What is the European Health Data Space?
On 3 May 2022, the EU Commission published a draft Regulation on the European Health Data Space (“HDS”). The Regulation is the first sector-specific proposal in the Commission’s “European Strategy for Data”, which aims at creating a ‘single market for data’, thereby unlocking greater access to data whilst still safeguarding fundamental rights (such as data privacy and IP).
The Regulation will attempt to make it easier to use and share electronic health data throughout the EU, both for primary purposes (i.e., patient treatment) as well as secondary purposes (such as research and public health planning).
What do I need to know?
Here are 5 key takeaways from the draft Regulation:
1. Part of a broader package of EU data reform.
It’s important to remember that the Regulation does not exist in isolation. As mentioned above, it is part of an ambitious strategy for data that also includes parallel legislative proposals such as the Data Act and the Data Governance Act. It will also need to function alongside existing regulation of data in the EU, most notably the GDPR. However, HDS is significant because it is the first sector-specific proposal in the EU’s data strategy – highlighting the importance that the EU places on health data to Europe’s economy and society.
2. Promotes secondary use of health data for research.
The Regulation aims to make it easier for organisations to access electronic health data for secondary purposes, such as research and the training and testing of algorithms / AI systems. Electronic health data is broadly defined and would appear to encompass not just data generated in the context of the provision of healthcare services, but also (for example) clinical trial data, public health registry data, and data about healthcare professionals (HCPs).
Holders of such data will have to make it available to prospective data users, and applications to access the data will be overseen by ‘health data access bodies’ established by each Member State. These bodies will grant ‘permits’ to data users, permitting them access to health data from a data holder. The Regulation foresees data holders being able to charge fees to data users for providing access to the data.
Where health data is re-purposed, the Regulation provides that both: (i) data protection; and (ii) IP rights / trade secrets, must be preserved.
3. Will provide a legal basis for processing health personal data.
Alignment with GDPR and the protection of personal data is a key concern of the Regulation. The Regulation provides that, wherever possible in connection with the secondary purpose, anonymised health data must be used. Where this isn’t possible, then pseudonymised data must be used instead. The data access application submitted by the prospective data users must contain a description of the safeguards and security measures that will apply to the health data.
The Regulation is intended to provide the legal basis (under both Articles 6 and 9 GDPR) for the processing of personal data necessary to make electronic health data accessible for secondary use (Recital 37). Consequently, the implication seems to be that, if data holders and data users comply with their obligations under the Regulation, they should not have any difficulty in demonstrating a legal basis for GDPR compliance. This responds to a key difficulty which has long plagued the re-use of health data in the EU – uncertainty and inconsistency regarding applicable legal bases and their potential availability in this context.
4. Creates requirements for manufacturers of Electronic Health Record (EHR) systems.
The Regulation creates a range of requirements for the manufacturers of EHR systems – i.e., software used for processing electronic health records, which are any records collected in the health system, related to a natural person, and used for healthcare purposes.
In common with other EU product safety frameworks, EHR system manufacturers will need to prepare technical documentation, information sheets and declarations of conformity, and will need to apply CE markings. Member States will need to designate market surveillance authorities, and there will be incident reporting and other post-market surveillance obligations in relation to EHR systems.
5. Removes barriers to cross-border use of health data for primary purposes.
In addition to promoting greater secondary use of electronic health data, the Regulation will also make it easier for health data to be processed across the EU for primary purposes associated with the delivery of healthcare to the patient.
Part of this will be about ensuring consistent and interoperable standards for EHR systems (see above). In addition, patients will have rights to access their electronic health data (whether personal or non-personal data) in a common format, and to exchange and to provide access to personal electronic health data to the healthcare professionals of their choice, in a way that builds on, but goes beyond, the right to data portability under GDPR. Meanwhile, HCPs will be able to access the electronic health data of their patients, irrespective of the Member State in which that health data was created / resides.
These difficulties have not been fully resolved by the EDPB’s ‘Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research’. In this respect, we also await with interest the promised but now overdue guidelines of the EDPB on scientific research purposes.