, has been established, and in any event no later than 15 days after the manufacturer became aware of the serious incident.

Individual data rights

The draft EHDS regulation provides that a series of additional rights will coexist with the rights of access and data portability that already exist under the GDPR. Under the proposal, these rights would only apply when an individual’s personal electronic health data is processed for a so-called primary purpose. Individuals would, for example, have the right to:

  • access their electronic personal health data processed in the context of a primary use, immediately, free of charge and in an easily readable, consolidated and accessible form;
  • insert electronic health data into their own EHR through electronic health data access services or applications linked to such services;
  • receive an electronic copy of their personal electronic health data in a format prescribed by the Commission, referred to in the draft regulation as the “European electronic health record exchange format”, whether or not the person has even shared their health information with the data holder; and
  • have a data holder access or transmit their personal electronic health data to another natural or legal person in the health or social security sector. Currently, a controller is only required to do so where such a transfer is “technically feasible” under the GDPR – no such qualification exists under the EHDS proposal.

Access rights and data portability are particularly likely to impact EHR systems and how they are developed and structured. The interoperability established under the EHDS will support these objectives, but secure access rights will be essential to the protection of personal data held in these systems.

Secondary Use of Electronic Health Data

One feature of the EHDS that is likely to have a huge impact on the digital health sector is the proposal to expand the availability of electronic health data for secondary use.

The EHDS establishes a regime that would authorize the further processing of electronic health data for a specific set of “secondary use” purposes, such as development and innovation activities for products or services contributing to public health. or social security, or for purposes of training, testing, and evaluating algorithms.

EHRs and electronic health data generated by people, including from medical devices, wellness apps and other digital health applications, all fall under the minimum categories of data that must be made available. by data holders for secondary use. The definition of “data holder” is broad and includes an entity in the health or care sector, or carrying out research in connection with these sectors, with the right, the obligation or the ability to make certain data available. The EHDS proposal clearly states that private entities are included in the scope of “data holders”, so the term could apply to digital health companies if they are considered part of the health and care sectors. .

However, the EDPB and the EDPS are of the view that electronic health data from wellness apps and other digital applications should be excluded from the scope of secondary use obligations under the ‘EHDS.

The watchdogs consider, among other things, that the health data generated by these applications does not have the same data quality requirements as those generated by medical devices. They also fear that apps and wearable technology generate huge amounts of data that can be invasive and allow inferences to be drawn about other aspects of an individual’s privacy. For example, it might be possible to infer an individual’s religious orientation based on data collected through a nutrition app.

The EDPS and EDPS recommended that, while such data remains within the secondary use obligations, individuals have the freedom to decide whether their personal data collected through wellness apps and other digital apps can be used for secondary use, and that data subjects are properly informed of their choices in this regard. Calls by the Guild of European Research-Intensive Universities also support this recommendation.

To look forward

The high-level requirements that manufacturers of EHR systems and wellness apps must meet under the proposed EHDS regulations are clear, but the practical implications of what this will mean and the specific standards that will need to be met remain to be seen. It is expected that these details will not be provided until much later, once the legislation comes into force.

Written by Anita Basi of Pinsent Masons.


Comments are closed.