The European Health Data Space – A Trojan horse for Pharma and Medtech? | Insight


The draft regulation on the European Health Data Space (EHDS) is flying under the radar of some industry players. It is only one part of the tidal wave of European data legislation now arriving (alongside the Data Act, the Data Governance Act and the AI Act), so it can easily get lost in the noise.

But take a closer look and the EHDS has complex implications for a range of actors, from pharma and medtech to hospitals, public health organizations and even big tech. Not all of it is good news. It is true that innovators may gain a new regulatory pathway to access datasets, and that data subjects get new, expanded rights over their health data. But there is a flip side. Organizations may be forced to hand over potentially valuable datasets, possibly to competitors, and there is a lack of clarity on key issues such as how intellectual property rights (IPRs) are preserved and how the EHDS interacts with Member States’ existing laws on patient confidentiality.

We’ve distilled the main points below into three key topics:

  1. New regulatory pathways to access health datasets for research and innovation
  2. A New Product Safety Regime for EHR Systems
  3. Rights of data subjects strengthened

If you want to know more, please contact us.

1. New regulatory pathways to access health datasets

The EHDS introduces a new regulatory pathway under which “data holders” (broadly defined to include most hospitals, public health organizations, the pharmaceutical industry and medtech) must make a wide range of “electronic health data” available to “data users” for a defined list of permitted secondary uses. These permitted uses include scientific research, certain development and innovation activities, and the training of algorithms. This will be welcome news for AI developers, who need large amounts of data to train and validate their models.

In order to obtain these datasets, data users must either:

  • submit a successful request to a newly created health data access body (one is to be set up in each Member State). They will then receive a data permit to access multiple datasets from multiple data holders; or
  • if the data user names only one data holder in one Member State in its request, request the data directly from that data holder (i.e. there is no need to go through a health data access body). If the request is successful, the data holder should be able to issue a data permit directly to the data user.

Addressing General Data Protection Regulation (GDPR) shortcomings: This new avenue for accessing datasets could be heavily used by the research community, as it is likely to be perceived as a more permissive framework for data access. The proposals are (in part) a legislative reaction to the GDPR’s failure to give the private and public sectors workable access to personal health data for research purposes:

  • To the extent that electronic health data includes personal data for the purposes of the GDPR, Member States have applied the GDPR inconsistently with respect to the legal bases for processing: some Member States require data subjects to give GDPR consent to the processing of their personal data for research purposes, while others require or encourage industry to rely on other processing bases. This has created significant confusion and delays for researchers across the EU seeking access to datasets that include personal data.
  • Recital 37 corrects this shortcoming by clarifying that the data user and the data holder can process personal data on grounds other than GDPR consent (under Articles 6 and 9) throughout the EU. This facilitates more “frictionless” access for researchers.
  • The EHDS Regulation simplifies GDPR compliance by establishing legal bases for processing, safeguards for processing and trusted governance for providing access to health data (through the health data access bodies).

But if you dig a little deeper, a few cracks start to show in this new path:

  • Electronic health data is much broader than you might initially think: the categories of electronic health data that data holders may be required to make available go far beyond the concept of “health data” in the GDPR. To take just a few examples, they include clinical trial data; medical device data; patient registries; identification data relating to healthcare professionals; and electronic data relating to insurance status, employment status, education, lifestyle, wellness and health-relevant behaviour. Both personal and non-personal data are captured. It will be no small feat for data holders simply to map where these datasets sit within a large organization, let alone to action data access requests against them.
  • The elephant (or elephants) in the room: IPR, privacy and local restrictions on sharing patient information: it is unclear to what extent these data sharing obligations compel a data holder to disclose trade secrets, or how the EHDS Regulation intends to preserve IPRs in practice once data is disclosed to third parties (a fundamental question for the life sciences industry). The EHDS Regulation also does not adequately address the limits that Member State laws on medical secrecy, ethics approval requirements and patient confidentiality place on data sharing. If a data holder is restricted in what it can share under Member State law, how does that fit into an EU-wide data sharing framework?
  • More strain on legal teams? Organizations that hold larger volumes of electronic health data are more likely to be the target of direct dataset access requests from data users. Data holders will need to put in place the infrastructure and expertise required to assess and process data applications and requests. This will be a problem not only for the private sector, but also for public sector hospitals and beleaguered public health agencies acting as data holders (which are still facing the fallout of the pandemic and unprecedented demands on an already overloaded system).

2. A New Product Safety Regime for EHR System Manufacturers

The EHDS imposes a new product safety regime for EHR systems, which is effectively a “lite” version of the EU Medical Device Regulation (EU MDR). The new regime applies to organizations acting as a manufacturer, importer or distributor of an EHR system.

It fills a “regulatory gap”: EHR systems tend not to be regulated as medical devices under the EU MDR, nor do they fall squarely within the scope of other targeted EU product safety regimes.

The good news is that manufacturers will be able to self-assess conformity and affix the CE marking themselves (Notified Body involvement is not required). However, economic operators throughout the EHR system supply chain will need to put in place the processes necessary to ensure compliance. Manufacturers will need to ensure that technical documentation is in place, that conformity assessments are carried out against the proposal’s essential requirements (which cover interoperability and security), and that they comply with post-market surveillance obligations.

3. Enhanced rights of data subjects

One of the fundamental principles of the EHDS Regulation is to allow patients to exercise various rights over their electronic health data. It does so by building on the data access and data portability rights of the GDPR.

Under the EHDS, individuals have enhanced rights to access and receive a copy of their personal electronic health data processed for primary use, to rectify their electronic health data, and enhanced data portability rights. The EHDS also builds the infrastructure for patients to exercise these rights in practice, including through the obligations it places on EHR system manufacturers.

