The lead negotiators of the Council of the EU and the European Parliament have reached an agreement on a new EU regulation for the European Health Data Space (EHDS). Once adopted, the regulation will expand individuals’ access to and control over their personal electronic health data both on a national level as well as on a transnational level among EU member states (primary use of data) while simultaneously simplifying the exchange and access of health data for public interest and research purposes (secondary use of data).
According to the draft regulation, the software platform will also enable third-country organizations to access the health data of individuals in the EU as long as such third-country organizations comply with the rules of the General Data Protection Regulation (GDPR). Additionally, third-country organizations will be eligible for secondary use of data if they comply with the new regulations of the EHDS on the same level as any EU entity using such health data.
The draft regulation will now need to be endorsed by both the Council of the EU (Council) and the European Parliament (Parliament). Additionally, the exact wording of the new final regulation will need to undergo a lawyers’ review. The draft regulation was adopted by Parliament on 24 April 2024 and is expected to be formally adopted by the Council in the coming weeks—well before the upcoming EU elections in June of this year. The draft regulation will become effective 20 days after publication in the Official Journal of the European Union (publication).
The final regulation will become effective two years after its publication. Chapter IV, containing regulations on the secondary use of data, will apply four years after its publication, with certain exceptions for categories of electronic data subject to the secondary use of data, such as human genetic, epigenomic, and genomic data, data from clinical trials, and data from research, which will apply six years after the date of publication.
The final regulation aims at designing the EHDS as a trusted environment for secure access to and processing of a wide range of health data. It is based on, among others, the GDPR, the Data Governance Act, the Data Act, and the NIS Directive. These legal acts contain provisions (including security measures) that also apply to the healthcare sector. (For an in-depth analysis of the Data Act, please refer to our 5 December 2023 Law Flash.) However, in order to take into account the particular sensitivity of health data, more specific rules are being developed in the draft regulation.
The EHDS sets out a common EU framework allowing for anonymized and/or pseudonymized use of health data for research, innovation, public health, policymaking, regulatory activities, and personalised medicine. It will draw on the creation of a new and decentralised EU infrastructure for the secondary use of data (HealthData@EU) that will connect health data access bodies which should be set up in all EU member states.
In the 2020 communication A European strategy for data, the EU Commission proposed nine common data spaces to be developed within the EU. The EHDS is the first of the European common data spaces designated for health data. As a regulation (Verordnung) the final regulation will come into effect without further implementation laws of the EU member states. However, certain sections and chapters of the draft regulation currently call for the EU member states to implement certain modifications (see below).
The final regulation will set out the EHDS as a health-specific set of rules, common standards and practices, infrastructures, and governance framework that aims to:
The draft regulation between the Council and the Parliament covers the following key areas:
According to the EU Commission’s policy programme The Path to the Digital Decade, all EU citizens shall, by 2030, have their electronic health data available via access points established by EU member states. A cross-border digital infrastructure (MyHealth@EU) for the primary use of data will connect EU member states and allow patients to share their health data. All EU member states must appoint digital health authorities that will participate in the cross-border digital infrastructure and that will support patients to share their data across borders. The EU member states must appoint the digital health authority as soon as Chapter II of the draft regulation applies (two years after its publication). The supervisory authorities that are responsible for monitoring and enforcement of the GDPR shall also be competent for monitoring and enforcement of the EHDS.
EU member states will also ensure that patient summaries, e-prescriptions, images and image reports, laboratory results, and discharge reports are issued and accepted in a common European format. The European EHR exchange format is stipulated in Chapter II of the draft regulation. As this chapter applies starting two years after publication of the final regulation, we expect the European EHR exchange format to be released by then.
Those institutions that wish to reuse health data will need to apply for a permit from a health data access body. The data permit sets out how the data may be used and for what purpose. The health data may only be accessed and processed in closed secure environments to be provided by the health data access bodies with clear standards for cybersecurity.
The draft regulation does not specify which entity (or entities) shall undertake the role of “health data access body” but leaves this decision up to the EU member states. In Germany, the Federal Ministry of Health (Bundesgesundheitsministerium) is currently in the process of establishing a central access and coordination authority regarding health data (Datenzugangs- und Koordinierungsstelle für Gesundheitsdaten) which will probably become the competent authority for the implementation of the final regulation and the EHDS. Until such central authority is established the task may fall to the Health Research Data Center (Forschungsdatenzentrum Gesundheit) which is currently established at the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte) and is the competent authority when it comes to the implementation of the GDNG (Gesundheitsdatennutzungsgesetz).
A new EHDS board chaired by the EU Commission will be created, composed of the representatives of all digital health authorities and health data access bodies from all the EU member states and observers, depending on their area of work. It will contribute to the consistent application of the final regulation throughout the EU, coordinate and exchange best practices, and cooperate with other bodies at EU level.
EU member states will cooperate at EU level to ensure the smooth functioning of the two cross-border digital infrastructures (primary use of data and secondary use of data).
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: