Articles of the European Health Data Space (EHDS), Article 29, Handling of risks posed by EHR systems and of serious incidents

Article 29, Handling of risks posed by EHR systems and of serious incidents, Articles of the European Health Data Space (EHDS), (Proposal_3.5.2022)

1. Where a market surveillance authority finds that an EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to take all appropriate measures to ensure that the EHR system concerned no longer presents that risk when placed on the market to withdraw the EHR system from the market or to recall it within a reasonable period.

2. The economic operator referred to in paragraph 1 shall ensure that corrective action is taken in respect of all the EHR systems concerned that it has placed on market throughout the Union.

3. The market surveillance authority shall immediately inform the Commission and the market surveillance authorities of other Member States of the measures ordered pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.

4. Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.

Such notification shall be made, without prejudice to incident notification requirements under Directive (EU) 2016/1148, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the manufacturer becomes aware of the serious incident involving the EHR system.

5. The market surveillance authorities referred to in paragraph 4 shall inform the other market surveillance authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.

6. Where the tasks of the market surveillance authority are not performed by the digital health authority, it shall cooperate with the digital health authority. It shall inform the digital health authority of any serious incidents and of EHR systems presenting a risk, including risks related to interoperability, security and patient safety, and of any corrective action, recall or withdrawal of such EHR systems.