The European Health Data Space
True cross-border healthcare based on medical documentation accessible throughout the EU via interoperative electronic health data systems. Unleashing the potential of health data for science and developing new drugs and treatments. These are among the benefits promised by the European Health Data Space.
European Data Strategy
In early 2020, the European Commission published the European Data Strategy, envisioning the creation of a single European Data Space. One of the pillars of the strategy is creation of common European data spaces in nine strategic sectors of the economy, such as the green deal, energy, agriculture, and finance. The first draft, of the European Health Data Space Regulation, was announced in May 2022.
When presenting the draft regulation, the Commission emphasised the inherent potential of health data, which can be used for the benefit of patients, the healthcare system, science, and the development of new medical products and therapeutic programmes, through the digitisation of health data, the possibility of freely transferring health data within the European Union on a common platform, and sharing and reuse of health data.
Objectives of the European Health Data Space
The regulation aims to serve three purposes:
- Empowering natural persons by increasing digital access to and control over their personal health data and facilitating the free flow of such data
- Defining standards for electronic medical record systems to ensure their interoperability, security and use while respecting the rights of individuals with regard to their personal health data
- Creating a consistent and effective framework for the secondary use of natural persons’ personal health data for the needs of research, innovation, policy-making, official statistics, patient safety, and regulatory activities.
Legal basis
By nature, personal health data overwhelmingly means natural persons’ personal health data, which is a special category of data. The draft regulation supports implementation of natural persons’ rights established in the General Data Protection Regulation to protect electronic personal health data. Based on the provisions of the GDPR on personal health data, the draft regulation outlines the rules for the European Health Data Space, where data can be freely transferred within the EU and used for specific purposes, while maintaining the required security standards.
The draft regulation also takes into account numerous other European directives and regulations applicable to electronic personal health data, and in accordance with the subject of the regulation, clarifies the provisions of the new Data Governance Act and the planned Data Act.
An effort to maintain consistency with other EU laws in this area is also evident in incorporation into the draft regulation of all definitions (as in the case of the GDPR) or some definitions (e.g. from the Medical Device Regulation, Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare, and the European Digital Identity Framework Regulation) used in other regulations.
Subject of regulation
The draft also includes thirty new definitions. For purposes of this act, some of them clarify the conceptual scope of terms previously used. Thus, for example, the definition of “electronic personal health data,” in addition to health and genetic data under the GDPR, includes “data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form.”
The draft regulation defines a “data holder” as “any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, … or, in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict the access or exchange certain data.”
It is already clear from these two definitions that the regulation is intended to be almost universal in sweep. It encompasses all electronic health data, whether obtained from data owners, or other natural or legal persons (e.g. medical personnel), data processed in connection with the provision of health services or data obtained in connection with the use of devices and equipment for the well-being of a natural person (data derived, for example, from medical devices measuring various processes occurring in the body of the person who uses them independently), as well as data in the form of conclusions, diagnoses or observations, including those obtained by automated means.
The collection of electronic health data, as defined, as well as processing, sharing, and so on, will require the involvement of a number of entities indicated in the definition of a data holder, which will be required to comply with the new regulation.
Primary use of electronic health data
The draft regulation divides the use of electronic health data into primary and secondary. “Primary use” is defined as “the processing of personal electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services.”
With regard to primary use of electronic health data, the draft regulation envisages strengthening natural persons’ rights to such data and the possibility to use it regardless of the member state where they are located.
For this purpose, the draft regulation makes it mandatory for member states to participate in the MyHealth@EU infrastructure (until now, such participation has been voluntary, and ten countries have collaborated under MyHealth@EU). Member states are to include providers and pharmacies in MyHealth@EU. The platform is intended to ensure the exchange of electronic personal health data and in this way to facilitate the use of health services by natural persons in any member state.
Secondary use of electronic health data
Types of data exhaustively listed in the draft regulation can be the subject of secondary use of electronic health data. The Commission intends these categories of data to be broad and flexible enough to accommodate the changing needs of data users over time.
Making such data available by data holders is to take place on the basis of data access authorisation, i.e. an administrative decision issued to a data user by a health data access authority or data holder, authorising the processing of data specified in the authorisation and for the purpose specified in the authorisation, under the terms set out in the regulation. The processing purposes permitted by the regulation include those related to the public interest, scientific research, educational activities, the development of innovative products and services for public health and healthcare, or work on artificial intelligence systems.
Widespread use of this data throughout the EU will be possible through the operation of the HealthData@EU online platform, to which the relevant authorities of member states and stakeholders, namely data holders and data users, will be connected.
In subsequent articles, we will discuss in more detail the system designed for primary and secondary use of electronic health data, as well as the planned organisational solutions and safeguards.
Dr Ewa Butkiewicz, attorney-at-law, Life Science & Regulatory practice, Wardyński & Partners