5 minute read 3 Oct 2022

First common EU data space - health sector

By Alicja Guzy

EY Poland, EY Law, Associate

Alicja specializes in personal data protection and intellectual property law.

The European Commission has unveiled a proposal for a European Health Data Space, the result of work on regulations for easier and safer rules, structures and processes in Member States for accessing and exchanging health data across borders.

As part of the European Data Strategy presented in February 2020, the European Commission, aiming to realise the full potential of the data-driven economy and innovation, announced the construction of a single European data market, which will aim to remove current legal and technical obstacles to the free exchange of data. The strategy is based on four fundamental pillars. One of these is the creation of common European data spaces in strategic economic sectors. These common data spaces will allow for wider availability, improved quality and re-usability of data held by the private and public sectors. The European Health Data Space (hereafter "EHDS")[1] represents the first such space.

 

What is the EHDS and what are the main principles?

While individuals have been given the means to enforce their rights to access and control personal data (including health data), the uneven implementation and interpretation of the provisions of the GDPR[2] by individual Member States makes exercising those rights significantly more difficult. Barriers to accessing health data are also encountered by researchers and innovators. As a result, there are situations in which patients are unable to benefit from innovative treatments and further development of innovations in the health sector does not proceed as quickly as would be possible with an open data market. The Covid-19 pandemic has also been an important contributor to the work on data sharing regulations, as it has shown that free access to electronic health data is essential to respond efficiently to health threats - especially when they are global in nature. The European Health Data Space is intended to be the answer to these problems.

The main principles of the EHDS are:

  • providing individuals with practical control and management of electronic health data,
  • enabling access to electronic data, which will have a direct impact on better diagnosis and treatment and, consequently, on increasing the efficiency of healthcare systems (primary use of data),
  • interoperability, harmonisation and a common EU approach to the use of electronic health data for specific purposes,
  • introducing a framework for better exchange of electronic health data for research, innovation, but also for policy-making and regulatory purposes (secondary use of data).

Relationship to other legislation

The EHDS Regulation touches on areas that – to a large extent – already appear in regulations adopted to date at the European level, including GDPR, NIS[3] or DGA[4]. Thus, the EHDS repeats several rights of individuals established in the GDPR and develops some of them. It also complements the NIS and the DGA by introducing specific solutions applicable to the medical sector. In the EHDS Regulation, we will also find references to the Artificial Intelligence Act (which is currently being worked on) or Regulation 2017/745[5] on medical devices.

Primary and secondary use of electronic health data

The EHDS Regulation distinguishes between primary and secondary use of electronic health data. 

The primary use of electronic health data is the processing of data for the purposes of providing health services to the individual to whom the data relate, including the provision of medicinal products and medical devices, and for social security, administrative or reimbursement services.

Secondary use of electronic health data involves the processing of data for, among others, public health, research, innovation or policy-making purposes, as well as for regulatory purposes. The EHDS Regulation contains a closed catalogue of data that can be used in secondary uses.

In the framework of the primary and secondary use of electronic health data, the EHDS Regulation introduces specific instruments to facilitate access to data and to support the cooperation of the actors involved.

 

Primary use of electronic health data

With regard to the primary use of electronic health data, the EHDS Regulation confirms the individual's right of access to his or her electronic personal health data by indicating that access should be granted without delay. At this point, it is worth recalling that, in Poland, the unclear relationship between the right of access expressed in Article 15 of the GDPR and the right of access to medical records under Chapter 7 of the Act on Patients' Rights and the Ombudsman for Patients' Rights[6], together with the related fee for such access (Article 28 of the same Act), has been quite widely discussed. Under the EHDS Regulation, data should be made available free of charge in an easy-to-read, consolidated and accessible format.

The right of access covers at least the data belonging to the priority categories explicitly indicated in the Regulation, which include:

  • patient health summaries;
  • electronic prescriptions and their dispensation;
  • medical images and image reports;
  • laboratory results;
  • discharge reports.

The Commission will lay down the technical specifications defining the European format for the exchange of electronic health record data by means of implementing acts.

