A new data space in health data: Proposals to aid access, improve healthcare and encourage innovation

The European Health Data Space (the EHDS) is heralded as the first of more than ten strategic data spaces proposed, the concept of which was announced as part of the EU’s Data Strategy in February 2020. It builds on the upcoming EU Data Governance Act (the DGA), the draft EU Data Act, the draft EU Artificial Intelligence Act (the EU AI Act) (more on these developments can be found here, here and here) and the well-established GDPR and NIS Directive.

A Commission Staff Working Document provides more information on the nature of EU data spaces more generally and there is a brief reminder at the end of this note.

A health data space of two halves

Whilst data rich, the Commission does not believe that the EU effectively utilises data for the good of its people or the economy. In particular, the Commission considers that the complexity and lack of harmonisation regarding rules, structures and processes within the EU make it difficult to access and share health data. This in turn leads to challenges in healthcare delivery as well as limiting innovation and data-driven developments. The Covid-19 pandemic only went to highlight these concerns and demonstrate the value of enabling effective access to health data.

As such, the EHDS addresses “primary use” and “secondary use” of electronic health data. The Commission’s work programme for 2022 stated that the EHDS will both “enable citizens to exercise more control over their health data” and “kick-start research into game-changing medicines”. 

Primary use

For the benefit of individuals and healthcare professionals, provisions look to overcome existing discrepancies in digitalisation of Member State health services and account for movement of people across the EU. Individuals will be able to access their electronic health data whether in their home or any other Member State and healthcare professionals across the EU may use the electronic health data to provide health care services to the individual.

Secondary use

To overcome existing issues such as perceived fragmentation of standards and divergent regulatory approaches to reuse health data (notably under the GDPR), provisions aim to make it easier to access larger pools of higher quality, interoperable electronic health data. Whilst acknowledging that the GDPR provides the basis to enable secondary use of data, it is hoped the EHDS will:

• ease research;
• speed entry into markets for those developing products and services in the digital health industry;
• aid innovation (not least through AI); and
• support policy makers in protecting public health.

The implications in more detail

Primary use

Individuals in the EU will see an expansion of their rights under the GDPR and can expect, amongst other things, to:

• have immediate, free access to their personal electronic health data (and that of individuals for whom they act as proxy) in an easily readable, consolidated, accessible, interoperable form.
• gain access through electronic health data access services-ie patient portals on computers or phones established by each Member State. The access right may be delayed where necessary to protect and individual based on patient safety and ethics;
• be able to obtain an electronic copy of the priority categories of personal electronic health data (electronic health data, including patient summaries, e-prescriptions, e-dispensations, medical images and associated reports, laboratory results and discharge reports) in a commonly readable format;
• be empowered to share their personal electronic health data with a healthcare professional of their choice, in an easy, transparent, common format. Specifically, individuals can grant access to, or require a data holder within the health or social security sector to transmit, their electronic health data to a recipient within the health or social security sector, free of charge and without hindrance. It is hoped this development of data portability concept under the GDPR, will make healthcare more efficient, support better medical decisions and improve health outcomes;
• be able to add electronic health data to their electronic health record and to certain other records such as those of their children;
• be able to easily exercise their right of data rectification (under GDPR Article 16) through the electronic health data access service;
• be able to restrict access by healthcare providers and professionals to some or all of their personal electronic health data (other than in cases of vital interest ie where their life is at stake, when the data may be made available with additional restrictions); and
• be able to obtain information, through the patient portals, on which healthcare providers and professionals accessed their electronic health data.

On the other side of the coin, health professionals in the EU:

• may access (through a health professional access app or software) the electronic health data of an individual under their treatment, irrespective of the Member State of the individual’ treatment or affiliation;
• may not be able to access all electronic health data of an individual if that individual has restricted the same (see above);
• should take account of electronic health data shared by an individual; and
• will be expected to update the electronic health data of the patients they treat.

