Establishing a European Health Data Space
Now that the Digital Markets Act, the Digital Services Act and the Data Governance Act have entered into force (see also our website article), another important pillar of the European data strategy is taking shape: the creation of a European Health Data Space (also called "EHDS"). The European Commission already published a corresponding draft regulation on 3 May 2022, which is intended to advance the digitisation of healthcare for all member states and better prepare the EU's healthcare systems for the digital future. Discussions on the draft are currently in full swing in the European Parliament, and there is still disagreement among MEPs regarding some of the provisions of the EHDS Regulation (hereinafter "Regulation").
What are the concrete provisions of the Regulation and what is its significance for those affected, such as healthcare providers, companies and research institutions? These and other questions will be examined in more detail in this article.
Background
Doctors, pharmacists, researchers and other health professionals process large amounts of health data every day. In order to improve medical care, research and infrastructure within the EU as a whole, the digitisation of the health system is essential. The COVID-19 pandemic in particular has shown that a well-functioning health system is imperative in order to be able to take effective and swift measures for public health.
Therefore, a European Health Data Space is to be created by 2025 at the latest, whereby health data is to be made available electronically in uniform formats throughout the EU. If, for example, a German goes on holiday to Spain and falls ill there, the doctor treating him in Spain will in future be able to view the patient's entire medical history on his computer in Spanish. These and many other advantages are to be made possible by the regulation and represent a milestone for digitalisation in the field of digital health.
About the regulation
The draft regulation consists of two main pillars: the primary use of health data and the secondary use of health data.
1. Primary use
An essential core aspect of primary use is to be the processing of electronic health data for the purpose of assessing, maintaining or restoring the health status of data subjects.
For this purpose, patients should be able to access their electronic health data immediately, free of charge and in an easily readable format. They should also be able to access an electronic copy of their patient file, consisting of some prioritised data, and to enter health information in their patient file themselves. In addition, they should have the right to restrict access to data by health professionals and to receive information about who has specifically accessed their electronic patient record. Besides patients themselves, health professionals should also have access to patients' electronic health data, whereby they must be provided with certain prioritised health data.
Furthermore, a uniform European exchange format for personal electronic health data is to be defined and a central European platform called "MyHealth@EU" is to be created, with which the exchange of data between the individual Member States is to be technically enabled. At the same time, new regulations for EHR systems are to be laid down in the regulation. EHR systems are devices intended by the manufacturer to store, transmit or process electronic patient records. The placing on the market as well as the commissioning of these EHR systems shall only be possible under the conditions specified in the Regulation. This concerns, in particular, requirements for interoperability, compatibility and security of EHR systems as well as data protection. For example, the electronic patient record available in Germany should be able to be connected to systems in other EU countries in the future. Manufacturers of EHR systems are to be obliged to prove conformity with these requirements by means of a CE marking.
2. Secondary use
Secondary use, on the other hand, is intended to regulate the processing of electronic health data for the purposes of research, innovation, patient safety or regulatory activities, whereby data that was originally collected for primary use is also to be recorded. The implementation should then look as follows: Data users must first submit an application for access to electronic health data to a national body established by the member states, which would be responsible for granting authorisation. The national body would ensure that, after the application has been granted, the respective data in the possession of the data owner (e.g. hospitals, medical technology companies, etc.) is made available to the data users. In this respect, the national agency would be responsible for the entire authorisation procedure. The data users would only be allowed to view the data in a secure environment, which is why it would generally not be possible to download the files. The data owner would then have to make the respective data available anonymously and within two months. A European infrastructure is to be created for this purpose, which is to guarantee the cross-border transmission of data.
Critique
Since the publication of the draft regulation, there has been much criticism:
- In particular, the European Data Protection Committee and the European Data Protection Supervisor see an urgent need for improvement in the protection of the data concerned (see Joint Opinion of the EDSA and the EDPS).
- In its press release of 5 April 2023, the Conference of Independent Data Protection Authorities of the Federation and states (Data Protection Conference) calls for improvements to the draft regulation. According to this, the regulation would have to include additional regulations on the form in which the data would have to be encrypted. Furthermore, regulations on the rights of data subjects are missing. Data subjects should be given the possibility to control their data. To this end, the transmission channels and processing procedures must be transparent and the data subjects must be provided with concrete and easily understandable information.
- In particular, it is also criticised that the regulations also refer to so-called wellness apps, such as fitness trackers. However, the data processed in connection with these apps is of a different quality, as much more extensive data about data subjects is processed here. The inclusion of this data would have far-reaching consequences, as it would in particular provide a comprehensive insight into the everyday life of the data subjects. Depending on the quality and compilation of the data, it might be possible to draw conclusions about the specific person despite anonymisation. With classic medical devices, on the other hand, data is only collected selectively, such as "only" the recording of an X-ray image.
- In addition, there are critics who oppose the establishment of a national authority and prefer a uniform European body, which would avoid different decision-making practices.
- Last but not least, the relationship between the General Data Protection Regulation (hereinafter "GDPR"), the EHDS and any national provisions should also be clarified.
Future prospects
Overall, it can be stated that the EHDS is a major step forward with regard to digitalisation in the health sector and represents a milestone for the creation of a European Health Union. Even if, in view of the disagreement regarding some regulations, it cannot yet be estimated with certainty when a concrete conclusion of the legislative process can be expected, Germany must quickly catch up on the digitisation of its health system. With the entry into force of the regulation, the European Health Data Space will become directly applicable law, the non-application of which will result in sanctions.
For stakeholders from the health and medical sector affected by the regulation, such as health service providers, companies and research institutions, it will probably come down to finding ways and means to ensure that they can navigate the conflicting priorities of the EHDS regulation and the GDPR in a legally secure manner, especially since breaches of health data protection can result in heavy fines. Therefore, the aforementioned groups should already deal with this issue now. In order to also meet the requirements for proof of conformity through CE marking, manufacturers of EHR systems should promptly consider a corresponding compliance strategy and integrate it into their company. Since importers and distributors are also subject to control and monitoring obligations, they should also take appropriate precautions. It can be assumed that the EHDS - like the GDPR when it was introduced in 2018 - will have a major impact on healthcare providers and other medical companies.