Novelties brought by the draft Regulation on the European Health Data Space24 November 2022
Is Europe undoubtedly ready for the patients’ access and transfer of personal and non-personal electronic health data across its territory? An answer to this question seems to shape up.
On May 3, 2022, the European Commission published a draft Regulation on the European Health Data Space (the “EHDS,” the” Proposal“). The EHDS represents the first Proposal of such domain-specific common European data spaces and addresses health-specific challenges to electronic health data access and sharing. The EHDS should not be regarded as a stand-alone regulation, as it is built upon other relevant European legislation such as the General Data Protection Regulation (“GDPR“), the Regulation (EU) 2017/745 on medical devices, the Regulation (EU) 2017/746 on in vitro diagnostic medical devices, the proposed Artificial Intelligence Act, the proposed Data Governance Act and the proposed Data Act, the Directive on security of network and information systems (the “NIS Directive“), as well as on the Directive on the application of patients’ rights in cross border healthcare (the “CBHC Directive“). However, at this stage, the relationship between the Proposal’s provisions, the ones contained by the GDPR and Member State laws in the field of personal data processing and access to health data (especially regarding electronic health data) is not fully clarified.
Main objectives of the Proposal
Why does the EHDS seem to be such an impactful piece of legislation? Because it seems to be a rescue package for today’s healthcare issues and a response to the challenges the medical industry is facing due to the lack of interoperability and health data portability, by creating a legal and technical framework that will support, among others, the development of innovative medicinal products, vaccines and of medical devices. More precisely, the main purpose of the Proposal is to facilitate the use and sharing of electronic health data throughout the entire EU, both for primary purposes (i.e., prescription, dispensation, and provision of medicinal products and medical devices) as well as for secondary purposes (i.e., innovation, research, public health policies, patient safety, for regulatory or personalized medicine purposes).
The platform for patients
Specifically, the Proposal aims to make the implementation of the MyHealth European platform (MyHealth@EU platform) mandatory so that patients can access and control their health data at any time. By using this platform, patients will be able to effectively share their electronic personal health data with other health professionals across borders. So, health professionals (including those from other countries) would have quick access to patient health data for proper diagnosis and treatment. For these purposes, Member States will ensure that patient health records, electronic prescriptions, medical images, imaging reports, laboratory results, and discharge notes are issued and accepted in a standard European format.
The new platform for innovation and research
Additionally, by regulating the possibility for data to be used for secondary purposes (e.g., research and innovation purposes), the Proposal would create many more opportunities for prevention, early diagnosis, and future treatments, vaccines, and medical devices for serious diseases. For the secondary use of electronic health data, the Proposal aims to create a HealthData@EU platform, that could be accessed by health data access bodies that will be set up in each Member State. Therefore, the Proposal brings some novelties in the field of medical data sharing and processing, which seems to be the beginning of an increasingly well-defined digital era in the health sector. The Proposal provides a legal basis for processing personal health data within the European Union and mainly aims to:
▸ create a secure framework for EU citizens to access their own medical data & remove barriers to cross-border use of health data for primary purposes;
▸ promote secondary use of health data for research and innovation purposes;
▸ create the European Health Data Space Board (“EHDS Board”) that will facilitate the cooperation between digital health authorities and health data access bodies, in particular the relation between primary and secondary use of electronic health data.
▸ define the obligations of manufacturers of Electronic Health Record (“EHR”)  systems and the requirements related to the conformity of such EHR systems.
Considering these, to whom is the Proposal addressed? The Proposal targets: (a) manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the European Union and users of such products; (b) controllers and processors established in the EU processing electronic health data; (c) controllers and processors established in a third country that has been connected to or are interoperable with MyHealth@EU platform and to (d) data users to whom electronic health data are made available by data holders in the EU.
Benefits for patients & Lack of barriers to cross-border use of health data for primary use
Patients will have access and control over their personal electronic health data
The most significant benefit for natural persons (i.e., the data subjects/patients) is that they will have the right to access their personal electronic health data processed in the context of primary use immediately, free of charge, in an easily readable, consolidated and accessible form, as well as to receive an electronic copy in the European electronic health record exchange format, of their electronic health data which are classified as “the priority categories of electronic health data for primary use” . The priority categories of electronic health data for primary use are the following:
▸ patient summaries – include important clinical facts related to an identified person that are essential for the provision of safe and efficient healthcare to that person, such as personal details; contact information; information on insurance; allergies; medical alerts; vaccination/prophylaxis information; medical devices and implants; pregnancy history, etc.;
▸ electronic prescriptions;
▸ electronic dispensations;
▸ medical images and image reports;
▸ laboratory results;
▸ discharge reports.
Apart from that, natural persons will have the opportunity to insert their electronic health data in their own EHR and that information shall be marked as inserted by the natural person or by his/ her/their representative(s). Natural persons will also benefit from the right to rectification under Article 16 of the GDPR. In this regard, they can easily request rectification online through electronic health data access services. Last but not least, natural persons will have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare, as well as the right to restrict access of health professionals to all or part of their electronic health data.
