Update: On May 3, 2022, the European Commission published the official version of the proposal for a European Health Data Space Regulation. It’s open for feedback until July 14, 2022.
Original blog post: On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published. The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data). The European Commission has not yet released an official version of the proposal. It is expected to do so on May 3.
The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains within it a number of different sets of rules. Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:
- create new patient rights over their electronic health data, and sets out rules regarding use of electronic health data for primary care;
- establishes a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
- sets out rules that apply to digital health services and wellness apps; and
- introduces a harmonized scheme for providing access to electronic health data for secondary use.
New patient rights and use of electronic health data for primary care
The draft regulation provides patients new rights over their personal electronic health data (e.g., patient summaries, electronic prescriptions and dispensation, medical image and image reports, laboratory results and discharge reports). These rights include:
- the right to access and rectify their personal electronic health data immediately, free of charge and in an easily readable and accessible form, such as in a unified electronic health record, using a personal electronic health data access service;
- the right to grant or restrict third parties access to their personal electronic health data, as well as the right to object to the processing of their personal electronic health data in electronic form; and
- the right to have the registration of new personal electronic health data be linked to a recognized electronic identification mechanism.
Health professionals will be required to inform their patients about these abovementioned rights. The draft regulation also grants health professionals the right to access the personal electronic health data of individuals under their treatment (irrespective of which Member State the individual is based in), unless that access is restricted by the individual. Health professionals will be required to keep the personal electronic health data of their patients up-to-date. When a healthcare provider or pharmacy is using an EHR system, that EHR system is required to have passed a pre-market conformity assessment (described below).
Pre-market conformity assessment requirement for EHR systems
The draft regulation defines EHR system as “solution or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing and/or viewing electronic health records” (Art. 4(6)). Under the draft regulation, EHR systems marketed in the EU must undergo a pre-market conformity assessment. In order to pass the conformity assessment, manufacturers of EHR systems must meet certain requirements relating to the quality, security, and interoperability of such systems, and draw up the required technical documentation to demonstrate that the EHR system complies with the requirements set out in the draft regulation. Once a notified body designated by Member States issues a certificate of conformity for an EHR system, the manufacturer must affix a CE marking on the system. The Commission is required to keep and maintain a publicly available database with information on EHR systems that have received a declaration of conformity. The draft regulation also imposes certain post-marketing requirements, including rules on reporting serious incidents (i.e., incidents that directly or indirectly lead or might lead to (a) the death of a person or serious damage to a person’s health or (b) a serious disruption of the management and operation of critical infrastructure in the health sector).
Rules that apply to digital health services and wellness apps
The draft regulation proposes to prohibit Member States from imposing restriction on the provision and receipt of digital health services (e.g., dispensation of medicinal products or reimbursement of telehealth services) unless these restrictions are necessary and proportionate to safeguard legitimate interests under EU law. The draft regulation also sets out a voluntary labelling scheme for wellness applications (e.g., mobile applications) that are interoperable with EHR systems.
Rules on secondary use of electronic health data
The draft regulation requires providers of electronic health data to ensure that certain categories of electronic health data are made available to competent bodies, to be designated by Member States. Those competent bodies are, in turn, required to review applications from data users who wish to re-use health data for secondary purposes — e.g., for research, innovation, policy-making, statistics, and ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, among others. Data users are allowed to re-use health data only after receiving a data permit from a competent authority.
The proposed data permit framework addresses the issue that there isn’t yet harmonization across the Member States on the appropriate legal basis for processing health data (and genetic data) for secondary use under GDPR Arts. 6 and 9. The proposed regulation would provide that processing of personal electronic health data on the basis of the permit issued pursuant to the Regulation “shall be considered to allow lawful processing pursuant to Arts. 6(3), 6(4) and, as appropriate, Art. 9(2) (h), (i) or (j) of the Regulation (EU) 2016/679” (Art. 76(6)).
Supervision and Enforcement
Under the draft regulation, each Member State is required to designate competent, independent public authorities responsible for the implementation of the regulation (including, so-called Digital Health Authorities). These authorities shall cooperate with the data protection authorities. In addition, the European Commission shall establish a “European Digital and Health Data Board”, consisting of representatives of competent authorities of all Member States and the Commission. The Board will have mainly an advisory function, as well as support the implementation of the regulation and the cooperation between the competent authorities. Each Member State is required to stipulate “effective, proportionate and dissuasive” penalties for infringements of the regulation.
Interaction with other laws
The draft Regulation is without prejudice to existing legislation, such as the GDPR, the draft Data Act, the proposed Data Governance Act, the AI Act, and is instead intended to build on those laws — but unlike those laws, is focused solely on the health sector and health data.
* * *
The team at Covington will continue to monitor developments and will report on the official version of the European Health Data Space Regulation once the Commission releases it.