After months in the pipeline, it looks like the European Health Data Space (EHDS) is finally entering into force later this year. But what does this mean for you?

This is the first post in our series on the EHDS. This post focuses on new health data rights, and we examine the latest publicly available draft, dated 24 April 2024.

So what’s the impact on the pharmaceutical and medtech industry? In one way, it’s limited – these new rights are primarily exercised against new access services, rather than data controllers. But watch out for a big move towards digitised health records in a common format in the coming years, which is likely to impact the entire healthcare ecosystem (including industry). Paper records may finally become a thing of the past.

Will these rights actually make things easier for patients? In a matter of years, access to your medical records may be just a few clicks away. And there has been a shift in the latest draft towards ensuring that the new rights don’t simply duplicate or confuse existing GDPR rights. But it is going to take a monumental lift in order to get the EHDS off the ground. No wonder the transition periods are so generous…

New health data rights for patients

One of the core aims of the EHDS is to empower patients. The idea is that you should have instant access your health records, and if (for example) you are a French national visiting Germany, you are able to easily share your health records with a German doctor.

These rights supplement existing GDPR rights for data subjects, and legislators hope that these represent an improvement to these rights, which can be cumbersome to exercise (for example, the right of access may involve an admin fee, or may result in a paper response or a delay of up to a month before receipt of a response). Crucially, many of these rights are not exercised directly against data controllers, but against new health data access services that will be set up in each Member State.

EHDS RightExercised through access service?Data captured by rightPoints to noteGDPR right that is supplemented
AccessYesAt least priority categories of personal electronic health dataImmediate, free-of-charge access in electronic format Includes right to download copyArticle 15 right of access
Insert information into EHRYesRight to insert ‘information’ into EHRInformation should be clearly distinguishable as inserted by patientN/A
RectificationYesPersonal dataN/AArticle 16 right of rectification
Data portabilityNoElectronic health dataImmediate and free-of-charge Can request transfer from healthcare provider to another healthcare provider, or social security / reimbursement services recipientArticle 20 right of data portability
Obtain information on any access by HCPs (transparency)  YesAccess to personal electronic health data through health professional access serviceWithout delay and free-of-chargeN/A
Restrict access of HCPs and providers  Unclear, but presumably yesPersonal electronic health dataPatients to be made aware that this may impact their care and involves risksN/A
Opt-out of access through the access servicesUnclear, but presumably yesPersonal electronic health dataReversible rightN/A

A new infrastructure facilitating these rights

In order to facilitate these new rights, the EU has ambitious plans to build a new digital infrastructure from the ground-up.

Digitised health records: The first goal is ensuring that the underlying health records of EU citizens are digitised and in a common format. To this end, Member States will need to ensure that:

  • certain “priority categories” of health data are being recorded in EHR systems, and that health professionals keep these up-to-date. These priority categories include patient summaries, e-prescriptions and test results.
  • this data is recorded in a commonly used, machine-readable format called the European EHR exchange format – this is so that data can be easily transferred between apps, devices and providers across the EU. This format will be fleshed out in implementing acts that will set out more detail on coding systems and values, technical interoperability specifications and ensuring harmonised datasets.

Member State access services: As a further layer of infrastructure, each Member State will be setting up its own health data access services to facilitate exercise of these rights. These access services will be for both: (a) patients (such as through an app or an online patient portal); and (b) health professionals. In addition, each Member State will set up a digital health authority that is responsible for the implementation and enforcement of these rights.

MyHealth@EU: At the EU-level, MyHealth@EU will be a central platform that facilitates exchange of personal data from one Member State to another. This will all make it easier for healthcare providers across the EU to access an individual’s health data. For example, if a Spanish citizen falls ill while on holiday in Italy, an Italian healthcare provider should be able to access the Spaniard’s medical records.

So what do these rights mean for you?

This is going to require a monumental lift across the EU healthcare ecosystem over the coming years towards recording EHRs in a commonly used, machine-readable exchange format. If your organisation processes patient health data, you may need to ensure that your systems reflect this common format in order to plug into this new infrastructure.

The majority of the new and enhanced rights are exercised directly against health data access services, rather than data controllers. However, the right of data portability can be exercised directly against healthcare provider controllers. These healthcare providers will need to build an infrastructure to ensure they can facilitate this right in a way that is immediate and free of charge for data subjects.

What’s next?

The draft text is undergoing lawyer-linguist revision. Once this has been completed, the European Parliament will need to (re-)confirm the final text. The Council is then be expected to formally adopt the finalised text and the EHDS will be published in the EU’s Official Journal before it enters into force (likely to be in the coming months).

The health data rights then have a transition period of four to six years before they apply (with four years applying to certain data categories, and six years to others). This generous grace period reflects the intensity of effort that will be required in order to set up the necessary digital infrastructure at both the Member State and EU level.

Author

Jaspreet Takhar is a senior associate in Baker McKenzie' London office and advises market-leading tech and healthcare companies on issues at the cutting-edge of digital health.

Author

Julia Gillert is Of Counsel at Baker McKenzie's London office, and has shaped her practice to focus exclusively on regulatory matters affecting the Healthcare & Life Sciences industry.

Author

Elina Angeloudi is an associate at Baker McKenzie's London office and specialises in regulatory advice to pharmaceutical and medical devices companies.