According to a leaked draft legislative proposal by the European Commission, which is expected to be officially published this spring, the EU is planning to introduce a new European Health Data Space Regulation (EHDS).
This new law is part of the wider EU Data Strategy aimed at creating a single market for data in order to ensure Europe’s global competitiveness and data sovereignty. The EHDS is intended to create a European data space for health data and will complement other planned legislation being part of the EU Data Strategy, namely the Data Governance Act and the Data Act. The EHDS would be the first common European data space in a specific area to emerge from the aforementioned EU Data Strategy and is considered to become an integral part of building a European Health Union by the European Commission.
For these purposes, the EHDS will enable individuals to easily access, control and ensure the protection of their personal as well as non-personal health data. It will thereby complement existing rights in the GDPR by providing for certain access and restriction rights of individuals with respect to their data.
Further, the EHDS is designed to help promote healthcare delivery, research and policy. The goal is to enable data to be used for research innovation, policy making and regulatory purposes, as well as personalised medicine, whilst ensuring privacy and security. However, re-using health data created or collected by providing health services to individuals (so-called primary use) for purposes other than what it was originally created or collected for (so-called secondary use) raises potential issues.
On this basis, the EHDS is intended to:
- formalise an EU-wide digital infrastructure for making electronic health data available for primary use, which is thought to be called 'MyHealth@EU’;
- lay down rules and mechanisms supporting the secondary use of health data while establishing safeguards with regards to, for example, public competent bodies designated by the Member States that are meant to be responsible for granting health data access upon the requests of data users; and
- establish an EU-wide infrastructure for facilitating the secondary use of electronic health data.
Furthermore, the EHDS is intended to contain a variety of specific mandatory requirements for electronic health record (EHR) systems (ie solutions or software for storing or processing health data) that are, among other things, supposed to ensure security, safety and interoperability of these systems. Besides those EHR systems, other health and medical software products, like medical imaging software or medical diagnosis software and wellness apps, are also expected to be impacted by the health data space.
In addition to this, it is anticipated that a European Digital and Health Data Board will be created, with at least two expert subgroups (responsible for healthcare delivery and for research, innovation, policy making and regulatory purposes, respectively).
It is also interesting to note that the EHDS proposal explicitly contains provisions to allow for data altruism activities within the healthcare sector, a legal concept that is also included in the Data Governance Act. The aim here is to foster data sharing and collection by providing legal status to non-profit organisations that process data for reasons of the common good, for example, in medical research.
Overall, due to the extensive specifications and rules provided in the EHDS proposal, it is to be expected that the regulation, once in effect, will have a major impact on, and create a great need for, organisational and regulatory adaptation within the entire healthcare and pharmaceutical sector, as well as a need for clarification regarding difficult legal issues, especially in connection with the complex interplay of the EHDS with existing rules such as the GDPR.
Although it remains to be seen how the legislative process will develop, companies with touchpoints in the aforementioned sectors should assess as early as possible whether and, if so, to what extent the planned EHDS could be relevant to them and what the possible implications might look like.