Andreas Ruediger and James Clark | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/andreas-ruediger/

EU: EHDS – Access to health data for secondary use under the European Health Data Space
https://privacymatters.dlapiper.com/2024/11/eu-ehds-access-to-health-data-for-secondary-use-under-the-european-health-data-space/
Tue, 19 Nov 2024

This is Part 3 in a series of articles on the European Health Data Space (“EHDS“). Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR systems under the EHDS, is available here.

This article provides an overview of the framework for accessing health data for secondary use under the EHDS. It is based on the compromise text of the EHDS published by the Council of the European Union in March 2024.  

Improving access to health data for the purposes of supporting research and innovation activities is one of the key pillars of the EHDS and offers a potentially significant benefit for life sciences and healthcare companies who are looking for improved access to high-quality secondary use data.

By way of reminder, in general terms the EHDS creates a regime under which organisations may apply to a health data access body (“HDAB“) for access to electronic health data held by a third party, for one of a number of permitted secondary use purposes.  When required to do so by the HDAB, the company holding the health data (the health data holder) must then provide the data to the HDAB in order to satisfy the access request. The EHDS provides for safeguards to protect intellectual property rights and trade secrets, and there is some scope for health data holders to recover costs incurred in making data available.  

In more detail, the process operates as follows:

  1. Access to secondary health data

The EHDS stipulates a specific process as well as certain requirements for the access to secondary health data.

In order to get access to secondary health data under the EHDS, the applicant must submit a data access application to the health data access body (“HDAB”). Each Member State must designate an HDAB which is, inter alia, responsible for deciding on data access applications, authorizing and issuing data permits, providing access to electronic health data and monitoring and supervising compliance with the requirements under the EHDS.

Further, the HDAB is responsible for ensuring that the data provided are adequate, relevant and limited to what is necessary in relation to the purpose of processing indicated in the data access application. The default position is that data will be provided in an anonymized format. However, if the applicant can demonstrate that the purpose of processing cannot be achieved with anonymized data, the HDAB may provide access to the electronic health data in a pseudonymised format.

The data access application must include at least the following:

  • The applicant’s identity, description of professional functions and operations, including the identity of the natural persons who will have access to electronic health data;
  • Which purposes the access is sought for including a detailed explanation of the intended use and expected benefit related to the use (e.g., protection against serious cross-border threats to health in the public interest, scientific research related to health or care sectors to ensure high levels of quality and safety of health care or medicinal products/devices with the aim of benefitting the end-users, including development and innovation activities for products and services);
  • A description of the requested electronic health data, including their scope and time range, format and data sources, where possible, including geographical coverage where data is requested from health data holders in several Member States;
  • A description of whether the electronic health data need to be made available in a pseudonymised or anonymized format and, in the case of a pseudonymised format, a justification of why the processing cannot be pursued using anonymized data. Further, where the applicant seeks access to personal electronic health data in a pseudonymised format, compliance with applicable data protection laws must be demonstrated;
  • A description of the safeguards, proportionate to the risks, planned to prevent any misuse of the electronic health data as well as to protect the rights and interests of the health data holder and of the natural persons concerned, including to prevent any re-identification of natural persons in the dataset;
  • A justified indication of the period during which the electronic health data is needed for processing in a secure processing environment;
  • A description of the tools and computing resources needed for a secure processing environment and, where applicable, information on the assessment of ethical aspects.

Where an applicant seeks access to electronic health data from health data holders established in more than one Member State, the applicant must submit a single data access application to the HDAB of the main establishment of the applicant which shall be automatically forwarded to other relevant HDABs.

There is also an option to apply only for access to health data in an anonymized statistical format, which is subject to fewer formal requirements, as well as a simplified procedure for trusted health data holders. The European Commission is responsible for creating templates for data access applications.

  2. Requirements for the technical infrastructure

The HDAB shall only provide access to electronic health data pursuant to a data permit through a secure processing environment. The secure processing environment shall comply with the following security measures:

  • Access to the data must be restricted to the natural persons listed in the data access application;
  • Implementation of state-of-the-art technical and organisational measures to minimize the risk of unauthorized processing of electronic health data;
  • Limitation of the input of electronic health data and the inspection, modification or deletion of electronic health data to a limited number of authorized persons;
  • Ensure that access is only granted to electronic health data covered by the data access application;
  • Keeping identifiable logs of access to and activities in the secure processing environment for at least one year, so that all processing operations can be verified and audited;
  • Monitoring compliance and security measures to mitigate potential security threats.

The HDAB shall ensure regular audits, including by third parties, of the secure processing environments and, if necessary, take corrective actions for any shortcomings or vulnerabilities identified.

  3. Data protection roles

From a data protection law perspective, the health data holder shall be deemed controller for the disclosure of the requested electronic health data to the HDAB pursuant to Art. 4 No. 7 GDPR. When fulfilling its tasks under the EHDS, the HDAB shall be deemed controller for the processing of personal electronic health data. However, where the HDAB provides electronic health data to a health data user pursuant to a data access application, the HDAB shall be deemed to act as processor on behalf of the health data user. The EU Commission may establish a template for controller-to-processor agreements in those cases.

  4. Fees for the access to health data for secondary use

The HDAB may charge fees for making electronic health data available for secondary use. Such fees shall cover all or part of the costs related to the procedure for assessing a data access application and granting, refusing or amending a data permit, including the costs related to the consolidation, preparation, anonymization, pseudonymization and provisioning of electronic health data. The fees further include compensation for the costs incurred by the health data holder in compiling and preparing the electronic health data to be made available for secondary use. The health data holder shall provide an estimate of such costs to the HDAB.

Conclusion

The access to electronic health data for secondary use is a big opportunity especially for companies operating in the life science and healthcare sectors to get access to potentially large volumes of high-quality electronic health data for research and product development purposes. Although Chapter IV of the EHDS, which deals with the secondary use of electronic health data, will become applicable 4 years after the EHDS enters into force, companies are well-advised to begin preparation to gain access to electronic health data for secondary use at an early stage in order to gain a competitive advantage and to ensure that they are able to make direct use of the opportunities granted by the EHDS. Such preparation includes, inter alia, the early determination of the specific electronic health data required for the specific purpose the company wants to achieve as well as the set up of an infrastructure which meets the requirements under the

EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR
https://privacymatters.dlapiper.com/2024/10/eu-ecj-rules-that-competitors-are-entitled-to-bring-an-injunction-claim-based-on-an-infringement-of-the-gdpr/
Mon, 07 Oct 2024

Introduction

In its judgment of 4 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled that the provisions of Chapter VIII of the GDPR do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of the GDPR allegedly committed by their competitors. The ECJ further ruled that the data of a pharmacist’s customers, which are provided when ordering pharmacy-only but non-prescription medicines on an online sales platform, constitute “health data” within the meaning of Art. 4(15) and Art. 9 GDPR (to that extent contrary to the Advocate General’s Opinion of 25 April 2024).

Background

The plaintiff and the defendant in the main proceedings each operate a pharmacy. The defendant also holds a mail order licence and sells its range of products, including pharmacy-only medicines, through the online sales platform Amazon Marketplace, which allows the seller to offer products directly to consumers. The plaintiff sought an injunction to prohibit the defendant from selling pharmacy-only pharmaceuticals via the online sales platform. In the plaintiff’s opinion, such distribution constitutes an unfair commercial practice because the defendant was violating a statutory provision within the meaning of Section 3a of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – “UWG”).

The District Court upheld the claim. The Higher Regional Court dismissed the defendant’s appeal and ruled that the defendant’s sale of pharmacy-only medicines via Amazon Marketplace violates the provisions of the UWG, as this distribution involves the processing of health data within the meaning of Art. 9(1) GDPR, to which the customers have not explicitly consented. According to the Higher Regional Court, the provisions of the GDPR must be regarded as market conduct rules within the meaning of national competition law, with the result that the plaintiff, as a competitor, is entitled to claim injunctive relief based on national competition law by relying on an infringement of the provisions of the GDPR by the defendant.

The defendant then appealed to the German Federal Court of Justice (Bundesgerichtshof – “BGH”), in which it maintained its application for dismissal of the injunction. The BGH stated that the key factor for the decision is how Chapter VIII and Art. 9 of the GDPR are to be interpreted, and referred the following questions to the ECJ for a preliminary ruling:

  1. Do the rules in Chapter VIII GDPR preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of the GDPR against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?
  2. Do the data of the customers of a pharmacist, who acts as a seller on an online sales platform, provided when ordering pharmacy-only but not prescription-only medicines (customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) GDPR?

Decision

First question (competitor’s right to bring injunction claims)

According to the ECJ, neither the wording of the provisions of Chapter VIII of the GDPR nor their context precludes competitors from bringing claims based on an infringement. On the contrary, where the infringement of the substantive provisions of the GDPR is likely to affect primarily the data subjects, it may also affect third parties. The Court notes that, in the context of the digital economy, access to personal data and the use that can be made of it are of considerable importance. Accordingly, in order to take account of real economic developments and to maintain fair competition, it may be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices. The judgment recognises that the GDPR does not contain a specific opening clause, which expressly authorises Member States to allow competitors to seek an injunction to prevent an infringement of the GDPR. However, according to the Court, it is clear that the EU legislature, when adopting the GDPR, did not intend to achieve full harmonisation of the remedies available in the event of a breach of the provisions of the GDPR and, in particular, did not intend to exclude the possibility for competitors of an alleged infringer of the rules on the protection of personal data to bring an action under national law on the basis of the prohibition of unfair commercial practices.

Moreover, such an action for an injunction brought by a competitor could prove to be a particularly effective means of ensuring such protection, since it makes it possible to prevent numerous infringements of the rights of the data subjects (in this respect, the Court refers to its judgment of 28 April 2022, Meta Platforms Ireland, C-319/20, in which the Court ruled that the GDPR does not preclude national legislation which allows a consumer protection association to bring an action, in the absence of a mandate given to it for that purpose and irrespective of the infringement of specific rights of the data subjects).

In the light of the foregoing, the answer to the first question is that the provisions of Chapter VIII of the GDPR must be interpreted as not precluding a national law which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation, and the means of redress available to the data subjects, gives competitors of the alleged infringer the power to take action against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices for infringements of the GDPR.

In the present case, it is therefore for the national court to determine whether the alleged infringement of the substantive provisions of the GDPR at issue in the main proceedings, if established, also constitutes an infringement of the prohibition of unfair commercial practices under the relevant national legislation.

Second question (scope of the protection of health data)

In the second part of its decision, the ECJ once again interpreted the term ‘special categories of personal data’ and, in this case specifically the term health data (Art. 4 no. 15 GDPR), very broadly. The Advocate General in its Opinion on the case had assumed that it is not possible to deduce the state of health of the customer with sufficient probability from orders of pharmacy-only but non-prescription medicines and therefore had found that such information is not health data.

The ECJ has now decided otherwise. The Court ruled that the provisions of the GDPR cannot be interpreted as meaning that the processing of personal data that only indirectly reveals sensitive information about a natural person would be exempt from the increased protection. For personal data to be classified as health data within the meaning of Article 9(1) of the GDPR, it is sufficient that the health of the data subject can be inferred by association or deduction. The Court affirms that the data provided by a customer when ordering pharmacy-only medicines via an online platform can be used to infer, by association or deduction, the health status of the data subject, since the order establishes a link between a medicinal product, its therapeutic indications and uses, and an identified natural person or a person who can be identified by information such as his or her name or delivery address.

Moreover, the prohibition on processing health data applies in principle regardless of whether the information disclosed by the processing in question is accurate or not, and regardless of whether the data controller acts with the aim of obtaining information falling within one of the special categories referred to in Article 9(1) of the GDPR. Consequently, the information provided by customers when ordering non-prescription medicines online constitutes health data, even if those medicines are only intended for those customers with a certain probability and not with absolute certainty. In this context, the Court also mentions the possibility that the order data may allow conclusions about the health of third parties (e.g. by means of a different delivery address).

The court of the main proceedings will therefore have to decide whether the processing of health data of the customers of the defendant is permissible on the basis of one of the exceptions in Article 9(2) of the GDPR – in particular, because the data subject has given explicit informed consent, or whether the processing is permissible on the basis of Article 9(2)(h) of the GDPR because it is necessary for the purposes of health care and on the basis of Union or Member State law or pursuant to a contract with a health professional.

Practical note

This is the third decision by the ECJ that allows actors other than data protection supervisory authorities to take legal action against controllers: in addition to the Meta Platforms decision of April 2022 mentioned above (C-319/20), in July this year the ECJ clarified that the right of a consumer protection association to challenge the infringement of a data subject’s right “occurring in the course of processing” also extends to the information obligations pursuant to Articles 12(1) and 13(1) GDPR (C-757/22).

These rulings have significant consequences – they not only increase compliance risks, but also legal defense costs. In practice, consumer protection organisations – out of ignorance or lack of knowledge of business contexts – often take a more dogmatic approach than the competent data protection supervisory authority.

With competitors, further inexperienced players are now entering the ring. Unlike in the past, it can be assumed that going forward, competitors will make use of the right to sue for injunctive relief if a controller is, in their view, violating the provisions of the GDPR and this is deemed unfair within the meaning of national competition law. As the acts against unfair competition are based on EU Directive 2005/29/EC and are therefore largely harmonised within the European Union, the ECJ’s decision is likely to affect all data controllers in the European Union.

Accordingly, in order to identify potential shortcomings that could be the subject of a competitor’s claim, controllers are well advised to review their existing processes in light of their specific business model. With respect to the potential processing of health information, a careful assessment is necessary. In particular, the question arises as to which constellations the extensive interpretation of the ECJ still covers in relation to health data – for example, dietary supplements. Or whether – as we believe – it should remain limited to pharmacy-only medicines.

Furthermore, this aspect should be considered in the planning of future business activities in order to avoid a cease-and-desist order.

For any questions about this decision or any assistance please contact your local DLA Piper contact.

Europe/Germany: Right to bring collective action for violations of information obligations under GDPR
https://privacymatters.dlapiper.com/2024/08/europe-germany-right-to-bring-collective-action-for-violations-of-information-obligations-under-gdpr/
Thu, 29 Aug 2024

Summary

In its judgment of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR can be the subject of a representative action under Article 80(2) GDPR.

Facts of the case

Meta Platforms Ireland Limited (“Meta“) provides users of Facebook with free games from third-party providers (known as the “App Center”). When accessing the App Center, users were informed that by using certain games, the third-party provider would collect their personal data and had permission to publish this data. The user was also informed that, by using the applications concerned, they accepted the general conditions of those applications and the relevant data protection policies.

The Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband – “VZBV“), brought an action before the Regional Court of Berlin (Landgericht Berlin), claiming that the information provided to users by the games in the App Center was unfair, particularly in relation to the failure to obtain valid consent from users in compliance with data protection law. It further argued that the information by means of which the applications were given permission to publish certain personal information on behalf of users constituted a general condition which unduly disadvantaged those users.  

The Landgericht Berlin upheld the action and Meta appealed this decision before the Higher Regional Court of Berlin. This appeal was dismissed and Meta then further appealed to the Federal Court of Justice. The Federal Court of Justice did not rule out the possibility that the VZBV might have lost its prior right of action during the proceedings following the entry into force of the GDPR. As a result, the German Federal Court of Justice temporarily suspended the proceedings and referred a question to the ECJ for a preliminary ruling on the interpretation of Article 80 (1) and (2) and Article 84 (1) GDPR. In its judgment of 28 April 2022 (Meta Platforms Ireland C-319/20), the ECJ ruled that Article 80 (2) GDPR must be interpreted as not precluding a national provision that allows an association to bring an action to protect consumer interests due to a violation of personal data protection through unfair commercial practices or the use of ineffective general terms and conditions, provided that the data processing in question may affect the rights of natural persons under the GDPR.

However, the judgment did not address whether a violation of the information obligation under Article 12 (1), first sentence, and Article 13 (1)(c) and (e) GDPR constitutes a breach “as a result of processing” within the meaning of Article 80 (2) GDPR. Consequently, the German Federal Court of Justice has once again suspended the proceedings and referred this specific question to the ECJ for clarification.

Decision

The ECJ held that where processing of personal data is carried out in breach of the data subject’s right to information under Articles 12 and 13 GDPR, the infringement of that right to information must be regarded as an infringement of the data subject’s rights ‘as a result of the processing’, within the meaning of Article 80(2) GDPR. The ECJ further held that it therefore follows that the right of the data subject, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) GDPR, to obtain from the controller, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to processing, constitutes a right whose infringement allows recourse to the representative action mechanism provided for in Article 80(2) GDPR.

Practical note

This ruling by the ECJ will have significant implications for controllers in practice. Data protection notices, such as publicly accessible notices on websites, will be open to scrutiny by consumer protection associations such as the VZBV. There has been an increase in recent years of both consumer and privacy associations scrutinizing potential violations of data protection requirements, with the VZBV, for example, initiating numerous cases before the German courts – particularly recent actions relating to the use of cookies. In a recently published statement, the VZBV has supported the ECJ judgement, stating that the “ruling sends a positive signal to consumers”.

While the review of data protection notices has not been a primary focus of German data protection supervisory authorities thus far, and there have been few enforcement actions in this regard, the ECJ ruling increases the risk of being sued by consumer protection associations due to inadequate data protection notices.

Accordingly, controllers should undertake a thorough review of their data protection notices to ensure compliance with the requirements set out in Articles 12 (1) and 13 or 14 of the GDPR. In particular, controllers should ensure that data protection notices comply with the requirement under Article 12 (1) GDPR, to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, to which the ECJ expressly refers in its judgement.

Requirements of EHR systems under the European Health Data Space
https://privacymatters.dlapiper.com/2024/07/requirements-of-ehr-systems-under-the-european-health-data-space/
Tue, 16 Jul 2024

This is Part 2 in a series of articles on the European Health Data Space (“EHDS“). Part 1, which provides a general overview of the EHDS, is available here.

Alongside the better-known provisions of the EHDS dealing with secondary use of health data, the draft Regulation also sets out specific technical requirements for electronic health record systems (“EHR systems”).  In so doing, the law attempts to ensure the interoperability of such systems within the EU, and therefore the secure and seamless processing and transfer of health data – a key objective of the EHDS.

The following article provides an overview of the key requirements that manufacturers of EHR systems will need to observe in order to be able to place an EHDS-compliant EHR system on the market.

  1. What exactly is an EHR system?

An EHR system is any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view certain categories of personal electronic health data, and where the system is intended by the manufacturer to be used by healthcare providers in providing patient care, or by patients to access their own health data.

As such, EHR systems lie at the heart of the EHDS – they are the central technical prerequisite for fulfilling the objective of ensuring the secure and smooth processing and cross-border transfer of health data.

An EHR system under the EHDS must consist of two core elements which form an integral part of the software:

  • The interoperability component: EHR systems must have the ability to interact with software applications and devices from the same or different manufacturers in order to transfer and receive personal electronic health data. The technical specifications with regard to the health record exchange format which shall be commonly used to provide health data in a machine-readable format and support transmission of structured and unstructured health data will be determined by the European Commission.
  • The logging component: EHR systems must be able to record logging information about access to personal electronic health data by users of the system. As a minimum standard, the logging information shall contain the following information each time the data is accessed:
    • Identification of the health provider or other individuals having accessed personal electronic health data;
    • Identification of the specific individuals having accessed personal electronic health data;
    • Categories of data accessed;
    • Time and date of access; and
    • Origin(s) of data.

Additional data quality requirements for EHR systems are to be determined by the European Commission by means of implementing acts.
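The logging component above, and the secure processing environment rules in the Part 3 article earlier on this page (access restricted to the natural persons listed in the data access application, limited to the data the application covers, identifiable logs kept for at least one year), describe the same engineering pattern: a scope check before every access, and an audit record of every attempt. The following Python sketch is an added illustration of that pattern, not code from DLA Piper or from the EHDS text. The log fields mirror the minimum list above; the `DataPermit` structure, the identifiers, the sample permit and access attempts, and the choice to log refused attempts as well are assumptions made for this example.

```python
"""Permit-scoped access check with an audit log carrying the EHDS minimum fields.

Added example. The AccessLogEntry fields follow the logging requirements quoted
in the article; DataPermit, the identifiers and the policy of also logging
denied attempts are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List

# Secure processing environment rule: logs are kept for not less than one year.
MINIMUM_RETENTION = timedelta(days=365)


@dataclass(frozen=True)
class AccessLogEntry:
    """One immutable record per access attempt."""
    provider_id: str            # health provider / organisation that accessed the data
    individual_id: str          # the specific natural person who accessed it
    categories: FrozenSet[str]  # categories of electronic health data accessed
    accessed_at: datetime       # time and date of access (UTC)
    origins: FrozenSet[str]     # origin(s) of the data, e.g. source registries
    granted: bool               # assumption: refused attempts are logged as well
    reason: str                 # empty when granted, otherwise why access was refused


@dataclass(frozen=True)
class DataPermit:
    """Hypothetical scope of a data permit issued by an HDAB (structure assumed)."""
    permit_id: str
    provider_id: str
    authorised_individuals: FrozenSet[str]  # natural persons named in the application
    permitted_categories: FrozenSet[str]    # data the permit actually covers
    valid_until: datetime                   # period for which the data is needed


class SecureProcessingLog:
    """Append-only log; a real environment would use tamper-evident storage."""

    def __init__(self) -> None:
        self._entries: List[AccessLogEntry] = []

    def record(self, entry: AccessLogEntry) -> None:
        self._entries.append(entry)

    @property
    def entries(self) -> List[AccessLogEntry]:
        return list(self._entries)

    def purge_expired(self, now: datetime, retention: timedelta = MINIMUM_RETENTION) -> int:
        """Drop only entries older than the retention period; return how many were removed."""
        keep = [e for e in self._entries if e.accessed_at + retention > now]
        removed = len(self._entries) - len(keep)
        self._entries = keep
        return removed


def authorize_and_log(permit: DataPermit, provider_id: str, individual_id: str,
                      categories: Iterable[str], origins: Iterable[str],
                      now: datetime, log: SecureProcessingLog) -> bool:
    """Grant access only within the permit's scope; every attempt is logged."""
    cats = frozenset(categories)
    if now > permit.valid_until:
        reason = "permit expired"
    elif provider_id != permit.provider_id:
        reason = "provider not named in permit"
    elif individual_id not in permit.authorised_individuals:
        reason = "individual not listed in the data access application"
    elif not cats <= permit.permitted_categories:
        extra = ", ".join(sorted(cats - permit.permitted_categories))
        reason = f"categories outside permit: {extra}"
    else:
        reason = ""
    granted = reason == ""
    log.record(AccessLogEntry(provider_id, individual_id, cats, now,
                              frozenset(origins), granted, reason))
    return granted


def demo() -> SecureProcessingLog:
    """Constructed sample: one permit, three access attempts (one valid, two refused)."""
    utc = timezone.utc
    permit = DataPermit("P-2024-0001", "hospital-a", frozenset({"alice"}),
                        frozenset({"lab_results", "imaging"}),
                        datetime(2026, 1, 1, tzinfo=utc))
    log = SecureProcessingLog()
    when = datetime(2025, 6, 1, 9, 0, tzinfo=utc)
    authorize_and_log(permit, "hospital-a", "alice", ["lab_results"], ["registry-1"], when, log)
    authorize_and_log(permit, "hospital-a", "bob", ["lab_results"], ["registry-1"], when, log)
    authorize_and_log(permit, "hospital-a", "alice", ["lab_results", "genomic"], ["registry-1"], when, log)
    return log


if __name__ == "__main__":
    for e in demo().entries:
        status = "GRANTED" if e.granted else f"DENIED ({e.reason})"
        print(e.accessed_at.isoformat(), e.provider_id, e.individual_id, sorted(e.categories), status)
```

Two design points worth noting: the check refuses on the first failing condition and records why, so an auditor reading the log can distinguish an unlisted person from a permitted person reaching for data outside the permit; and `purge_expired` is the only way entries leave the log, and it will not remove anything younger than the retention period, which is the property the one-year requirement actually calls for.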

2. Which requirements apply to the manufacturers of EHR systems?

The core obligations that manufacturers of EHR systems must fulfil in order to comply with the EHDS are the following:

a) Ensure conformity with the essential requirements laid down in Annex II of the EHDS and the common specifications to be adopted by the EU Commission by way of a common template document

In common with other regulatory frameworks for products, manufacturers of EHR systems will need to undertake an assessment to demonstrate that their product complies with certain minimum requirements before it can be put onto the market in the EU.  Those requirements, under Annex II of the EHDS, are:

  • General requirements, such as designing the EHR systems in such a way as to ensure they are suitable for their intended purpose without putting patient safety at risk. In addition, EHR systems must be designed and developed in a way which allows the system to be supplied and installed in accordance with the instructions of the manufacturer without adversely affecting its characteristics and performance during its intended use.
  • Requirements for interoperability, such as providing an interface enabling access to and receipt of personal electronic health data processed in the European health record exchange format. An EHR system must not include features that prohibit, restrict or place undue burden on authorised access or exporting of personal electronic health data for permitted purposes.
  • Requirements for security and for logging, such as providing reliable mechanisms for the identification and authentication of health professionals and supporting different retention periods and access rights taking into account the origins and categories of electronic health data. EHR systems must include tools to review and analyse the log data or must support the connection and use of external software for the same purposes.

b) Draw up the technical documentation of the EHR system before placing it on the market, and subsequently keep it up to date

The technical documentation must be drawn up in a way that demonstrates conformity with the above-mentioned essential requirements, and must be provided upon request to the market surveillance authority at short notice. As a minimum standard, the technical documentation shall contain the following elements:

  • A detailed description of the EHR system, including, among other things, its intended purpose, date and version of the EHR system, how the EHR system can be used to interact with other hardware and software, a description of the hardware on which the EHR system is intended to run, a description of the system architecture and the technical specifications such as features, dimensions and performance attributes;
  • A detailed description of the system in place to evaluate the EHR system performance, where applicable;
  • The references to any common specification used;
  • The results and critical analyses of all verification and validation tests undertaken to demonstrate conformity of the EHR system with the requirements under the EHDS;
  • A copy of the information sheet which accompanies the EHR system;
  • A copy of the EU declaration of conformity;

c) Ensure that the EHR system is accompanied, free of charge for the user, by the information sheet and clear and complete instructions for use

EHR systems shall be accompanied by an information sheet for professional users which shall specify:

  • the identity, registered trade name or registered trademark, and the contact details of the manufacturer and, where applicable, of its authorised representative;
  • the name and version of the EHR system and date of its release;
  • its intended purpose;
  • the categories of electronic health data that the EHR system has been designed to process;
  • the standards, formats and specifications and versions thereof supported by the EHR system.

d) Draw up the EU declaration of conformity

By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the EHR system with the requirements laid down in the EHDS when it is placed on the market or put into service. Annex IV of the EHDS sets out the specific information which needs to be included in the EU declaration of conformity.

e) CE marking

The EHDS stipulates that EHR systems shall be affixed with a CE marking. The CE marking shall be subject to the general principles for CE markings set out in Article 30 of EU Regulation 765/2008. The Member States should build upon existing mechanisms to ensure correct application of the regime governing the CE marking.

f) Representative in the EU

Manufacturers of EHR systems established outside the European Union shall appoint an authorised representative established in the European Union. The representative in the European Union shall, among other things, be authorised by the manufacturer to communicate with consumers and professional users and to cooperate with the market surveillance authorities.

As well as the above-mentioned requirements, there are also further requirements for manufacturers of EHR systems. These include a post-market surveillance regime of product monitoring as well as cooperation with the respective market surveillance authority. Further obligations also apply to other actors in the supply chain, including importers, other economic operators and distributors of EHR systems.

3. Conclusion

The EHDS is a ground-breaking law for manufacturers of EHR systems. It imposes a comprehensive pre- and post-market compliance framework that is designed to ensure that systems processing electronic health data are high-quality, secure, and capable of interoperability across the EU market. As such, manufacturers of EHR systems are well-advised to begin preparing for these requirements at an early stage in order to gain a competitive advantage and to ensure that their products are capable of being sold and used lawfully on the European market.

The European Health Data Space – What lies ahead? https://privacymatters.dlapiper.com/2024/06/the-european-health-data-space-what-lies-ahead/ (Mon, 10 Jun 2024)

In March 2024, the Council of the European Union and the European Parliament reached a deal on a provisional agreement for the European Health Data Space (“EHDS”) regulation as part of the broader EU data strategy. The Council of the European Union published the compromise text of this agreement as a work-in-progress, providing insights into the forthcoming regulation and its implications.

1. What is the EHDS about?

In a nutshell, the goal of the EHDS is to create a common infrastructure and governance framework for the accessibility of health data across the borders of Member States to support both healthcare delivery (“primary use”) and health research and policy-making (“secondary use”) in a secure and trustworthy way. The EHDS touches on different areas of law, such as medical law, data protection law and laws related to products used in a medical context. It also makes reference to several European directives and regulations.

In addition to the definitions contained in the specific legislation referred to in the EHDS, the EHDS itself provides, inter alia, the following key definitions that must be kept in mind in order to fully understand the scope and implications of the EHDS:

“EHR” means a collection of electronic health data related to a natural person collected and processed for the purpose of the provision of healthcare. In Germany, for example, this is comparable to the electronic patient medical record.

“EHR system” refers to any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view personal electronic health data and is intended by the manufacturer to be used by healthcare providers for providing patient care or by patients to access their health data.

“Health data holder” is any natural or legal person, public authority, agency or other body in the healthcare or the care sectors including reimbursement services, as well as any natural or legal person developing products or services intended for the health sector, developing or manufacturing wellness applications or performing research in the healthcare sector, who

  • has the right to process electronic health data in its capacity as a controller or joint controller, including for the provision of healthcare, research and innovation purposes; or
  • has the ability to make available, including to register, provide, restrict access to or exchange non-personal electronic health data, through control of the technical design of a product and related services.

This definition applies, for example, to hospitals as health care providers, companies which develop medical devices and pharmaceutical companies who are the data holders of their clinical trial data.

“Health data user” means a natural or legal person which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, data request or an access approval by an authorised participant in the framework for multi-country secondary use of electronic health data, HealthData@EU.

“Wellness application” means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on the health of individual persons, or the delivery of care for other purposes than the provision of healthcare.

In our opinion, this definition is broad enough to also cover medical devices, as it explicitly includes appliances and software. However, it remains to be seen how this will be interpreted once the EHDS comes into force.

2. Who is affected by the EHDS?

The EHDS will be applicable to natural persons with regard to their health data, as well as companies and institutions in the healthcare sector. The following overview will focus on the effect of the EHDS on the latter. In order to determine which companies and institutions are affected by the provisions of the EHDS and who needs to take action under the EHDS, it is necessary to distinguish between primary and secondary use of health data:

a) Primary use

The primary use of health data to facilitate healthcare delivery and improve patient outcomes as governed by the EHDS generally affects two types of health data holders, the healthcare providers and the manufacturers of EHR systems. Manufacturers of wellness applications have the opportunity to claim interoperability with an EHR system, after relevant conditions are met.

  1. Healthcare providers: To enable seamless cross-border healthcare delivery, healthcare providers shall register relevant personal health data free of charge in an electronic format to be determined by the EU Commission in an EHR System. The EU Commission will establish a central interoperability platform for digital health (the “MyHealth@EU” platform) to provide services to support and facilitate the exchange of personal electronic health data between national contact points for digital health of the Member States. More detailed criteria regarding how and to which extent the healthcare providers must register personal health data will be determined by the Member States.

Challenges: The main challenge for healthcare providers will be to implement robust interoperability standards and to ensure that their system can effectively communicate with other systems to secure effective provision of personal health data, both within their country and across the EU. This may involve an adjustment or upgrade of the existing infrastructure to support the requirements under the EHDS and to avoid the high effort of extracting and transferring data from disparate information systems. Healthcare providers must manage this potential transition carefully, including training staff and adapting workflows. When providing personal health data, the healthcare providers must maintain certain data quality requirements and must observe the requirements of applicable data protection and regulatory laws. With these legal circumstances in mind, it is essential to review possible technical solutions for their compliance with applicable laws.

  2. Manufacturers of EHR systems: EHR systems are crucial to achieving the seamless cross-border transfer of health data that is the objective of primary use under the EHDS, as they form the underlying infrastructure. The EHDS contains a whole chapter setting out the requirements on EHR systems and the obligations of manufacturers of EHR systems, such as including a so-called “European interoperability component for EHR systems” and a “European logging component for EHR systems”, drawing up sufficient technical documentation, affixing a CE marking where applicable, and cooperating with authorities. The European Commission will develop a European digital testing environment for the assessment of the harmonised components of EHR systems prior to putting them on the market.

Challenges: The requirements on the compliance of EHR systems with the provisions of the EHDS are high with regard to harmonized components as well as with regard to technical aspects in terms of security, identification and authentication and documentation obligations. As some components of EHR systems could potentially qualify as a medical device, manufacturers have the challenge to navigate how the requirements of the EHDS align with the requirements of other regulations, e.g., under medical or data protection laws. As EHR systems handle large amounts of sensitive personal data in the form of health data, manufacturers must enhance security measures to protect data privacy and prevent security incidents.

  3. Manufacturers of wellness applications: As the market for wellness applications and devices using wellness applications is steadily growing, the data collected and processed by such wellness applications may be valuable for the treatment of their users. In order to offer their users the feature of having the data collected by the wellness application included in an EHR system, the manufacturers of wellness applications may claim interoperability with an EHR system after the relevant conditions are met. The data of the users of wellness applications will not automatically be shared with the EHR system, as such sharing is subject to the consent of the users of the wellness applications.

b) Secondary use

The main purpose of secondary use of health data is to support research and innovation activities. Researchers will have access to larger amounts of high-quality data in a more efficient and cost-effective manner. Potentially, every health data holder will have to provide certain health data when requested by a natural or legal person. On the flipside, health data holders themselves can apply for access to health data and benefit from the system.

Member States shall designate Health Data Access Bodies (“HDAB“) to receive, review and approve requests for access to health data and to be entrusted with the relevant tasks and powers with regard to the secondary use of health data.

The EHDS establishes a detailed procedure for access to electronic health data for secondary use. The request for access must be submitted to the competent HDAB and must include detailed information on, for example, the identity of the natural or legal person requesting access to the health data, the purposes for which access to the data is requested, the intended use and scope of the data and a description of the safeguards. Based on this information, the HDAB reviews the request and denies or approves the request for access to health data. In case of approval, the HDAB will request the health data holder to provide the relevant electronic health data. This data will generally be provided in an anonymised form. The HDAB may charge a fee for this service. These fees shall be proportionate to the costs of providing the data, including the costs of consolidating, preparing, anonymising, pseudonymising and making the electronic health data available.

3. Who is in charge?

Each Member State shall designate one or more digital health authorities responsible for the implementation and enforcement of the primary use of health data under the EHDS at national level. These digital health authorities shall be entrusted with various tasks and powers and shall serve as a contact point for complaints from natural persons in relation to the relevant provisions of the EHDS. In addition, the competent data protection authorities will cooperate with the digital health authorities and will be responsible for monitoring and enforcing the rights of data subjects under the EHDS.

With regard to the secondary use of health data under the EHDS, the HDAB shall be entrusted with monitoring and supervisory tasks. In addition, the data protection authorities shall be responsible for monitoring and enforcing the right to object to the processing of personal electronic health data for secondary use.

A European Health Data Space Board will also be established to facilitate cooperation and the exchange of information among Member States and the Commission.

4. When does the EHDS come into force?

The exact implementation date is not yet specified. However, it is expected that the provisional agreement will be endorsed by the European Council and the European Parliament and will be formally adopted by both within 2024. The EHDS shall then enter into force twenty days after its publication in the Official Journal of the European Union. In general, the EHDS shall apply 2 years after entry into force with exemptions for specific provisions which shall apply from 4 or from 6 years after entry into force. This applies, for example, for Chapter IV of the EHDS which governs the secondary use of health data and will apply from 4 years after entry into force.

5. Conclusion

The EHDS is a very ambitious project with the aim of creating an EU-wide common health data governance framework with a seamless exchange across EU borders to enhance healthcare delivery. Even though building the EHDS will require significant development efforts and numerous determinations and clarifications on an EU and Member State level, it is already foreseeable that the EHDS will create a new market for EHR systems, as manufacturers of EHR systems will play an essential role in achieving interoperability and data exchange. In light of these considerations, healthcare providers and private companies should begin preparing for EHDS provisions now, in order to be able to implement and benefit from them once they come into force.
