The European Union, in the context of the Covid-19 pandemics, found that timely access to electronic health records in case of a health crisis is crucial, as well as access for diagnosis and secondary use of health data. However, currently the EU does not have centralized and interoperable platform where EU citizens can find all their health records in a single place. This is a problem as data also is not available to practitioners and authorities throughout the EU . The consequence is citizens and the  health professionals that may assist them lack of information when they travel to other countries. Furthermore, health professionals cannot access the complete records and cannot make optimal decisions.

The lack of centralized and accessible electronic health data is also a perceived impairment for the use of health data for secondary purposes such as research, policy making and the development of medicines.

In this context, (and following its Digital Strategy), the European Union has issued a Proposal for a Regulation on the European Health Data Space (EHDS).

General Questions

Which industries and sectors are affected by the EHDS?

• Health care providers in the EU (both public and private);
• Manufacturers and suppliers of EHR systems;
• Wellness providers (apps, devices, etc.)
• Any entity (either private and public) processing electronic health data in the EU, such as service providers;
• Health investigators and pharmaceutical companies;
• Entities that wish to make use of health data for other secondary purposes (e.g., insurance companies, providers of health IT devices).

What  new rights will citizens have regarding EHRs (primary use)?

Natural persons shall have, among others, the following rights:

• Right to access their personal electronic health data immediately and free of charge and to receive a copy;
• All the health data shall be registered electronically;
• Natural persons may insert their electronic health data in their own EHR;
• Natural persons shall have the right to give access to or request a data holder from the health or social security sector to transmit their electronic health data to a data recipient of their choice from the health or social security sector.

How will the EHDS be monitored and enforced?

Each Member State shall designate a digital health authority at the national level. It will be entrusted with several competences, such as issuing guidance, contributing to the solutions enabling natural personas and health professionals to exercise their rights, etc. In addition, Member States shall designate one or more health data access bodies responsible for granting access to electronic health data for secondary use and monitoring compliance during secondary use.

There is not a general sanctioning framework for infringing the EHDS Regulation. However, there are specific protections in relation to some chapters:

• The data protection supervisory authority of each country will be competent to sanction data holders (e.g. health care providers or other entities in the health or care sectors, or performing research in relation to these sectors) if they do not grant natural persons with their access and transmission rights under the EHDS; and
• Health data access bodies are allowed to impose fines against data holders that obstruct the secondary use of electronic health data and even exclude the data holder from participation in the EHDS for a period up to 5 years.

How does the EHDS ensure cross-border consistency?

Each Member State shall designate one national contact point to ensure the connection to all other national contact points for digital health and to the central platform for digital health. The Commission shall establish a central platform for digital health to provide services to support and facilitate the exchange of electronic health data between national contact points. Member States shall ensure connection of all health care providers to their national contact points for digital health.

Member States shall ensure that pharmacies operating in their territories are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU.

Obligations for EHR systems

Manufacturers of EHR systems are bound by several obligations. The EHR systems under the EHDS are those intended by their manufacturer for primary use of priority categories of electronic health data (patients summaries, electronic prescriptions, medical images, etc.). However, general software used in a health care environment are not in the scope of EHR systems obligations. Manufacturers of (covered?) EHR systems shall:

• Ensure that their EHR systems are in conformity with requirements for interoperability and security that are specified in an annex of the regulation;
• Implement procedures to ensure that the design, development and deployment of an EHR system continues to comply with the essential requirements;
• Draw up the technical documentation of their EHR systems;
• Affix the CE marking;
• Comply with the registration obligations.

We will address the implications of EHDS for EHR systems in a future post.

Secondary Use Of Electronic Health Data

Health data is collected  in several different health care settings. However, this data is invaluable for other purposes as well that are not directly related to the purposes for which it is originally collected. The intention of this legislation is to enable health data to be re-used more widely for research, innovation, policy making, regulatory purposes, and patient safety. However, due to the sensitive nature of health data, and the fact that it may contain IP rights, trade secrets and commercially confidential information, appropriate safeguards must also be applied.

Which categories of data shall be available for secondary purposes?