Member State connection to the Commission’s central MyHealth@EU platform will be mandatory, so facilitating cross-border sharing for such primary use of electronic health data. Each Member State designates a national contact point for digital health to ensure the connection, alongside establishing links to national contact points of other Member States and to the Member State’s healthcare providers to enable the infrastructure to operate.

Each Member State’s national contact point is expected to act as joint controller when it comes to the processing of personal data carried out through MyHealth@EU, with the Commission being the processor and, through implementing legislation, allocating responsibilities amongst the various roles.

Detailed rules concerning the security, confidentiality and protection of electronic health data, the conditions and compliance checks necessary to be connected to MyHealth@EU and conditions for exclusion from MyHealth@EU shall be specified by the Commission. Any decision to connect a national contact point of a third country will be taken by the joint controllership group of the MyHealth@EU.

To support oversight, implementation and enforcement in relation to primary use of electronic health data each Member State must establish a digital health authority to, amongst other things:

• implement and enforce the rights for individuals under the EHDS;
• contribute to technical standards and solutions;
• cooperate with other regulators and bodies at an EU and national level (including electronic health record system manufacturers, insurers, healthcare providers and stakeholders from the health tech sector); and
• receive and process complaints in connection with the EHDS (informing data protection authorities where relevant).

The digital health authority will cooperate with the Member State’s relevant data protection supervisory authority, which shall also be involved in monitoring application of the individual rights under the EHDS.

Secondary use

In order to facilitate better use of the electronic health data, for the likes of research, innovation, policy making and regulatory decisions, comprehensive provisions address various access routes to the data. Here we note some of the key provisions.

Data holders must make certain electronic health data (and associated metadata) available for secondary use by data users. Failure to meet data holder obligations may result in a fine (to be set at the national level).

A data holder is widely defined, covering public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector (but does not include micro enterprises).

When coupled with the very broad range of electronic health data categories within scope (for example, electronic health records; clinical trial data; disease and public health registries; human genetic; genomic and proteomic data; electronic health data generated through wellness devices; research cohorts; questionnaires; electronic data related to insurance status; amongst many others), the spectrum of electronic health data available for secondary use is potentially very significant.  

The recitals of the EHDS touch on how the Commission considers the EHDS interacts with the GDPR. For instance, the EHDS states that it supports of secondary use of data by providing the GDPR Article 6 legal basis for data holders to share the electronic health data and the GDPR Article 9 conditions to process special category data in certain scenarios.

Health data access bodies (designated by each Member State) are tasked with gathering this electronic health data and, following a data user’s application (meeting certain content conditions), the relevant health data access body will grant a permit for access to the relevant electronic health data.

The permit (revocable for non-compliance) will detail applicable conditions including access duration, fees payable and, critically, the limited set of purposes for which the data can be used. From the perspective of research, industry and innovation, the most notable purposes include:

• scientific research related to health or care sectors;
• development and innovation for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices; and
• training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices.

Importantly, access will not be granted for the purposes of:

• taking decisions (producing legal or similar effect) detrimental to an individual based on their electronic health data;
• taking decisions in relation to an individual or groups of individuals to exclude them from the benefit of an insurance contract or to modify their contributions and insurance premiums;
• certain advertising or marketing activities;
• making available the electronic health data to third parties not mentioned in the data permit; or
• developing products / services that may harm individuals and wider society (for instance illegal drugs, alcoholic drinks, tobacco products, or goods or services which contravene public order or morality).

The electronic health data shall be anonymous and will be limited to that relevant for the data user’s purpose of processing. Where anonymisation prevents the data user achieving its purpose, the data will be provided in a pseudonymous form subject to:

• the data user providing further information such as the GDPR legal basis it is relying on to process the data;
• a prohibition on re-identification; and
• the key being held by the health data access body.

The health data access bodies and data users will be deemed joint controllers of the electronic health data processed under the permit. That data may only be accessed and processed in GDPR compliant secure environments provided by the health data access bodies, with technical and organisational measures, security and interoperability requirements (as detailed in the EHDS) in place. Data users may only download non-personal electronic health data from the secure processing environment.

