Update: On May 3, 2022, the European Commission published the official version of the proposal for a European Health Data Space Regulation.  It’s open for feedback until July 14, 2022.


Original blog post: On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published.  The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data).  The European Commission has not yet released an official version of the proposal.  It is expected to do so on May 3.

The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains within it a number of different sets of rules.  Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:

  • create new patient rights over their electronic health data, and sets out rules regarding use of electronic health data for primary care;
  • establishes a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
  • sets out rules that apply to digital health services and wellness apps; and
  • introduces a harmonized scheme for providing access to electronic health data for secondary use.

New patient rights and use of electronic health data for primary care

The draft regulation provides patients new rights over their personal electronic health data (e.g., patient summaries, electronic prescriptions and dispensation, medical image and image reports, laboratory results and discharge reports).  These rights include:

  • the right to access and rectify their personal electronic health data immediately, free of charge and in an easily readable and accessible form, such as in a unified electronic health record, using a personal electronic health data access service;
  • the right to grant or restrict third parties access to their personal electronic health data, as well as the right to object to the processing of their personal electronic health data in electronic form; and
  • the right to have the registration of new personal electronic health data be linked to a recognized electronic identification mechanism.

Health professionals will be required to inform their patients about these abovementioned rights.  The draft regulation also grants health professionals the right to access the personal electronic health data of individuals under their treatment (irrespective of which Member State the individual is based in), unless that access is restricted by the individual.  Health professionals will be required to keep the personal electronic health data of their patients up-to-date.  When a healthcare provider or pharmacy is using an EHR system, that EHR system is required to have passed a pre-market conformity assessment (described below).

Pre-market conformity assessment requirement for EHR systems

The draft regulation defines EHR system as “solution or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing and/or viewing electronic health records” (Art. 4(6)).  Under the draft regulation, EHR systems marketed in the EU must undergo a pre-market conformity assessment.  In order to pass the conformity assessment, manufacturers of EHR systems must meet certain requirements relating to the quality, security, and interoperability of such systems, and draw up the required technical documentation to demonstrate that the EHR system complies with the requirements set out in the draft regulation.  Once a notified body designated by Member States issues a certificate of conformity for an EHR system, the manufacturer must affix a CE marking on the system.  The Commission is required to keep and maintain a publicly available database with information on EHR systems that have received a declaration of conformity.  The draft regulation also imposes certain post-marketing requirements, including rules on reporting serious incidents (i.e., incidents that directly or indirectly lead or might lead to (a) the death of a person or serious damage to a person’s health or (b) a serious disruption of the management and operation of critical infrastructure in the health sector).

Rules that apply to digital health services and wellness apps

The draft regulation proposes to prohibit Member States from imposing restriction on the provision and receipt of digital health services (e.g., dispensation of medicinal products or reimbursement of telehealth services) unless these restrictions are necessary and proportionate to safeguard legitimate interests under EU law.  The draft regulation also sets out a voluntary labelling scheme for wellness applications (e.g., mobile applications) that are interoperable with EHR systems.

Rules on secondary use of electronic health data

The draft regulation requires providers of electronic health data to ensure that certain categories of electronic health data are made available to competent bodies, to be designated by Member States.  Those competent bodies are, in turn, required to review applications from data users who wish to re-use health data for secondary purposes — e.g., for research, innovation, policy-making, statistics, and ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, among others.  Data users are allowed to re-use health data only after receiving a data permit from a competent authority.

The proposed data permit framework addresses the issue that there isn’t yet harmonization across the Member States on the appropriate legal basis for processing health data (and genetic data) for secondary use under GDPR Arts. 6 and 9.  The proposed regulation would provide that processing of personal electronic health data on the basis of the permit issued pursuant to the Regulation “shall be considered to allow lawful processing pursuant to Arts. 6(3), 6(4) and, as appropriate, Art. 9(2) (h), (i) or (j) of the Regulation (EU) 2016/679” (Art. 76(6)).

Supervision and Enforcement

Under the draft regulation, each Member State is required to designate competent, independent public authorities responsible for the implementation of the regulation (including, so-called Digital Health Authorities).  These authorities shall cooperate with the data protection authorities.  In addition, the European Commission shall establish a “European Digital and Health Data Board”, consisting of representatives of competent authorities of all Member States and the Commission.  The Board will have mainly an advisory function, as well as support the implementation of the regulation and the cooperation between the competent authorities.  Each Member State is required to stipulate “effective, proportionate and dissuasive” penalties for infringements of the regulation.

Interaction with other laws

The draft Regulation is without prejudice to existing legislation, such as the GDPR, the draft Data Act, the proposed Data Governance Act, the AI Act, and is instead intended to build on those laws — but unlike those laws, is focused solely on the health sector and health data.

*          *          *

The team at Covington will continue to monitor developments and will report on the official version of the European Health Data Space Regulation once the Commission releases it.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.