
Key Takeaways from the EU’s New Health Data Strategy

The European Commission recently announced its proposal for the draft Regulation for the European Health Data Space (EHDS) (the Regulation). The goal of the Regulation is the creation of the EHDS as a standardised health data space across the EU, allowing individuals to control and utilise their health data at home or in Member States. Importantly, the Regulation will provide a legal framework for innovators in the digital health space to access this data in order to develop treatments, vaccines, medical devices, and other important health measures. In short, it will revolutionise the way in which health data is accessed, stored and used in the EU.

As such, the EHDS has large-scale legal implications for individuals and digital health operators across the EU, particularly relating to privacy and data protection. To grapple with the changing health data landscape, the Regulation provides for various restrictions and rules which digital health operators will need to familiarise themselves with once the Regulation comes into force.

This summary provides an operational overview of the EHDS, before breaking down the compliance and regulatory framework, then concluding with a consideration of the larger impacts for innovators in the digital health space.

How will the EHDS operate and what are the key objectives?

Key objectives of the EHDS are to provide individuals with immediate access to their digital health data, free of charge, in a format standardised throughout the EU. This health data can be shared with health professionals in any Member State, placing EU citizens in full control of their data — including adding information, rectifying errors, restricting access, etc. This in turn will make it possible for researchers, innovators and policy makers to use this electronic health data in a trusted and secure way that preserves privacy.

Interoperability of the health record system among Member States and data security are mandatory requirements underpinning the EHDS. Manufacturers of health record systems will need to certify compliance with these standards, ensuring that data is issued and accepted in a common European format. This includes patient summaries, ePrescriptions, images/image reports, laboratory results, and discharge reports. Member States must appoint digital health authorities to oversee compliance with the EHDS and to manage the cross-border digital infrastructure labelled MyHealth@EU.

Along with health professionals and individuals, access to the data will be available to researchers, public institutions, and innovators, albeit under strict conditions. The objective of such access is to develop novel treatments, vaccines, and medical devices, thereby strengthening the health system in aggregate. Innovators can gain access to the health data via a new decentralised infrastructure called HealthData@EU. In total, the EU plans to provide €810 million in funding to build the necessary infrastructure.

EHDS compliance and regulatory framework

Key requirements

The Regulation provides that access to the data in the health record system will require a permit administered by a relevant body in each Member State. Researchers, institutions, and companies will be granted a permit only if the data is kept anonymised and used for specific purposes, in a closed and secure environment. The data cannot be used for decisions “detrimental to citizens”, e.g. creating products deemed harmful, selling data to third parties, using data for marketing purposes, or increasing insurance premiums. Although it remains to be seen how it will operate in practice, the permitting process creates a new regulatory environment for the health data industry to navigate.


The Regulation provides for the establishment of digital health authorities responsible for enforcing the Regulation, who will have significant powers including the ability to impose fines of up to 4% of global turnover. The Regulation also provides for the establishment of the European Digital and Health Data Board to ensure cooperation between the equivalent data protection bodies, the European Data Protection Board and the European Data Protection Supervisor, particularly regarding the use of primary and secondary health data.

Relationship with other legal frameworks

The Regulation is intended to complement a number of different legal frameworks being established in the EU, such as the Data Governance Act and the Data Act, which intend to better regulate the use of data. The Regulation will also operate alongside the General Data Protection Regulation (GDPR) and function as a legal basis to access and use health data under the GDPR, which is currently preventing the use of such data for public interest purposes, such as research and innovation. However, considerable uncertainty remains as to how compliance with each of these legal frameworks will operate in practice, especially the GDPR. This uncertainty was also identified by the European Data Protection Board (EDPB) in its recent opinion on the Regulation. While welcoming the concept of strengthening individuals’ rights over their health data, the EDPB raised concerns regarding the risks that will arise from the primary and secondary use of significant volumes of health data and underlined the need for effective supervision.

Next steps

The Regulation will now proceed through the EU legislative process, including through discussions with the European Parliament and EU Council. The Regulation notes its expectation that Member States will be in a position to implement the MyHealth@EU platform by 2025 and so quick progression through the legislative process should be expected.


The Regulation will bring about fundamental change to the way in which health data is accessed, stored and used in the EU. It presents an exciting opportunity for both established and start-up innovators in the digital health industry. However, much is still to be decided regarding the regulatory framework, and those in the industry should monitor developments as the Regulation passes through the legislative process.

For more information, contact a member of our Privacy and Data Security team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.
