This is Part 2 in a series of articles on the European Health Data Space ("EHDS"). Part 1, which provides a general overview of the EHDS, is available here.
Alongside the better-known provisions of the EHDS dealing with secondary use of health data, the draft Regulation also sets out specific technical requirements for electronic health record systems (“EHR systems”). In so doing, the law attempts to ensure the interoperability of such systems within the EU, and therefore the secure and seamless processing and transfer of health data - a key objective of the EHDS.
The following article provides an overview of the key requirements that manufacturers of EHR systems will need to observe in order to be able to place an EHDS-compliant EHR system on the market.
What exactly is an EHR system?
An EHR system is any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view certain categories of personal electronic health data, and where the system is intended by the manufacturer to be used by healthcare providers in providing patient care, or by patients to access their health data.
As such, EHR systems lie at the heart of the EHDS – they are the central technical prerequisite for fulfilling the objective of ensuring the secure and smooth processing and cross-border transfer of health data.
An EHR system under the EHDS must consist of two core elements which form an integral part of the software:
- The interoperability component: EHR systems must have the ability to interact with software applications and devices from the same or different manufacturers in order to transfer and receive personal electronic health data. The technical specifications with regard to the health record exchange format which shall be commonly used to provide health data in a machine-readable format and support transmission of structured and unstructured health data will be determined by the European Commission.
- The logging component: EHR systems must be able to record logging information about access to personal electronic health data by users of the system. As a minimum standard, the logging information shall contain the following information for each access to the data:
  - Identification of the health provider or other individuals having accessed personal electronic health data;
  - Identification of the specific individuals having accessed personal electronic health data;
  - Categories of data accessed;
  - Time and date of access; and
  - Origin(s) of data.

Additional data quality requirements for EHR systems are to be determined by the European Commission by means of implementing acts.
Which requirements apply to the manufacturers of EHR systems?
To ensure compliance with the EHDS, manufacturers of EHR systems need to fulfil the following core requirements:
a) Ensure conformity with the essential requirements laid down in Annex II of the EHDS and the common specifications to be adopted by the EU Commission by way of a common template document
In common with other regulatory frameworks for products, manufacturers of EHR systems will need to undertake an assessment to demonstrate that their product complies with certain minimum requirements before it can be put onto the market in the EU. Those requirements, under Annex II of the EHDS, are:
- General requirements, such as designing the EHR systems in such a way as to ensure they are suitable for their intended purpose without putting patient safety at risk. In addition, EHR systems must be designed and developed in a way which allows the system to be supplied and installed in accordance with the instructions of the manufacturer without adversely affecting its characteristics and performance during its intended use.
- Requirements for interoperability, such as providing an interface enabling access to and receipt of personal electronic health data processed in the European health record exchange format. An EHR system must not include features that prohibit, restrict or place undue burden on authorised access or exporting of personal electronic health data for permitted purposes.
- Requirements for security and for logging, such as providing reliable mechanisms for the identification and authentication of health professionals and supporting different retention periods and access rights taking into account the origins and categories of electronic health data. EHR systems must include tools to review and analyse the log data or must support the connection and use of external software for the same purposes.
b) Draw up the technical documentation of EHR systems before placing them on the market, and subsequently keep it up to date
The technical documentation must be drawn up in a way that demonstrates conformity with the above-mentioned essential requirements, and must be provided upon request to the market surveillance authority at short notice. As a minimum standard, the technical documentation shall contain the following elements:
- A detailed description of the EHR system, including, among other things, its intended purpose, date and version of the EHR system, how the EHR system can be used to interact with other hardware and software, a description of the hardware on which the EHR system is intended to run, a description of the system architecture and the technical specifications such as features, dimensions and performance attributes;
- A detailed description of the system in place to evaluate the EHR system performance, where applicable;
- The references to any common specification used;
- The results and critical analyses of all verification and validation tests undertaken to demonstrate conformity of the EHR system with the requirements under the EHDS;
- A copy of the information sheet which accompanies the EHR system;
- A copy of the EU declaration of conformity.
c) Ensure that the EHR system is accompanied, free of charge for the user, by the information sheet and clear and complete instructions for use
EHR systems shall be accompanied by an information sheet for professional users which shall specify:
- the identity, registered trade name or registered trademark, and the contact details of the manufacturer and, where applicable, of its authorised representative;
- the name and version of the EHR system and date of its release;
- its intended purpose;
- the categories of electronic health data that the EHR system has been designed to process;
- the standards, formats and specifications and versions thereof supported by the EHR system.
d) Draw up the EU declaration of conformity
By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the EHR system with the requirements laid down in the EHDS when it is placed on the market or put into service. Annex IV of the EHDS sets out the specific information which needs to be included in the EU declaration of conformity.
e) CE marking
The EHDS stipulates that EHR systems shall be affixed with a CE marking. The CE marking shall be subject to the general principles for CE markings set out in Article 30 of EU Regulation 765/2008. The Member States should build upon existing mechanisms to ensure correct application of the regime governing the CE marking.
f) Representative in the EU
Manufacturers of EHR systems established outside the European Union shall appoint an authorised representative established in the European Union. The representative in the European Union shall, among other things, be authorised by the manufacturer to communicate with consumers and professional users and to cooperate with the market surveillance authorities.
As well as the above-mentioned requirements, there are also further requirements for manufacturers of EHR systems. These include a post-market surveillance regime of product monitoring as well as cooperation with the respective market surveillance authority. Further obligations also apply to other actors in the supply chain, including importers, other economic operators or distributors of EHR systems.
Conclusion
The EHDS is a ground-breaking law for manufacturers of EHR systems. It imposes a comprehensive pre- and post-market compliance framework that is designed to ensure that systems processing electronic health data are high-quality, secure, and capable of interoperability across the EU market. As such, manufacturers of EHR systems are well-advised to begin preparation on these requirements at an early stage in order to gain a competitive advantage and to ensure that their products are capable of being sold and used lawfully on the European market.