Preamble 1 to 10, Articles of the European Health Data Space (EHDS), (Proposal_3.5.2022)
(1) The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes that would benefit the society such as research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
(2) The COVID-19 pandemic has highlighted the imperative of having timely access to electronic health data for health threats preparedness and response, as well as for diagnosis and treatment and secondary use of health data. Such timely access would have contributed, through efficient public health surveillance and monitoring, to a more effective management of the pandemic, and ultimately would have helped to save lives.
In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 41 , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and Union level.
(3) The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that electronic health data are as open as possible and as closed as necessary. Synergies between the EHDS, the European Open Science Cloud 42 and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.
(4) The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council 43 and, for Union institutions and bodies, Regulation (EU) 2018/1725 of the European Parliament and of the Council 44 . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
(5) More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors.
Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.
(6) Chapter III of Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. EHDS builds upon these rights and further develops some of them. The EHDS should support the coherent implementation of those rights as applied to electronic health data, regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under Chapter II and III of this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided hem, of the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation of the legal ground for their processing.
(7) In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons.
Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved acess to their own personal electronic health data and are empowered to share it.
(8) The right of access to data by a natural person, established by Article 15 of Regulation (EU) 2016/679, should be further developed in the health sector. Under Regulation (EU) 2016/679, controllers do not have to provide access immediately. While patient portals, mobile applications and other personal health data access services exist in many places, including national solutions in some Member States, the right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming. This may severely impair timely access to health data by natural persons, and may have a negative impact on natural persons who need such access immediately due to urgent circumstances pertaining to their health condition.
(9) At the same time, it should be considered that immediate access to certain types of personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679.
Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period. Where health data is only available on paper, if the effort to make data available electronically is disproportionate, there should be no obligation that such health data is converted into electronic format by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf.
Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.
(10) Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be clearly marked to indicate the source of such additional data.
Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals.