Considerations on COM(2022)197 - European Health Data Space - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)197 - European Health Data Space. |
|---|---|
| document | COM(2022)197  |
| date | May 3, 2022 |
(2) The COVID-19 pandemic has highlighted the imperative of having timely access to electronic health data for health threats preparedness and response, as well as for diagnosis and treatment and secondary use of health data. Such timely access would have contributed, through efficient public health surveillance and monitoring, to a more effective management of the pandemic, and ultimately would have helped to save lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 41 , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and Union level.
(3) The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that electronic health data are as open as possible and as closed as necessary. Synergies between the EHDS, the European Open Science Cloud 42 and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.
(4) The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council 43 and, for Union institutions and bodies, Regulation (EU) 2018/1725 of the European Parliament and of the Council 44 . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
(5) More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.
(6) Chapter III of Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. EHDS builds upon these rights and further develops some of them. The EHDS should support the coherent implementation of those rights as applied to electronic health data, regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under Chapter II and III of this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided hem, of the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation of the legal ground for their processing.
(7) In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved acess to their own personal electronic health data and are empowered to share it.
(8) The right of access to data by a natural person, established by Article 15 of Regulation (EU) 2016/679, should be further developed in the health sector. Under Regulation (EU) 2016/679, controllers do not have to provide access immediately. While patient portals, mobile applications and other personal health data access services exist in many places, including national solutions in some Member States, the right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming. This may severely impair timely access to health data by natural persons, and may have a negative impact on natural persons who need such access immediately due to urgent circumstances pertaining to their health condition.
(9) At the same time, it should be considered that immediate access to certain types of personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period. Where health data is only available on paper, if the effort to make data available electronically is disproportionate, there should be no obligation that such health data is converted into electronic format by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.
(10) Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be clearly marked to indicate the source of such additional data. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals.
(11) Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679. This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.
(12) Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.
(13) Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
(14) In the context of the EHDS, natural persons should be able to exercise their rights as they are enshrined in Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.
(15) Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of senstitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data, including the legislation establishing categories of health professionals that can process different categories of electronic health data.
(16) Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care and avoiding duplications and errors. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as health professional portals, to use personal electronic health data for the exercise of their duties. Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format.
(17) The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded. The Commission should be empowered to extend the list of priority categories, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.
(18) Access and sharing of electronic health data should be enabled for all the data that exist in the EHR of a natural person, when technically feasible. However, some electronic health data may not be structured or coded, and the transmission between healthcare providers may be limited or only possible in formats that do not allow for translation (when data is shared cross-borders). In order to provide enough time to prepare for implementation, dates of deferred application should be determined to allow for achieving legal, organisational, semantic and technical readiness for the transmission of different categories of electronic health data. When need for the exchange of new categories of electronic health data is identified, related dates of application should be determined in order to allow for the implementation of this exchange.
(19) The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format. This would also contribute to the achievement of the target of 100% of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data accesible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/243 45 provides the foundations for such a common European electronic health record exchange format. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council 46 recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.
(20) While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt implementing acts for determining additional aspects related to the registration of electronic health data, such as categories of healthcare providers that are to register health data electronically, categories of data to be registered electronically, or data quality requirements.
(21) Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services (including telemedicine) that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.
(22) Regulation (EU) No 910/2014 of the European Parliament and of the Council 47 lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’).As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level. Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities.
(23) Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
(24) Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data.
(25) In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities among the Member States, as joint controllers, and prescribe its own obligations, as processor.
(26) In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases. Connection of national contact points for digital health of third countries or interoperability with digital systems established at international level should be subject to a check ensuring the compliance of the national contact point with the technical specifications, data protection rules and other requirements of MyHealth@EU. A decision to connect a national contact point of a third country should be taken by data controllers in the joint controllership group for MyHealth@EU.
(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory self-certification scheme for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through this self-certification, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council 48 .
