26 juillet 2022
As part of its digital strategy, the European Commission has committed to creating a series of European data spaces in key strategic sectors which will complement the GDPR and ensure a high standard of data security in the EU. The first of these is for health data.
The Commission believes EU-wide legislation is needed because the EU GDPR leaves Member States some space in the area of health data, which has led to a lack of harmonisation. Additionally, although existing EU law from 2011 (Directive 2011/24/EU) included rules on patients' rights in cross-border healthcare, the provisions were voluntary and have had a limited impact.
As a result, the European Commission published a draft Regulation for a European health data space (EHDS) on 3 May 2022. The aim is to strengthen the links between national healthcare systems throughout the EU by means of secure, efficient access to and exchange of health data. This is intended to optimise healthcare delivery, research and infrastructure across health systems. The EHDS also aims to create a uniform legal framework, in particular for the development, marketing and use of electronic health records (EHR) systems.
The EHDS is based on three pillars:
The EHDS sets out requirements for primary and secondary use of health data.
Primary use can be defined as the processing of personal electronic health data for the provision of health services. In the context of primary use, the EHDS contains a new right of access to health data by individuals, as well as new requirements for data processing by health professionals.
Data access by individuals
The EHDS establishes the right of individuals to access their personal electronic health data processed for primary use immediately, free of charge and in an easily readable, consolidated and accessible format. To this end, they have the right to:
Data processing by healthcare professionals
The EHDS also contains provisions on access for healthcare professionals. Among other things, it stipulates that where they process data in an electronic format, they should have access to the electronic health data of their patients, irrespective of their Member State and of the nature of their treatment. Member States are required to provide corresponding access services.
Health professionals must have access to specified priority health data irrespective of any restrictions. This includes patient summaries, medical images and image reports, laboratory results and discharge reports. The European Commission will establish a European exchange format for this personal (prioritised) electronic health data to facilitate trans-European exchange.
The EHDS defines the further processing of health data, eg data previously collected and stored in hospitals or by other healthcare providers, as secondary use data. It sets out limited permitted purposes for secondary use of health data. Whether the data was initially collected for primary use or directly for secondary use is irrelevant in this regard.
Secondary use of health data may be for, among other things, development and innovation activities, training, testing and evaluating algorithms, or education and teaching activities. There are also prohibitions on certain types of processing including, for example, using the data to make decisions that are detrimental to individuals; for promotional or marketing activities directed at healthcare professionals, organisations or individuals (eg patients or study participants); or to develop products or services that may harm individuals or society.
Any secondary use of health data also requires prior approval by a competent body. This approval must state, in particular, in what way and for what purpose the data may be used. Member States are obliged to establish a national body for this purpose to ensure the data is made available to data users after the request has been granted and to maintain an administrative system to record and process data access requests, data inquiries and data sharing approvals.
The EHDS allows for a number of ways to ensure and demonstrate data quality. These include an EU quality certification label, using metadata and source information, harmonised technical and data management processes, and transparency around access, provision, and data enrichment.
The different national datasets will be interconnected and linked across the EU by the Commission through an ‘EU Datasets Catalogue’. This will also help ensure data quality in a broader sense, as users may consult this catalogue for information on the data quality of the datasets.
In order to ensure the protection of personal data as well as accessibility, data used for secondary use purposes data must always be provided in anonymised form. If the processing purposes cannot be achieved with anonymised data, access to pseudonymised data (eg information on symptoms or medication without reference to the identity of the person) is allowed provided there is no re-identification of the individual.
To improve interoperability of electronic health data, the draft Regulation places special requirements on EHR systems, (systems used in connection with electronic health records which are intended by their manufacturer for the primary use of prioritised electronic health data). In particular, EHR systems may only be placed on the market and put into operation if the specific requirements of the EHDS are met. These are primarily taken from the criteria listed in Annex II which the Commission intends to specify further by means of implementing acts.
Among other things, EHR systems must enable the comprehensive exchange of personal electronic health data between different systems and be interoperable and compatible with the structures provided for in the EHDS. Finally, they must not prohibit, restrict or place an undue burden on the authorisation of use of or access to health data.
Creating a strong infrastructure is the third pillar to facilitating cross-border healthcare under the EHDS and secondary use by interconnecting authorised participants.
Particular innovations include the establishment of an EHDS Board, cross-border infrastructure for the primary use of electronic health data (MyHealth@EU) and cross-border infrastructure for the secondary use of electronic health data (HealthData@EU).
The EHDS Board is intended to facilitate cooperation and information exchange among Member States. It will be composed of high-level representatives of the digital health authorities and the health data access bodies of all Member States.
MyHealth@EU is a central platform that, through its services, will support and facilitate the exchange of electronic health data between the national digital health contact points that each Member State must designate. The Commission will adopt measures through implementing acts, for the technical development of the platform, setting detailed requirements concerning the security, confidentiality and protection of health data. In addition, the Commission will also set conditions for entry and exclusion within MyHealth@EU.
HealthData@EU is composed of national contact points designated by the Member States for secondary use of health data by certain EU institutions and bodies, certain research infrastructures, and (in some circumstances) third countries and international organisations.
The European Parliament and the Council will now progress the draft legislation but it remains to be seen what their views on the EHDS will be. All Member States are expected to be involved in the MyHealth@EU program by 2025.
The creation of a European Health Data Space underpinned by data protection is seen by the Commission as key to advancing digitalisation and, by extension, the quality of healthcare across the EU. However, we will need to wait and see whether the EHDS in its current form can remedy existing difficulties, especially with regard to the secondary use of health data, given the complexities of the approval requirement.