Explanatory Memorandum to COM(2022)197 - European Health Data Space - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)197 - European Health Data Space. |
|---|---|
| source | COM(2022)197  |
| date | 03-05-2022 |
1. CONTEXT OF THE PROPOSAL
• Reasons for and objectives of the proposal
The European strategy for data 1 proposed the establishment of domain-specific common European data spaces. The European Health Data Space (‘EHDS’) is the first proposal of such domain-specific common European data spaces. It will address health-specific challenges to electronic health data access and sharing, is one of the priorities of the European Commission in the area of health 2 and will be an integral part of building a European Health Union. EHDS will create a common space where natural persons can easily control their electronic health data. It will also make it possible for researchers, innovators and policy makers to use this electronic health data in a trusted and secure way that preserves privacy.
Today, natural persons have difficulties in exercising their rights over their electronic health data, including accessing and transmitting their electronic health data nationally and cross-borders. This is despite the provisions of Regulation (EU) 2016/679 (here after ‘GDPR’) 3 , where rights of natural persons over their data, including health data, are safeguarded. As shown by the study assessing EU Member States’ rules on health data in light of the GDPR 4 , the uneven implementation and interpretation of the GDPR by Member States creates considerable legal uncertainties, resulting in barriers to secondary use of electronic health data. Thus, it creates certain situations where natural persons cannot benefit from innovative treatments and policy-makers cannot react effectively to a health crisis, due to barriers impeding access for researchers, innovators, regulators and policy makers to necessary electronic health data. Moreover, due to different standards and limited interoperability, manufacturers of digital health products and providers of digital health services operating in one Member State face barriers and additional costs when entering another one.
In addition, the COVID-19 pandemic has shown even further the importance of electronic health data for the development of policy in response to health emergencies. It has also highlighted the imperative of ensuring timely access to personal electronic health data for health threats preparedness and response, as well as for treatment, but also for research, innovation, patient safety, regulatory purposes, policy-making, statistical purposes or personalised medicine. The European Council has recognised the urgency to make progress towards and to give priority to the EHDS.
The general objective is to ensure that natural persons in the EU have increased control in practise over their electronic health data. It also aims to ensure a legal framework consisting of trusted EU and Member State governance mechanisms and a secure processing environment. This would allow researchers, innovators, policy-makers and regulators at EU and Member State level to access relevant electronic health data to promote better diagnosis, treatment and well-being of natural persons, and lead to better and well- informed policies. It also aims to contribute to a genuine single market for digital health products and services, by harmonising rules, and so boost healthcare system efficiencies.
Article 14 of the Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare (here after ‘CBHC Directive’) 5 was the first reference to eHealth in EU legislation. However, as stated in the impact assessment accompanying this EHDS Regulation, the relevant provisions of CBHC Directive are voluntary in nature. This partly explains why this aspect of the Directive has shown limited effectiveness in supporting natural persons’ control over their personal electronic health data at national and cross-border level and very low effectiveness on secondary uses of electronic health data. The COVID-19 pandemic has revealed the urgent need and the high potential for interoperability and harmonisation, building upon existing technical expertise at national level. At the same time, digital health products and services, including telemedicine, have become an intrinsic part of the delivery of healthcare.
The evaluation of the digital aspects of the CBHC Directive addressed the COVID-19 pandemic and Regulation (EU) 2021/953 on the EU Digital COVID Certificate 6 . This time-limited Regulation addresses free movement restrictions imposed due to COVID-19. The evaluation shows that legal provisions supporting harmonisation and a common EU approach to use of electronic health data for specific purposes (as opposed to voluntary actions only), and EU efforts to ensure legal, semantic and technical interoperability 7 , can deliver benefits. In particular, they can significantly support the free movement of natural persons and can promote the EU as a global standard setter in the field of digital health.
The EHDS will also promote better exchange and access to different types of electronic health data, including electronic health records, genomics data, patient registries etc. Not only will this support healthcare delivery (services and personnel involved in providing health care or primary use of electronic health data), it will also support health research, innovation, policy-making, regulatory purposes and personalised medicine purposes (secondary use of electronic health data). It will also establish mechanisms for data altruism in the health sector. The EHDS will help to attain the Commission’s vision for EU’s digital transformation by 2030, the Digital Compass 8 aim of providing 100% of natural persons with access to their medical records and Declaration of Digital Principles 9 .
• Consistency with existing policy provisions in the policy area
Cross-border exchange of electronic health data is to a certain extent addressed in the CBHC Directive in particular in its Article 14 on the eHealth Network. Established in 2011, it is a voluntary body at European level composed of digital health experts of all Member States with Iceland and Norway. They are working to promote EU-wide interoperability of electronic health data and to develop guidelines, such as semantic and technical standards, datasets and descriptions of infrastructures. The evaluation of the digital aspects of CBHC Directive noted the voluntary nature of this work and the guidelines. This explains why they have had a rather limited impact on supporting natural persons’ access to and control over their electronic health data. The EHDS aims to address these issues.
The EHDS builds upon legislation such as the GDPR, the Regulation (EU) 2017/745 on medical devices (Medical Devices Regulation) 10 and the Regulation (EU) 2017/746 on in vitro diagnostic medical devices (In Vitro Diagnostics Regulation) 11 , the proposed Artificial Intelligence Act 12 , the proposed Data Governance Act 13 and the proposed Data Act 14 , the Directive 2016/1148 on security of network and information systems (NIS Directive) 15 and the CBHC Directive.
Considering that a substantial amount of electronic data to be accessed in the EHDS are personal health data relating to natural persons in the EU, the proposal is designed in full compliance not only with the GDPR but also with Regulation (EU) 2018/1725 (EU Data Protection Regulation) 16 . The GDPR provides the rights to access, to portability and to accessibility/transmission to a new controller of data. It also designates data related to health as a “special category of data”, affording it special protection through the establishment of additional safeguards for its processing. The EHDS supports the implementation of the rights enshrined in the GDPR as applied to electronic health data. This is regardless of the Member State, the type of healthcare provider, the sources of electronic health data or the affiliation of the natural person. The EHDS builds upon the possibilities offered by the GDPR for an EU legislation on the use of personal electronic health data for medical diagnosis, the provision of health care or treatment or the management of health care systems and services. It also permits the use of electronic health data for scientific or historical research, official statistical purposes, and public interest in the area of public health, such as protecting against serious cross-border health threats or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. The EHDS envisages further provisions to promote interoperability and enhances the right of the natural persons to data portability in the health sector.
In the context of the European Health Union, the EHDS will support the work of the European Health Emergency Preparedness and Response Authority (HERA) 17 , in the Europe’s Beating Cancer Plan 18 the EU Mission on Cancer 19 , and in the Pharmaceutical Strategy for Europe 20 . The EHDS will create a legal and technical environment that will support the development of innovative medicinal products and vaccines, and of medical devices and in vitro diagnostics. This will help to prevent, detect, and rapidly respond to health emergencies. In addition, the EHDS will help to improve understanding, prevention, early detection, diagnosis, treatment and monitoring of cancer, through the EU cross-border secure access and sharing between healthcare providers of health, including cancer related data of natural persons. Therefore, by providing secure access to a wide range of electronic health data, the EHDS will open new opportunities for diseases prevention and treatment of natural persons.
The EHDS proposal also builds on the requirements that have been imposed on software through the Medical Devices Regulation and the proposed Artificial Intelligence Act. Medical device software already needs to be certified under the Medical Devices Regulation and AI-based medical devices and other AI systems would also need to comply with the requirements of the Artificial Intelligence Act once in force. However, a regulatory gap has been identified when it comes to information systems used in the health domain, also called electronic health record systems (‘EHR systems’). The focus is therefore on these EHR systems that are intended to be used to store and share electronic health data of natural persons. Therefore, the EHDS sets essential requirements specifically for EHR systems in order to promote interoperability and data portability of such system, which would allow natural persons to control their electronic health data more effectively. In addition, where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS Regulation.
When providing a framework for the secondary use of electronic health data, the EHDS builds upon the proposed Data Governance Act and the proposed Data Act. As horizontal framework, the Data Governance Act only lays down generic conditions for secondary use of public sector data without creating a genuine right to secondary use of such data. The proposed Data Act enhances portability of certain user-generated data, which can include health data, but does not provide rules for all health data. Therefore, the EHDS complements these proposed legislative acts and provides more specific rules for the health sector. These specific rules cover the exchange of electronic health data and may impact on provider of data sharing services, formats that ensure the portability of health data, cooperation rules for data altruism in health and complementarity on access to private data for secondary use.
The NIS Directive set the first EU-wide rules on cybersecurity. This Directive is being revised (the ‘NIS2 proposal 21 ), currently undergoing negotiations with the co-legislators. It aims to raise the EU common level of ambition of the cybersecurity regulatory framework, through a wider scope, clearer rules and stronger supervision tools. The Commission proposal addresses these issues across three pillars: (1) Member State capabilities; (2) risk management; (3) cooperation and information exchange. Operators in the healthcare system remain under the scope. The EHDS is enhancing security and trust in the technical framework designed to facilitate the exchange of electronic health data for both primary and secondary use.
A proposal for a Cyber Resilience Act is also planned for adoption by the Commission in 2022, with the aim to set out horizontal cybersecurity requirements for digital products and ancillary services. The envisaged set of essential cybersecurity requirements to be laid down by the Cyber Resilience Act will be applied to all sectors and categories of digital products whose producers and vendors shall comply with, before placing the products on the market or, as applicable, when putting them into service and also through the entire product lifecycle. These requirements will be of general nature and technology neutral. The security requirements set out in the EHDS, notably as regards the EHR systems, provide more specific requirements in certain areas, such as access control.
The EHDS builds upon the new proposal on the European Digital Identity 22 with the improvements in the domain of electronic identification, including the Digital Identity Wallet. This would allow better mechanisms for the online and offline identification of natural persons and health professionals.
• Consistency with other Union policies
This proposal is in line with the EU's overarching objectives. These include building a stronger European Health Union, implementing the European Pillar of Social Rights, improving the functioning of the internal market, promoting synergies with the EU digital internal market agenda, and delivering an ambitious research and innovation agenda. In addition, it will provide an important set of elements contributing to the formation of the European Health Union, by encouraging innovation and research and dealing better with future health crises.
The proposal is consistent with the Commission’s priorities to make Europe fit for the digital age and to build a future-proof economy that works for people. It also allows exploring the potential of cross-border regions as pilot tests for innovative solutions to European integration, as suggested in in the Commission report EU Border Regions: Living labs of European integration 23 . It supports the Commission’s Recovery Plan, learning lessons from the COVID-19 pandemic and delivers benefits of more easily accessible electronic health data where necessary.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
The proposal is based on Articles 16 and 114 of the Treaty on the Functioning of the European Union (TFEU). Such a dual legal basis is possible, if it is established that the measure simultaneously pursues several objectives that are inseparably linked without one being secondary or only indirectly related to the other. That is the case of the present proposal, as explained below. The procedures laid down for each legal basis are compatible with each other.
Firstly, Article 114 TFEU aims at improving the functioning of the internal market through measures for the approximation of national rules. Some Member States have taken legislative action to address the problems described above, by establishing national certification systems for EHR systems, whereas others have not. This can lead to legislative fragmentation in the internal market and different rules and practices across the EU. It could also lead to costs for companies that would have to comply with different regimes.
