On March 3, 2022, a leaked version of the proposed regulation establishing the European Health Data Area was published. The draft regulation will establish a common framework between EU member states for sharing and exchanging quality health data (such as electronic health records, patient registries and genomic data). The European Commission has not yet published an official version of the proposal. It should do so on May 3.
The leaked proposal is a long document (126 pages, excluding appendices) that contains a number of different sets of rules. The main elements that may be of interest to organizations in the life sciences sector are that the draft regulation:
- creates new rights for patients over their electronic health data and establishes rules regarding the use of electronic health data for primary care;
- establishes a pre-market conformity assessment requirement for electronic health record systems (“EHR Systems”);
- defines the rules that apply to digital health services and wellness applications; and
- introduces a harmonized regime for access to electronic health data for secondary use.
New patient rights and the use of electronic health data for primary care
The draft regulation gives patients new rights over their personal electronic health data (for example, patient summaries, electronic prescriptions and dispensations, medical images and image reports, lab results and discharge reports). These rights include:
- the right to access and correct their personal electronic health data immediately, free of charge and in an easily readable and accessible form, such as in a unified electronic health record, using a personal electronic health data access service;
- the right to grant or restrict third parties’ access to their personal electronic health data, as well as the right to object to the processing of their personal electronic health data in electronic form; and
- the right to have the recording of new electronic personal health data linked to a recognized electronic identification mechanism.
Healthcare professionals will be required to inform their patients about these rights. The draft regulation also grants healthcare professionals the right to access the personal electronic health data of the people under their treatment (regardless of the Member State in which the person is based), unless the person has restricted this access. Healthcare professionals will be required to keep their patients’ electronic personal health data up to date. When a healthcare provider or pharmacy uses an EHR system, that EHR system must have passed a pre-market conformity assessment (described below).
Pre-market conformity assessment requirement for EHR systems
The draft regulation defines an EHR system as “a solution or software intended by the manufacturer to be used for the storage, intermediation, import, export, conversion, editing and/or consultation of electronic health records” (Art. 4(6)). According to the draft regulation, EHR systems marketed in the EU must undergo a conformity assessment before being placed on the market. In order to pass conformity assessment, manufacturers of EHR systems must meet certain requirements relating to the quality, safety and interoperability of these systems, and establish the technical documentation required to demonstrate that the EHR system meets the requirements set out in the draft regulation. Once a notified body designated by the Member States issues a certificate of conformity for an EHR system, the manufacturer must affix a CE mark to the system. The Commission is required to maintain a publicly accessible database containing information on EHR systems that have received a declaration of compliance. The proposed regulation also imposes certain post-market requirements, including rules on serious incident reporting (that is to say, incidents which directly or indirectly result in or could result in (a) the death of a person or serious damage to the health of a person or (b) a serious disruption of the management and operation of critical infrastructures in the health sector).
Rules for digital health services and wellness apps
The draft regulation proposes to prohibit member states from imposing restrictions on the provision and receipt of digital health services (for example, dispensing of medicinal products or reimbursement of telehealth services), unless such restrictions are necessary and proportionate to safeguard legitimate interests under Union law. The draft regulation also provides for a voluntary labeling scheme for wellness apps (for example, mobile apps) that are interoperable with EHR systems.
Rules for Secondary Use of Electronic Health Data
The draft regulation requires providers of electronic health data to ensure that certain categories of electronic health data are made available to competent bodies, to be designated by Member States. These competent bodies are, in turn, required to consider requests from data users who wish to reuse health data for secondary purposes, for example for research, innovation, policy development, statistics and ensuring high standards of quality and safety in healthcare and medicines or medical devices, among others. Data users are only permitted to reuse health data after receiving a data permit from a competent authority.
The proposed data authorization framework addresses the issue that there is not yet harmonization across Member States on the appropriate legal basis for the processing of health data (and genetic data) for secondary use under Articles 6 and 9 of the GDPR. The proposed regulation would provide that the processing of personal electronic health data on the basis of the authorization issued under the regulation “shall be considered as enabling lawful processing within the meaning of arts. 6(3), 6(4) and, where appropriate, art. 9(2) (h), (i) or (j) of Regulation (EU) 2016/679” (Art. 76(6)).
Monitoring and Enforcement
Under the draft regulation, each member state is required to designate competent and independent public authorities responsible for implementing the regulation (including digital health authorities). These authorities are to cooperate with data protection authorities. In addition, the European Commission will establish a “European Digital and Health Data Committee”, composed of representatives of the competent authorities of all Member States and of the Commission. The committee will mainly have an advisory function, as well as supporting the implementation of the regulation and cooperation between the competent authorities. Each Member State is required to provide for “effective, proportionate and dissuasive” penalties in the event of infringement of the regulation.
Interaction with other laws
The draft regulation is without prejudice to existing legislation, such as the GDPR, the Data Bill, the Data Governance Bill and the AI Act. It aims instead to build on these laws but, unlike them, focuses only on the health sector and health data.