It will be possible to restrict the right of access only when necessary for patient safety and ethical reasons (e.g. a health centre will be able to postpone the electronic transmission of a diagnosis indicating a serious illness on the grounds that the information must be presented during a consultation with the patient).

Data subjects will also gain the right to be informed about the healthcare providers and professionals who have used access to their data for the provision of healthcare services.

Healthcare professionals, in turn, are to be provided with access to the electronic personal health data of individuals to whom they provide services, irrespective of the Member State of affiliation and the Member State of treatment, by means of appropriate cross-border infrastructure for the primary use of the data throughout the Union.

We need to make the most of the potential of e-health to provide high-quality healthcare and reduce inequalities. I want you to work on the creation of a European Health Data Space to promote health-data exchange and support research on new preventive strategies, as well as on treatments, medicines, medical devices and outcomes. As part of this, you should ensure citizens have control over their own personal data.
Ursula von der Leyen
President of the European Commission, 1 December 2019

Cross-border infrastructure for primary data use - MyHealth@EU

To enable the primary use of electronic health data, it will be mandatory to join the MyHealth@EU infrastructure, a central e-health platform facilitating the exchange of electronic health data between national contact points in the Member States. With the solutions introduced in the EHDS Regulation and the MyHealth@EU platform, an individual will receive medical care based on his or her complete medical history regardless of where it is provided.

By means of implementing acts, the EC will issue detailed rules on the security, confidentiality and protection of electronic health data. The MyHealth@EU infrastructure was established under Directive 2011/24/EU[7], with connection to it being optional until now – this will change once the EHDS Regulation comes into force.

Healthcare providers and pharmacies are to be connected to the MyHealth@EU infrastructure, with plans to gradually expand it to include other categories of electronic health data (including, in particular, medical images, laboratory results, discharges, etc.).

For electronic health data submitted through the MyHealth@EU infrastructure, the national contact points for digital health will act as joint controllers. In turn, the EC will act as processor.

Provisions for electronic health record systems and wellbeing applications

Businesses will receive guidance on the requirements that will be placed on their products. The essential requirements for EHR (electronic health record) systems and products for which interoperability with medical record systems is declared are included in Annex II to the EHDS Regulation - these will apply to both medical devices as referred to in Article 2(1) of Regulation 2017/745 on medical devices and high-risk artificial intelligence systems, as defined to be adopted in the EHDS Regulation. These include both interoperability requirements and safety requirements. 

Compliance with the provisions of the EHDS Regulation will be a condition for placing EHR systems on the market. The provisions of Regulation 2019/1020[8] will also apply to the aforementioned products. The market surveillance authorities may be the digital health authorities designated under the provisions of the EHDS Regulation.

Currently, the technology used in consumer-facing devices allows for the generation of a wide range of data, including health data (e.g. body temperature, blood sugar, pulse measurement).

Wellness applications: any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy lifestyles.

The EC has recognised the benefits of data generated by wellbeing applications (both devices and mobile apps) in the context of healthcare. It will be possible to use such data for primary use (users of wellbeing apps will need to be informed if the apps can be linked to EHR systems) and also for secondary use, as we discuss below.

Secondary use of electronic health data

Recent years have brought significant technological developments in the medical field. An example is the development of a machine learning algorithm to predict hypotension minutes before it occurs with a certain degree of probability based on high-fidelity arterial pressure waveform analysis[9]. However, to ensure further technological development, it is essential to enable the use of health data for research and development, including the training of new artificial intelligence systems to support doctors in their work.

The EHDS Regulation identifies categories of electronic health data that can be processed for secondary use. Such data may include, in particular, data from the healthcare system (e.g. disease registries, electronic health records), but also health impact data (e.g. consumption of various substances, minimum income, environmental factors) and data generated by individuals through the use of e-health devices or applications, including wellness applications.

Both public and private entities, excluding micro-enterprises, will be obliged to make data available for secondary use. The exclusion of smaller entities from such obligations and supporting the development of smaller market players by allowing them greater access to data is, in fact, a recurring feature of the legal acts of the European Digital Decade[10].

