After long debates between the Commission, Parliament and the Council, the Council has adopted the regulation on the European Health Data Space (EHDS). Given the controversial debates around certain aspects, the final version of the EHDS includes several twists compared to the Commission’s initial proposal dating back to 3 May 2022 (see our analysis of the initial proposal here). From further strengthening patients’ rights to tightening obligations for manufacturers, some of the changes are rather significant.
Key goals of the EHDS
As we have described in more detail in our previous analysis, the EHDS has the overarching goal to improve individuals’ access to and control over their personal electronic health data, while also enabling certain data to be reused for research and innovation purposes for the benefit of European patients. It provides for a health-specific data environment that will ensure cross-border access to digital health services and products within the EU.
New rights for patients (Article 3 EHDS)
The EHDS foresees new rights of natural persons regarding their electronic health data. These rights share similarities with data subject rights under the EU GDPR, in particular regarding data access, control, and transparency. Both the EHDS and the EU GDPR emphasise individuals’ rights to access their personal data, rectify inaccuracies and restrict access in certain circumstances.
For instance, the EHDS allows individuals to obtain electronic copies of their personal electronic health data that belong to the ‘priority categories’ (ie patient summaries, electronic prescriptions, electronic dispensations, medical imaging studies and related imaging reports, medical test results, and discharge reports). Member States may, however, restrict such access for reasons of patient safety and ethics for a limited period of time, eg until a health professional can properly explain the impact of the data on the patient’s health. Further, the right to transparency is strengthened and now includes automatic notification of individuals of any access to their electronic health data.
Right to ‘opt-out’ (Article 10 EHDS)
A key topic of the discussions during the legislative process was the question whether and how individuals should be able to decide about the use of their personal electronic health data for healthcare purposes, including assessing, maintaining, or restoring health, prescribing medication and providing relevant administrative services (so-called ‘primary use’).
The EHDS ultimately contains a compromise by way of an ‘opening clause’ leaving it up to the Member States to decide whether individuals will have an ‘opt-out’ right. If a Member State chooses to grant this right, it must ensure that the opt-out can be reversed. Additionally, such a Member State would need to establish guidelines for the opt-out process. This includes instances where healthcare providers need access to the data to protect the patient’s or another person’s health, even if the patient has initially opted out.
Compliance requirements for electronic health record systems (Chapter III EHDS)
The final EHDS sets out detailed requirements for electronic health record systems (EHR systems), which must include ‘harmonised software components’ for both interoperability and logging. EHR systems refer to any software, or combination of hardware and software, which (i) enables the storage, intermediation, export, import, editing, or viewing of electronic health data, and (ii) is designed by manufacturers to be used by healthcare providers for patient care or by patients when accessing their data. This definition is quite broad and covers a range of systems, including platforms used in hospitals and clinics for managing patient records, as well as medical imaging devices such as ultrasound machines, MRI scanners, and x-ray systems.
In Chapter III, the EHDS lays down conformity requirements for EHR systems. Thus, manufacturers of EHR systems must (i) ensure that the harmonised software components of the EHR systems are in conformity with the list of essential requirements in Annex II of the EHDS, (ii) draw up the technical documentation of the EHR system, (iii) provide certain information to the user free of charge, (iv) draw up the EU declaration of conformity, (v) affix the CE marking, and (vi) fulfil registration obligations.
In this regard, the Commission’s proposal already provided for a self-certification scheme obliging manufacturers to demonstrate compliance with the essential requirements by drawing up technical documentation. In addition, the final EHDS requires manufacturers to use the ‘European digital testing environment’ to self-assess the conformity of the ‘harmonised software components’. Compliance with the essential requirements is presumed for components passing this test. It will be up to the Member States to set up such digital testing environments in accordance with the general specifications laid down by the Commission through implementing acts.
The final text of the EHDS further strengthens the power of market surveillance authorities which may enforce corrective actions on manufacturers of EHR systems if they find non-compliance with regulatory requirements. Such corrective action may be a restriction, prohibition or even recall of the EHR system.
Data access vs IP and trade secrets (Article 52 EHDS)
With respect to IP rights and trade secrets, the EHDS seeks to strike a balance between promoting access to data for purposes other than those for which it was collected or produced, such as scientific research (‘secondary use’), and safeguarding the rights of health data holders. Health data holders must identify and inform health data access bodies about any data protected under IP or trade secret laws that form part of the electronic health data, and health data access bodies must implement appropriate measures to safeguard these rights. Health data access bodies may further impose conditions on data users for accessing the data (such as entering into confidentiality agreements or implementing certain technical and organisational measures). In exceptional cases, however, they may even refuse access if there is a serious risk of infringing the data holder’s rights.
Data localisation requirements (Article 87 EHDS)
During the legislative process, a few voices called for the mandatory storage of health data exclusively in the EU. As a result, the EHDS foresees that health data access bodies, trusted health data holders, and Union health data access services must store and further process electronic health data generally only within the EU. As an exception, they may also store and process the data in a third country for which the Commission has granted an adequacy decision under the EU GDPR – currently, this includes, inter alia, the US (to the extent the data recipient is certified), the UK, Switzerland, Japan and Canada. In addition, Member States may choose to enact national laws requiring that electronic health data processed for primary use (eg by healthcare providers for healthcare provision) must be stored and processed exclusively within the EU.
Fines and enforcement measures under the EHDS (Articles 63 et seqq. EHDS)
The EHDS foresees the possibility for the appointed national authorities to impose fines as well as to take other enforcement actions in case of a violation of the EHDS. Generally, the health data access bodies established by the Member States will be responsible for monitoring compliance with the EHDS. However, data protection supervisory authorities shall be specifically responsible for enforcing violations of the right to opt out from the processing of personal electronic health data for secondary use.
Similar to the GDPR, and depending on the violation, fines can range from up to EUR 10 million or 2 % of the total worldwide annual turnover for certain breaches, to up to EUR 20 million or 4 % of the total worldwide annual turnover for more severe infractions.
Next steps
After being formally signed by the Council and the Parliament and published in the EU’s Official Journal, the EHDS will start to apply two years after its entry into force (instead of only twelve months, which was the timeline under the Commission’s proposal), ie by the beginning of 2027. In addition, the application dates of specific provisions have been significantly extended to four or six years after the date of entry into force. Organisations that are subject to the EHDS will likely welcome these extended timelines, considering that the implementation of new procedures to comply with the EHDS will require considerable effort from all stakeholders involved.