Articles of the European Health Data Space (EHDS), Preamble 21 to 30

Preamble 21 to 30, Articles of the European Health Data Space (EHDS), (Proposal_3.5.2022)

(21) Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services (including telemedicine) that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.

(22) Regulation (EU) No 910/2014 of the European Parliament and of the Council lays down the conditions under which Member States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals.

The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’). As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level.

Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities.

(23) Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensure rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS.

To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.

(24) Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU.

Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data.

(25) In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities among the Member States, as joint controllers, and prescribe its own obligations, as processor.

(26) In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates.

This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases. Connection of national contact points for digital health of third countries or interoperability with digital systems established at international level should be subject to a check ensuring the compliance of the national contact point with the technical specifications, data protection rules and other requirements of MyHealth@EU. A decision to connect a national contact point of a third country should be taken by data controllers in the joint controllership group for MyHealth@EU.

(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory self-certification scheme for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach.

Through this self-certification, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council.

(28) While EHR systems specifically intended by the manufacturer to be used for processing one or more specific categories of electronic health data should be subject to mandatory self-certification, software for general purposes should not be considered as EHR systems, even when used in a healthcare setting, and should therefore not be required to comply with the provisions of Chapter III.

(29) Software or module(s) of software which falls within the definition of a medical device or high-risk artificial intelligence (AI) system should be certified in accordance with Regulation (EU) 2017/745 of the European Parliament and of the Council and Regulation […] of the European Parliament and of the Council [AI Act COM/2021/206 final], as applicable. The essential requirements on interoperability of this Regulation should only apply to the extent that the manufacturer of a medical device or high-risk AI system, which is providing electronic health data to be processed as part of the EHR system, claims interoperability with such EHR system. In such case, the provisions on common specifications for EHR systems should be applicable to those medical devices and high-risk AI systems.

(30) To further support interoperability and security, Member States may maintain or define specific rules for the procurement, reimbursement, financing or use of EHR systems at national level in the context of the organisation, delivery or financing of health services. Such specific rules should not impede the free movement of EHR systems in the Union. Some Member States have introduced mandatory certification of EHR systems or mandatory interoperability testing for their connection to national digital health services. Such requirements are commonly reflected in procurements organised by healthcare providers, national or regional authorities. Mandatory certification of EHR systems at Union level should establish a baseline that can be used in procurements at national level.