European Health Data Space: the future of health data access and sharing in the EU

By Ira Peric Ostojic and Sara Pavlovic

The Covid-19 pandemic has highlighted the need to have timely access to and sharing of health data, which has in turn encouraged legislative developments at the EU level, including the recently published proposal of the first domain-specific EU data space – European Health Data Space (EHDS). The EHDS proposal provides for better availability of health data and represents an important step in building a “European Health Union”, which should in turn improve the delivery of healthcare to patients across Europe and unleash the full potential for research and innovation.

The exchange of and access to clinical information and health-related personal data can be vital for our preparedness and response to health threats, as well as for the treatment of patients, better health outcomes, and secondary use of health data which contributes to innovations and the development of science.

Currently, the question of processing personal health data and rights of natural persons over their health data are subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). However, constant technological developments and the Covid-19 pandemic demonstrated that more specific regulation is needed in order to allow better access to health data and the improved sharing of such data.

Today, natural persons have difficulties in exercising their rights over their electronic health data, including the access to and transmittance of their electronic health data domestically and across borders, despite the applicable provisions of the GDPR. In addition, the current EU legislative framework creates certain situations where natural persons cannot benefit from innovative treatments, and policy makers cannot react effectively to a health crisis, all due to barriers impeding access to necessary electronic health data for researchers, innovators, regulators and policy makers.

Furthermore, the GDPR has been inconsistently implemented and interpreted by Member States when it comes to legal bases for the processing of health data which has created considerable legal uncertainties, confusion and delays for researchers across the EU in accessing datasets comprising personal data and has resulted in barriers to secondary use of electronic health data.

EHDS: a shift towards the digital transformation of healthcare and integrated healthcare system in the EU, unleashing the full potential for research and innovation

In order to eliminate such barriers and address accelerated technological developments and the increased amount of data being processed and created through the use of digital applications and devices, in 2020 the European Commission launched the European strategy for data (EU Data Strategy). It proposes the implementation of numerous data related regulations, and the most relevant for the topic of the future of the health data are:

• Regulation of the European Parliament and of the Council on European data governance (Data Governance Act), which entered into force on 23 June 2022, creating the processes and structures to facilitate data sharing and envisaging the creation of sector-specific legislation on data access and the creation of a single market for data and domain-specific common European data spaces in 13 sectors;
• a proposal for the Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data, which was published on 23 February 2022, (Data Act) complementing the Data Governance Act, with the aim of clarifying persons authorised to use data and creating value from data generated by digital devices and the applicable conditions; and
• a proposal for the Regulation of the European Parliament and of the Council on the European Health Data Space which was published on 3 May 2022 (EHDS Proposal), complementing both the Data Governance Act and Data Act and providing more specific rules for the health sector and better availability (access and exchange) of health data, and proposing a single European market for data through the first domain-specific data space – European Health Data Space (EHDS).

The general objective of the EHDS Proposal is to create the EHDS, a common space where natural persons in the EU can easily control their electronic health data with the aim of facilitating healthcare delivery (primary use of electronic health data for the purposes for which they were initially collected).

It will also make it possible for researchers, innovators and policy makers to use this electronic health data in a way that is trusted, secure and preserves privacy, to facilitate health research, innovation, policy-making, regulatory purposes and personalised medicine, and to promote better diagnosis, treatment and the well-being of natural persons (secondary use of electronic health data for the purposes for which they were not initially collected).

The proposal also aims to contribute to a genuine single market for digital health products and services by harmonising rules, resulting in a boost to healthcare system efficiencies.

The proposal consists of two main parts, setting out the rules and mechanisms for supporting such primary and secondary uses of electronic health data across the EU. It also introduces the European Health Data Space Board, which will facilitate the cooperation between digital health authorities and health data access bodies, particularly the relationship between primary and secondary use of electronic health data.

Primary use – improves the delivery of healthcare to patients across Europe

Under the EHDS Proposal, individuals benefit from enhanced rights to 1) access and receive a copy of their personal electronic health data for primary use, immediately and free of charge (subject to certain safety and ethics exceptions and limitations), to 2) rectify their electronic health data more easily and quickly online, and 3) enhanced rights of data portability / sharing of such data (e.g. with the healthcare professionals of their choice) across Member States.

The framework laid down by the EHDS Proposal builds on the right to data portability established in the GDPR by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers and to all electronic health data.

