Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Health care providers (both private and public) store and make use of electronic health records ("EHRs") in the context of providing health care services. However, the configuration of such EHRs by health providers in the EU has often been implemented in a fragmented manner or in ways that do not ensure interoperability, hindering the access or use of data from other regions.
The European Health Data Space ("EHDS") (still a proposal for a regulation) aims to solve these issues by creating an interoperable and common environment for handling and using EHRs in the European Union. This will enhance the rights of natural persons.
As significantly, the EHDS would also create a new "secondary use" regime enabling the re-use of electronic health data held by a wide range of entities for secondary purposes (research, patient safety, personalised medicine, etc.). The EHDS clarifies the conditions for secondary purposes and the procedure and agreements that need to be entered into.
The European Union, in the context of the Covid-19 pandemics, found that timely access to electronic health records in case of a health crisis is crucial, as well as access for diagnosis and secondary use of health data. However, currently the EU does not have centralized and interoperable platform where EU citizens can find all their health records in a single place. This is a problem as data also is not available to practitioners and authorities throughout the EU . The consequence is citizens and the health professionals that may assist them lack of information when they travel to other countries. Furthermore, health professionals cannot access the complete records and cannot make optimal decisions.
The lack of centralized and accessible electronic health data is also a perceived impairment for the use of health data for secondary purposes such as research, policy making and the development of medicines.
In this context, (and following its Digital Strategy), the European Union has issued a Proposal for a Regulation on the European Health Data Space (EHDS).
Natural persons shall have, among others, the following rights:
Each Member State shall designate a digital health authority at the national level. It will be entrusted with several competences, such as issuing guidance, contributing to the solutions enabling natural personas and health professionals to exercise their rights, etc. In addition, Member States shall designate one or more health data access bodies responsible for granting access to electronic health data for secondary use and monitoring compliance during secondary use.
There is not a general sanctioning framework for infringing the EHDS Regulation. However, there are specific protections in relation to some chapters:
Each Member State shall designate one national contact point to ensure the connection to all other national contact points for digital health and to the central platform for digital health. The Commission shall establish a central platform for digital health to provide services to support and facilitate the exchange of electronic health data between national contact points. Member States shall ensure connection of all health care providers to their national contact points for digital health.
Member States shall ensure that pharmacies operating in their territories are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU.
Manufacturers of EHR systems are bound by several obligations. The EHR systems under the EHDS are those intended by their manufacturer for primary use of priority categories of electronic health data (patients summaries, electronic prescriptions, medical images, etc.). However, general software used in a health care environment are not in the scope of EHR systems obligations. Manufacturers of (covered?) EHR systems shall:
We will address the implications of EHDS for EHR systems in a future post.
Health data is collected in several different health care settings. However, this data is invaluable for other purposes as well that are not directly related to the purposes for which it is originally collected. The intention of this legislation is to enable health data to be re-used more widely for research, innovation, policy making, regulatory purposes, and patient safety. However, due to the sensitive nature of health data, and the fact that it may contain IP rights, trade secrets and commercially confidential information, appropriate safeguards must also be applied.
The EHDS envisages a quite broad list of categories of data that shall be available to reuse, including; (i) EHRs, (ii) pathogen genomic data, (iii) genetic data, (iv) identification data related to health professionals, (v) electronic health data from clinical trials, and (vi) electronic health data from biobanks.
The health data access bodies shall inform the data users about the available datasets and their characteristics through a metadata catalogue.
There is a closed list of allowed secondary purposes of processing:
Purposes for which secondary purposes are prohibited include, among others:
The EHDS is clear about this. Health data access bodies and data users shall be deemed joint controllers. Data holders do not have any data processor or joint controllership role vis-à-vis data users, except when there is a single data provider and the request is directly handled by the same, in which case they will be considered joint controllers.
No. They shall be provided with general public information on all data permits, by using the exception to inform envisaged in art. 14.5 of the GDPR. However, natural persons shall be informed of any finding that may impact on their health.
In any case, data access bodies shall make publicly available and easily searchable the conditions under which electronic health data is made available for secondary use, including legal basis of processing, natural persons rights and the results or outcomes of the projects for which the electronic health data were used.
The EHDS provides a legal basis of processing under the GDPR for the data holders, as well as an exception to process health data. However, the EHDS does not provide for legal bases for data users. A data user shall demonstrate its legal basis pursuant to the GDPR and explain the specific legal basis on which it relies as part of the application for access to electronic health data. The only legal bases that are allowed for data users are legitimate interest or exercise of a task in the public interest.
Yes. Where the data in question are not held by a public body, the fees may also include compensation for part of the costs for collecting the electronic health data specifically under the Regulation.
Fees shall be transparent and proportionate to the cost of collecting and making electronic health data available.
The access applications will be managed by a unique body: the health data access body. Each member state shall designate one or more health data access body. Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice. However, where an applicant requests access to electronic health data only from a single data holder, that applicant may file a data access application or a data request directly to this data holder.
The application shall contain a detailed explanation of the purposes, the requested health data, the adopted safeguards, etc. When the health data access body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant. The data permit shall set out the general conditions applicable to the data user.
The EHDS will mean a revolution for the handling of EHRs and the possibilities for secondary use. Companies in the health care sector (and EHR systems manufacturers) will need to adapt to the new obligations and invest significant efforts. Organisations currently holding electronic data may also have concerns that the proposal could result in them being required to make available data protected by IP rights, trade secrets or other commercially confidential information. However, EHDS will also potentially bring great opportunities for many industries that will be able to benefit from accessing data for secondary use.
Authored by Juan Ramón Robles and Nick Westbrook.