After months in the pipeline, it looks like the European Health Data Space (EHDS) is finally entering into force later this year. But what does this mean for your organisation? In this post, we focus on the change that has been generating all the headlines: a new pathway to access health data for secondary uses like research and innovation.
So what can you expect?
- The EHDS introduces a new regulatory pathway through which âdata holdersâ must make a wide range of âelectronic health dataâ available to âdata usersâ for a defined list of permitted secondary uses. These permitted uses include scientific research, certain development and innovation activities, and training algorithms.
- If your organisation operates in the healthcare and life sciences space, you are likely to be a data holder. And that means that your organisation may face requests from third parties (potentially even from your competitors) to access your organisation’s electronic health data.
- What’s more, electronic health data is far wider than you may expect, encompassing both personal and non-personal data, and seems to include data generated both pre- and post-EHDS. Holders will need to provide a catalogue of in-scope data to a health data access body on an annual basis, and it will be no mean feat for data holders to just map out where these datasets may be located within a large organisation. In an industry where intellectual property rights represent the crown jewels, organisations need to start strategizing now about how they intend to protect IP in their in-scope data.
- But where there are concerns, there is also opportunity â the EHDS sets out a new streamlined procedure for your researchers and developers to access datasets from multiple organisations for research and innovation purposes.
This is the second post in our EHDS series, and we examine the latest publicly available draft, dated 24 April 2024. In our next post, we examine wider issues under this pathway, including the impact on intellectual property rights and GDPR compliance (spoiler alert: it’s complicated).
The basics of the new pathway
At a high-level, if you are a data user and wish to access electronic health data from a data holder (such as a hospital or sponsor) for research activities, your organisation would simply need to submit an application to a newly established health data access body (to be set up in every Member State). This application would need to jump through a number of hurdles and should be accompanied by a fee. If successful, your organisation would receive a data permit to access the dataset in question. The relevant data are then made available to you in a secure processing environment.
Scope of electronic health data
The scope of âelectronic health dataâ caught by this pathway is far wider than you may first assume. âElectronic health dataâ goes beyond concept of âhealth dataâ under the GDPR, and includes both personal and non-personal data, such as: electronic health records (EHRs); data from medical devices; data from wellness applications; healthcare-related administrative data; genetic data; public health registries; and data from clinical trials (once the trial has ended). Member States may add further categories at the local level.
What are the issues with the definition of “electronic health data”?
- For device and wellness app manufacturers, âelectronic health dataâ may even capture low-quality raw data that that may be manufacturer-specific and of no use to a third party, as it may be based on measurements or values that are not common between manufacturers. This means there is a risk that data holders may be required to share incomprehensible raw data, or worse, input and output data that facilitates reverse engineering or presents security risks. There are now some provisions in the EHDS on preservation of IPR in these situations that may assist (see next weekâs post for more on how organisations may protect IPR under this pathway), but this is not a silver bullet. Organisations should start considering their strategies for IPR preservation now.
- The in-scope data is not limited to data collected after the EHDS enters into force, suggesting this applies to electronic health data collected or generated prior to the EHDS coming into force. This will be challenging for organisations to map out.
- The EHDS also makes clear that Member States should continue to respect âthe principle of health professional-patient confidentiality in the application of this Regulationâ. Despite the EUâs best efforts, this will inevitably lead to fragmentation across the EU in terms of the datasets that holders may make available under this framework: Member States have differing laws and guidance on medical secrecy / patient confidentiality. This will pose obstacles to healthcare professionals and hospitals sharing patient data under this framework, that will vary from Member State to Member State.
The main takeaway here is that a wealth of data are captured, and it will be no mean feat for data holders to just map out where these datasets may be located within a large organisation. Even once an organisation has comprehensive data maps, it will then need to consider which data may be protected by IPR and which data may be subject to patient confidentiality restrictions on sharing.
Who is a data holder?
A âhealth data holderâ is any natural or legal person in the healthcare or the care sector, who has either:
- the right or obligation to process personal electronic health data as a controller or joint controller for certain purposes, including for the provision of healthcare or care, research, innovation, or regulatory purposes; or
- the ability to make available non-personal electronic health data, through control of the technical design of a product and related services.
This definition is wide enough to cover an array of actors in the healthcare ecosystem, including app developers, sponsors of clinical trials, medical device companies, and hospitals.
What are the issues with this definition of “data holder”?
