Update: On May 3, 2022, the European Commission published the official version of the proposal for a European Health Data Space Regulation.  It’s open for feedback until July 14, 2022.


Original blog post: On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published.  The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data).  The European Commission has not yet released an official version of the proposal.  It is expected to do so on May 3.

The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains a number of different sets of rules.  Key points likely to be of interest to organizations in the life sciences sector are that the draft regulation:

  • creates new patient rights over their electronic health data, and sets out rules regarding use of electronic health data for primary care;
  • establishes a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
  • sets out rules that apply to digital health services and wellness apps; and
  • introduces a harmonized scheme for providing access to electronic health data for secondary use.

New patient rights and use of electronic health data for primary care

The draft regulation provides patients new rights over their personal electronic health data (e.g., patient summaries, electronic prescriptions and dispensation, medical image and image reports, laboratory results and discharge reports).  These rights include:

  • the right to access and rectify their personal electronic health data immediately, free of charge and in an easily readable and accessible form, such as in a unified electronic health record, using a personal electronic health data access service;
  • the right to grant or restrict third parties access to their personal electronic health data, as well as the right to object to the processing of their personal electronic health data in electronic form; and
  • the right to have the registration of new personal electronic health data be linked to a recognized electronic identification mechanism.

Health professionals will be required to inform their patients about these rights.  The draft regulation also grants health professionals the right to access the personal electronic health data of individuals under their treatment (irrespective of which Member State the individual is based in), unless that access is restricted by the individual.  Health professionals will be required to keep the personal electronic health data of their patients up to date.  When a healthcare provider or pharmacy is using an EHR system, that EHR system is required to have passed a pre-market conformity assessment (described below).

Pre-market conformity assessment requirement for EHR systems

The draft regulation defines “EHR system” as “solution or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing and/or viewing electronic health records” (Art. 4(6)).  Under the draft regulation, EHR systems marketed in the EU must undergo a pre-market conformity assessment.  In order to pass the conformity assessment, manufacturers of EHR systems must meet certain requirements relating to the quality, security, and interoperability of such systems, and draw up the required technical documentation to demonstrate that the EHR system complies with the requirements set out in the draft regulation.  Once a notified body designated by Member States issues a certificate of conformity for an EHR system, the manufacturer must affix a CE marking on the system.  The Commission is required to keep and maintain a publicly available database with information on EHR systems that have received a declaration of conformity.  The draft regulation also imposes certain post-marketing requirements, including rules on reporting serious incidents (i.e., incidents that directly or indirectly lead or might lead to (a) the death of a person or serious damage to a person’s health or (b) a serious disruption of the management and operation of critical infrastructure in the health sector).

Rules that apply to digital health services and wellness apps

The draft regulation proposes to prohibit Member States from imposing restrictions on the provision and receipt of digital health services (e.g., dispensation of medicinal products or reimbursement of telehealth services) unless these restrictions are necessary and proportionate to safeguard legitimate interests under EU law.  The draft regulation also sets out a voluntary labelling scheme for wellness applications (e.g., mobile applications) that are interoperable with EHR systems.

Rules on secondary use of electronic health data

The draft regulation requires providers of electronic health data to ensure that certain categories of electronic health data are made available to competent bodies, to be designated by Member States.  Those competent bodies are, in turn, required to review applications from data users who wish to re-use health data for secondary purposes — e.g., for research, innovation, policy-making, statistics, and ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, among others.  Data users are allowed to re-use health data only after receiving a data permit from a competent authority.

The proposed data permit framework addresses the issue that there isn’t yet harmonization across the Member States on the appropriate legal basis for processing health data (and genetic data) for secondary use under GDPR Arts. 6 and 9.  The proposed regulation would provide that processing of personal electronic health data on the basis of the permit issued pursuant to the Regulation “shall be considered to allow lawful processing pursuant to Arts. 6(3), 6(4) and, as appropriate, Art. 9(2) (h), (i) or (j) of the Regulation (EU) 2016/679” (Art. 76(6)).

Supervision and Enforcement

Under the draft regulation, each Member State is required to designate competent, independent public authorities responsible for the implementation of the regulation (including so-called Digital Health Authorities).  These authorities shall cooperate with the data protection authorities.  In addition, the European Commission shall establish a “European Digital and Health Data Board”, consisting of representatives of competent authorities of all Member States and the Commission.  The Board will mainly have an advisory function and will also support the implementation of the regulation and the cooperation between the competent authorities.  Each Member State is required to stipulate “effective, proportionate and dissuasive” penalties for infringements of the regulation.

Interaction with other laws

The draft Regulation is without prejudice to existing legislation, such as the GDPR, the draft Data Act, the proposed Data Governance Act and the AI Act, and is instead intended to build on those laws; unlike those laws, however, it is focused solely on the health sector and health data.

*          *          *

The team at Covington will continue to monitor developments and will report on the official version of the European Health Data Space Regulation once the Commission releases it.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising leading companies in the technology, life sciences and gaming sectors on regulatory, compliance and policy issues under laws relating to privacy and data protection, digital services and AI. She advises clients on designing new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a “corporate data protection officer” certificate from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.