On 5th March 2025, the European Health Data Space (EHDS) Regulation was officially published in the Official Journal of the European Union. The EHDS enters into force on 26 March 2025 – this is the beginning of the transition phase towards application. At its core, the EHDS is about three things: (1) empowering patients with new health data rights (primary use); (2) a new pathway to access electronic health data for research and innovation (secondary use); and (3) a new product regime for certain software processing health data.

What are the key timelines?

The EHDS Regulation won’t apply immediately – instead, organisations will need to start working towards March 2029, which is when key obligations on secondary use will come into effect:

  • March 2025: The EHDS Regulation enters into force, marking the beginning of the transition period.
  • March 2027: Deadline for the Commission to adopt key implementing acts, providing detailed rules for the regulation’s operationalisation.
  • March 2029: Key parts of the EHDS Regulation will enter into application, including on the new health data rights. Rules on secondary use will also start to apply for most data categories (e.g. data from electronic health records).
  • March 2031: For primary use, the exchange of the second group of priority categories of health data (medical images, lab results, and hospital discharge reports) should be operational in all EU Member States. Rules on secondary use will also start to apply for the remaining data categories (e.g. genomic data).

What is the new pathway to access data for research and innovation?

The EHDS introduces a new regulatory pathway through which “data holders” must make a wide range of “electronic health data” available to “data users” for a defined list of permitted secondary uses. These permitted uses include scientific research, certain development and innovation activities, and training algorithms. If your organisation operates in the healthcare and life sciences space, your organisation is likely to be a data holder. And that means that your organisation may face requests from third parties (potentially even from your competitors) to access your organisation’s electronic health data.

What’s more, electronic health data is far wider than you may expect, encompassing both personal and non-personal data, and seems to include data generated both pre- and post-EHDS. Holders will need to provide a catalogue of in-scope data to a health data access body on an annual basis, and it will be no mean feat for data holders to map out where these datasets may be located within a large organisation. In an industry where intellectual property rights represent the crown jewels, organisations must start strategizing now about how they intend to protect IPR in their in-scope data. But where there are concerns, there is also opportunity – the EHDS sets out a new streamlined procedure for researchers and developers to access datasets from multiple organisations for research and innovation purposes.

What are the new rights for patients?

One of the core aims of the EHDS is to empower patients with new rights over their health data. These rights supplement existing GDPR rights for data subjects, and legislators hope that these represent an improvement to GDPR rights, which can be cumbersome to exercise (for example, the right of access may involve an admin fee, or may result in a paper response or a delay of up to a month before receipt of a response). Crucially, many of these rights are not exercised directly against data controllers, but against new health data access services that will be set up in each Member State. These include an enhanced right of access, rectification, data portability and restriction (amongst others).

In order to facilitate these new rights, the EU has ambitious plans to build a new digital infrastructure from the ground up. This includes ensuring that the underlying health records of EU citizens are digitised and recorded in a commonly used, machine-readable format called the European electronic health record exchange format. This format will be fleshed out in implementing acts that will set out more detail on coding systems and values, technical interoperability specifications, etc. As a further layer of infrastructure, each Member State will be setting up its own health data access services to facilitate exercise of these rights. At the EU level, MyHealth@EU will be a central platform that facilitates exchange of personal data from one Member State to another.

New regime for certain software processing health data

There is a new product regime for electronic health record (EHR) systems. An EHR system is wider than you may first assume, and encompasses any system whereby software (or a combination of the hardware or software of that system):

  • performs various actions (including to store, view, convert, edit, import, export, or intermediate) in respect of personal electronic health data in the priority categories of data (these include patient summaries, e-prescriptions and test results); and
  • is intended by the manufacturer to be used by healthcare providers when providing patient care or by a patient to access their health data.

This definition is wide enough to cover medical devices, but expressly excludes general purpose software used in the healthcare environment.

There are two core mandatory requirements for EHR systems:

  • the interoperability component: the software must be capable of providing and receiving the priority categories of personal electronic health data in the European electronic health record exchange format; and
  • the logging component: the software must log information on who accesses the data e.g. health professionals or other individuals.

The focus of this new regime is creating the new digital infrastructure that the wider EHDS needs to work. It’s also about imposing product safety requirements on manufacturers of EHR systems, as well as the wider supply chain (including authorised representatives, importers and distributors). The new regime is not intended to affect procurement, reimbursement and financing of EHR systems.

Manufacturers of wellness apps, manufacturers of medical devices (including in vitro diagnostics) and providers of high-risk AI systems under the AI Act may claim interoperability with the two harmonised components, provided that they can prove compliance.

What should you do next?

It’s not too early to start preparing. Key actions for legal teams are:

  • Data mapping exercise: As a data holder, organisations will need to provide a catalogue of in-scope datasets to their health data access body on an annual basis. This means a data mapping exercise is essential – we are strategizing now with organisations on how to deal with unclear jurisdictional scope for certain in-scope data, and how to map out both personal and non-personal data that may not be restricted by time of generation or collection.
  • Build governance and teams for compliance: Once a data holder receives a request to access data by a data user, it must be capable of making datasets available to a health data access body within short timelines (e.g. within 3 months of a request). This means organisations need the teams and technical capabilities to action requests from access bodies. In addition, data users should build governance structures and technical capabilities to ensure compliance with EHDS restrictions on use and access to requested data.
  • Update data governance processes: Organisations should update their GDPR compliance framework to take any new processing activities under the EHDS into account. This includes updating privacy notices, conducting data protection impact assessments and records of processing.
  • Consider strategy for preserving sensitive information: Given the sensitivity of in-scope data, organisations need to consider in advance which protections apply to electronic health data, and the arguments they will run in order to advocate for an access body either rejecting an application or applying rigorous protections. We are already working with organisations to start implementing protections for certain data so there are strong arguments in place that certain data should not be shared under the EHDS umbrella.
  • Contract remediation: Contracts may need updating to facilitate mandatory disclosure under the EHDS, or to enhance arguments that certain data should not be disclosed without rigorous protections.
  • Legislative monitoring will be key: There seems already to be a considerable gap between some of the (vague) requirements in the EHDS and the steps that will need to be taken by technical specialists in reality. A great example of this is the technical standards for data interoperability, which will be set out in implementing acts. Monitoring updates and announcements will be essential.
  • Explore opportunities / risks with the business: There are strategic discussions to be had with commercial teams around: (a) the data organisations may want to access for their own use cases; and (b) the datasets which may be most at risk of requests for disclosure, and the implications for the organisation.

We are working with organisations on these issues now – please reach out if you’d like to discuss this.

Author

Jaspreet Takhar is a senior associate in Baker McKenzie's London office and advises market-leading tech and healthcare companies on issues at the cutting-edge of digital health.

Author

Julia Gillert is Of Counsel at Baker McKenzie's London office, and has shaped her practice to focus exclusively on regulatory matters affecting the Healthcare & Life Sciences industry.

Author

Elina Angeloudi is an associate at Baker McKenzie's London office and specialises in regulatory advice to pharmaceutical and medical devices companies.