In the middle of March 2024, the Council of the European Union and the European Parliament reached a deal on a provisional agreement for the European Health Data Space (“EHDS”) regulation as part of the broader EU data strategy. The Council of the European Union published the compromise text of this agreement as a work-in-progress which provides many insights into the forthcoming regulation and its implications.
What is the EHDS about
In a nutshell, the goal of the EHDS is to create a common infrastructure and governance framework for the accessibility of health data across the borders of Member States to support both healthcare delivery (“primary use”) and health research and policy-making (“secondary use”) in a secure and trustworthy way. The EHDS touches on different areas of law, such as medical law, data protection law and laws related to products used in a medical context. It also makes reference to several European directives and regulations.
In addition to the definitions contained in the specific legislation referred to by the EHDS refer, the EHDS itself provides, inter alia, the following key definitions that must be kept in mind in order to fully understand the scope and implications of the EHDS:
“EHR” means a collection of electronic health data related to a natural person collected and processed for the purpose of the provision of healthcare. This is, for example, in Germany, comparable to the electronic patient medical records.
“EHR system” refers to any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view personal electronic health data and is intended by the manufacturer to be used by healthcare providers for providing patient care or by patients to access their health data.
“Health data holder” is any natural or legal person, public authority, agency or other body in the healthcare or the care sectors including reimbursement services as well as any natural or legal person developing products or services intended for the health sector, developing or manufacturing wellness applications or performing research in the healthcare sector, who
- has the right to process electronic health data in its capacity as a controller or joint controller, including for the provision of healthcare, research and innovation purposes; or
- has the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data, trough control of the technical design of a product and related services.
This definition applies, for example, to hospitals as health care providers, companies which develop medical devices and pharmaceutical companies who are the data holders of their clinical trial data.
“Health data user” means a natural or legal person which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, data request or an access approval by an authorized participant in the framework for multi-country secondary use of electronic health data, HealthData@EU.
“Wellness application” means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on the health of individual persons, or the delivery or care for other purposes than the provision of healthcare.
In our opinion, this definition is broad enough to also cover medical devices as it explicitly includes appliances and software. However, it must be seen how this will be interpreted once the EHDS comes into force.
Who is affected by the EHDS?
The EHDS will be applicable to natural persons with regard to their health data, as well as companies and institutions in the healthcare sector. The following overview will focus on the effect of the EHDS on the latter. In order to determine which companies and institutions are affected by the provisions of the EHDS and who needs to take action under the EHDS, it is necessary to distinguish between primary and secondary use of health data:
Primary use
The primary use of health data to facilitate healthcare delivery and improve patient outcomes as governed by the EHDS generally affects two types of health data holders, the healthcare providers and the manufacturers of EHR systems. Manufacturers of wellness applications have the opportunity to claim interoperability with an EHR system, after relevant conditions are met.
(i) Healthcare providers:
To enable seamless cross-border healthcare delivery, healthcare providers shall register relevant personal health data free of charge in an electronic format to be determined by the EU Commission in an EHR System. The EU Commission will establish a central interoperability platform for digital health (the “MyHealth@EU” platform) to provide services to support and facilitate the exchange of personal electronic health data between national contact points for digital health of the Member States. More detailed criteria regarding how and to which extent the healthcare providers must register personal health data will be determined by the Member States.
Challenges: The main challenge for healthcare providers will be to implement robust interoperability standards and to ensure that their system can effectively communicate with other systems to secure effective provision of personal health data, both within their country and across the EU. This may involve an adjustment or upgrade of the existing infrastructure to support the requirements under the EHDS and to avoid the high effort of extracting and transferring data from disparate information systems. Healthcare providers must manage this potential transition carefully, including training staff and adapting workflows. When providing personal health data, the healthcare providers must maintain certain data quality requirements and must observe the requirements of applicable data protection and regulatory laws. With these legal circumstances in mind, it is essential to review possible technical solutions for their compliance with applicable laws.
(ii) Manufacturers of EHR systems:
EHR systems are crucial to achieve a seamless cross-border transfer of health data as the objective of primary use under the EHDS as they build the underlying infrastructure. The EHDS contains a whole chapter to set out the requirements on EHR systems and the obligations of manufacturers of EHR systems, such as including a so-called “European interoperability component for EHR systems” and a “European logging component for EHR systems”, sufficient technical documentation, affix a CE marking if applicable, cooperation with authorities etc. The European Commission will develop a European digital testing environment for the assessment of the harmonized components of EHR systems prior to putting them on the market.
Challenges: The requirements on the compliance of EHR systems with the provisions of the EHDS are high with regard to harmonized components as well as with regard to technical aspects in terms of security, identification and authentication and documentation obligations. As some components of EHR systems could potentially qualify as a medical device, manufacturers have the challenge to navigate how the requirements of the EHDS align with the requirements of other regulations, e.g., under medical or data protection laws. As EHR systems handle large amounts of sensitive personal data in the form of health data, manufacturers must enhance security measures to protect data privacy and prevent security incidents.
