Opinion

Council of the EU adopts the European Health Data Space Regulation

On January 21, 2025, the Council of the European Union (Council) announced its decision to adopt the Regulation of the European Parliament and of the Council on the European Health Data Space (EHDS). 

As we have previously reported, the EHDS Regulation is intended to enhance the accessibility, interoperability and security of electronic health data in the EU. It aims to give individuals access to their health record and allow healthcare professionals across the EU to access a patient’s personal health data with a view to facilitating treatment. Other entities such as public health authorities, researchers and industry will also be able to use health data made available by so-called data holders in anonymised or pseudonymised forms for secondary uses.

The EHDS Regulation applies to the processing of personal electronic health data for both primary and secondary use. It complements the rights laid down in the GDPR and introduces additional rights of access and portability of personal electronic health data and related obligations specific to the healthcare sector.

Key features of the EHDS Regulation include:

  • Enhanced rights of individuals, including the right to access their personal electronic health data immediately after registration in an Electronic Health Record (EHR) system, free of charge and in an easily readable format; 
  • The right to download an electronic copy of their health data in the European electronic health record exchange format, the right to insert their own information into their EHR, and the right to opt out of access to their health data by anyone other than the original healthcare provider;
  • Individuals also have the right to restrict the access of health providers to all or parts of their personal electronic health data;
  • The right of individuals to obtain detailed information regarding any access to their personal electronic health data by healthcare providers or other individuals, including the identity of the person who accessed the data, the date and time of access, and which data was accessed (this information must be available for at least three years from each date of access);
  • Interoperability and security requirements for electronic health data systems and data exchange, with a mandatory European electronic health record exchange format and logging mechanisms to ensure compliance with record access, transparency, and accountability;
  • A framework for the secondary use of health data, contemplating designation of national bodies responsible for granting access to health data for secondary use, data permits for the processing of health data for secondary use, and requirements to secure processing environments to ensure data privacy and security;
  • Health data holders (which includes anyone in the healthcare or care sectors, anyone developing products or services in these sectors, and anyone performing related research) are required to make relevant electronic health data available for secondary use upon request by health data access bodies;
  • Health data holders are required to communicate a description of the datasets they hold to the health data access body and keep this information updated;
  • Health data holders of non-personal electronic health data must provide access to their data through trusted open databases, which should ensure unrestricted access for all users and maintain robust, transparent, and sustainable governance;
  • EU Member States are required to establish electronic health data access services at national, regional, or local levels and designate digital health authorities responsible for the implementation and enforcement of the EHDS Regulation;
  • A European Health Data Space Board (EHDS Board) composed of representatives of Member States and the European Commission will facilitate cooperation and exchange of information;
  • Health data access bodies, trusted health data holders, and the EU health data access service are required to store and process personal electronic health data in the EU when performing pseudonymisation, anonymisation, and any other personal data processing operations – this also applies to any entity performing those tasks on behalf of such bodies, holders, or service (however, an exception is made for storage and processing in a third country or territory covered by the European Commission’s adequacy decision under the GDPR); and
  • Specific provisions are included for international transfer of non-personal electronic health data to third countries, with restrictions and limitations for non-personal data presenting a risk of re-identification; the EHDS Regulation refers to the Data Governance Act for the protective measures for international transfers of non-personal health data.

The EHDS Regulation will now be formally signed by the Council and the European Parliament. It will enter into force 20 days after publication in the EU’s Official Journal. Most of the provisions will apply from the second anniversary of coming into force, with exceptions and longer transitional periods for specific situations.

The press release is available here and the adopted version of the EHDS here.

 