Article 114 TFEU is the appropriate legal basis since the majority of provisions of this Regulation aim to improve the functioning of the internal market and the free movement of goods and services. In this respect, Article 114(3) TFEU explicitly requires that, in achieving harmonisation, a high level of protection of human health is to be guaranteed taking account in particular of any new development based on scientific facts. This legal basis is therefore also appropriate where an action is related to the domain of public health protection. This is also in full respect of Article 168 which provides that a high level of human protection is to be achieved in all Union policies, while respecting Member State responsibility for the definition of their health policy and for the organisation and delivery of health services and medical care.
The legislative proposal will allow the EU to benefit from the scale of the internal market, since health data-driven products and services are often developed using electronic health data from different Member States and later commercialised across the EU.
The second legal basis for this proposal is Article 16 TFEU. The GDPR provides important safeguards in relation to rights of natural persons over their health data. However, as outlined in Section 1, these rights cannot be implemented in practice because of interoperability reasons and limited harmonisation of requirements and technical standards implemented at national and EU level. Additionally, the scope of the right to portability under the GDPR renders it less effective in the health sector 24 . Therefore, there is a need to put in place additional legally binding provisions and safeguards. It is also necessary to design specific requirements and standards that build on safeguards provided in the field of electronic health data processing to take advantage of the value of health data for the society. Moreover, the proposal aims to expand the use of electronic health data while strengthening the rights arising from Article 16 TFEU. Overall, the EHDS brings to reality the possibility offered by GDPR for an EU law for several purposes. These include medical diagnosis, the provision of health care or treatment or the management of health care systems and services. It also allows the use of electronic health data for public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health and care and of medicinal products or medical devices. It also serves scientific or historical research and statistical purposes.
• Subsidiarity
The current proposal aims to harmonise data flows to support natural persons in benefiting from protection and free movement of electronic health data, especially personal data. The proposal does not aim to regulate how healthcare is provided by Member States.
The evaluation of the digital aspects of the CBHC Directive reviewed the current situation of fragmentation, differences and barriers to access and use of electronic health data. It showed that action by Member States alone is not sufficient and may hamper the rapid development and deployment of digital health products and services including based on artificial intelligence.
The above-mentioned study on the GDPR’s implementation in the health sector, notes that the Regulationprovides extensive rights on natural persons’ access to and transmission of their data, including health data. Nevertheless, their practical implementation is hampered by low interoperability in the healthcare sector, which has been addressed so far mainly through soft law instruments. Such differences in local, regional and national standards and specifications can also prevent manufacturers of digital health products and providers of digital health service from entering new markets, where they need to adapt to new standards. This legislative proposal is thus designed to complement the rights and safeguards provided in the GDPR, so that its goals can indeed be achieved.
The same study reviewed that the extensive use of facultative specification provisions under the GDPR at national level. This created fragmentation and difficulties for accessing electronic health data, both at national level and between Member States. It had an impact on the possibility of researchers, innovators, policy makers and regulators to carry out their tasks or to carry out research or innovation. Ultimately, it was detrimental to the European economy.
In the impact assessment, the evaluation of Article 14 of the CBHC Directive shows that the approaches taken so far, consisting of low intensity/soft instruments, such as guidelines and recommendations aimed to support interoperability, have not produced the desired results. Natural persons’ access to and control of their personal electronic health data is still limited, and there are significant deficiencies in the interoperability of information systems used in the health domain. Moreover, national approaches in addressing the problems have only limited scope and do not fully address the EU-wide issue. Currently, the cross-border exchange of electronic health data is still very limited, which is partly explained by the significant diversity in standards applied to electronic health data in different Member States. In many Member States, there are substantial national, regional and local challenges to interoperability and data portability, hampering continuity of care and efficient healthcare systems. Even if health data are available in electronic format, it does not usually follow the natural person when they use services of a different healthcare provider. The EHDS proposal will address these challenges at EU level, providing mechanisms for improving interoperability solutions used at national, regional and local levels and reinforcing the rights of natural persons.
Therefore, EU-wide action in the content and form indicated is required to promote cross-border flow of electronic health data and to foster a genuine internal market for electronic health data, digital health products and services.
• Proportionality
The initiative seeks to put in place measures that are necessary to achieve the main objectives. The proposal creates an enabling framework that does not go beyond what is necessary to achieve the objectives. It addresses existing barriers to foster the realisation of the potential value of electronic health data. It sets a framework that reduces fragmentation and legal uncertainty. The initiative involves and relies on the work of the national authorities and seeks a strong involvement of relevant stakeholders.
The proposed Regulation will give rise to financial and administrative costs, which are to be borne through the allocation of resources at both Member States and EU level. The impact assessment demonstrates that the preferred policy option brings the best benefits at the least cost. The preferred policy option does not exceed what is necessary to achieve the objectives of the Treaties.
• Choice of the instrument
The proposal takes the form of a new Regulation. This is considered the most suitable instrument, given the need for a regulatory framework that directly addresses the rights of natural persons and reduces fragmentation in the digital single market. To prevent the fragmentation that resulted from inconsistent use of the relevant clauses in the GDPR (e.g. Article 9(4)), the EHDS uses the options for an EU law offered by the GDPR Regulation concerning the use of health data, for various purposes. In the preparing the proposal, different national legal contexts that built upon the GDPR by providing national legislation were carefully analysed. In order to prevent major disruption, but also inconsistent future developments, the EHDS aims to put forward an initiative that takes into account the main common elements of different frameworks. A Directive was not selected, as it would allow a divergent implementation and a fragmented market that could affect the protection and free movement of personal data in the health sector. The proposal will strengthen the EU’s health data economy by increasing legal certainty and guaranteeing a fully uniform and consistent sectoral legal framework. The proposed Regulation also calls for stakeholder involvement to ensure that requirements meet the needs of health professionals, natural persons, academia, industry and other relevant stakeholders.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-post evaluations/fitness checks of existing legislation
The CBHC Directive was adopted in 2011 and was transposed in all Member States by 2015. Article 14 of the Directive, establishing the eHealth Network, has been evaluated to better understand the impact it has had on digital health in the EU. The evaluation, which is an Annex to the EHDS impact assessment staff working document, finds that its impact has been rather limited. The evaluation of the eHealth provisions under the Directive concluded that its effectiveness and efficiency has been rather limited and that this was due to the voluntary nature of the eHealth Network actions.