Broader access for health professionals to personal electronic health data
As per the Proposal’s provisions, health professionals (i.e., doctors, medical units) will have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment. Also, the competent authorities from each Member State will ensure that access to at least the priority categories of electronic patients’ health data is made available to health professionals through health professional access services. However, when access to electronic health data has been restricted by the natural person (i.e., the data subject/patient), the healthcare provider or health professionals will not be informed of the content of the electronic health data without prior authorization by the natural person, except the situations where processing is necessary in order to protect the vital interests of the data subject or of another natural person.
New authority on the horizon & The right to file a complaint
Each Member State will designate a digital health authority responsible for implementing and enforcing the Proposal’s provisions at a national level. Each digital health authority must implement the natural persons’ rights and obligations provided for in the Proposal by adopting necessary national, regional, or local technical solutions and by establishing relevant rules and mechanisms. Moreover, natural and legal persons will have the right to file a complaint, individually or collectively, with the relevant digital health authority.
MyHealth@EU – the channel of communication between EU Member States
The European Commission (“EC”) will be the promoter of the development of a central platform (i.e., MyHealth@EU) for digital health to provide services to support and facilitate the exchange of electronic health data between national contact points for digital health of the Member States. As such, each Member State must designate one national contact point for digital health to ensure the connection to all other national contact points for digital health and to the central platform for digital health. Such a national contact point may be created within the digital health authority.
The national contact points for digital health shall enable the exchange of the priority categories of electronic health data between them. The exchange is based on the European format for exchanging electronic health records.
Furthermore, Member States will ensure the connection of all healthcare providers to their national contact points and that those connected are enabled to perform two-way electronic health data exchange with the national contact point for digital health.
An essential point is that pharmacies will be required to access and accept electronic prescriptions transmitted to them from other Member States through the MyHealth@EU platform. Thus, pharmacies (including online pharmacies) can dispense medicinal products based on an electronic prescription issued by another Member State. From a GDPR perspective, the national contact points will act as joint controllers  (they jointly determine the purposes and means of processing) of the electronic health data transmitted through the MyHealth@EU platform for the processing operations in which they are involved, and the EC will act as a processor.
Obligations related to EHR systems and wellness apps
The Proposal provides specific obligations for manufacturers, importers, and distributors of EHR and apps. Furthermore, the Proposal establishes conformity requirements for EHR systems placed on the market, especially the need to draw up technical documentation, provide users with an information kit about the system, draw up an EU declaration of conformity and apply the CE marking on the products.
Promotion of secondary use of health data for research and innovation purposes
The Proposal aims to make it easier for data users  to access electronic health data for secondary purposes held by data holders  from other Member States without requesting data authorization from all these Member States. In order to achieve this objective, each Member State should designate one or more health data access bodies (may be established a new body or an existing one could be designated for this role), that will offer access to electronic health data for secondary purposes.
Data categories and processing purposes
The categories of electronic data that could be accessed for secondary purposes by the data users are represented, for example, by the following: (i) EHRs; (ii) relevant pathogen genomic data, impacting human health; (iii) person-generated electronic health data, including medical devices and wellness apps; (iv) electronic health data from clinical trials; (v) electronic health data from medical devices and from registries for medicinal products and medical devices; (vi) electronic data related to insurance status, professional status, education, lifestyle, wellness and behavior data relevant to health, etc.
Electronic health data could be processed for secondary use, inter alia, for the following purposes:
▸ activities for reasons of public interest in the area of public and occupational health (g., protection against serious cross-border threats to health);
▸ scientific research related to health sectors;
▸ training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to public health or social security; etc.
The procedure to access data
In fact, the Proposal provides that data users seeking access to electronic health data shall submit an application to one of the concerned health data access bodies of their choice. Further, the health data access body in question shall notify the other relevant health data access bodies of the receipt of an application relevant to them within 15 days.
The health data access body shall assess if the application fulfills one of the purposes listed in the Proposal  and if the requested data is necessary for the purpose indicated in the application. If these conditions are met, the health data access body shall issue a data permit (i.e., an authorization) within 2 months from receiving the application. A data permit shall be issued for the duration necessary to fulfill the requested purposes which shall not exceed 5 years.
By derogating from the procedure described above, if an applicant intends to obtain access to electronic health data only from a single data holder in a Member State, that applicant may file an application directly to the data holder. In this case, the data holder shall assess the application and issue the data permit.
The Proposal aims to unlock the full potential of health data, by helping citizens to access and control their own health data and establishing a coherent framework to support better health research and innovation activities.
It remains to be seen what the final form of this Proposal will be, as some European authorities have already pointed out some inconsistencies with European data protection regulations. Specifically, on July 14, 2022, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space  through which they pointed out the importance of clarifying the relationship between the provisions in this Proposal with the ones contained by the GDPR and Member State data protection laws. One of the concerns is that the Proposal may even weaken the protection of the rights to privacy and data protection, especially considering the categories of personal data and purposes related to the secondary use of data.
So, we are curious and eager to see how this Proposal will be applied in our lives!
 As per the Proposal, EHR represents a collection of electronic health data related to a natural person and collected in the health system, processed for healthcare purposes.
 Article 5 of the Proposal.
 Article 26 of the GDPR.
 As per the Proposal, “data users” means a natural or legal person who has lawful access to personal or non-personal electronic health data for secondary use.
 As per the Proposal, “data holders” means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Proposal, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data.
 Provided in art. 34 para. (1) of the Proposal.