(iii) Manufacturers of wellness applications:
As the market of wellness applications and devices using wellness applications is steadily growing, the data collected and processed by such wellness applications may be valuable for the treatment of their users. In order to provide their users the feature to have the data collected by the wellness applications included in an EHR system, the manufacturers of wellness applications may claim interoperability with an EHR system after the relevant conditions are met. The data of the users of wellness applications will not automatically be shared with the EHR system as such sharing is subject to the consent of the users of the wellness applications.
Secondary use
The main purpose of secondary use of health data is to support research and innovation activities. Researchers will have access to larger amounts of high-quality data in a more efficient and cost-effective manner. Potentially, every health data holder will have to provide certain health data when requested by a natural or legal person. On the flipside, health data holders themselves can apply for access to health data and benefit from the system.
Member States shall designate Health Data Access Bodies ("HDAB") to receive, review and approve requests for access to health data and to be entrusted with the relevant tasks and powers with regard to the secondary use of health data.
The EHDS establishes a detailed procedure for access to electronic health data for secondary use. The request for access must be submitted to the competent HDAB and must include detailed information on, for example, the identity of the natural or legal person requesting access to the health data, the purposes for which access to the data is requested, the intended use and scope of the data and a description of the safeguards. Based on this information, the HDAB reviews the request and denies or approves the request for access to health data. In case of approval, the HDAB will request the health data holder to provide the relevant electronic health data. This data will generally be provided in an anonymised form. The HDAB may charge a fee for this service. These fees shall be proportionate to the costs of providing the data, including the costs of consolidating, preparing, anonymising, pseudonymising and making the electronic health data available.
Who is in charge?
Each Member State shall designate one or more digital health authorities responsible for the implementation and enforcement of the primary use of health data under the EHDS at national level. These digital health authorities shall be entrusted with various tasks and powers and shall serve as a contact point for complaints from natural persons in relation to the relevant provisions of the EHDS. In addition, the competent data protection authorities will cooperate with the digital health authorities and will be responsible for monitoring and enforcing the rights of data subjects under the EHDS.
With regard to the secondary use of health data under the EHDS, the HDAB shall be entrusted with monitoring and supervisory tasks. In addition, the data protection authorities shall be responsible for monitoring and enforcing the right to object to the processing of personal electronic health data for secondary use.
A European Health Data Space Board will also be established to facilitate cooperation and the exchange of information among Member States and the Commission.
When does the EHDS come into force?
The exact implementation date is not yet specified. However, it is expected that the provisional agreement will be endorsed by the European Council and the European Parliament and will be formally adopted by both within 2024. The EHDS shall then enter into force twenty days after its publication in the Official Journal of the European Union. In general, the EHDS shall apply 2 years after entry into force with exemptions for specific provisions which shall apply from 4 or from 6 years after entry into force. This applies, for example, for Chapter IV of the EHDS which governs the secondary use of health data and will apply from 4 years after entry into force.
Conclusion
The EHDS is a very ambitious project with the aim of creating an EU-wide common health data governance framework with a seamless exchange across EU borders to enhance healthcare delivery. Even though building the EHDS will require significant development efforts and numerous determinations and clarifications on EU and Member State level, it is already foreseeable that the EHDS will create a new market for EHR systems, as manufacturers of EHR systems will play an essential role in achieving interoperability and data exchange. In light of these considerations, healthcare providers and private companies should begin preparing for EHDS provisions now, in order to be able to implement and benefit from them once they come into force.
/Passle/596df0e43d947619ec025f26/MediaLibrary/Images/2024-06-07-08-32-37-760-6662c5a5e17f2f97387a4d96.png)
/Passle/596df0e43d947619ec025f26/SearchServiceImages/2024-06-28-12-58-36-879-667eb37c684459b968901a3e.jpg)
/Passle/596df0e43d947619ec025f26/MediaLibrary/Video/Transcoded/2024-06-28-11-44-02-495-CST0723_Pride_in_Life_Sciences_Zac_Fargher_Takeda_V/thumbnails/2024-06-28-11-44-02-495-CST0723_Pride_in_Life_Sciences_Zac_Fargher_Takeda_V_HLS_Video_2M_1080P_00002.png)
/Passle/596df0e43d947619ec025f26/SearchServiceImages/2024-06-18-13-00-23-373-667184e7ac267ede1239d93e.jpg)
/Passle/596df0e43d947619ec025f26/MediaLibrary/Images/2024-06-11-13-47-24-098-6668556c2247d4a71ef1f367.jpg)
