ARTICLE
31 March 2025

European Health Data Space Regulation Sets Requirements For Electronic Health Record Systems

AO
A&O Shearman

Contributor

A&O Shearman was formed in 2024 via the merger of two historic firms, Allen & Overy and Shearman & Sterling. With nearly 4,000 lawyers globally, we are equally fluent in English law, U.S. law and the laws of the world’s most dynamic markets. This combination creates a new kind of law firm, one built to achieve unparalleled outcomes for our clients on their most complex, multijurisdictional matters – everywhere in the world. A firm that advises at the forefront of the forces changing the current of global business and that is unrivalled in its global strength. Our clients benefit from the collective experience of teams who work with many of the world’s most influential companies and institutions, and have a history of precedent-setting innovations. Together our lawyers advise more than a third of NYSE-listed businesses, a fifth of the NASDAQ and a notable proportion of the London Stock Exchange, the Euronext, Euronext Paris and the Tokyo and Hong Kong Stock Exchanges.
On 5 March 2025, Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive...
European Union Food, Drugs, Healthcare, Life Sciences

On 5 March 2025, Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (the Regulation) was published in the Official Journal of the European Union.

As we have previously reported, the Regulation is intended to enhance the accessibility, interoperability and security of electronic health data in the EU. It aims to give individuals access to their health records and allow healthcare professionals across the EU to access a patient's personal health data to facilitate treatment. Others, such as public health authorities, researchers and industry (known as 'health data users') will also be able to use health data made available by so-called data holders in anonymised or pseudonymised forms for certain secondary uses.

The Regulation lists both permitted and prohibited secondary use purposes for electronic health data. Permitted purposes include:

  • activities in the public interest in public or occupational health;
  • policy making and regulatory activities;
  • official statistics;
  • education at vocational and higher education levels;
  • scientific research (which covers the development of new products and medicines), training, testing and evaluating algorithms (including in medical devices), AI systems and digital applications; and
  • the improvement of delivery of care.

Prohibited purposes include using electronic health data to:

  • take decisions detrimental to a person or group of people;
  • take discriminatory decisions, for example relating to an insurance premium or conditions or to a job offer;
  • conduct marketing or advertising activities;
  • develop harmful products; or
  • conduct activities which conflict with ethical provisions in national laws.

Health data users will be able to apply for a permit from a health data access body to obtain access to health data, which must be granted if the health data access body concludes that relevant requirements are satisfied. These include that the data will be used for a permitted purpose, the requested data is necessary, adequate and proportionate for the intended purpose, the applicant has a legal basis and satisfactory qualifications and expertise for the intended purpose, among others. However, the application can be denied if there are risks for national defence, security, public security, and public order, or confidentiality of governmental databases which are not sufficiently mitigated.

Fines for breaches of the Regulation can reach up to 20 million Euro or 4% of annual worldwide turnover.

The Regulation entered into force on 26 March 2025. It will apply from 26 March 2027, with different commencement dates applicable to certain obligations. For example, Chapter III, which sets out the provisions on secondary use of electronic health data, will apply only from 26 March 2029. For certain data (including medical imaging studies and related imaging reports, medical test results and discharge reports), data holders' sharing obligations will only apply from 26 March 2031.

The European Commission has also published a document of frequently asked questions (FAQs) on the Regulation.

The Regulation is available here and the FAQs here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More