Secondary use of electronic health data
Regulating the secondary use of health data opens up research and analytical opportunities, which can drive scientific progress, new products and devices, digital innovation in the healthcare sector, and improvement of the healthcare system.
Categories of electronic data for secondary use
The draft Regulation on the European Health Data Space allows for certain reuse of personal health data collected in the context of primary use. Electronic non-personal health data, such as data collected for the delivery of healthcare more generally, can also be the subject of secondary use for statistical or security purposes.
The draft regulation includes a list of fifteen categories of electronic data which data holders can share for secondary use. Some of these categories are defined explicitly, such as electronic medical records. Others are described in general terms, enabling different interpretations of the boundaries or area of a given category, such as “data impacting on health, including social, environmental behavioural determinants of health,” or “electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health.” This way, with the intention of making as much data available for secondary use as possible, the European Commission would allow new types of data to be included in these categories.
The data categories enumerated in the draft are defined as “minimum categories.” Their number may increase through the mechanism provided in the draft. National health data access bodies will be able to grant access to additional categories of electronic health data entrusted to them in accordance with the laws of the given state or on the basis of voluntary cooperation with data holders, primarily private entities in the health sector.
What is allowed
Secondary use of electronic health data could occur exclusively for the purposes specified in the regulation. The list of purposes is a closed list. This means that the electronic data could be accessed only if the applicant’s intended purpose is to fulfil one or more of the eight purposes listed in the regulation.
First on the list are activities undertaken in the general interest of society, such as public health surveillance, protection against cross-border health threats, ensuring the safety and high quality of healthcare, and fulfilling statistical obligations, also at the international level. Access to electronic health data for processing for reasons of public interest shall be granted only to public sector bodies and institutions, bodies, offices and agencies of the European Union carrying out tasks entrusted to them under EU law or national law.
The second group of purposes includes educational and teaching activities, scientific research, development and innovation activities undertaken in the health and care sectors.
Training, testing and evaluating of algorithms, including in medical devices, AI systems or digital health applications, are listed as a separate purpose.
A specific purpose justifying access to electronic health data is secondary use in personalised healthcare, consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data (e.g. genomic information) of other natural persons.
What is banned
The secondary use of electronic health data, which is a special category of personal data, must not have harmful effects on natural persons. Therefore, the draft regulation prohibits seeking access to and processing of data if its purpose is to cause adverse legal effects or similar significant impact on a natural person on the basis of his or her electronic data, to worsen the conditions or exclusion of insurance for such a person, as well as to conduct advertising activities, to allow access to data by third parties without the required permit, or even to produce products (e.g. illicit drugs) or services harmful to natural persons and the general public.
Permit to access data
Under the draft regulation, secondary use of data will be possible on the basis of a permit to access data. This is an administrative decision issued by the health data access body, permitting processing of the data specified in the permit under the terms defined in regulation. Electronic health data are be transmitted in an anonymised form, unless specific permissible purposes of processing require a pseudonymised form. The permit will have a specific duration, with a maximum of five years, which can be extended once for another five years. Access to data may also require payment of a fee.
An important element of the permit is information on the technical features and tools available to the data user for the purpose of retrieving data from a secure processing environment. Electronic health data could be accessed only through a secure processing environment in which the data access body applies the security measures specified in the regulation.
Altruistically sourced health data
The draft regulation also takes into account an altruistic approach to health data. “Data altruism” is defined in the EU’s Data Governance Act (Regulation 2022/868) as “the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward…, for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change [etc], or scientific research purposes in the general interest.”
Such data collection for general-interest purposes can be handled by entities conducting non-commercial activities in countries that adopt national policies on data altruism.
The draft regulation allows data altruism organisations to process electronic personal health data in a secure processing environment meeting the requirements established by the regulation. It also obliges health data access bodies to cooperate with authorities for registration of data altruism organisations in monitoring their activities.
Cross-border digital infrastructure for secondary use of electronic health data
The digital infrastructure for secondary use of electronic health data foreseen in the draft regulation is similar to that for primary use of such data. It is called HealthData@EU. It is formed by a core platform, set up and operated by the Commission and national contact points linked to it, which can be national health data access bodies. It is also possible to link a third-country point of contact.
Institutions, offices, bodies and agencies of the European Union involved in scientific research, health policy or analysis are also authorised participants in the infrastructure, as are other research structures, mainly those dealing with health, whose operation is based on EU law and which support the use of electronic health data in the interest of the general public. Authorised participants will be joint controllers of processing operations, and the Commission will have the status of a processor.
The draft regulation establishes rules for granting access to cross-border registries and databases, which will be specified in more detail in the Commission’s implementing acts. The cross-border infrastructure also simplifies the procedure in the case of requesting access to electronic health data from more than one country, allowing submission of a single data access request to the health data access body in a selected state; that body will then notify the relevant bodies in other states and authorised participants in the HealthData@EU infrastructure.
Dr Ewa Butkiewicz, attorney-at-law, Life Science & Healthcare practice, Wardyński & Partners