Making the most of health data: Commission publishes proposal for a European health data space


On May 3, 2022, the European Commission published its proposal for a regulation on the so-called European Health Data Area (EHDS), after a previous version was leaked in mid-March. The EHDS is part of the European Data Strategy and is the first proposal for a so-called Common European Data Space. It will be an integral part of the creation of a European Health Union. In particular, the EHDS is designed to:

  • Empower citizens to control and use their health data within the EU;
  • Fostering a single market for digital health services and products; and
  • Provide a framework for the use of health data for research, innovation, policy development and regulation.

It is hoped that the EHDS will drive the introduction of new and more innovative digital health products across the EU, while delivering significant cost benefits that will help improve the efficiency of health systems across the EU. the whole of the EU. However, several questions and issues surround the EHDS proposal, which will have important implications for a number of stakeholders in different sectors. Here we take a look at what the EHDS proposal contains and what companies need to do to prepare for it.

Secure health data environment

Basically, the EHDS aims to provide a secure and reliable health data environment for people whose health data is processed by health professionals for the purpose of providing health care – the so-called primary use. Regulating primary use is, in the Commission’s view, necessary to generate high quality and quantity of health data for reuse for research and other secondary purposes.

Services such as patient portals, which will be set up in each Member State, will give individuals more control over their health data and allow them to exercise their specific EHDS rights, such as the right to immediate and free access to their data in an easily readable, consolidated and accessible form, to transmit their data from one health (or social security) actor to another (also beyond EU borders) and to obtain information about healthcare providers who have accessed their data.

EU Member States must therefore develop access services for healthcare providers to ensure the mandatory recording and exchange of certain health data in an electronic format. Therefore, the Commission will implement legislation determining which – and how – healthcare providers and healthcare data should be registered.

A central platform – ‘[email protected]’ – will enable cross-border access to health data. This platform will be established by national contact points for digital health in each Member State. These touchpoints will be responsible for connecting primary user actors to the platform ensuring access and data exchange for individuals and healthcare providers across the EU. In line with the intentions of the Commission, this will facilitate the cross-border processing of EU residents.

The provisions on primary use raise many questions, especially with regard to the technical implementation of national access services in practice. In addition, since Member States have discretion regarding the technical development of their access services, the development of cross-border access infrastructure will be a major challenge. Furthermore, it is currently unknown how these access services will interact with electronic identification procedures.

Electronic health record systems

To promote interoperability and data portability, the EHDS introduces a mandatory self-certification system for electronic health record (EHR) systems and corresponding obligations for manufacturers, importers and distributors involved. The rules complement the requirements that were introduced on software by Regulation (EU) 2017/745 on medical devices and the proposed Artificial Intelligence Law, which the Commission says provides for a “regulatory gap” in this respect. regard.

Thus, EHR systems are solutions or systems intended by the manufacturer to be used to store, mediate, import, export, convert, edit or visualize electronic health data. They must be distinguished from software for general use, even when used in a health environment, and so-called well-being applications (the latter can however be voluntarily labeled provided that they are interoperable).

EHR systems placed on the EU market or put into service in the EU must comply with the so-called essential requirements relating to interoperability and security and be subject to common specifications adopted by the Commission. Manufacturers must, among other things, prepare technical documentation to prove the conformity of their EHR system, must draw up a respective EU declaration of conformity and affix a CE mark to each product. The EHDS further introduces a database for EHR systems and some so-called wellness applications, similar to EUDAMED, to improve overall transparency. The provisions relating to the EHR systems will be evaluated after five years, in particular as regards the introduction of a conformity assessment procedure involving notified bodies.

The current proposal raises several issues, and it remains to be seen whether and to what extent these will be addressed by the Commission as well as other stakeholders during the legislative process. For example, it is not yet clear how exactly the product scope will be distinguished, what the common specifications will look like and how the EHDS will work in relation to existing regulations in the Member States, for example, the telematics infrastructure in Germany.

Research, policy and regulation

The EHDS will also provide an extensive governance framework and access mechanism for the use of health data for research, innovation, policy development and regulation. Each Member State will set up a Health Data Access Body (HDAB), which will govern the granting of data requests from researchers, companies or institutions.

HDAB will only grant access to requested data if it is used for specific purposes and without revealing the identity of the individual, unless there is a specific justification for processing the data in the clear. It is also strictly forbidden to use the data for decisions harmful to citizens such as the design of harmful products or services or the increase of an insurance premium. Once a so-called data user, which can be any actor with a legitimate interest in reusing health data, is granted a data license, data holders must upload the health data to a secure processing. For the activities of the HDAB and the data holder, the data user must pay a fee proportional to the costs associated with making the data available. Also, the user of the data is required to make public the results of his research within eighteen months.

The provisions relating to the use of data in the EHDS pose many new questions for actors in the health sector, in particular with regard to the interaction with complex European legislation such as the GDPR or the upcoming data protection act. data and data governance law. Although the EHDS addresses some of these issues, others will only be resolved after its adoption through close cooperation of the HDABs with other competent authorities, in particular privacy authorities, and with the Commission.

Transitional provisions

The Commission’s EHDS proposal is only the start of the legislative process, which can take 12 to 18 months until the final text enters into force. As a European regulation, the EHDS directive will not need to be transposed into national law but will be directly applicable, according to the current text, 12 months after its entry into force. Certain provisions will apply one or three additional years later: This concerns in particular the provisions relating to the rights of access of individuals and health professionals to personal health data and, to our knowledge, also the provisions relating to the EHRs processing this data, depending on the category of health data. Internal EHR systems must comply with the EHR systems provisions three years after the regulation comes into force.

Preparing for the EHDS

EHDS has implications for many stakeholders. All companies active in the healthcare sector (for example, as manufacturers, importers or distributors of EHR systems or pharmaceutical companies engaged in research) should explore relevant opportunities and risks. Businesses not affected by the EHDS should monitor the Commission’s approach to the structure and regulation of the EHDS, which is the first of many data spaces envisaged by the Commission (e.g. for finance, mobility and energy).

Opportunities to engage in the legislative process should be explored. For example, for a minimum period of eight weeks, stakeholders can currently submit their comments to the Commission, which will then be presented to the European Parliament and the Council during the legislative debate.

Given the many issues surrounding the EHDS, the legislative process needs to be closely monitored, in particular with regard to its interaction with other relevant legislation (e.g. GDPR, NIS directive) and ongoing legislative procedures (in particular data law and artificial intelligence law).


Comments are closed.