(28) While EHR systems specifically intended by the manufacturer to be used for processing one or more specific categories of electronic health data should be subject to mandatory self-certification, software for general purposes should not be considered as EHR systems, even when used in a healthcare setting, and should therefore not be required to comply with the provisions of Chapter III.
(29) Software or module(s) of software which falls within the definition of a medical device or high-risk artificial intelligence (AI) system should be certified in accordance with Regulation (EU) 2017/745 of the European Parliament and of the Council 49 and Regulation […] of the European Parliament and of the Council [AI Act COM/2021/206 final], as applicable. The essential requirements on interoperability of this Regulation should only apply to the extent that the manufacturer of a medical device or high-risk AI system, which is providing electronic health data to be processed as part of the EHR system, claims interoperability with such EHR system. In such case, the provisions on common specifications for EHR systems should be applicable to those medical devices and high-risk AI systems.
(30) To further support interoperability and security, Member States may maintain or define specific rules for the procurement, reimbursement, financing or use of EHR systems at national level in the context of the organisation, delivery or financing of health services. Such specific rules should not impede the free movement of EHR systems in the Union. Some Member States have introduced mandatory certification of EHR systems or mandatory interoperability testing for their connection to national digital health services. Such requirements are commonly reflected in procurements organised by healthcare providers, national or regional authorities. Mandatory certification of EHR systems at Union level should establish a baseline that can be used in procurements at national level.
(31) In order to guarantee effective exercise by patients of their rights under this Regulation, where healthcare providers develop and use an EHR system ‘in house’ to carry out internal activities without placing it on the market in return of payment or remuneration, they should also comply with this Regulation. In that context, such healthcare providers should comply with all requirements applicable to the manufacturers.
(32) It is necessary to provide for a clear and proportionate division of obligations corresponding to the role of each operator in the supply and distribution process of EHR systems. Economic operators should be responsible for compliance in relation to their respective roles in such process and should ensure that they make available on the market only EHR systems which comply with relevant requirements.
(33) Compliance with essential requirements on interoperability and security should be demonstrated by the manufacturers of EHR systems through the implementation of common specifications. To that end, implementing powers should be conferred on the Commission to determine such common specifications regarding datasets, coding systems, technical specifications, including standards, specifications and profiles for data exchange, as well as requirements and principles related to security, confidentiality, integrity, patient safety and protection of personal data as well as specifications and requirements related to identification management and the use of electronic identification. Digital health authorities should contribute to the development of such common specifications.
(34) In order to ensure an appropriate and effective enforcement of the requirements and obligations laid down in Chapter III of this Regulation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply. Depending on the organisation defined at national level, such market surveillance activities could be carried out by the digital health authorities ensuring the proper implementation of Chapter II or a separate market surveillance authority responsible for EHR systems. While designating digital health authorities as market surveillance authorities could have important practical advantages for the implementation of health and care, any conflicts of interest should be avoided, for instance by separating different tasks.
(35) Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A voluntary labelling scheme should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission may set out in implementing acts the details regarding the format and content of such label.
(36) The distribution of information on certified EHR systems and labelled wellness applications is necessary to enable procurers and users of such products to find interoperable solutions for their specific needs. A database of interoperable EHR systems and wellness applications, which are not falling within the scope of Regulations (EU) 2017/745 and […] [AI act COM/2021/206 final] should therefore be established at Union level, similar to the European database on medical devices (Eudamed) established by Regulation (EU) 2017/745. The objectives of the EU database of interoperable EHR systems and wellness applications should be to enhance overall transparency, to avoid multiple reporting requirements and to streamline and facilitate the flow of information. For medical devices and AI systems, the registration should be maintained under the existing databases established respectively under Regulations (EU) 2017/745 and […] [AI act COM/2021/206 final], but the compliance with interoperability requirements should be indicated when claimed by manufacturers, to provide information to procurers.