The EHDS builds out the infrastructure for patients to exercise these rights in practice, which includes the issuance of proposals for electronic health record (EHR) systems intended to be used to store and share the electronic health data of natural persons. The proposed regulation sets out essential requirements specific to such EHR systems in order to promote the interoperability and data portability of such systems (EHR must be compatible between each system and allow the easy transmission of electronic health data between them). It also requires the Member States to ensure the placement of such systems on the market, putting them into service and the systematic registration of health data in the electronic format by HCPs.

Finally, the EHDS designates a common infrastructure / a central platform MyHealth@EU to facilitate the cross-border exchange of electronic health data (e.g., sharing of personal electronic health data with healthcare providers when travelling abroad). The Member States should join this digital infrastructure through national contact points for digital health and should establish connections of healthcare providers and pharmacies to the platform, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State.

In practice, this will allow patients to share their personal electronic health data in the language of the country of destination when travelling abroad or to take their personal electronic health data with them when moving to another country and will require the market operators in the health sector (either healthcare providers or providers of digital services and products) to share electronic health data with user-selected third parties from the health sector cross-border.

Secondary use – unleashes the full potential for research and innovation

The EHDS Proposal also introduces a new regulatory pathway through which “data holders” (defined widely to include most hospitals, public health bodies, pharma and Medtech but excludes micro-enterprises) must make a wide range of personal and non-personal “electronic health data” from various sources (such as e.g., medical devices, wellness applications’ administrative data, data from clinical trials, questionnaires, etc.) available to “data users” for a defined list of permitted secondary uses following their successful application to single “data holders” or to the newly established “health data access bodies”.

These permitted uses include scientific research, certain development and innovation activities, policy making, regulatory purposes and training, the testing and evaluating of algorithms, the provision of personalised healthcare/medicine, producing statistics, etc. The proposal also defines prohibited purposes, such as e.g., the use of data against persons, commercial advertising, increasing insurance, developing dangerous products, etc.

Interestingly, the “data users” may include any person who has lawful access to electronic health data – although some purposes are reserved for public authorities. This means that members of the pharmaceutical industry may request access to the data, even if they have a commercial purpose, as long as they intend to pursue one of the legitimate purposes, such as scientific research, innovation or the use of data to develop and train selected algorithms.

If the requirements are met, the data would need to be made available to lawful users for secondary use even if they are protected under intellectual property rights, trade secrets or similar types of protection, subject to an obligation to take appropriate measures to maintain this protection.

The proposed regulation encourages the use of anonymised electronic health data which is devoid of any personal data, but in any case, the personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body.

Furthermore, the proposed regulation provides the legal basis (under both Articles 6 and 9, GDPR) for the processing of personal data necessary to make electronic health data accessible for secondary use. Consequently, the implication seems to be that, if data holders and data users comply with their obligations under the proposed regulation, they should not have any difficulty in demonstrating the legal basis for GDPR compliance. It also defines the responsibilities for the health data access bodies and data users as joint controllers of the processed electronic health data in the sense of Article 26 of the GDPR.

The end? Actually, just the beginning …

Based on the opinions of EU bodies, better access to health data across borders will improve the quality and continuity of the care provided to individuals, which will in turn lead to reduced healthcare costs.

In addition, health data access bodies and single data holders may charge fees for making electronic health data available for secondary use, which then enables them to have additional sources of revenue.

But there is a potential flipside. Organisations face being compelled to hand over potentially valuable datasets to competitors, and there is a lack of clarity on key issues such as the preservation of IPR, and how the EHDS interacts with existing Member State laws on patient confidentiality.

While the EHDS Proposal introduces new instruments in order to achieve its aim, it relies heavily on the GDPR in some important areas. Surely, the development of the following issues will remain of great interest: the practical coordination of these two systems, new obligations of the national data supervisory authorities (remaining competent to monitor the processing of personal electronic health data and to address any complaints lodged by natural persons), working in cooperation with the digital health authorities and the permit-system in relation to the secondary use of the health data.

Furthermore, it will be interesting to monitor the consequences this system will have on the market (the possible clash with the IPR and laws on patient confidentiality) as well as whether this “permit-based approach” will be sufficient to facilitate the sharing of health data for secondary use, while at the same time guaranteeing the rights of individuals.