Progress was slow on the use of personal electronic health data for primary purpose in the context of cross-border healthcare. The MyHealth@EU platform was implemented in only 10 Member States and it is currently supporting only two services (electronic prescription and patient summary). The low and slow uptake is partly related to the fact that the Directive, while establishing the right of natural persons to receive a written record of the treatment carried out, does not require this medical record to be provided in electronic form. Natural persons’ access to their personal electronic health data remains burdensome, and natural persons have limited control over their own health data and the use of these health data for medical diagnosis and treatment. The eHealth Network recommended that Member States use the Electronic Health Record Exchange Format standards and specifications in their procurements, in order to build interoperability. However, their real uptake of the format was limited, resulting in a fragmented landscape and uneven access to, and portability of, electronic health data.
Most Member States are expected to implement the MyHealth@EU platform by 2025. Only when more Member States will have implemented the MyHealth@EU platform and developed the necessary tools, will their use, development and maintenance become more efficient across the EU. However, advancements in eHealth in recent years call for a more coordinated action at EU level.
Nevertheless, following the outbreak of the COVID-19 pandemic in Europe, the eHealth Network proved to be very effective and efficient in times of a public health crisis and this promoted political convergence.
On secondary use of electronic health data, the eHealth Network activities were very limited and not very effective. The few non-binding documents on big data were not followed up by further specific actions and their implementation in practice remains very limited. At national level, other actors emerged on secondary use of electronic health data than the ones represented in the eHealth Network. Some Member States set up different bodies to deal with the subject and participated in the joint action Towards a European Health Data Space (TEHDaS). However, neither this joint action, nor the numerous funds provided by the Commission, for example under Horizon Europe, to support the secondary use of electronic health data have been sufficiently implemented in coherence with eHealth Network activities.
It was therefore concluded that the current structure of the eHealth Network is no longer appropriate. It only allows soft cooperation on primary use of electronic health data and interoperability, which did not solve in a systematic manner data access and portability problems at national and cross-border level. Moreover, the eHealth Network is not able to address the needs related to secondary use of electronic health data in an effective and efficient manner. The CBHC Directive provides empowerments for implementing acts on the use of electronic health data for primary and secondary use; these empowerments are limited.
The COVID-19 pandemic has highlighted and emphasised the importance of secure and safe access to and availability of public health and healthcare data across Member States borders, and the wide availability of electronic health data for public health in the context of the free movement of people within the EU during the pandemic. Building on a strong regulatory framework, the EU has been very effective in establishing EU-level standards and services to facilitate the free movement of people, such as the EU Digital COVID Certificate. However, overall progress seems to be hindered by the absence of binding or compulsory standards across the EU and consequently limited interoperability. Addressing this issue would not just benefit natural persons, it would also contribute to achieving the digital internal market and lowering barriers to the free movement of digital healthcare products and services.
• Stakeholder consultations
In preparing this EHDS proposal, stakeholders were consulted in various ways. The public consultation collected views from stakeholders on options for establishing the EHDS 25 . Feedback was received from various stakeholder groups. Their views can be found in detail in the annex to the impact assessment staff working document.
A public consultation was conducted from May to July 2021. In total, 382 valid responses were received. Respondents expressed support for action at EU level for accelerating research in health (89%), promoting natural persons’ control over their own health data (88%) and facilitating the delivery of healthcare across borders (83%). There was great support for promoting access and sharing of health data through a digital infrastructure (72%) or an EU infrastructure (69%). Most respondents are also of the view that natural persons should be able to transmit data collected from mHealth and telemedicine into EHR systems (77%). An EU level certification scheme to promote interoperability attracted 52% support.
In the area of secondary use of health data, most respondents said an EU body could facilitate access to health data for secondary purposes (87%). Mandatory use of technical requirements and standards is supported by 67%.
Stakeholder views were also collected through the study on the ‘Assessment of the EU Member States’ rules on health data in the light of the GDPR’. During the study, five workshops took place with ministries of health representatives, experts, stakeholder representatives and experts from national data protection offices 26 . A stakeholder survey was also carried out to cross validate and supplement the topics addressed and identified. In total, the online survey received 543 responds. From an online survey, 73% of respondents consider that having health data in a personal data space or patient portal facilitates data transmission between healthcare providers. Furthermore, 87% consider a lack of data portability drives up costs in healthcare, while 84% consider a lack of data portability delays diagnosis and treatment. Some 84% are of the view that additional measures should be taken at EU level to strengthen natural persons’ control over their health data. Some 81% consider the use of different GDPR legal basis makes it difficult to share health data. Some 81% of respondents suggest the EU should support secondary use of health data under the same legal base.