(37) For the secondary use of the clinical data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis and rules and mechanisms and providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. This Regulation provides the legal basis in accordance with Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV. More specifically: for processing of electronic health data held by the data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing the data by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679. This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2)(h),(i),(j) of the Regulation (EU) 2016/679. Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which electronic health data can be processed. In the case where the user has access to electronic health data (for secondary use of data for one of the purposes defined in this Regulation), the data user should demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f), of Regulation (EU) 2016/679 and explain the specific legal basis on which it relies as part of the application for access to electronic health data pursuant to this Regulation: on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it should make reference to another EU or national law, different from this Regulation, mandating the user to process personal health data for the compliance of its tasks. If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data access bodies are an administrative decision defining the conditions for the access to the data.
(38) In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use.
(39) The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances, homelessness, health insurance, minimum income, professional status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include person-generated data, such as data from medical devices, wellness applications or other wearables and digital health applications. The data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.
(40) The data holders can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding, should be made available by data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.
(41) The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of AI algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.
(42) The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
(43) The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.
(44) Considering the administrative burden for health data access bodies to inform the natural persons whose data are used in data projects within a secure processing environment, the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the data subject or his health professional. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
(45) Regulation […] [Data Governance Act COM/2020/767 final] sets out the general rules for the management of data altruism. At the same time, given that the health sector manages sensitive data, additional criteria should be established through the rulebook foreseen in Regulation […] [Data Governance Act COM/2020/767 final]. Where such a rulebook foresees the use of a secure processing environment for this sector, this should comply with the criteria established in this Regulation. The health data access bodies should cooperate with the bodies designated under Regulation […] [Data Governance Act COM/2020/767 final] to supervise the activity of data altruism organisations in the health or care sector.
(46) In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand, Union institutions, bodies, offices and agencies, including EMA, ECDC and the Commission, have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.
(47) Health data access bodies and single data holders should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission may adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.
(48) In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to penalties or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement. The imposition of penalties should be subject to appropriate procedural safeguards in accordance with the general principles of law of the relevant Member State, including effective judicial protection and due process.
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person(s). Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
(50) In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide health data access bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information include: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data access bodies and, where relevant data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data, it should submit a data request application, requiring the health data access body to provide directly the result. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data application, as well as data request.
(51) As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an additonal fee. However, in all the cases, the data permit should reflect theses additionals uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
(52) As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies, especially the Commission, need access to health data for a longer period and on a recurring basis. This is may be the case not only in specific circumstances in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.
(53) For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data access bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi-country requests and requests requiring combination of datasets from several data holders should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or data requests they provide.
(54) Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body or, where relevant, single data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
(55) For the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users, the Commission should, by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter into. In order to achieve an inclusive and sustainable framework for multi-country secondary use of electronic health data, a cross-border infrastructure should be established. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/2009 50 or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council 51 .
(56) In case of cross-border registries or databases, such as the registries of European Reference Networks for Rare Diseases, which receive data from different healthcare providers in several Member States, the health data access body where the coordinator of the registry is located should be responsible for providing access to data.
(57) The authorisation process to gain access to personal health data in different Member States can be repetitive and cumbersome for data users. Whenever possible, synergies should be established to reduce the burden and barriers for data users. One way to achieve this aim is to adhere to the “single application” principle whereby, with one application, the data user obtain authorisation from multiple health data access bodies in different Member States.
(58) The health data access bodies should provide information about the available datasets and their characteristics so that data users can be informed of elementary facts about the dataset and assess their possible relevance to them. For this reason, each dataset should include, at least, information concerning the source, nature of data and conditions for making data available. Therefore, an EU datasets catalogue should be established to facilitate the discoverability of datasets available in the EHDS; to help data holders to publish their datasets; to provide all stakeholders, including the general public, also taking into account people with disabilities, with information about datasets placed on the EHDS (such as quality and utility labels, dataset information sheets); to provide the data users with up-to-date data quality and utility information about datasets.
(59) Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.
