After months in the pipeline, it looks like the European Health Data Space (EHDS) is finally entering into force later this year. But what does this mean for your organisation?
This is the fourth post in our EHDS series. In this post, we focus on the new product regime for electronic health record (EHR) systems, including the impact on wellness apps, AI systems and medical devices. We examine the latest publicly available draft, dated 24 April 2024.
What will this mean for your organisation? If you are a supply chain actor in respect of EHR systems, your compliance journey is about to become more complicated and you will now face a new product regime. If your wellness app, high risk AI system or medical device claims interoperability with EHRs, you will also need to comply.
This new regime is about plugging a “regulatory gap”, where EHR systems tend not to be regulated as medical devices under EU MDR, and do not fall clearly within scope of other targeted EU product regimes either.
What is an EHR system?
An EHR system is wider than you may first assume, and encompasses “any appliance or software” that:
- performs various actions (including to store, view, convert, edit, import, export, or intermediate) in respect of personal electronic health data in the priority categories of data (these include patient summaries, e-prescriptions and test results); and
- is intended by the manufacturer to be used by healthcare providers in providing patient care or by a patient to access their health data.
This definition is wide enough to cover medical devices, but expressly excludes general purpose software used in the healthcare environment.
Compliance journey for EHR systems
There are two core mandatory requirements for EHR systems:
- the interoperability component: the software must be capable of providing and receiving the priority categories of personal electronic health data in the European electronic health record exchange format; and
- the logging component: the software must log information on who accesses the data e.g. health professionals or other individuals.
The focus of this new regime is creating the new digital infrastructure that the wider EHDS needs to work. It’s also about imposing product safety requirements on manufacturers of EHR systems, as well as the wider supply chain (including authorised representatives, importers and distributors). The new regime is not intended to affect procurement, reimbursement and financing of EHR systems.
In a nutshell, manufacturers will be able to self-certify conformity with the two harmonised components, and Notified Body involvement is not required:
- manufacturers will need to ensure that: technical documentation is in place, there is an information sheet, conformity assessments are conducted, they affix a CE marking, they comply with labelling and registration requirements, and that they comply with post-market monitoring obligations.
- manufacturers will also need to test conformity within a European testing environment. This is an automated means of testing compliance prior to placing the EHR system on the market or putting it into service.
What does this mean for wellness applications, medical devices and high risk AI systems (HRAI)?
Manufacturers of wellness apps, manufacturers of medical devices (including in vitro diagnostics) and providers of HRAI may claim interoperability with the two harmonised components, provided that they can prove compliance.
Wellness applications
Wellness applications are widely defined to include any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on the health of individual persons, or the delivery of care for other purposes than the provision of healthcare.
It is arguable as to whether this definition excludes medical devices, and this should be clarified by legislators. If the intention is that exclusion of the purposes of “the provision of healthcare” should apply to both (i) apps which provide information on health AND (ii) the delivery of care, this needs to be made clear. As drafted, it can be argued that the exclusion is only intended to apply to (i) apps for the delivery of care, and not to (ii) apps providing information on health of individuals. If this is the case, medical devices may be in-scope.
For wellness apps that claim interoperability, the manufacturer must:
- apply a digital label that is valid for up to three years at a time.
- share or transmit health data from the wellness app to the EHR system only with “consent” of natural persons. It is not clear whether this is intended to be a GDPR consent, but presumably this is the case.
- register the app in an EU database.
Medical devices and AI systems
It is possible that an EHR system may qualify as a medical device and / or high risk AI system. For example, it may be that an EHR system also has a medical purpose (thus qualifying as a medical device), and there is an embedded AI system safety component (thus qualifying as high risk AI). In this case, the product will need to fulfil the requirements of the EHDS and all other applicable legislation, whether that is the AI Act and / or the Medical Device Regulation.
This means that conformity assessments may be required under up to three separate pieces of regulation under a joint or coordinated procedure. This is likely to be a minefield in practice.
The EHDS introduces a registration requirement for EHR systems claiming conformity with the EHDS. However, the EHDS contradicts itself as to whether medical devices and HRAI that claim interoperability are also required to be registered in this new EU database. The recitals claim registration is not required under the EHDS, whereas the articles state that registration is required under both the EHDS and under the AI Act or Medical Device Regulations (as applicable).
What’s next?
The draft text is undergoing lawyer-linguist revision. Once this has been completed, the European Parliament will need to (re-)confirm the final text. The Council is then be expected to formally adopt the finalised text and the EHDS will be published in the EU’s Official Journal before it enters into force (likely to be in the coming months).
The Chapter focussing on EHR systems will apply six years after entry into force. This generous grace period reflects the intensity of effort that will be required in order to set up the necessary digital infrastructure at both the Member State and EU level.