The EHDS envisages a quite broad list of categories of data that shall be available to reuse, including; (i) EHRs, (ii) pathogen genomic data, (iii) genetic data, (iv) identification data related to health professionals, (v) electronic health data from clinical trials, and (vi) electronic health data from biobanks.

The health data access bodies shall inform the data users about the available datasets and their characteristics through a metadata catalogue.

For which purposes is secondary use permitted?

There is a closed list of allowed secondary purposes of processing:

• Scientific research related to health or care sectors;
• Development and innovation activities for products or services contributing to public health, or ensuring high levels of quality and safety of health care, medicinal products or medical devices;
• Training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health, or ensuring high levels of quality and safety of health care, medicinal products or medical devices;
• Providing personalised health care based on the health data of other natural persons;
• Education or teaching activities in health or care sectors.

For which purposes is secondary use NOT permitted?

Purposes for which secondary purposes are prohibited include, among others:

• Taking decisions detrimental to a natural person based on their electronic health data;
• Excluding natural persons from the benefit of an insurance contract or modifying their contributions and insurance premiums;
• Developing products or services that may harm individuals and societies at large, including tobacco, alcoholic beverages, etc.
• Advertising or marketing activities towards health professionals, organisations in health or natural persons.

What is the data protection relationship between data users and data holders and data access bodies?

The EHDS is clear about this. Health data access bodies and data users shall be deemed joint controllers. Data holders do not have any data processor or joint controllership role vis-à-vis data users, except when there is a single data provider and the request is directly handled by the same, in which case they will be considered joint controllers.

Do natural persons whose data is used for secondary purposes need to be informed of each access permit?

No. They shall be provided with general public information on all data permits, by using the exception to inform envisaged in art. 14.5 of the GDPR. However, natural persons shall be informed of any finding that may impact on their health.

In any case, data access bodies shall make publicly available and easily searchable the conditions under which electronic health data is made available for secondary use, including legal basis of processing, natural persons rights and the results or outcomes of the projects for which the electronic health data were used.

What is the legal basis of processing for data users?

The EHDS provides a legal basis of processing under the GDPR for the data holders, as well as an exception to process health data. However, the EHDS does not provide for legal bases for data users. A data user shall demonstrate its legal basis pursuant to the GDPR and explain the specific legal basis on which it relies as part of the application for access to electronic health data. The only legal bases that are allowed for data users are legitimate interest or exercise of a task in the public interest.

Can data holders and health data access bodies charge access fees for secondary use?

Yes. Where the data in question are not held by a public body, the fees may also include compensation for part of the costs for collecting the electronic health data specifically under the Regulation.

Fees shall be transparent and proportionate to the cost of collecting and making electronic health data available.

How does the application for access to health data for secondary purposes work?

The access applications will be managed by a unique body: the health data access body. Each member state shall designate one or more health data access body. Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice. However, where an applicant requests access to electronic health data only from a single data holder, that applicant may file a data access application or a data request directly to this data holder.

The application shall contain a detailed explanation of the purposes, the requested health data, the adopted safeguards, etc. When the health data access body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant. The data permit shall set out the general conditions applicable to the data user.

Conclusion

The EHDS will mean a revolution for the handling of EHRs and the possibilities for secondary use. Companies in the health care sector (and EHR systems manufacturers) will need to adapt to the new obligations and invest significant efforts. Organisations currently holding electronic  data may also have concerns that the proposal could result in them being required to make available data protected by IP rights, trade secrets or other commercially confidential information. However, EHDS will also potentially bring great opportunities for many industries that will be able to benefit from accessing data for secondary use.

Next steps

• Health care providers will need to adapt to the EHDS requirements regarding the handling of EHRs and health data in general.
• Manufacturers of EHRs shall ensure that EHR systems are in conformity with EHDS and affix the CE marking, among other obligations.
• Companies interested in secondary use of health data (pharma companies, researchers, etc.) should keep an eye on this proposal for the regulation as this will bring business opportunities.
• We recommend monitoring the legislative development of the EHDS. 

Authored by Juan Ramón Robles and Nick Westbrook.