The European Commission published a proposal on 03 May 2022 for a regulation to create a European Health Data Space (“EHDS”). This proposed EU regulation establishes a health-specific ecosystem of rules, common standards and practices, infrastructures, and a governance framework, which processes a wide range of electronic health data and allows access to it. The aims of the EHDS are:
- Easier access to health data: individuals will have faster and easier access to electronic health data (whether they’re in their home country or another member state). This will enhance digital access to personal electronic health data, to support its free movement, and to facilitate a single market for electronic health record systems;
- Better research potential: provide researchers and policy-makers with access to specific kinds of anonymised, secure health data to inform scientific research, develop treatments and improve patient care; and
- Ensuring interoperability: digitalisation across European Union (“EU”) Member States varies, making it difficult to share data across the EU. The EHDS requires all electronic health data systems to comply with the requirements of the European electronic health record exchange format.
The EU currently does not have a centralised system that houses individual health records, making it difficult for health professionals to access such data and make decisions regarding an individual’s health when they travel abroad. The EHDS is part of the European Data Strategy and builds on existing legislation and regulations such as the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Data Act, the Data Governance Act and the Network and Information Systems Directive 2.
Primary Use of Health Data
The EHDS intends to provide a trusted and secure cross-border digital infrastructure called MyHealth@EU that will connect Member States and will allow individuals to share their health data via access points established by Member States, also known as the primary use of health data. By creating a single platform, natural persons will be able to share their electronic health data with their chosen healthcare providers. Essentially, it will allow them to access their health data free of charge in an easily readable and accessible form. This will also benefit EU citizens by supporting better informed decisions and ultimately providing them with greater control over how their data is used.
There are six priority categories that Member States will be required to make available on the EHDS: (i) patient summary, (ii) electronic prescription, (iii) electronic dispensation, (iv) medical image and image report, (v) laboratory results, and (vi) discharge report. The implementation of the EHDS will be in a staged process with a transition period; this will facilitate the implementation process as some types of electronic health data are more of a priority than others.
Natural persons have several rights regarding their electronic health record such as the right to receive an electronic copy of their health data, provide authorisation to insert health data into their electronic health records, transmit their data to recipients of their choice from the health or social security sector, and the right to restrict access to all or part of their electronic health data to health professionals. Where health data is not registered electronically before the implementation of the EHDS, Member States may be required to convert the individual’s health data into electronic format.
Member States will be required to set up a digital health authority whose responsibilities will include ensuring that any additional rights of individuals are properly implemented and publishing guidelines. Member States must also appoint a national contact point to establish a connection with other national contact points and with the MyHealth@EU platform. Each national contact point will facilitate the exchange of the electronic health data with all other national contact points based on the European electronic health record exchange format. The national contact points will act as joint controllers of the electronic health data communicated through MyHealth@EU for the processing operations in which they are involved, whereas the European Commission will act as a processor.
Electronic health data will need to be securely transmitted and protected when processed between different electronic health record systems. Economic operators of such systems (i.e., manufacturers) will need to ensure that their systems are interoperable, compatible, and compliant with the EHDS.
Secondary Use of Health Data
The EHDS will also allow access to a minimal set of health data for secondary use by the data holders to provide support for health research, innovation, policy-making, regulatory activities and personalised medicine. There are fifteen types of data which can be made available such as human genetic, genomic, and proteomic data, data impacting on health including social, environmental and behavioural determinants of health, and electronic health data from medical registries for specific diseases. The proposal also includes categories where the secondary use of health data is prohibited, for example developing products or services that could harm individuals or societies, including but not limited to drugs and tobacco products. Fees can be charged for the secondary use of health data.
For secondary use of health data, data access applications would need to be made outlining, among other matters, a detailed explanation of the purpose for using the electronic health data, a description of the electronic health data, their format, and data sources, and where possible the geographical coverage of where the data is requested from the Member States. The health data used for secondary purposes will be provided in an anonymised format; however, where the purpose for using the electronic health data cannot be achieved with anonymised data, such data can be provided in pseudonymised format. Where pseudonymised format is used, the applicants would need to provide additional information in their data access applications, such as a description of how the processing would comply with the GDPR. If an application is successful (which will be assessed by a competent health data access body set up by each Member State), a data permit will be issued to the applicants to allow the secondary use of health data.
A separate platform called HealthData@EU will be established for this purpose.
Data Protection
The European Commission has stressed that the EHDS will need to comply with the GDPR, which means ensuring the GDPR principles are complied with when electronic personal health records are shared on its platform. For example:
- Ensuring an appropriate GDPR legal basis/condition: Recital 37 of the proposed regulation suggests that the GDPR legal basis for processing for data holders is established by the EHDS (the EHDS references Articles 6 and 9 of the GDPR). However, data users, who wish to access electronic health data, must demonstrate which legal basis and/or condition (pursuant to Articles 6 and 9 of the GDPR) they rely on as part of the application process; and
- Implementing appropriate technical and organisational measures: the European Commission has said that data available via the EHDS will be encrypted and minimised (i.e., anonymised or pseudonymised). The European Commission has also highlighted that the EHDS will have to comply with very high standards of privacy and cybersecurity, and no personal data can be downloaded.
Challenges for the EHDS
The key issue regarding the EHDS will be whether patients have the option to opt-in or out of the system. Whilst some argue that patients should have the right to object to the registration and storage of their health data in the EHDS and should be allowed to prevent certain health professionals from accessing their data, others argue that by allowing patients to opt-out, the opt-out process could undermine the quality of the data for research purposes. To maximise data availability, the Guild of European Research-intensive Universities proposes the implementation of ‘dynamic consent’ which will allow patients to have more control and involvement in research activities.
Also, achieving anonymisation in the EU has been a challenge for many companies in the health space. The GDPR defines anonymous data as data that “does not relate to an identified or identifiable natural person or to personal data rendered anonymous” so “the data subject is not or no longer identifiable.” If electronic health data can be anonymised, the GDPR will no longer apply. The problem is that it’s difficult to achieve anonymisation in practice. With conflicting EU regulatory guidance, coupled with the high standards of anonymisation, companies in the health space have been embracing pseudonymisation. However, Recital 43 of the proposed EHDS suggests that it is possible to anonymise individual electronic personal health data for secondary use. It will, therefore, be interesting to see if further guidance will be issued to assist in achieving anonymisation via the EHDS.
Next Steps
On 06 December 2023, the European Council issued a press release confirming the agreement on the European Council’s mandate on the EHDS. Several key concepts were discussed such as the creation of two steering groups to manage MyHealth@EU and HealthData@EU and providing Member States with the discretion to allow patients to opt-out of the EHDS. On 13 December 2023, the European Parliament adopted the proposal to create the EHDS, and placed emphasis on proposing an opt-out system for secondary use of health data and mandatory explicit consent for sensitive data (such as genetic and genomic data). Trilogue talks have been underway in January 2024; it’s expected an agreement will be reached within two months before the EU elections in June 2024.
Separately, in December 2023, the European Commission and the World Health Organization entered into a €12 million agreement to boost health data governance and strengthen health information systems in Europe, which will be driven by the principles of the EHDS.
The post Shaping the Future: the European Health Data Space appeared first on Data, Privacy & Cybersecurity Insights.