(60) The EU datasets catalogue should minimise the administrative burden for the data holders and other database users; be user-friendly, accessible and cost-effective, connect national data catalogues and avoid redundant registration of datasets. The EU datasets catalogue could be aligned with the data.europa.eu initiative and without prejudice to the requirements set out in the Regulation […] [Data Governance Act COM/2020/767 final]. Member states should ensure that national data catalogues are interoperable with existing dataset catalogues from European research infrastructures and other relevant data sharing infrastructures.
(61) Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases, and statistics and shall be taken into account when defining new standards. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare.
(62) The Commission should support Member States in building capacity and effectiveness in the area of digital health systems for primary and secondary use of electronic health data. Member States should be supported to strengthen their capacity. Activities at Union level, such as benchmarking and exchange of best practices are relevant measures in this respect.
(63) The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds.
(64) Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically foreseen in the Data Governance Act. Even in situations of the use of state of the art anonymization techniques, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases (a life-threatening or chronically debilitating condition affecting not more than five in 10 thousand persons in the Union), where the limited numbers of case reduce the possibility to fully aggregate the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. It can affect different types of health data depending on the level of granularity and description of the characteristics of data subjects, the number of people affected or and for instance in cases of data included in electronic health records, disease registries, biobanks, person generated data etc. where the identification characteristics are broader and where, in combination with other information (e.g. in very small geographical areas) or through the technological evolution of methods which had not been available at the moment of anonymisation, can lead to the re-identification of the data subjects using means that are beyond those reasonably likely to be used. The realisation of such risk of re-identification of natural persons would present a major concern and is likely to put the acceptance of the policy and rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as in the reporting on clinical trials, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for these types of health data, there remains a risk for re-identification after the anonymisation or aggregation, which could not be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. These types of health data would thus fall within the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final] for transfer to third countries. The protective measures, proportional to the risk of re-identification, would need to take into account the specificities of different data categories or of different anonymization or aggregation techniques and will be detailed in the context of the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].
(65) In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].
(66) In order to manage the cross-border infrastructures for primary and secondary use of electronic health data, it is necessary to create the Joint controllership group for authorised participants (e.g. to ensure the compliance with data protection rules and this Regulation for the processing operations performed in such infrastructures).
(67) Since the objectives of this Regulation: to empower natural persons through increased control of their personal health data and support their free movement by ensuring that health data follows them; to foster a genuine single market for digital health services and products; to ensure a consistent and efficient framework for the reuse of natural persons’ health data for research, innovation, policy-making and regulatory activities cannot be sufficiently achieved by the Member States, through coordination measures alone, as shown by the evaluation of the digital aspects of the Directive 2011/24/EU but can rather, by reason of harmonising measures for rights of natural persons in relation to their electronic health data, interoperability of electronic health data and a common framework and safeguards for the primary and secondary use of electronic health data, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
(68) In order to ensure that EHDS fulfils its objectives, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission in respect of different provisions of primary and secondary use of electronic health data. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making 52 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(69) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council 53 .
(70) Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. For certain specific infringements, Member States should take into account the margins and criteria set out in this Regulation.
(71) In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, on the self-certification of EHR systems, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
(72) For a successful cross-border implementation of EHDS, the European Interoperability Framework 54 to ensure legal, organisational, semantic and technical interoperability should be considered as common reference.
(73) The evaluation of the digital aspects of Directive 2011/24/EU shows limited effectiveness of eHealth Network, but also strong potential for EU work in this area, as shown by the work during pandemic. Therefore, the article 14 of the Directive will be repealed and replaced by the current Regulation and the Directive will be amended accordingly.
(74) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on […].
(75) This Regulation should not affect the application of the rules of competition, and in particular Articles 101 and 102 of the Treaty. The measures provided for in this Regulation should not be used to restrict competition in a manner contrary to the Treaty.
(76) Given the need for technical preparation, this Regulation should apply from [12 months after entry into force].