Secondary Use of Electronic Health Data


Regulating the secondary use of health data opens up opportunities for research and analysis, which can lead to scientific progress, new products and devices, digital innovation in the health sector and the improvement of the health system.

Categories of electronic data for secondary use

The draft regulation on the European health data area allows some re-use of personal health data collected in the context of primary use. Non-personal electronic health data, such as data collected for the delivery of health care more generally, may also be subject to secondary use for statistical or security purposes.

The draft regulations include a list of fifteen categories of electronic data that data holders can share for secondary purposes. Some of these categories are defined explicitly, such as electronic medical records. Others are described in general terms, allowing for different interpretations of the boundaries or scope of a given category, such as “data affecting health, including social, environmental and behavioral determinants of health”, or “electronic data related to insurance status, employment status, education, lifestyle, wellness and behavior data relevant to health”. In this way, in an effort to make as much data available for secondary use as possible, the European Commission would allow new types of data to be included in these categories.

The categories of data listed in the draft are defined as “minimum categories”. Their number can increase thanks to the mechanism foreseen in the draft. National health data access bodies may grant access to additional categories of electronic health data entrusted to them in accordance with the laws of the State concerned or on the basis of voluntary cooperation with data holders, mainly private entities in the health sector.

What is allowed

Secondary use of electronic health data could take place exclusively for the purposes specified in the regulations. The list of objectives is a closed list. This means that electronic data could only be accessed if the purpose pursued by the applicant is to fulfill one or more of the eight purposes listed in the regulation.

First on the list are activities undertaken in the general interest of society, such as public health surveillance, protection against cross-border health threats, ensuring the safety and high quality of health care and compliance with statistical obligations, also at the international level. Access to electronic health data for processing in the public interest is only granted to public sector bodies and to institutions, bodies, offices and agencies of the European Union carrying out tasks entrusted to them under Union or national law.

The second group of objectives includes education and teaching activities, scientific research, development and innovation activities undertaken in the health and care sectors.

Training, testing, and evaluating algorithms, including in medical devices, AI systems, or digital health applications, is listed as a separate objective.

A specific purpose justifying access to electronic health data is secondary use in the context of personalized health care, consisting in evaluating, maintaining or restoring the state of health of natural persons on the basis of the health data (for example, genomic information) of other natural persons.

What is prohibited

The secondary use of electronic health data, which constitutes a special category of personal data, must not have detrimental effects on natural persons. Therefore, the draft regulation prohibits requesting access to data and their processing if their purpose is to cause harmful legal effects or a similar significant impact on a natural person based on their electronic data, to aggravate the conditions or the exclusion of insurance for such a person, as well as for carrying out advertising activities, for allowing access to data by third parties without the required authorization, or even for manufacturing products (e.g. illegal drugs) or services that are harmful to individuals and the general public.

Data Access Authorization

According to the draft regulation, secondary use of data will be possible on the basis of a data access permit. This is an administrative decision issued by the health data access body, allowing the processing of the data specified in the authorization under the conditions defined by regulation. Electronic health data is transmitted in an anonymised form, unless specific authorized processing purposes require a pseudonymised form. The permit will have a fixed term, with a maximum of five years, which can be extended once for another five years. Access to data may also require the payment of a fee.

An important element of the authorization is information about the technical characteristics and the tools made available to the data user for the purpose of retrieving data from a secure processing environment. Electronic health data could only be accessed through a secure processing environment in which the data access organization applies the security measures specified in the regulations.

Health data from altruistic sources

The draft regulations also take into account an altruistic approach to health data. “Data altruism” is defined in the EU Data Governance Act (Regulation 2022/868) as “the voluntary sharing of data based on the consent of data subjects to process personal data relating to them, or authorizations from data holders to allow the use of their non-personal data without seeking or receiving reward…, for purposes of general interest as provided for by national legislation, where applicable, such as health, the fight against climate change [etc.] or for scientific research purposes of general interest”.

This collection of data for public interest purposes may be carried out by entities conducting non-commercial activities in countries that adopt national policies on data altruism.

The proposed regulations allow data altruism organizations to process electronic personal health data in a secure processing environment that meets the requirements established by the regulations. They also require health data access organizations to cooperate with the registration authorities of data altruism organizations in monitoring their activities.

Cross-border digital infrastructure for secondary use of electronic health data

The digital infrastructure for the secondary use of electronic health data provided for in the proposed Regulations is similar to that for the primary use of this data. It is called [email protected]. It consists of a central platform, set up and operated by the Commission, and the national contact points linked to it, which may be national bodies for access to health data. It is also possible to link a contact point from a third country.

European Union institutions, offices, bodies and agencies involved in scientific research, health policy or analysis are also authorized participants in the infrastructure, as are other research structures, mainly those dealing with health, which operate under EU law and which support the use of electronic health data for the benefit of the general public. Authorized participants will be jointly responsible for processing and the Commission will have the status of processor.

The draft regulation establishes rules for granting access to cross-border registers and databases, which will be specified in more detail in the Commission’s implementing acts. The cross-border infrastructure also simplifies the process when requesting access to electronic health data from multiple countries, allowing a single data access request to be submitted to the health data access agency in one selected state; that organization will then inform the competent organizations of the other States and the authorized participants in the [email protected] infrastructure.


