Law Flash
May 1, 2024
The chief negotiators of the Council of the EU and the European Parliament have reached an agreement on a new EU regulation on the European Health Data Space (EHDS). If adopted, this regulation will expand individuals' access to and control over their personal electronic health data, both at the national level and across EU member states (the primary use of data), while simplifying the exchange of and access to data for public interest and research purposes (the secondary use of data).
According to the draft regulation, the software platform will also allow organizations in third countries to access the health data of individuals in the EU, as long as they comply with the rules of the General Data Protection Regulation (GDPR). Additionally, organizations in third countries will be eligible for secondary use of data if they comply with the new EHDS regulations to the same level as the EU institutions using such health data.
The draft regulation will now need to be approved by both the Council of the European Union (Council) and the European Parliament (Parliament). Additionally, the exact language of the new final regulation will need to be reviewed by legal counsel. The draft regulation was adopted by Parliament on 24 April 2024 and is expected to be formally adopted by the Council in the coming weeks, well ahead of the EU elections in June this year. The draft regulation will then be published in the Official Journal of the European Union (Publication).
The final regulation is expected to become effective two years after promulgation. Chapter IV, which contains the rules on secondary use of data, applies four years after publication, with certain exceptions for categories of electronic data that are subject to secondary use, such as human genetic data, epigenomic data, genomic data, and clinical data. Data obtained from trials and studies applies six years after the date of publication.
The final regulation aims to design the EHDS as a trusted environment for secure access to and processing of a wide range of health data. It builds on the GDPR, the Data Governance Act, the Data Act, the NIS Directive, etc. These legal acts contain provisions (including security measures) that also apply to the medical field. (For a detailed analysis of data law, see the Dec. 5, 2023 Law Flash.) However, more specific rules are being developed in the draft regulation to account for the particular sensitivity of health data.
The EHDS sets out a common EU framework that allows the anonymized and/or pseudonymized use of health data for research, innovation, public health, policy-making, regulatory activities and personalized medicine. This will take advantage of the creation of a new decentralized EU infrastructure for secondary use of data (HealthData@EU), connecting health data access authorities to be established in all EU member states.
EHDS background
In the 2020 Communication “European Data Strategy”, the EU Commission proposed nine common data spaces to be developed within the EU. The EHDS is Europe's first common data space designated for health data. As a regulation (Verordnung), the final regulation will enter into force without further implementing legislation in EU Member States. However, certain sections and chapters of the draft regulation currently require EU Member States to implement certain amendments (see below).
The final regulations establish EHDS as a set of health-specific rules, common standards and practices, infrastructure, and governance frameworks to:
- Empower individuals by increasing digital access to and control of electronic personal health data nationally and across the EU (main use of data).
- Foster a single market for electronic health record (EHR) systems, related medical devices, and high-risk AI systems.
- Provide a reliable and efficient setup for secondary use of data (research, innovation, policy making, regulatory activities, etc.).
Key elements of the draft regulation
The draft regulations between the Council and Parliament cover the following key areas:
- Opt-out (main use of data): EU Member States shall allow patients to opt out of access to and use of their health data by healthcare professionals. Article 8 of the draft regulation does not contain specific instructions on how to exercise this right. It is also not specified whether healthcare professionals can bypass such restrictions to access medical data in the event of imminent danger to the patient.
- Opt-out (secondary use of data): All EU member states implement opt-outs for further use of health data. However, each of them may allow legitimate exceptions to the right to opt-out for public interest, policy-making, statistical, or research purposes. These exceptions must respect the essence of patients' fundamental human rights and be proportionate.
- Sensitive data: All EU member states can enact an absolute right to object to access by anyone other than the original healthcare provider who provided the treatment. If they choose to do so, they will need to establish rules and specific safeguards regarding such mechanisms. Such rules and specific safeguards may also relate to specific categories of personal electronic health data, such as genetic data.
- Trusted data holders: To reduce administrative burdens, EU member states may establish trusted data holders that can securely process requests for access to health data.
- Data localization: Article 60aa of the Draft Regulation generally states that all health data in the EHDS will be processed and stored within the EU. However, as an exception, health data may be stored and processed in a third country which is subject to an adequacy decision under Article 45 of the GDPR.
- Clinically significant findings: When researchers notify a health data access authority of findings that may affect the health of patients whose data were used in scientific research, the health data access authority may notify the data holder, and the data holder must notify the patient or the relevant healthcare professional of these findings.
- Evaluation of EHR systems: The draft regulations provide for an initial digital testing environment that must be in place before EHR systems can be placed on the market or used.
How EU nationals can access their health data
According to the EU Commission's policy program 'Pathway to the Digital Decade', by 2030 all EU citizens will have access to electronic health data via access points set up by EU Member States. A cross-border digital infrastructure for primary use of data (MyHealth@EU) connects EU member states and enables patients to share health data. All EU member states should participate in the cross-border digital infrastructure and appoint a digital health authority to help patients share data across borders. EU Member States must appoint a digital health authority as soon as Chapter 2 of the Draft Regulation applies (two years after publication). The supervisory authority responsible for monitoring and enforcing the GDPR shall also have the power to monitor and enforce the EHDS.
EU member states will also ensure that patient summaries, e-prescriptions, images and image reports, test results and discharge reports are issued and accepted in a common European format. The European EHR exchange format is set out in Chapter 2 of the Draft Regulation. This chapter will apply two years after publication of the final regulation, so it is expected that the European EHR exchange format will be released by then.
Who will implement and supervise the secondary use of data?
Institutions wishing to reuse health data must apply for permission from the Health Data Access Authority. Data permissions govern how data is used and for what purposes. Health data can only be accessed and processed within a closed, secure environment provided by a health data access authority with clear cybersecurity standards.
The draft regulation does not specify which entity will take on the role of “health data access authority”, leaving this decision to EU member states. In Germany, the Federal Ministry of Health (Bundesministerium für Gesundheit) is currently in the process of establishing a central access and coordination body for health data (Datenzugangs- und Koordinierungsstelle für Gesundheitsdaten), which will likely be the competent authority for the final regulation and implementation of the EHDS. Until such a central authority is established, that task may fall to the Health Research Data Center (Forschungsdatenzentrum Gesundheit), which is currently established at the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte) and is the competent authority regarding the implementation of the GDNG (Gesundheitsdatennutzungsgesetz).
Who will oversee compliance with the final regulation at EU level?
A new EHDS Committee will be established, chaired by the EU Commission, and made up of representatives from all digital health authorities and all health data access authorities in EU Member States, as well as observers according to their areas of work. The Committee will contribute to the consistent application of the final regulation across the EU, coordinate and exchange best practices, and cooperate with other institutions at EU level.
EU member states will cooperate at EU level to ensure that two cross-border digital infrastructures (primary use of data and secondary use of data) function smoothly.