After a period of uncertainty over the fate the Regulation on the European Health Data Spaces (“EHDS Regulation”), earlier this Spring, the European Parliament and the Council have reached a provisional political agreement on the proposal. The compromise agreement [link] has introduced some new concepts and has also brought clarity on the relationship between the General Data Protection Regulation (GDPR) and the EHDS Regulation. While the text awaits formal approval of the Council, the published draft clearly outlines the direction the EU lawmakers intend to take. This post focuses on five key takeaways that are poised to significantly influence the framework for accessing and utilizing electronic health information within the EU.
If you are interested in EHDS developments, you are welcome to read our earlier blogposts: European Health Data Space: The Debate Continues and European Health Data Space - Untapping The Potential of EU Health Data.
The authors of this article are participating in the following EU-funded projects:
The EHDS Regulation proposal, introduced in May 2022, was designed with the overarching goals of fortifying patients' rights concerning their health data and fostering the reuse of such data for scientific research and innovation, among other objectives. However, as is often the case, the intricacies lie within the details, and the EHDS Regulation has undergone numerous revisions in its text through the compromise agreement between the EU Council and the European Parliament. Below, we delve into five recent developments stemming from this process, which we believe hold significance for companies and researchers operating within the healthcare sector.
The compromise agreement sharpens the obligations of the manufacturers of wellness applications. Wellness application has been broadly defined under the EHDS Regulation, as “any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on the health of individual persons, or the delivery of care for other purposes than the provision of healthcare.”
To ensure that users are properly informed that the wellness application may be connected and supply data to electronic health record (EHR) systems, the EHDS Regulation introduces mandatory labelling schemes for wellness applications claiming interoperability with EHR systems. This label will be issued by the manufacturer of the wellness application prior to its market placement. Additionally, labelled wellness applications will need to be registered in an EU database.
Manufacturers must also ensure that wellness applications claiming interoperability with EHR systems comply with the essential requirements and common specifications outlined in the EHDS Regulation, including those specified in Annex II. These requirements extend to medical devices and AI systems claiming such interoperability. Member States may regulate other aspects of wellness applications provided they align with EU law.
Furthermore, manufacturers must ensure that data sharing from the application is secure and contingent upon user consent.
Importantly, the compromise text incorporates data from wellness applications into the categories eligible for secondary use. Consequently, companies offering such appliances or software will be classified as health data holders.
The delicate balance between patients' rights to control the use of their data for research and the imperative for the scientific community to access the valuable yet often isolated medical data within hospital records has been the subject of intense debate.
Different approaches, ranging from mandatory patient consent (opt-in) to opt-out systems, and even a complete absence of patient input, have been considered since the introduction of the EHDS Regulation. Finally, in the compromise text, a reversible right to opt-out from the secondary use of personal electronic health data is granted to patients within the EU. Member States are tasked with ensuring the provision of a clear and accessible mechanism for individuals to exercise this right. However, the compromise also allows Member States the discretion to override this right in specific national contexts for purposes strongly linked to public interest.
For example, Member States may choose to disregard a patient's decision to opt-out in scenarios vital for public health, such as addressing serious cross-border health threats or conducting scientific research addressing unmet medical needs, including rare diseases or emerging health challenges. This override is limited to health data users within the public sector, including relevant European institutions, bodies, agencies, or entities entrusted with public health responsibilities, and only if the data cannot be obtained through alternative means promptly and effectively.
This nuanced approach seeks to uphold both individual privacy rights and the broader interests of public health and scientific advancement, recognizing the complexity and importance of striking a balance between these competing priorities.
Under the EHDS Regulation the data holders will be required to make certain electronic health data available for secondary use. The definition of health data holders has been updated to specifically mention:
who have either the right or obligation to process personal electronic health data for purposes listed in the EHDS Regulation or the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data. The compromise text also updates the categories of electronic data which will need to be made available for secondary use and clarifies, for example, that automatically generated data from medical devices, wellness applications or data on clinical trials and clinical investigations (once they have ended) is included. It also allows the Member States to provide for additional safeguards and stricter measures for some of the categories, for example human genetic data.
At the same time, the EHDS exempts individual researchers and natural persons and micro-enterprises from the obligations of health data holders.
