Adoption of the regulation for the creation of a European Health Data Space (EHDS)

On April 24, 2024, the European Parliament adopted the regulation for the creation of a European Health Data Space (EHDS), the first sector-specific version of the Data Governance Act (DGA).

The regulation establishes a cross-border infrastructure and common rules and mechanisms for the primary and secondary use of electronic health data.

Requirements for electronic medical records and wellness applications

The regulation establishes common rules for electronic medical record systems (her systems) with regard to mandatory software components, namely the European interoperability component fherEHR systems and the European logging componenheror EHR systems, and wellness applications that claim interoperabilher with EHR systems in relation to these components for primary use.

The technical specifications will be defined in delegated acts of the European Commission.

Her (Electronic Health Record) systems marketed in the EU must be able to store and transmit high-quality health data securely, and to this end be subject to a mandatory self-compliance assessment system.

A mandatory labeling system for wellness applications claiming interoperability with EHR systems will be introduced to help users choose appropriate wellness applications with high standards of interoperability and security.

Primary use of data

Primary use is defined as the processing. the processing of personal electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services

One of the main objectives of the EHDS is to guarantee the security and free circulation of electronic health data within the Union, by setting up a cross-border MyHealth@EU infrastructure enabling the primary use of personal health data throughout the EU.

Secondary use of data, access and fees

Secondary use of electronic health data is defined as the processing of electronic health data for purposes other than the original purpose for which it was collected or produced, including the improvement of care and treatment, the safety of healthcare, medicines and medical devices, scientific research including innovation and training, the testing and evaluation of DMs, AI systems and digital health applications. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use.

Access bodies of each Member States are responsible for ruling on access requests, authorizing and issuing access permits for health data falling within their remit, handing over data for secondary use, and ruling on requests for data in the form of anonymized statistics.

Models for data access requests will be defined by the Commission by means of delegated acts.

Any fees charged to users of health data shall be transparent and non-discriminatory. It may be charged (i) by access bodies (proportional to the cost of making the data available, covering 1) the costs associated with managing the access request, and 2) the costs associated with the technical operations of consolidation, preparation, anonymization, pseudonymization and making the data available) or (ii) by holders (covering the costs incurred in compiling and preparing the data for secondary use).

Impact on existing legislation, including the GDPR and the French Data Protection Act (Loi Informatique et Libertés)

The EHDS Regulation clarifies and complements the rights provided by the GDPR for individuals regarding the primary and secondary use of their personal electronic health data.

Individuals have the right to refuse, at any time and without giving any reason, the processing of their health data for secondary use.

On the other hand, Member States may no longer maintain or introduce other conditions, including limitations and specific provisions requiring the consent of individuals, with regard to the processing of personal electronic health data for secondary use.

The Regulation applies without prejudice to the Medical Devices Regulation (MDR), and without prejudice to access to health data by public or private bodies entrusted under national law with a mission of public interest for the purposes of fulfilling their missions.

Similarly, the Regulation does not affect access to health data for secondary use agreed under contractual or administrative arrangements between public or private entities.

The implementation of the regulation's provisions will be spread over the next two to six years, and will require adaptations to our Data Protection Act, notably concerning the re-use of health data.