After months in the pipeline, it looks like the European Health Data Space (EHDS) is finally entering into force later this year. But what does this mean for you?
This is the first post in our series on the EHDS. This post focuses on new health data rights, and we examine the latest publicly available draft, dated 24 April 2024.
So whatâs the impact on the pharmaceutical and medtech industry? In one way, itâs limited – these new rights are primarily exercised against new access services, rather than data controllers. But watch out for a big move towards digitised health records in a common format in the coming years, which is likely to impact the entire healthcare ecosystem (including industry). Paper records may finally become a thing of the past.
Will these rights actually make things easier for patients? In a matter of years, access to your medical records may be just a few clicks away. And there has been a shift in the latest draft towards ensuring that the new rights donât simply duplicate or confuse existing GDPR rights. But it is going to take a monumental lift in order to get the EHDS off the ground. No wonder the transition periods are so generousâŚ
New health data rights for patients
One of the core aims of the EHDS is to empower patients. The idea is that you should have instant access your health records, and if (for example) you are a French national visiting Germany, you are able to easily share your health records with a German doctor.
These rights supplement existing GDPR rights for data subjects, and legislators hope that these represent an improvement to these rights, which can be cumbersome to exercise (for example, the right of access may involve an admin fee, or may result in a paper response or a delay of up to a month before receipt of a response). Crucially, many of these rights are not exercised directly against data controllers, but against new health data access services that will be set up in each Member State.
EHDS Right | Exercised through access service? | Data captured by right | Points to note | GDPR right that is supplemented |
Access | Yes | At least priority categories of personal electronic health data | Immediate, free-of-charge access in electronic format Includes right to download copy | Article 15 right of access |
Insert information into EHR | Yes | Right to insert âinformationâ into EHR | Information should be clearly distinguishable as inserted by patient | N/A |
Rectification | Yes | Personal data | N/A | Article 16 right of rectification |
Data portability | No | Electronic health data | Immediate and free-of-charge Can request transfer from healthcare provider to another healthcare provider, or social security / reimbursement services recipient | Article 20 right of data portability |
Obtain information on any access by HCPs (transparency) | Yes | Access to personal electronic health data through health professional access service | Without delay and free-of-charge | N/A |
Restrict access of HCPs and providers | Unclear, but presumably yes | Personal electronic health data | Patients to be made aware that this may impact their care and involves risks | N/A |
Opt-out of access through the access services | Unclear, but presumably yes | Personal electronic health data | Reversible right | N/A |
A new infrastructure facilitating these rights
In order to facilitate these new rights, the EU has ambitious plans to build a new digital infrastructure from the ground-up.
Digitised health records: The first goal is ensuring that the underlying health records of EU citizens are digitised and in a common format. To this end, Member States will need to ensure that:
- certain âpriority categoriesâ of health data are being recorded in EHR systems, and that health professionals keep these up-to-date. These priority categories include patient summaries, e-prescriptions and test results.
- this data is recorded in a commonly used, machine-readable format called the European EHR exchange format â this is so that data can be easily transferred between apps, devices and providers across the EU. This format will be fleshed out in implementing acts that will set out more detail on coding systems and values, technical interoperability specifications and ensuring harmonised datasets.
Member State access services: As a further layer of infrastructure, each Member State will be setting up its own health data access services to facilitate exercise of these rights. These access services will be for both: (a) patients (such as through an app or an online patient portal); and (b) health professionals. In addition, each Member State will set up a digital health authority that is responsible for the implementation and enforcement of these rights.
MyHealth@EU: At the EU-level, MyHealth@EU will be a central platform that facilitates exchange of personal data from one Member State to another. This will all make it easier for healthcare providers across the EU to access an individualâs health data. For example, if a Spanish citizen falls ill while on holiday in Italy, an Italian healthcare provider should be able to access the Spaniardâs medical records.
So what do these rights mean for you?
This is going to require a monumental lift across the EU healthcare ecosystem over the coming years towards recording EHRs in a commonly used, machine-readable exchange format. If your organisation processes patient health data, you may need to ensure that your systems reflect this common format in order to plug into this new infrastructure.
The majority of the new and enhanced rights are exercised directly against health data access services, rather than data controllers. However, the right of data portability can be exercised directly against healthcare provider controllers. These healthcare providers will need to build an infrastructure to ensure they can facilitate this right in a way that is immediate and free of charge for data subjects.
Whatâs next?
The draft text is undergoing lawyer-linguist revision. Once this has been completed, the European Parliament will need to (re-)confirm the final text. The Council is then be expected to formally adopt the finalised text and the EHDS will be published in the EUâs Official Journal before it enters into force (likely to be in the coming months).
The health data rights then have a transition period of four to six years before they apply (with four years applying to certain data categories, and six years to others). This generous grace period reflects the intensity of effort that will be required in order to set up the necessary digital infrastructure at both the Member State and EU level.