A study on the regulatory gaps to cross-border provision of digital health services and products, including artificial intelligence, and the evaluation of the existing framework for cross-border exchange of health data. A study on Health Data, Digital Health and Artificial Intelligence in Healthcare, was carried out between September 2020 and August 2021. This study provides evidence needed to enable informed policy making in the areas of digital health products and services, artificial intelligence, governance on the use of health data and the evaluation of Article 14 of the CBHC Directive. The consultation activities included interviews, focus groups and online surveys. Stakeholders support measures in a number of areas, ranging from guidance on digital health services and products quality, interoperability, reimbursement, identification and authentication, and digital literacy and skills. On primary use, stakeholders support mandating national digital health authorities with tasks to support cross-border provision of digital health and access to electronic health data. In addition, they also support expansion of the MyHealth@EU services. There is also support for giving natural persons the right to portability of their electronic health records in an interoperable format. On secondary use, there is support for putting in place a legal and governance framework and structure, building on the establishment of health data access bodies in a number of Member States, with cooperation at EU level through a network or an advisory group. To reduce barriers, there would be support for specifications and standards.
A study on infrastructures and data ecosystem supporting the impact assessment of the EHDS 27 , was carried out between April 2021 and December 2021. This study aims to present evidence-based insights that will support the impact assessment of options for a European digital health infrastructure. The study identifies, characterises and assesses options for a digital infrastructure, outlines the cost-effectiveness and provides data on the expected impacts, both for primary and secondary use of electronic health data. Interactive workshops were conducted covering 65 stakeholders who actively engage with health data usage. Their background varies across ministries of health, digital health authorities, national contact points for eHealth, health data research infrastructures, regulatory agencies, health data access bodies, healthcare providers, patients and advocacy groups. In addition, a survey focusing on costs was developed, including questions related to the value, benefits, impact and cost of different options.
Finally, the impact assessment study was carried out between June 2021 and December 2021. It aimed to present evidence-based insights that supported the impact assessment of options for the EHDS. The study sets out and assessed the overall policy options for the EHDS, building upon the evidence gathered in the previous studies. The ‘public consultation on overcoming cross-border obstacles 28 ’ also illustrates that natural persons face related obstacles in the context of cross-border regions. More details of these studies are provided in the Annex in the staff working document.
• Collection and use of expertise
Contents
●A study on the “Assessment of the EU Member States’ rules on health data in the light of the GDPR” 29 ,
●A study on the regulatory gaps to cross-border provision of digital health services and products, including artificial intelligence, and the evaluation of the existing framework for cross-border exchange of health data (forthcoming);
●A study on an infrastructure and data ecosystem supporting the impact assessment of the EHDS (forthcoming);
●Study supporting the Impact assessment of policy options for an EU initiative on a EHDS (forthcoming);
●A study on the electronic health record interoperability in the European Union (MonitorEHR) 30 ;
●A study on the use of real-world data (RWD) for research, clinical care, regulatory decision making, health technology assessment, and policy making and its executive summary 31 ;
●A market study on telemedicine 32 ;
●The European Data Protection Supervisor (EDPS) preliminary opinion on the EHDS 33 .
• Impact assessment
An impact assessment was carried out for this proposal. On 26 November 2021, the Regulatory Scrutiny Board issued a negative opinion on the first submission. After substantial revision of the impact assessment to address the comments and a resubmission of the impact assessment, on 26 January 2022 the Board delivered a positive opinion without reservations. The opinions of the Board, the recommendations and an explanation of how they have been taken into account are presented in Annex 1 of the staff working document.
The Commission examined different policy options to achieve the general objectives of the proposal. These are to ensure that natural persons have control over their own electronic health data, that they can benefit from a range of health-related products and services and that researchers, innovators, policy-makers and regulators can make the most of available electronic health data.
Three policy options of varying degrees of regulatory intervention and two additional variations of these options were assessed:
–Option 1: Intervention with low intensity: It relies on an increased cooperation mechanism and voluntary instruments that would cover digital health products and services and the secondary use of electronic health data. It would be supported by improved governance and digital infrastructure.
–Option 2 and 2+: Intervention with medium intensity: It would strengthen the rights of natural persons to control digitally their health data and provide an EU framework for the secondary use of electronic health data. The governance would rely on national bodies for primary and secondary use of electronic health data that would implement the policies nationally and, at EU level, support the development of appropriate requirements. Two digital infrastructures would support cross border sharing and secondary use of electronic health data. Implementation would be supported by a mandatory certification for EHR systems and a voluntary label for wellness applications, thus ensuring transparency for authorities, procurers and users.
–Option 3 and 3+: Intervention with high intensity: It would go beyond Option 2 by assigning to an existing or new EU body the definition of EU level requirements and access to cross border electronic health data. It would also extend the coverage of certification.
The preferred option is Option 2+, which builds upon Option 2. This would ensure a certification of EHR systems, a voluntary label for wellness application and a cascading effect in medical devices that aim to be interoperable with EHR systems. This would ensure the best balance between effectiveness and efficiency in reaching the objectives. Option 1 would improve the baseline marginally, as it remains voluntary. Option 3 would also be effective, but would have higher costs, may have a greater impact on SMEs and may be less feasible politically.
The preferred option would ensure that natural persons are able to digitally access and transmit their electronic health data, and enable access to it, irrespective of healthcare provider and data source. MyHealth@EU would become mandatory and natural persons could exchange their personal electronic health data cross-border in a foreign language. Mandatory requirements and certification (for EHR systems and medical devices claiming interoperability with EHR systems) and a voluntary label for wellness applications would ensure transparency for users and procurers and reduce cross-border market barriers for manufacturers.
The mandatory requirements have been maintained, but third-party certification was modified into self-certification coupled with an earlier review clause, allowing for a possible later transition to third-party certification. Given the novelty of the certification, it was decided to opt for a stepwise approach, that would allow less prepared Member States and manufacturers more time to put in place the certification system and build capacity. At the same time, more advanced Member States may require specific checks at national level in the context of procurement, financing and reimbursement of EHR systems. Such a change would reduce the estimated costs for certification for an individual manufacturer of an EHR system from EUR 20,000-50,000 to EUR 12,000-38,000, which could yield a reduction of approximately 30% in overall costs for manufacturers (from EUR 0.3-1.7 billion to EUR 0.2-1.2 billion).