- The definition is based on the Data Actâs definition of a data holder, but without the benefit of some of the refinements under the Data Act. For example, the Data Act expressly accounts for where a data holder includes a party with rights or obligations over data through contractual agreement (which is missing here).
- Under (b), the entity that produces the dataset (often a healthcare provider) is unlikely to control the technical design of a product. Instead, a manufacturer is likely to have this control. This creates the awkward position that a manufacturer may have no legal right to generated data (for example, due to contractual provisions), but may nevertheless be required to make that data available under this pathway.
Who is a data user?
A âhealth data userâ is any natural or legal person granted lawful access to electronic health data under the pathway. This will be exciting news for researchers and innovators across industry, who will be able to access data for research and product development purposes from a whole host of organisations e.g. sponsors, hospitals, public health bodies, and drug manufacturers.
Further, this pathway facilitates cross-border access. In theory, if a researcher wants access to health data from hospitals in Spain, Italy and France, these researchers do not need to reach out to every health data access body in the relevant Member States. Instead, they may simply apply to the health data access body in their home Member State, and that body will facilitate access across multiple Member States. In this example, there would be no need to negotiate individual bilateral agreements with multiple hospitals for datasets. Instead, we could see more friction-free access through a more centralised procedure.
Permitted and prohibited purposes
Data users may only access in-scope data for a defined list of permitted purposes, including:
- for public sector bodies only: policymaking and regulatory activities; statistics; and public interest in the area of public health, such as protection against serious cross-border threats and public health surveillance.
- scientific research, which is defined very widely to include product and service development, as well as training and testing algorithms.
- improving delivery of care, treatment optimisation and providing healthcare.
- education or teaching activities in health or care sectors at the level of vocational or higher education.
Data users are prohibited from using the data for marketing and advertising activities, as well as a range of more nefarious activities, such as taking decisions in relation to job offers, or developing products or services that may harm individuals or society such as illicit drugs, alcohol or tobacco.
What are the problems with the permitted and prohibited purposes?
Disappointingly, there are some use cases that are not expressly set out here that would be reassuring for industry, such as prohibiting reverse engineering of products or engaging in unfair commercial practices. Given the breadth of data captured by the EHDS and the weaker IPR protections in recent drafts, this would be a welcome addition.
What do you need to do to prepare for the EHDS?
All organisations in the health and care sectors are effectively health data holders. As holders, organisations will need to begin efforts to:
- map out in-scope electronic health data within their systems and wider infrastructure. This will facilitate compliance with the requirement for holders to provide a catalogue of in-scope data to a health data access body on an annual basis. This catalogue will be publicly available and feature in-depth descriptions of datasets, including the source and scope of data, main characteristics and the conditions for making data available. Whilst organisations should have detailed data maps for personal data under the GDPR, the EHDS also captures non-personal data, which will add a layer of complexity.
- build the capability to make those datasets available to an access body within three months of a request. This will require the right personnel and technical capabilities, including the ability to anonymise electronic health data (more on this in our next blog post).
- consider strategy for preserving IPR. Given the sensitivity of in-scope data, organisations should consider in advance which protections apply to various electronic health data, and the arguments they will run in order to advocate for an access body either rejecting an application or applying rigorous protections. In the life sciences industry, intellectual property rights represent the crown jewels. Although data protection teams should be involved in reviewing requests, intellectual property specialists will be key. Weâll explore this more in our next post.
The flipside is that an organisationâs researchers and product developers may now choose to take advantage of the opportunity to access electronic health data for research and innovation, in their capacity as a data user. Potential data users should ensure there is a governance structure in place to facilitate compliance with a userâs responsibilities under the EHDS, such as access controls, prohibiting any attempt to re-identify individuals in a dataset, and ensuring results or outcomes are made public.
Organisations will already have existing bilateral and multilateral arrangements with various parties on accessing and using electronic health data for secondary purposes. The recitals make clear that these existing arrangements may continue and are not affected.
Whatâs next?
Our next blog post will look into the mechanics of this pathway, as well as the implications for intellectual property rights and the GDPR compliance.
The draft text is undergoing lawyer-linguist revision. Once this has been completed, the European Parliament will need to (re-)confirm the final text. The Council is then expected to formally adopt the finalised text and the EHDS will be published in the EUâs Official Journal before it enters into force (likely to be in the coming months).
These provisions on secondary use of data have a transition period of four to six years before they apply (with four years applying to certain data categories, and six years to others). This generous grace period reflects the intensity of effort that will be required in order to set up the necessary digital infrastructure at both the Member State and EU level.