The European Parliament in April adopted the European Health Data Space regulation and EU member states are expected to approve the text in the coming weeks or months.
One of many initiatives under the EU's 2020 "Strategy for Data," including the Data Governance Act and the Data Act, the EHDS is the first of several data spaces the European Commission intends to develop, with others covering agriculture, finance and mobility, for example.
The objective of data spaces is to unlock the vast troughs of existing data and make them available for research, innovation and development — and to do all of that while still complying with applicable data protection laws.
While this will be tricky for every data space, health data raises unique challenges.
In essence, the EHDS targets two main categories of beneficiaries: patients and "data users."
EHDS for patients: Primary use of data for health care
The EHDS enshrines patients' rights to access their health data, to receive a copy of it and to port it between EU member states. It also grants patients the right to restrict access by health professionals and to know the identity of health professionals who accessed their data.
In addition, the EHDS aims to improve health professionals' access to electronic health data to guarantee seamless health care for patients wherever they are in the EU.
The EHDS will initially cover some categories of data, such as patient summaries, prescription data and lab results, with additional categories to be added later.
The exchange of data will be fostered by an "electronic health record exchange format" and interoperable, cross-border identification and authentication mechanisms for patients and health professionals, all of which would be developed by the Commission.
On top of these technical measures, an EU cross-border digital infrastructure, known as "My health @ EU," will serve as a central platform to support and facilitate the exchange of electronic health data. Over time, the platform could be used for additional cross-border services, such as mobile health and the exchange of vaccination certificates.
EHDS for data users: Secondary use of health data
In addition to empowering patients, the EHDS aims to break silos and make data available for research and innovation. To meet this objective, it asks "data holders" to define the data categories they hold and make them available to "health data access bodies" who, in turn, provide the data to "data users," such as scientific researchers, via a secure platform.
In general, data users will only have access to anonymous data, although access to pseudonymized data is also possible, if necessary for the intended use.
The data categories data holders must make available are quite diverse and cover, for example, electronic health records, claims and reimbursement data, clinical trial data, biobanks, registers, genomic data and cohorts. They will also need to make available nonpersonal data, such as data on pathogens and social and environmental behavioral determinants of health.
Data holders, including public and private companies, will have to create a catalog of all the covered data they hold and share it with the health data access body, which makes that publicly available so data users understand the types of data available for their projects.
Data users must request a permit from the health data access body for their project before accessing data. Health data access bodies may approve permits for purposes including scientific research in the health sector, developing products and services, and testing algorithms. Expressly prohibited purposes include advertising and marketing, and developing products that harm individuals and societies.
Upon approving a data user's permit, the health data access body will ask relevant data holders to provide the data requested by the data user so it can combine it with other data, if necessary, and provide it to the data user on a secure platform. Data users can only download anonymous data, the aggregate results of their analysis, from the health data access body's secure platform.
This very ambitious section of the EHDS has probably attracted the most attention and controversy — especially in relation to data protection and intellectual property.
One of the most notable issues raised by this section is the right to opt-in or opt-out. Many members of Parliament believed individuals should have a right to opt-in or opt-out from the use of their data under the EHDS framework. The Commission's proposal did not foresee a right to opt-in or opt-out, and the Commission argued it contained sufficient safeguards for individuals.
It also pointed out, supported by the European Medicines Agency and industry, that an opt-out — let alone an opt-in — would reduce the amount of data available and the integrity of data sets, which could lead to bias in scientific research or when testing algorithms.
Parliament was not convinced. The final text offers individuals a reversible right to opt-out from having their data shared in the context of the EHDS, even in anonymized form. Member states, however, can define use cases that override the opt-out, but only in favor of public data users, not private data users. How the opt-out right will be operationalized and managed in practice is not yet entirely clear.
The EHDS states users only receive access to anonymous data on the health data access body's secure platform. This assumes there is agreement on when data can be considered anonymous, but there is currently no agreed upon European standard. Supervisory authorities for data protection are working on an updated guideline on anonymization, but they have taken very strict positions in the past. Anonymization, especially strict anonymization, also reduces the utility of data for scientific research.
This tension may come to a head under the EHDS. If the applied anonymization standard is too high, data users may begin, by default, to request pseudonymous data simply because the anonymous data is not fit for purpose.
It is also not entirely clear yet who will have to anonymize the data — the data holder, before sharing the data with the health data access body, or the health data access body itself. The recitals of the regulation suggest it should be the data holder, further increasing the burden on data holders.
Legal basis is another notable issue, which under the EU General Data Protection Regulation and Article 9 derogation for data users to access and use pseudonymous health data under the EHDS has been clarified.
The Commission proposal set out the obligations of data holders and health data access bodies — they have an obligation, and derogation under Article 9, to share and host personal health data, respectively.
For data users, however, the Commission's EHDS proposal did not seem to provide for a dedicated Article 9 derogation. The final text appears to have resolved this by stating, albeit in a recital, that the EHDS itself provides the safeguards required under Article 9.
Electronic health records
The Commission has indicated it understands that for cross-border health care, exercise of patient rights and data sharing for secondary use will only happen if there is some level of consistency and interoperability in electronic health records — the most important source of health data.
The EHDS, therefore, contains an important chapter on electronic health records, including a conformity assessment, essential and common specifications, documentation requirements and a CE marking. These technical requirements, combined with the electronic health record exchange format, for the content of the records, should enable an EU-wide sharing of health data contained in electronic health records for health care and scientific research.
Medical devices and high-risk artificial intelligence systems that claim interoperability with electronic health records must also comply with these standards. Wellness apps claiming interoperability with electronic health records, and therefore meeting the same essential requirements, must obtain a label indicating they comply.
Data localization
The Commission's proposal did not contain data localization requirements. However, proposed amendments in Parliament, triggered by concerns expressed by data protection authorities, intended to impose sweeping data localization obligations.
In the final version, the data localization requirements only apply to data processed by the health data access bodies, not data processed by data holders.
International transfers
For international transfers of personal health data, the EHDS proposal contains nothing new — these transfers are already subject to the GDPR. However, the situation is very different for nonpersonal data, for example, anonymous data, which is not currently subject to the GDPR.
Under the EHDS, the nonpersonal data categories covered by its secondary use chapter provided by health data access bodies to data users in third countries qualifies as "highly sensitive," "provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future."
The "highly sensitive" qualification means that, in accordance with article 5(13) of the Data Governance Act, the Commission must set out "special conditions" for such transfers in an implementing act. It remains to be seen when the Commission considers the risk level such that it must trigger the application of this rule and what the safeguards will be.
The EHDS restricts access to nonpersonal data by foreign governments "where such transfer would create a conflict with Union law or the national law of the relevant Member State." It contains several provisions on when such access can be allowed in the absence of an international agreement, such as a mutual legal assistance agreement.
Moving forward
While the EHDS enters into force 20 days after its publication in the Official Journal of the European Union, most provisions don't apply until four years, or in some cases even six to 10 years, later.
This long transition period will be necessary as the EHDS still requires much preparatory work from all stakeholders involved.
Many practical issues still need a solution, certain provisions call for the adoption of secondary legislation, hospitals will likely have to update electronic health records systems, data holders will have to catalogue maintained data, and governments will have to establish various bodies, including health data access bodies.
Still, provided member states and the Commission resist the urge to overcomplicate things and insert national particularities preventing the EHDS from reaching its full potential, it could revolutionize health care and scientific research in the EU.