This system seems the most proportionate for manufacturers in terms of administrative burden and potential capacity limitations of notified bodies for third-party certification. However, the actual benefits it produces on Member States, patients and procurers will need to be carefully analysed in the evaluation of the legal framework after five years.
On secondary use of electronic health data, researchers, innovators, policy makers and regulators would be able to have access to quality data for their work in a secure way, with a trusted governance and at lower costs than relying on consent. The common framework for secondary use would reduce the fragmentation and barriers for cross-border accesses. The preferred option requires Member States to set up one or more health data access bodies (with a coordination body), that can provide access to electronic health data to third parties, either as a new organisation or part of an existing organisation, building on the Data Governance Act. Parts of the costs will be offset through fees charged by health data access bodies. The setting up of health data access bodies is expected to lower costs to regulators and policy makers for accessing electronic health data, thanks to greater transparency of the effectiveness of medicinal products, resulting in a reduction of costs in the regulatory processes and in public procurement in health. Digitalisation can also reduce unnecessary tests and ensure transparency in spending, allowing savings to the health budget. EU funds will provide support for digitalisation.
The goal is to ensure transparency of information concerning datasets to data users, for which a stepwise approach was also adopted. This would mean that the dataset description would be mandatory for all datasets, excluding those held by micro-enterprises, while the self-declared data quality label, would only be mandatory for data holders with publicly funded datasets and voluntary for others. These nuances introduced after the impact assessment do not substantially alter the calculation of the costs for data holders stemming from the impact assessment.
The total economic benefits of this option are expected, over 10 years, to be above EUR 11 billion, above the baseline. This amount would be split almost evenly between benefits originating from measures on primary (EUR 5.6 billion) and secondary uses (EUR 5.4 billion) of health data.
In the area of primary use of health data, patients and healthcare providers will see benefits of approximately EUR 1.4 billion and EUR 4.0 billion stemming from savings in health services through greater update of telemedicine and more efficient exchanges of health data, including across borders.
In the area of secondary use of health data, researchers and innovators in digital health, medical devices and medicinal products would have benefits of over EUR 3.4 billion thanks to a more efficient secondary use of health data. Patients and healthcare would benefit from EUR 0.3 and EUR 0.9 billion in savings thanks to access to more innovative medical products and better decision-marking. The more intensive use of real-world evidence in health policy-making would yield additional savings, estimated at EUR 0.8 billion, for policy-makers and regulators.
The overall costs for the preferred option are estimated at EUR 0.7-2.0 billion above the baseline, over 10 years. The majority of costs would originate from measures on primary (EUR 0.3-1.3 billion) and secondary uses (EUR 0.4-0.7 billion) of health data.
In the area of primary use of health data, manufacturers of EHR systems and products intended to connect to EHR systems would bear most costs. This would amount to approximately EUR 0.2-1.2 billion due to the stepwise introduction of certification for EHR systems, medical devices and high-risk AI systems and voluntary labelling for wellness applications. The rest (less than EUR 0.1 billion) would be on public authorities, at national and EU level, for the completion of the coverage of MyHealth@EU.
In the area of secondary use of health data, public authorities, including regulators and policy-makers at Member State and EU level, would bear the costs (EUR 0.4-0.7 billion) for the rollout of health data access bodies and the necessary digital infrastructure connecting these bodies, research infrastructures and EU bodies, and the promotion of interoperability and data quality.
The preferred option is limited to aspects that Member States cannot achieve satisfactorily on their own, as shown by the evaluation of Article 14 of the CBHC Directive. The preferred option is proportionate, given the medium intensity of the proposal and the expected benefits for natural persons and industry.
The assessment of environmental impacts, in line with the European Climate Law 34 , shows that this proposal would result in limited impacts on climate and the environment. While new digital infrastructures and increased volumes of data traffic and storage may increase digital pollution, greater interoperability in health would largely offset such negative impacts by reducing travel-related pollution and energy and paper usage.
• Regulatory fitness and simplification
Not applicable.
• Fundamental rights
Since the use of electronic health data involves the processing of sensitive personal data, some elements of the proposed Regulation fall within the scope of the EU data protection legislation. The provisions of this proposal comply with the EU data protection legislation. They are designed to complement the rights provided by the EU data protection legislation by strengthening the control and access of the natural persons to their electronic health data. The proposal is expected to have a significant positive impact on fundamental rights related to the protection of personal data and free movement. This is because under MyHealth@EU, natural persons will be able to effectively share their personal electronic health data in the language of the country of destination when travelling abroad or take their personal electronic health data with them when moving to another country. Natural persons will have additional possibilities to digitally access and transmit their electronic health data, building upon provisions in the GDPR. Market operators in the health sector (either healthcare providers or providers of digital services and products) will be obliged to share electronic health data with user-selected third parties from the health sector. The proposal will provide the means to enforce these rights (through common standards, specifications and labels) without compromising on the required safety measures to protect natural person rights under the GDPR. It would contribute to the increased protection of health-related personal data and the free movement of such data as enshrined in Article 16 TFEU and in the GDPR.
