On 3 May 2022, the European Commission published its proposal for a regulation on the so-called European Health Data Space (EHDS), after a previous version had been leaked in mid-March. The EHDS comes as part of the European Data Strategy and is the first proposal of a so-called common European data space. It will be an integral part of establishing a European Health Union. In particular, the EHDS is designed to:
- Empower people to control and utilise their health data within the EU;
- Foster a single market for digital health services and products; and
- Provide a framework for the use of health data for research, innovation, policymaking and regulatory purposes.
It is hoped that the EHDS will promote the introduction of new and more innovative EU-wide digital health products, as well as bring significant cost benefits that will help improve the effectiveness of healthcare systems across the EU. However, there are several questions and issues surrounding the EHDS proposal, which will have significant implications for a number of stakeholders in different sectors. Here we look at what the EHDS proposal contains, and what businesses must do to prepare for it.
Secure health data environment
At its core, the EHDS is intended to provide a secure and trustworthy health data environment for individuals whose health data are processed by health professionals for the purposes of providing healthcare – the so-called primary use. Regulating the primary use is, from the Commission’s perspective, necessary to generate health data of high quality and in sufficient quantity for reuse in research and for other secondary purposes.
Services such as patient portals, which will be established in each member state, will give individuals more control over their health data and will enable them to exercise their specific EHDS rights. These include the right to immediate, free-of-charge access to their data in an easily readable, consolidated and accessible form, the right to transmit their data from one health (or social security) actor to another (also across EU borders), and the right to obtain information on the healthcare providers that have accessed their data.
EU member states must therefore develop access services for healthcare providers to ensure the mandatory registration and exchange of certain health data in an electronic format. Consequently, the Commission will implement legislation determining which – and how – healthcare providers and health data shall be registered.
A central platform – ‘MyHealth@EU’ – will enable the cross-border access of health data. This platform shall be established by national contact points for digital health in each member state. These contact points will be responsible for connecting primary use actors to the platform ensuring access to and exchange of data for both individuals and healthcare providers across the EU. In accordance with the intentions of the Commission, this shall facilitate cross-border treatment of EU residents.
The provisions for primary use pose many questions, especially regarding the technical implementation of national access services in practice. Also, since member states have discretion regarding the technical development of their access services, it will be a key challenge to develop a cross-border access infrastructure. In addition, it is currently unclear how these access services will interplay with electronic identification procedures.
Electronic Health Record Systems
In order to promote interoperability and data portability, the EHDS introduces a mandatory self-certification scheme for electronic health record (EHR) systems and corresponding obligations for relevant manufacturers, importers and distributors. The rules complement the requirements that have been introduced on software through the Medical Devices Regulation (EU) 2017/745 and the proposed Artificial Intelligence Act, which, according to the Commission, leave a ‘regulatory gap’ in this regard.
Accordingly, EHR systems are solutions or systems intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health data. They have to be distinguished from general-purpose software, even when it is used in a healthcare environment, and from so-called wellness applications (the latter may, however, be voluntarily labelled provided they are interoperable).
EHR systems placed on the EU market or put into service in the EU must comply with so-called essential requirements related to interoperability and security, and with common specifications to be adopted by the Commission. Manufacturers must, among other things, prepare technical documentation to prove the conformity of their EHR system, draw up a corresponding EU declaration of conformity and affix a CE marking to each product. The EHDS further introduces a database for EHR systems and certain so-called wellness applications, similar to EUDAMED, to enhance overall transparency. The provisions on EHR systems will be evaluated after five years, in particular with regard to the introduction of a conformity assessment procedure involving notified bodies.
The current proposal raises several questions, and it remains to be seen whether and how far these will be addressed by the Commission as well as other stakeholders during the legislative process. For example, it is not yet clear how the scope of products will exactly be distinguished, what common specifications will look like, and how the EHDS will work in relation to existing regulation in member states, for example, the telematics infrastructure in Germany.
Research, policy and regulation
The EHDS will also provide an extensive governance framework and access mechanism for the use of health data for the purposes of research, innovation, policymaking and regulation. Each member state will set up a health data access body (HDAB), which will govern the granting of data requests from researchers, companies or institutions.
HDABs will only grant access to requested data if it is used for specific purposes and without revealing the identity of the individual, unless there is a specific justification for processing the data in the clear. It is also strictly prohibited to use the data for decisions that are detrimental to citizens, such as designing harmful products or services or increasing an insurance premium. Once a so-called data user, which can be any actor having a legitimate interest in reusing the health data, is granted a data permit, data holders must upload the health data to a secure processing environment. For the activities of the HDAB and the data holder, the data user must pay fees proportionate to the associated costs of making the data available. The data user is also required to make the results of its research public within eighteen months.
The provisions on data use in the EHDS pose many new questions for actors in the health sector, particularly regarding the interplay with complex EU legislation such as the GDPR or the upcoming Data Act and Data Governance Act. Whilst the EHDS does answer some of these issues, others will only be resolved after its adoption through close cooperation of the HDABs with other relevant authorities, especially privacy authorities, and with the Commission.
The Commission’s proposal of the EHDS is merely the starting point of the legislative process, which can take 12-18 months until the final text enters into force. As an EU regulation, the EHDS will not need to be transposed into national law but will be directly applicable, according to the current text 12 months after it has entered into force. Certain provisions will apply one or three additional years later: this relates in particular to provisions on access rights of individuals and healthcare professionals to personal health data and, as far as we understand, also to the provisions on EHR systems processing such data, depending on the category of health data. In-house EHR systems need to comply with the provisions on EHR systems three years after the regulation has become applicable.
Getting ready for EHDS
The EHDS has implications for many stakeholders. All companies active in the health care sector (e.g. as manufacturers, importers or distributors of EHR systems or pharmaceutical companies engaged in research) should explore relevant opportunities and risks. Companies not affected by the EHDS should monitor the Commission’s approach to the structure and regulation of the EHDS, which is the first of many such data spaces envisaged by the Commission (e.g. for finance, mobility and energy).
Opportunities to engage in the legislative process should be explored. For example, for a minimum period of eight weeks stakeholders can currently give feedback to the Commission, which will then be presented to the European Parliament and the Council in the legislative debate.
Given the many questions surrounding the EHDS, the legislative process should be closely monitored, particularly in relation to its interplay with other relevant legislation (e.g. GDPR, NIS Directive) and ongoing legislative procedures (especially the Data Act and the Artificial Intelligence Act).