Proposed European Health Data Space Regulation
Client Alert | 11 min read | 06.13.22
On May 3, 2022, the European Commission published a proposed regulation (the “EHDS Proposal”) for the establishment of a European Health Data Space (or “EHDS”). This is the first proposal for establishing domain-specific common European data spaces following the European strategy for data and an important step in building a European “Health Union”.
In short, the proposed regulation establishes the EHDS, a common space for health data where natural persons can control their electronic health data (primary use) and where researchers, innovators and policy makers have access to these electronic health data in a trusted and secure way that preserves the individual’s personal data (secondary use). Data holders (such as health care providers, including private and public hospitals, and research institutions) may be subject to new, burdensome obligations to make their data available for secondary use through the EHDS.
In this client alert we summarize the main principles the European legislature proposes to facilitate the primary and secondary use of health data in the EHDS and examine the consequences of this proposal for the different actors involved with the EHDS (individuals, health professionals, researchers, policy makers and the health care industry).
The starting point of the EHDS Proposal is the finding that health data are fundamental for advancing scientific research and medical innovation, patient well-being and public health (as the COVID-19 pandemic has demonstrated), more efficient policy making and regulatory oversight. At the same time, patients need better control over their health data, which are protected as personal data. The EHDS Proposal aims to reconcile the regulation of the primary use of health data by the individual and health professionals with the secondary use by researchers, innovators and policy makers.
The EHDS Proposal is not an isolated piece of legislation: it sits on top of a patchwork of relevant legislation, such as the General Data Protection Regulation, the NIS Directive and, specifically for the medical sector, the Medical Devices Regulation, the In Vitro Diagnostics Regulation and the Cross-Border Health Care Directive. Moreover, the proposal cannot be read without considering the proposed Data Governance Act, the proposed Data Act and the proposed Artificial Intelligence Act. While the Data Governance Act and Data Act would provide a generic, horizontal framework for the sharing of data, the EHDS Proposal would make these principles more concrete for health data.
Considering this complex legal framework, the EHDS Proposal is intended to offer some guidance on how electronic health data may be used for various purposes, considering not in the least that health data are protected under the GDPR as a “special category of data”, protected by additional safeguards for its processing. It does so through substantive rules, through technical regulation (e.g. formats of electronic health records or “EHRs” and interoperability requirements) and through regulatory oversight by dedicated national authorities.
The EHDS Proposal consists of two main components, namely the primary and the secondary use of electronic health data.
Primary Use of Electronic Health Data
The first purpose of the EHDS Proposal is to strengthen the rights of natural persons in relation to the availability and control of their “electronic health data”, a notion that covers both personal and non-personal electronic health data, i.e. data concerning health and genetic data in electronic format within or outside the scope of the GDPR.
The rights of the data subjects regarding the “primary use” of electronic health data would be clarified in the EHDS Proposal, with “primary use” defined as the processing of such data “for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services”.
The EHDS Proposal would also provide more detailed guidance on how the data subject rights under the GDPR (e.g. rights to access, to obtain a copy in a standardized format or to rectify the data) may be exercised in relation to electronic health data, as well as on how to restrict such rights (e.g. delay the exercise of the rights to allow the health care professional the time to communicate with the patient). Individuals would be able to easily access and share these data (e.g. with the healthcare professionals of their choice) in and across Member States. They may even require a data holder to transmit their electronic health data to a “data recipient” in the health or social security sector. They would also be able to exercise better control over their data, in the sense that they would have the right to know which health care professionals have access to their data and to restrict their access to all or part of their data.
Health care professionals, on their end, would also have the right under the EHDS Proposal to access the electronic health data of individuals under their treatment (in particular patient summaries, prescriptions, dispensations, medical images and image reports, lab results and discharge reports, i.e. the “priority categories of personal electronic health data”). At the same time, they would be obligated to ensure that the electronic health data are updated in a European Health Record (“EHR”) system with the information concerning the health services they provided.
Secondary Use
Acknowledging the importance of health data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other patients, the EHDS Proposal would explicitly implement the possibilities to reuse personal data for secondary purposes authorized under the GDPR.
Under the proposal, the “data holder” (a notion similar to the one in the proposed Data Act) would be under the obligation to make certain categories of electronic data available for secondary use. These categories cover a wide variety of data, including EHRs but also data impacting on health, genomic data, socio-economic data, etc., from various sources (data generated using connected devices, administrative data, data from clinical trials, questionnaires, biobanks, etc.).
These data would have to be made available for secondary use even where they may be protected under intellectual property rights or trade secrets, in which case measures must be taken to maintain this protection (although the EHDS Proposal does not indicate who would be responsible for these measures).
Access to these data would be managed by a “health data access body”, which would grant requests for access (in the form of a “data permit”) only for the broad objectives of scientific research, innovation, policy-making and regulatory activities.
In particular, the EHDS Proposal would authorize the processing of data for one of the following limited purposes: (a) public interest activities in public and occupational health (e.g. epidemics or pandemics); (b) supporting various public authorities in the health or care sector; (c) producing statistics; (d) education or teaching in the health or care sectors; (e) scientific research related to the health or care sectors; (f) development and innovation in relation to products or services in public health or social security, medicinal products or medical devices; (g) training, testing and evaluating algorithms (including in medical devices, AI systems and digital health applications) for medical applications (public health or social security, medicinal products or medical devices); or (h) providing personalized healthcare.