Regarding secondary use of electronic health data, e.g. for innovation, research, public policy, patient safety, regulatory purposes or personalised medicine the proposal will follow and comply with the EU data protection legislation on this matter. Strong safeguards and security measures will be implemented to ensure that the fundamental rights of data protection are fully protected, in accordance with Article 8 of the EU Charter of Fundamental Rights. The proposal sets out an EU framework for accessing electronic health data for scientific and historical research purposes and statistical purposes, building upon the possibilities offered in this respect by the GDPR and, for EU institutions and bodies, by the EU Data Protection Regulation. It will include suitable and specific measures required to safeguard fundamental rights and the interests of natural persons in accordance with Articles 9.2 (h), (i) and (j) of the GDPR; and Articles 10.2 (h), (i) and (j) of the EU Data Protection Regulation. Setting up health data access bodies will ensure a predictable and simplified access to electronic health data, and a higher level of transparency, accountability and security in data processing. Coordinating these bodies at EU level and enshrining their activities in a common framework will ensure a level playing field. This will support cross-border analysis of electronic health data for research, innovation, official statistics, policy making and regulatory purposes. The promotion of interoperability of electronic health data and its secondary use will contribute to promoting an EU internal market for electronic health data in line with Article 114 TFEU.
4. BUDGETARY IMPLICATIONS
This proposal sets out a number of obligations for Member State authorities and the Commission and requires specific actions to promote the establishment and functioning of the EHDS. These cover, in particular, the development, deployment and maintenance of infrastructures for primary and secondary uses of electronic health data. The EHDS has strong ties with several other actions of the Union in the areas of health and social care, digitisation, research, innovation and fundamental rights.
In its 2021 and 2022 work programmes, EU4Health already supports the development and establishment of the EHDS with a substantial initial contribution of almost EUR 110 million. This includes the functioning of the existing infrastructure for primary uses of electronic health data (MyHealth@EU) and secondary use of electronic health data (HealthData@EU), the uptake of international standards by Member States, actions on capacity building and other preparatory actions, as well as an infrastructure pilot project for the secondary use of health data, a pilot project for the access of patients to their health data through MyHealth@EU and its scale-up, and the development of the central services for secondary uses of health data.
The fulfilment of the obligations by the Commission and associated support actions under this legal proposal will require EUR 220 million between 2023 and 2027 and will be funded directly from the EU4Health programme (EUR 170 million) and supported further from the Digital Europe Programme (EUR 50 million) 35 . In both cases, the expenditure linked to this proposal will be covered within the programmed amounts of these programmes.
The implementation of actions for natural persons’ control of and access to personal electronic health data for the provision of healthcare (Chapter II) will require EUR 110 million. These actions include the operations of the European digital health platform services for MyHealth@EU, Member States audits for the National Contact Points for Digital Health as part of MyHealth@EU, support for the uptake of international standards and support for patients’ access to health data through MyHealth@EU.
Implementing the self-certification scheme for EHR systems (Chapter III) will require over EUR 14 million to develop and maintain a European database for interoperable EHR systems and wellness applications. Additionally, Member States will have to designate market surveillance authorities in charge of implementing the legislative requirements. Their supervisory function for the self-certification of EHR systems could build on existing arrangements, for example regarding market surveillance, but would require sufficient expertise and human and financial resources. Actions for the secondary use of electronic health data for research, innovation, policy-making, regulatory decisions, patient safety or personalised medicine (Chapter IV) will require EUR 96 million. This funding will cover the European platform and Member States audits for the connection nodes, as part of infrastructure for secondary uses of electronic health data (HealthData@EU).
Beyond this, the costs for the connection of Member States to the European infrastructures within the EHDS will be partially covered by EU funding programmes that will complement EU4Health. Instruments such as Recovery and Resilience Facility (RRF) and the European Regional Development Fund (ERDF) will be able to support the connection of Member States to the European infrastructures.
The implementation of the objectives and provisions of this Regulation will be complemented by other actions under Digital Europe Programme, Connecting Europe Facility and Horizon Europe. These programmes, among others, aim at building up and strengthening quality data resources and corresponding exchange mechanisms 36 (under the Specific Objective Artificial Intelligence) and developing, promoting and advance scientific excellence 37 , respectively, including in health. Instances of such complementarity include horizontal support for the development and large-scale piloting of a smart middleware platform for common data spaces, where EUR 105 million from Digital Europe Programme have already been allocated in 2021-2022; domain-specific investments to facilitate the secure cross-border access to cancer images and genomics, supported by Digital Europe Programme in 2021-2022 with EUR 38 million; and research and innovation projects and coordination and support actions on health data quality and interoperability are already supported by Horizon Europe (Cluster 1) with EUR 108 million in 2021 and 2022, as well as EUR 59 million from the Research Infrastructures programme. Horizon Europe has also provided in 2021 and 2022 additional support for secondary use of health data dedicated to COVID-19 (EUR 42 million) and cancer (EUR 3 million).
Additionally, where physical connectivity is lacking in the health sector, Connecting Europe Facility will also contribute to the development of projects of common interest relating to the deployment of and access to safe and secure very high capacity networks, including 5G systems, and to the increased resilience and capacity of digital backbone networks on Union territories 38 . EUR 130 million are programmed in 2022 and 2023 for the interconnection of cloud infrastructures, including in health.
The Commission’s administrative costs are estimated to be of approximately EUR 17 million, including costs for human resources and other administrative expenditure.
The legislative financial statement attached to this proposal sets out the budgetary, human and administrative resource implications.
5. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
Due to the dynamic nature of the digital tranformation of health, monitoring the trend in impacts arising from the EHDS will constitute a key part of the action in this domain. To ensure that the selected policy measures actually deliver the intended results and to inform possible future revisions, it is necessary to monitor and evaluate the implementation of this proposal.
Monitoring the specific objectives and the regulatory obligations will be achieved firstly through reporting by digital health authorities and health data access bodies. In addition, there will be monitoring of MyHealth@EU indicators and of the infrastructure for secondary uses of electronic health data.
