What is the European Health Data Area?
On May 3, 2022, the European Commission published a draft regulation on the European health data area (“HDS”). The regulation is the first sectoral proposal of the Commission’s ‘European data strategy’, which aims to create a ‘single market for data’, allowing better access to data while safeguarding fundamental rights (such as privacy data and intellectual property). .
The regulation will attempt to facilitate the use and sharing of electronic health data across the EU, both for primary (i.e. treatment of patients) and secondary (such as research and planning) purposes. public health).
What should I know?
Here are 5 key takeaways from the proposed regulations:
1. Part of a wider EU data reform package.
It is important to remember that regulation does not exist in isolation. As mentioned above, it is part of an ambitious data strategy that also includes parallel legislative proposals such as the Data Act and the Data Governance Act. It will also need to work alongside existing data regulations in the EU, including GDPR. However, HDS is significant because it is the first sector specific proposal in the EU Data Strategy – highlighting the importance the EU places on health data for the European economy and society.
2. Promotes secondary use of health data for research.
The regulations aim to make it easier for organizations to access electronic health data for secondary purposes, such as research and training and testing of AI algorithms/systems. Electronic health data is broadly defined and appears to encompass not only data generated in the course of health service delivery, but also (for example) clinical trial data, public health registry data and data on health professionals.
Holders of this data will have to make it available to potential users of the data, and data access requests will be overseen by ‘health data access bodies’ established by each Member State. These bodies will grant “permits” to data users, allowing them to access a data holder’s health data. The regulation provides that data holders can charge data users fees for data access.
When health data is reused, the regulation provides for both: (i) data protection; and (ii) intellectual property rights/trade secrets must be preserved.
3. Will provide a legal basis for the processing of personal health data.
Alignment with the GDPR and the protection of personal data is a major concern of the regulation. The regulation provides that, as far as possible within the framework of the secondary purpose, anonymised health data must be used. Where this is not possible, pseudonymised data should be used instead. The data access request submitted by potential data users should contain a description of the safeguards and security measures that will apply to the health data.
The Regulation aims to provide the legal basis (under Articles 6 and 9 of the GDPR) for the processing of personal data necessary to make electronic health data accessible for secondary purposes (recital 37). Therefore, the implication seems to be that, if data holders and data users comply with their obligations under the regulation, they should have no difficulty in demonstrating the legal basis for GDPR compliance. This addresses a key difficulty that has long plagued the re-use of health data in the EU – the uncertainty and inconsistency regarding the applicable legal bases and their potential availability in this context.
4. Creates Requirements for Manufacturers of Electronic Health Record (EHR) Systems.
The regulations create a series of requirements for manufacturers of EHR systems – i.e. software used for processing electronic health records, i.e. all records collected in the EHR system. health, linked to a natural person and used for health care purposes.
As with other EU product safety frameworks, manufacturers of EHR systems will need to prepare technical documentation, information sheets and declarations of conformity, and will need to apply CE markings. Member states will have to designate market surveillance authorities, and there will be incident reporting and other post-market surveillance obligations in relation to EHR systems.
5. Remove barriers to cross–border use of health data for primary purposes.
In addition to promoting greater secondary use of electronic health data, the regulation will also facilitate the processing of health data in the EU for primary purposes related to the provision of health care to the patient.
Part of this will be ensuring consistent and interoperable standards for EHR systems (see above). In addition, patients will have the right to access their electronic health data (whether personal or not) in a common format, and to exchange and provide access to personal electronic health data to healthcare professionals. of their choice, in a way that builds on, but goes beyond the right to data portability under the GDPR. In the meantime, healthcare professionals will be able to access their patients’ electronic health data, regardless of the Member State in which this health data was created / resides.