The framework for providing access to data for secondary use has seen numerous changes. For instance, a new concept of ‘trusted health data holder’ has been introduced in the EHDS Regulation to help reduce the bureaucratic and administrative burden of the health data access bodies in relation to data access applications and data requests.
A Member State can designate trusted health data holders by assessing if a health data holder meets the following specific conditions:
The role of trusted health data holders will entail assessing data access applications for the data they control. The health data access body may relay such applications to these trusted health data holders, who will then evaluate it and offer recommendations to the health data access body. It is important to note that while the trusted health data holder's recommendations are considered, the health data access body ultimately retains the authority to issue the data permit. Upon permit approval, the trusted health data holder will prepare the health data for access, including compilation and anonymization or pseudonymization and provide it a secure environment for data user’s processing.
The original EHDS Regulation proposal did not provide for strong enforcement measures. Under the compromise text, health data access bodies will be able to penalise the health data holders and users through GDPR style administrative fines. More specifically, for infringement of their duties, the health data holders and health data uses may be fined up to EUR 10,000,000 or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Even higher fines of up to EUR 20 000 000, or in the case of an undertaking, of up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher may be imposed for gross violations specified in the EHDS Regulation.
The table below provides an overview of the fines applicable to different infringements.
Type of infringement | Fines |
Infringements of the duties of health data holder pursuant to Article 41 (Duties of health data holders) | Up to EUR 10,000,000 or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher |
Infringements of the duties of health data users under Article 41a (1), (4), (5) and (7) (Duties of health data users) | |
Infringements of following provisions: | Up to EUR 20 000 000, or in the case of an undertaking, of up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher |
health data users processing electronic health data obtained via a data permit issued in line with Article 46 for the purposes referred to in Article 35 | |
health data users extracting personal electronic health data from secure processing environments | |
re-identifying or seeking to re-identify the natural persons to whom the electronic health data which they obtained based on the data permit or data request pursuant to Article 41a(3) relate | |
non-compliance with enforcement measures by the health data access body pursuant to Article 43 |
The EHDS Regulation allows Member States to frame appropriate rules on the imposition of administrative fines on public authorities but introduces general conditions to be followed while imposing these fines. These general conditions include different factors of infringement, such as gravity and scale of the infringement, which need to be taken into consideration while deciding the amount of the fine.
The EHDS Regulation will apply 2 years after coming into force and will be implemented in a phased-out manner: the timeline varies between 4 to 10 years. For example, the provisions relating to EHR systems will apply after 4 to 6 years from the date the EHDS Regulation comes into force. Most provisions relating to secondary use of electronic health data will apply after 4 years, with certain categories of data being made available for secondary use only after 6 years. These categories include, among others, data on factors impacting on health, including socio-economic, environmental and behavioural determinants of health, human genetic, epigenomic and genomic data, data from clinical trials, clinical studies and clinical investigations.
Interestingly, the access to the electronic health data through the EHDS Regulation for secondary use by third countries or international organisations is only expected to be implemented after 10 years.
The European Health Data Space Regulation represents a significant advancement in harmonizing regulations surrounding access and utilization of health data. The compromise agreement has introduced innovative concepts like the digital testing environment and trusted health data holder, while also refining governance rules for electronic personal health data. Despite these advancements, Member States retain considerable autonomy in how health data is processed, potentially leading to divergent rules and national exceptions. This divergence could result in increased costs and administrative burdens for stakeholders. Specifically, the landscape concerning conditions for reusing certain types of health data is likely to remain fragmented. Successful implementation of the EHDS hinges on continued collaboration among Member States to address these challenges and ensure cohesive regulation across borders.
The EHDS Regulation has been approved by the Parliament in April 2024 and now needs to be adopted by the Council. Once the Council adopts the new EHDS Regulation, it is expected to be published in the Official Journal in autumn.
Flute, AI4Lungs,RES-Q+ and TOLIFE have received funding from the European Union’s Horizon Europe research and innovation programme. However, the content of this article reflects the opinion of its authors and does not in any way represent opinions of the European Union. The European Commission is not responsible for any use that may be made of the information the article contains.