The implementation of the infrastructures, particularly the implementation of the European platform of the new infrastructure for secondary uses of electronic health data, will be done in coherence with the overall IT governance framework of the European Commission. Therefore, IT development and procurement choices will be subject to pre-approval by the European Commission Information Technology and Cybersecurity Board.
• Detailed explanation of the specific provisions of the proposal
Chapter I presents the subject matter and the scope of the regulation, sets out the definitions used throughout the instrument and explains its relationship with other EU instruments.
Chapter II develops the additional rights and mechanisms designed to complement the natural person’s rights provided under the GDPR in relation to their electronic health data. In addition, it describes the obligations of various health professionals in relation to electronic health data. Some type of electronic health data are identified as a priority to be integrated in the EHDS in a staged process with a transition period. Member States will have to set up a digital health authority responsible for monitoring these rights and mechanisms and for ensuring that these additional natural person’s rights are properly implemented. This Chapter includes provisions related to the interoperability of certain health related datasets. Member States will also have to designate national contact point tasked with enforcing the obligations and requirement of this Chapter. Finally, a common infrastructure MyHealth@EU is designed to provide the infrastructure to facilitate cross-border exchange of electronic health data.
Chapter III focuses on implementing a mandatory self-certification scheme for EHR systems, where such systems must comply with essential requirements related to interoperability and security. This approach is required to ensure that electronic health records are compatible between each system and allow easy transmission of electronic health data between them. This Chapter defines the obligations of each economic operator of EHR systems, the requirements related to the conformity of such EHR systems, as well as the obligations of market surveillance authorities responsible for EHR systems in the context of their market surveillance activities. This Chapter also includes provisions on the voluntary labelling of wellness applications, interoperable with EHR systems, and establishes an EU database where certified EHR systems and labelled wellness applications will be registered.
Chapter IV facilitates the secondary use of electronic health data, e.g. for research, innovation, policy making, patient safety or regulatory activities. It defines a set of data types that can be used for defined purposes, as well as prohibited purposes (e.g. use of data against persons, commercial advertising, increasing insurance, develop dangerous products). Member States will have to set up a health data access body for secondary use of electronic health data and ensure that electronic data are made available by data holders for data users. This Chapter also contains provisions on the implementation of data altruism in health. The duties and obligations of the health data access body, the data holders and the data users are also set out. In particular, data holders should cooperate with the health data access body to ensure availability of electronic health data for data users. Furthermore, responsabilities are defined for the health data access bodies and data users as joint controllers of the processed electronic health data.
The secondary use of electronic health data may involve costs. This chapter includes general provisions on transparency of fees calculation. On a practical level, requirements are in particular set out on security of the secure processing environment. Such a secure processing environment is required to access and process electronic health data under this Chapter. The conditions and the information needed in the data request form for obtaining access to electronic health data are listed in Section 3. Conditions attached to the issuance of the data permit are also described.
Section 4 of this Chapter mainly contains provisions on setting up and fostering cross-border access to electronic health data, so that a data user in one Member State can have access to electronic health data for secondary use from other Member States, without having to request a data permit from all these Member States. The cross-border infrastructure designed to enable such a process and its operation are also described.
Finally, this Chapter contains provisions related to dataset description and their quality. It would enable data users to ascertain the content and potential quality of the dataset used and allow them to assess wether these datasets were fit for purpose.
Chapter V aims to put forward other measures to promote capacity building by the Member States to accompany the development of the EHDS. These include exchange of information on digital public services, funding, etc. In addition, this Chapter regulates the international access to non-personal data in the EHDS.
Chapter VI creates the ‘European Health Data Space Board’ (‘EHDS Board’) that will facilitate the cooperation between digital health authorities and health data access bodies, in particular the relation between primary and secondary use of electronic health data. Dedicated sub-groups such as on primary use of electronic health data and on secondary use of electronic health data may be formed to focus on specific issues or process. The Board will be tasked with promoting the collaboration between digital health authorities and health data access bodies. This Chapter also provides for the composition of the Board and how its functioning is organised.
In addition, this Chapter contains provisions related to the joint controllership groups for EU infrastructure which will be tasked with taking decisions related to the cross-border digital infrastructure necessary, both for primary and secondary use of electronic health data.
Chapter VII allows the Commission to adopt delegated acts on the EHDS. Following the adoption of the proposal, the Commission intends to create an expert group in line with decision C (2016) 3301, in order to advise and assist it in the preparation of delegated acts, as well as on issues related to implementation of the Regulation as regards:
–delivering sustainable economic and social benefits of European digital health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of care and ensuring access to safe and high-quality healthcare;
–enhancing the interoperability of electronic health data for healthcare, building on existing European, international or national standards and experience of other data spaces;
–harmonised implementation of the access and sharing of electronic health data for primary use, at national and EU level;
–interoperability of EHR systems and of other products transmitting data to electronic health records, including medical devices, AI systems and wellness applications. Where relevant, the expert group shall cooperate with the Medical Devices Coordination Group and European Artificial Intelligence Board;
–minimum categories of electronic health data for secondary use;
–harmonised implementation of the access to electronic health data for secondary use, at national and EU level;
–data altruism activities in health sector;
–harmonised fees policy for secondary use of electronic health data;
–penalties applied by health data access bodies;
–minimal requirements and technical specifications for HealthData@EU and for secure processing environments;
–requirements and technical specifications for the data quality and utility label;
–minimum datasets;
–technical requirements to support data altruism in the health sector;
–other elements related to primary and secondary use of electronic health data.
The expert group may cooperate with and consult the Medical Devices Coordination Group and the European Artificial Intelligence Board, where relevant.
Chapter VIII contains provisions on cooperation and penalties and sets down final provisions.