On 15 March 2024, the European Parliament and the Council of the European Union (EU legislators) reached a provisional agreement on the text of the Regulation creating a European Health Data Space (EHDS).

Please note that the text of the agreement has not yet been officially published. This blog is solely based on the press releases that have been published by each of the institutions on their websites (available here, here and here) and has been updated considering some additional indications as to the content of the agreed text.

Background

The agreement reached among the EU legislators is based on the European Commission proposal for a Regulation creating a European Health Data Space, which was published on May 2022. See our previous blog for details on the Commission proposal.

The text included in the Commission proposal has been subject to negotiations within each of the EU legislators, and has undergone changes following the introduction of various amendments to the text.

Key elements of the agreement

There are several key elements of the agreement that are worth highlighting. These include:

  • Broad definition of health data: Health data is referred to as including data from health records, clinical trials, health claims and reimbursements, and public health registry information; pathogen genetic data and other human molecular; data automatically generated through medical devices and other health data from medical devices; wellness data; and aggregated data on healthcare resources, expenditure and financing;
  • Limits to access to electronic health data:
    • Data permit: Access to data is allowed upon obtaining a data permit from a health data access body, who will evaluate based on cumulative criteria (e.g. purpose and necessity of the processing, the expertise of the applicant, and the adequacy of technical and organizational measures);
    • Patients have the right to object to the use of their data:
      • For primary use (i.e. use of the data by a healthcare professional (HCP)): Patients may object to the primary use of their data, except when the data processing is necessary to protect the data subject's or another natural person, in which case the HCP may access it ; and
      • For secondary use: Patients may object to the secondary use of their data subject to certain conditions (i.e. opt-out mechanism), except when requested by a public body for public interest purposes. Member States may introduce further measures for certain data categories (e.g. genomic data). However, it is likely that the Regulation will not refer to opt-in mechanisms;
    • Health data access bodies may take measures in the case of non-compliance (i.e. revoking data permits, excluding access to the EHDS for up to 5 years, or imposing periodic penalty payments);
    • Patients will be informed every time their data is accessed; and information about the data applicant will be made public (e.g. identity, professional functions and operations, purposes for accessing the data and expected benefit, safeguards, and justified estimated period of the processing);
  • Limits to sharing electronic health data:
    • Permitted: Data may be shared to third parties mentioned in the data permit only; and for public interest purposes (i.e. research and innovation). Note that health data must be anonymized or pseudonymized when shared;
    • Prohibited: For advertising or assessing insurance requests;
  • Possible stricter national measures: Member States may introduce stricter measures regarding access to specific types of sensitive data (e.g. genetic, epigenomic and genomic data and human molecular data (i.e. proteomic transcriptomic, metabolomic, lipidomic and other similar data)).
  • Protecting Intellectual property (IP) and regulatory data protection (DP) rights; and trade secrets: The secondary use of electronical health data covered by IP and regulatory data protection rights, as well as trade secrets, is possible, provided that it follows the principles outlined in the Regulation (i.e. informing the health data access body and justifying what exactly needs protection; implementing specific and appropriate proportionate measures; conditioning on legal, organizational and technical measures; and refusing access if necessary);
  • International health data transfers and data localisation: The condition set for health data transfers to third countries is to comply with the requirements introduced in the General Data Protection Regulation (GDPR) and with additional measures that will be specified in a future Delegated Act. Data must be stored in the EU or in a country subject to an data protection adequacy decision by the European Commission;
  • Stakeholder forum: A stakeholder forum will be establish to provide input on the EHDS and facilitate cooperation to ensure its correct implementation. The forum will consist of representatives from various sectors including industry, researchers, patient advocates, HCPs, consumers, and academia, and will meet regularly.

Next steps

The provisional agreement reached by EU legislators on the Regulation creating a EHDS is positive news, as it shows progress towards improving access to health data electronically across the European Union. Additionally, the agreed text is expected to provide more clarity on certain aspects that were potentially problematic in the Commission's initial proposal, particularly regarding IP rights and trade secrets, international health data transfers, as well as the scope of opt-out mechanisms and whether opt-in mechanisms will be used.

A thorough review of the official agreed text, once published, is necessary to fully assess the real implications for industry, both positive and negative.

The agreement still requires formal adoption by the European Parliament and Council before it can become law, which is expected to happen before the European Parliament elections scheduled for June 2024. It is also expected that the Regulation will come into effect two years after its entry into force, with certain exceptions where the application will be delayed (e.g. provisions concerning the secondary use of electronic health data will take effect four years after the entry into force, with some exceptions where it will occur at an even later date).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.