Given the nature of electronic health data shared, the EHDS anticipates that it may be subject to intellectual property, trade secrets and confidentiality rights. As such, health data access bodies must take measures to protect those rights. The ability of data users to manage confidentiality, for example, may also be impacted by the EHDS requirements. As a quid pro quo for secondary use of electronic health data, data users must make public any results or output (as anonymised data only) within 18 months of processing. Separately, data users must inform the relevant health data access body of any clinically significant findings that may influence the health status of those individuals whose data are within the data set. How such information is made public will no doubt be the subject of careful consideration.

Health data access bodies are subject to a range of ancillary obligations that may aid researchers and industry, including amongst others:

• transparency (for example maintaining a public data set catalogue, details of permits, results communicated by data users); and
• providing information for individuals (regarding legal basis under which access was granted, technical and organisational measures taken to protect rights, public information in lieu of a GDPR privacy notice, rights regarding secondary use for instance).

In order to further the secondary use of electronic health data, the EHDS envisages the establishment of infrastructure (HealthData@EU) to facilitate cross-border access to electronic health data by authorised participants. Each authorised participant, falling within one of the following categories, must meet various criteria and technical specifications to connect:

• designated national contact points (which shall facilitate the access, cooperating closely with the Commission and other national contact points)
• EU institutions and bodies involved in research, health policy or analysis;
• health-related structures functioning based on EU law and supporting use of electronic health data for research, policy making, patient safety and regulatory purposes (including health data access bodies); and
• third countries or international organisations that meet the secondary use requirements and allow data users located in the EU to access electronic health data available to their health data access bodies (the Commission may determine that a national contact point of a third country or an international level system meets the relevant criteria).

The GDPR governs the approach to international transfers of personal data. However, the EHDS considers that non-personal electronic health data may also be subject to residual risk of re-identification and as such constitute highly sensitive data under the DGA. Where the non-personal data is transferred to a third country, the transfer must be compliant with the DGA and the associated conditions to transfer (details of which are yet to be determined).

The EHDS also provides for limits on the international transfer of non-personal electronic health data where a transfer or international governmental access would create a conflict with EU law. Subject to certain exceptions, digital health authorities, health data access bodies, the authorised participants in the HealthData@EU (as well as MyHealth@EU) and data users must all take all reasonable technical, legal and organisational measures, including contractual arrangements to prevent the transfers.

Electronic Health Record Systems

Electronic health record (EHR) systems are those appliance or software intended to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records (rather than software for general purposes even if used in healthcare).

Where those EHR systems are placed on the market and put into service in the EU, they must be able to operate in a secure way and respect the rights of individuals and health professionals. As such, under the EHDS, manufacturers of EHR systems are subject to certain obligations. For example manufacturers must:

• ensure EHR systems meet certain conformity requirements and specifications, for example regarding interoperability and security;
• establish implementing procedures to maintain compliance with those requirements and specifications;
• correct any lack of conformity;
• notify lack of conformity to distributors, importers and Member State market surveillance authorities (authorities designated to ensure compliance with the EHR system and wellness application requirements and to share information regarding serious incidents involving EHR systems with the Commission and other authorities);
• draw up technical documentation;
• provide information and instructions sheets containing specified details (and which do not mislead as to purpose, interoperability and security of EHR systems); and
• certify and mark conformity.

Where healthcare providers develop EHR systems “in house” they should also comply with the requirements placed on manufacturers.

Manufacturers of wellness applications (ie those applications used by a natural person for processing electronic health data for purposes such as well-being and pursuing healthy life-style) are not subject to mandatory certification but where they claim interoperability with an EHR system (and therefore compliance with requirements and specifications under the EHDS), they may choose to comply with a voluntary labelling scheme. This labelling is intended to provide transparency for users regarding the application’s compliance with interoperability and security. This reduced obligation reflects the lower relevance of the data from these applications for healthcare, even if the applications are able to export data in an interoperable format.