When applying for access to electronic health data for secondary use, a valid legal basis must be indicated. Access to the data will be granted if the intended purpose of the processing carried out by the applicant is compatible with the purposes enumerated in the EHDS Regulation (among others, research in the health or health care sector, development and innovation activities in the health area, public statistics on health sectors at national, multinational and EU level).

 

 

 

The EHDS Regulation also includes a catalogue of purposes that exclude the possibility of accessing electronic health data - including, among others, for the purpose of making decisions in relation to an individual to exclude him or her from an insurance contract or to change his or her contribution and insurance premiums, or for the development of products or services that may be harmful to individuals and the community at large (including, in particular, alcoholic beverages, tobacco products and illicit drugs).

Member States will be obliged to designate one or more data access bodies, which will be the entities competent to review and decide on a request for access. Other tasks of the data access body include the obligation to support the development of artificial intelligence systems, to train, test and validate artificial intelligence systems, and to develop harmonised standards and guidelines on the basis of the Artificial Intelligence Act (on which work is also currently underway).

The data access body will monitor and supervise compliance by users and data holders with the requirements set out in the EHDS Regulation. In situations where the data access body observes non-compliance, after a prior investigation procedure and the opinion of the monitored entity, the data access body will be able to revoke the access authorisation and suspend or completely withdraw access to electronic health data for a period not exceeding 5 years.

Cross-border infrastructure for the secondary use of data - HealthData@EU

For the secondary use of electronic health data, a new common infrastructure, HealthData@EU, will be established. Its aim is to facilitate the secondary use of data. As with primary use, participation in the infrastructure for secondary use of data will be mandatory.

The entity responsible for making electronic health data available for secondary use will be the national contact point for secondary use of electronic health data, to be established in each Member State.

Coordination and management at European level

In order to secure a coherent application and interpretation of the rules (in particular through cooperation and exchange of information between Member States), a European Health Data Space Board will be established.


Summary

Undoubtedly, action in the area of improving the exchange of electronic health data is necessary. At this point in time, legislative action must therefore be assessed positively, although work is still in progress. The proposal for the EHDS Regulation was presented at the beginning of May 2022. The regulation will become effective 12 months after its entry into force, with several transitional periods foreseen for the different areas to which the regulation applies.

The regulation will bring many benefits to individuals (among others, by gaining access to and the ability to share health data and eliminating situations where tests need to be repeated due to the inability to obtain a patient's previous medical history), healthcare providers (among others, by increasing the quality of services as a result of broader access to patient data, allowing faster and more accurate diagnosis), scientists and researchers, and the market (among others, by gaining access to data). There are high hopes that enabling broader, interpretive, and legally clear access to health data will allow innovation to flourish for companies building new health solutions - such as devices for wellbeing, devices for medicine, as well as algorithms to support doctors in their diagnostic and treatment activities. Hopes are particularly high in this area for the diagnosis and effective treatment of very rare diseases - as the collection of very high volumes of data from extremely large numbers of patients is necessary for the successful development of this area of medicine. Hopefully, the EHDS will bring a breakthrough in this area as well.

 

  • Article references

    [1] Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space, COM(2022) 197 final, abbreviated as 'European Health Data Space'.

    [2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

    [3] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

    [4] Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act). We write about the DGA in this article: https://www.ey.com/en_pl/law/data-governance-act.

    [5] Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC.

    [6] Act of 6 November 2008 on Patients' Rights and Patients' Ombudsman (consolidated text: Journal of Laws 2022, item 1876).

    [7] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare.

    [8] Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011.

    [9] Machine-learning Algorithm to Predict Hypotension Based on High-fidelity Arterial Pressure Waveform Analysis | Anesthesiology | American Society of Anesthesiologists (asahq.org), date of access: 05 September 2022.

    [10] E.g. the Digital Markets Act's protections for SMEs in terms of imbalance towards the largest online platforms - we write about the DMA here: https://www.ey.com/en_pl/law/digital-markets-act-the-path-to-a-fair-and-competitive-digital-economy - or the protections for the secondary use of public sector data provided for in the Data Governance Act - we write about the DGA here: https://www.ey.com/en_pl/law/data-governance-act.