Conversely, the EHDS Proposal would explicitly prohibit a number of prejudicial secondary uses. It would forbid the use of the data for taking decisions that are detrimental to the natural person based on their electronic health data, for decisions that exclude natural persons from their insurance contracts or modify the terms to their detriment, and for developing harmful products or services. The data may not be used for advertising or marketing activities, and the data may not be transferred in any way to a third party that is not mentioned in the data permit.
Interestingly, the “data users” may include any person who has lawful access to electronic health data – although some purposes are reserved for public authorities. This means that members of the pharmaceutical industry may request access to the data, even if they have a commercial purpose, as long as they intend to pursue one of the legitimate purposes, such as scientific research, innovation or the use of data to develop and train selected algorithms.
Whether this “permit-based approach” will be sufficient to facilitate the sharing of health data for secondary use, while at the same time guaranteeing the rights of individuals, remains to be seen: the success will largely depend on the practice and staffing of these national health data access bodies. It is noted that the GDPR follows a risk-based approach, creating more flexibility due to self-assessments and sufficient documentation.
Technical Provisions
The EHDS Proposal not only contains substantive provisions on the use and reuse of health data but also organizes Europe’s technical infrastructure to support the primary and secondary uses of health data.
In order to make electronic health data accessible and transmissible, they should be processed using a common, interoperable format, the “European electronic health record exchange format” for which the Commission will determine the technical specifications. The natural person, the health care provider and the data recipient should be able to use this format to read and access the health data.
In order to guarantee a minimum level of security and interoperability, the EHDS Proposal would impose a self-certification scheme for EHR systems. The proposal also introduces a voluntary label for wellness applications to ensure transparency for users (and procurers) regarding the interoperability and security requirements (so the data generated by these apps can be added to the EHR). This scheme should also reduce cross-border market barriers for manufacturers (which must be established in the EU or have an authorized representative in the EU, prior to making an EHR system available in the EU). In the same vein, importers and distributors have specific obligations (e.g. verification of the conformity of the EHR system). A system of market surveillance of EHR systems is also provided, as Regulation 2019/1020 on market surveillance and compliance of products also applies to EHR systems. These rules apply in addition to compliance obligations resulting from the AI or medical device regulations.
Furthermore, a cross-border infrastructure at the European level would be set up under the name “MyHealth@EU”. It will bring together the “national contact points for digital health” and the “central platform for digital health”, with a view to facilitating the exchange of electronic health data for primary use. The EHDS Proposal designates the Member States as joint controllers and the Commission as a processor.
Similarly, a cross-border infrastructure at the European level would be set up for the secondary use of electronic health data, under the name “HealthData@EU”. The Member States must designate a national contact point for secondary use of electronic health data, which will be responsible for facilitating such use by “authorised participants” in a cross-border context.
To optimize the secondary use of health data, the EHDS Proposal contains some technical requirements to ensure data quality and utility for secondary use: a description of the available data sets, a data quality and utility label, an EU datasets catalogue and minimum specifications for cross-border data sets for secondary use.
Regulatory Supervision
The EHDS Proposal would introduce new regulatory authorities, with distinct responsibilities for the primary and the secondary use of electronic health data.
Under the primary use component, Member States will be required to set up a digital health authority responsible for monitoring and guaranteeing the rights of individuals.
The health data access bodies, to be created by the Member States, will decide whether access for secondary use is permissible and issue a “data permit”. Interestingly, they will also collect the data from the various data holders (who must inform the health data access body about the data sets they hold) and prepare and disclose the data to the data user, only for the permitted purposes, while preserving IP rights and trade secrets and allowing data subjects to exercise their rights. They would also have support, documentation, publicity and technical management obligations. They should also facilitate cross-border access to electronic health data for secondary use hosted in other Member States through HealthData@EU. Finally, they would monitor and supervise the compliance of data users and data holders with their respective obligations.
The EHDS Proposal contains detailed provisions on the content of the data permit, the application process and the access to the data (in a secure processing environment).
Opportunities
The EHDS Proposal introduces an ambitious framework for facilitating access to and (re-)use of health data. Its first purpose is to improve access to health data for data subjects and health care providers, while at the same time strengthening the rights of data subjects (primary use).
The harmonization of technical requirements and the self-certification scheme for EHRs may reduce the barriers for EHR-developers, importers and distributors and facilitate access to the EU-wide market.
It is, however, the incentives to unlock these sensitive data for secondary purposes that show the Commission’s ambitions.
Importantly, research and innovation in data-intensive applications (including training algorithms for AI-applications, medical devices or medicinal products) are explicitly mentioned as authorized secondary purposes, meaning that data users can apply for a data permit for such intended purposes. As the EHDS Proposal intends to assure a certain data quality and the availability of large quantities of data from different sources, research institutions and industry actors should be able to leverage this new regulation to pursue faster and better innovations than if they only had access to their own data sets.
Health professionals should benefit from the EHDS as well, in particular with the secondary use of “providing personalized healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons”.
Finally, data holders (such as healthcare providers, including private or public hospitals, and research institutions) may be subject to new, burdensome obligations to make their data available for secondary use through the health data access bodies. The definition of “data holder” in the EHDS Proposal could use some clarification, as the current description covers any entity or body in the health or care sectors (or researchers in these sectors) that has the right or the legal obligation to make certain data available (in the case of non-personal data, control of the technical design of a product or service suffices). On the other hand, data holders may also develop additional sources of revenue: they are entitled to a fee, which is based on the cost of conducting the access procedure but (except for public sector bodies) may also include compensation for part of the cost of collecting and formatting the data.
We also note that entities that are operating in the US and the EU will likely need to navigate rules regarding health data that may not be harmonized, including US regulations governing health data privacy, interoperability, certification of EHRs, and oversight of medical devices.