Both manufacturers of EHR systems and labelled wellness applications are required to register the same on the Commission’s public register prior to placing them on the market or putting them into service.

Importers and distributors are also subject to certain obligations in a manner similar to that contained in the EU AI Act. 

The territorial application of these obligations extends beyond EU borders. Manufacturers are caught by requirements even if established in a third country, so long as their product is placed on the market and put into service in the EU. Prior to making an EHR system available on the EU market, a manufacturer of an EHR system established outside of the Union must appoint an authorised EU-established representative.

As such, organisations operating on an international scale may implement EHDS requirements regarding EHR systems put on the market in other jurisdictions so as to maintain a harmonised approach across global markets.

EU level governance

Whilst penalties for infringement of the EHDS will be set at the Member State level, the Commission will establish a new EU level European Health Data Space Board (the Board). The Board will ensure cooperation between Member States and the sharing of views with various EHDS stakeholders. The Board, chaired by the Commission, will consist of representatives of Member State digital health authorities and health data access bodies, with the European Data Protection Board and European Data Protection Supervisor amongst those that may be invited to meetings (perhaps aiding consistency of approach across the legislative framework).

Is the proposal good to go?

It is well known that digitising health data and digitalising health services can pose significant, expensive, time consuming challenges. To achieve an interoperable, integrated, secure system for utilising electronic health data across the EU will take more than regulatory proposals alone.

The existing MyHeath@EU digital health infrastructure is to be the starting point for the primary use arrangements and whilst this cross-border system currently allows individuals in some Member States to access their health information cross-border, the infrastructure will require an expansion of both geographical and data scope. The aim is to achieve full EU coverage of the MyHealth@EU by 2025. Secondary use proposals will require new infrastructure and a call for proposals for a pilot has already been made.

Beyond the computational power and connectivity infrastructure to support the EHDS, the EU’s population will need to be on-board. As with all data (particularly personal data) related regimes, trust is key to engagement and engagement is key to a functional system. The legislature, relevant regulatory authorities and implementing bodies, will need to ensure individuals are comfortable with the levels of data protection and bring them along on the journey.

Likewise, an innumerable number of public and private sector organisations will need to coordinate to ensure the EHDS proves effective and operates in line with existing ecosystems and regulatory requirements.

The interplay with other regulations in development may also require careful consideration. For example: the DGA looks to facilitate data intermediaries (which facilitate data sharing more widely); the DGA will establish a European Data Innovation Board that will assist the Commission in preparing guidelines regarding EU data spaces (eg on standards, interoperability, competition, data transfers outside the EU, cybersecurity); the draft EU Data Act addresses the sharing of certain data with EU public bodies and the provision of compensation for availability of data; the upcoming Cyber Resilience Act concerns cybersecurity requirements for digital products and ancillary services. 

So what now?

Given: a) the significant benefits that might be harnessed by the EHDS for individuals, Member States, industry and research organisations; but b) the delicacy of sharing highly sensitive health data including special category personal data, don’t expect the path to finalisation of the EHDS to progress without interest. Both the Council of the EU and the European Parliament must now consider the Commission’s proposals and a public consultation is open until 28 July 2022.

The press release and associated documents are available here.

A reminder-what are EU data spaces?

The broader aim of the EU’s data spaces is to facilitate “the development of the European economy, to harness the value of data for the benefit of the European society” and overcome legal and technical barriers to data sharing. The data spaces are intended to be secure, privacy-preserving infrastructure to pool, access, share, process and use data in a fair, transparent, proportionate, non-discriminatory manner-all concepts many will be very familiar with.

Data spaces are expected to employ practical structures with governance mechanisms, to meet EU regulation and rules (eg regarding data protection) and involve a variety of individuals, data holders and organisations in the process of data sharing.

The Commission is looking to invest in common data spaces in strategic economic sectors and domains of public interest that, beyond health, include manufacturing, the EU’s Green Deal, mobility, energy, media, open science, security, financial, construction, smart communities and others.