The European Health Data Space: Strengthening patients’ rights

Blog

and Marina Koci
read part two here

 

I. Introduction

Constant technological developments and the COVID-19 pandemic showed the importance of having up-to-date health data in order to make informed decisions on public health policies and crisis management. Currently, individuals can rely on the GDPR for questions relating to processing personal health data and their rights. Nonetheless, individuals can encounter difficulties in exercising their rights over electronic health data, which indicates the need for more specific regulation to enable better access and a more secure environment for sharing.

In March 2022, the European Health Data Space (EHDS) regulation was proposed. The EHDS will allow competent bodies to link health data sets and make them more accessible within the European Union (EU). The proposal expands the primary use of health data (e.g. delivery of care) and is expected to strengthen patients’ control over their data. One of the biggest novelties is the secondary use of health data for innovation, scientific, and policy-making purposes. Additionally, the Commission has listed key benefits to relevant stakeholders here.

 

european health data space

Benefits for users of the European Health Data Space
Source: European Commission, 2022

 

This is the first blog of a two-part series on the EHDS. The first blog will provide a detailed insight into the EHDS provisions by discussing the main parts of the proposal, the primary use and the secondary use of health data across the EU, the legal basis, and the proposal’s current progress.

 

PRIMARY VERSUS SECONDARY USE

II. What is primary use?

Chapter II (Articles 3 – 13) concerns primary use, which is the processing of personal electronic health data aiming to provide direct healthcare to the data subject. It is connected to the rights to access and receive information; rectification; and data portability under the GDPR, building on these rights and developing some of them (Recital 6). We will explore whether these provisions build upon the GDPR, or simply reinforce its concepts. As data portability appears to be a notable challenge within the proposal, we will deal with it separately in the next instalment of this blog series.

Right of access is provided for by Article 15 GDPR. Whilst some Member States provide online portals and applications allowing people to retrieve health data instantaneously, in others right of access consists of providing data in an analogue format, which can be time-consuming. Article 3 EHDS builds upon the GDPR by guaranteeing immediate and free electronic access to health data for individuals, whereas Article 15 only requires the controller to provide access without undue delay and within one month, but not immediately. Individuals can also get free electronic copies (at least for priority categories of data in Article 5), unlike Article 15 GDPR, which holds that an administrative fee may be charged for further copies. Whilst immediate access can be limited based on ethical considerations and the protection of the individual, the EHDS nevertheless develops the GDPR by removing any possible delays regarding data access and the option to charge fees.

The Commission recognised that some States don’t have structures in place to connect EHR (electronic health record) systems and they are fragmented across those who have them; Article 3(5) requires Member States to establish electronic health data access services – online services like an application – to facilitate these rights and enable access, arguably harmonising the systems.

The EHDS aims to make it easier for Europeans to access and share their health data as they travel across borders within the EU. The proposal outlines priority categories of data in Article 5 that must be accessible and exchangeable in a standardised format. Patients will have the ability to:

  • add to their EHR,
  • control access, and,
  • see who has viewed their data

In terms of right to rectification as provided for by Article 16 GDPR, Article 3(7) enables rectification online via health data access services, compounding this right.

To support these enhanced rights, each Member State must appoint a digital health authority responsible for implementation and a national contact point to ensure cooperation with other national contact points and with MyHealth@EU, the key intermediary for supporting and enabling the exchange of data between Member States. This will make it easier for healthcare providers across the EU to access an individual’s health data. For example, if a Spanish citizen falls ill while on holiday in Italy, an Italian healthcare provider should be able to access the Spaniard’s complete medical record.

 

european health data space infograph

Figure showing primary and secondary use
Source: European Commission, 2022

III. What is secondary use?

The secondary use of health data involves processing for innovation, scientific research, policy-making and other similar purposes. The minimum categories of data for secondary use are found in Article 33. This includes:

  • data impacting health,
  • human genetic data,
  • health data registries, and
  • clinical trials data.

The proposal also defines permitted purposes, which includes development and innovation activities (Article 34) and prohibited purposes, which includes using data detrimentally against persons, advertising or marketing, or providing data access to third parties outside of the permit, and developing products harmful to individuals (Article 35).

The proposal creates new regulatory pathways for the secondary use of data from data holders to data users.

Who is a data user?
A “data user” includes any person with lawful access to electronic health data for secondary use.

Who is a data holder?
A “data holder” includes any entity in the field of healthcare and research or any EU institution, body or agency that has the right to make data available according to EU law. For example, pharmaceutical companies can request access to data from the data holder e.g. a hospital – even if they have a commercial purpose – as long as it aligns with one of the legitimate interests, like scientific research and innovation.

The steps for secondary use involve the data user submitting a request for access to health data, the modalities of which depend on the data sought (Articles 45, 47). These requests are assessed by the health data access body, who facilitates secondary use and is responsible for giving access permission and deciding compatibility with the purposes listed in Article 34(1).

Considering that electronic health data are particularly sensitive, it’s necessary to reduce risks on the right to privacy, and anonymised health data should be used where possible. However, if personal data is required and the rationale justified, it should be provided in pseudonymised format with the encryption key held only by a health data access body (Recital 49).

 

IV. Legal basis

The proposal refers to the GDPR for lawful processing, which focuses on Articles 6 and 9, with the legal basis for secondary use based on Article 9(2)(g)-(j). Data users must demonstrate compliance with Article 6(1)(e) or (f), i.e. that access to data is necessary for performing a task carried out in the public or legitimate interest. Data holders – processing data pursuant to Article 6(1)(c) GDPR – must disclose this information to health data access bodies, which will ensure that access is provided based on the grounds indicated in the access application.

 

The lawfulness of the processing relates to the purpose limitation principle (Article 5(1b)) requiring personal data to be collected for “specified, explicit and legitimate purposes” and not further processed in an incompatible manner. Compatible further processing is to be assessed by the data controllers considering the factors in Article 6(4) GDPR, unless the new purpose:

  • Is necessary for the performance of a task carried out in the public interest;
  • Is subject for archival purposes in the public interest, scientific or historical purposes (Article 89(1) GDPR);
  • Has the consent of the data subject.

 

V. Progress of Proposal: what are the next steps?

The proposal remains in its early stages, with the Commission aiming to finalise the legislative process by 2024 for 2025 adoption. The Council has reached a common position on the first two chapters of the proposal, with Article 8 on telemedicine to be removed entirely. Challenges remain regarding preparing Member States for implementation, including consolidating patient information systems and data portability. Our second and final instalment in this blog post series will deal with the challenges posed by the proposal and concerns raised by the EDPB/EDPS, in particular that of data portability.

 

Want to discover more?

If you’re interested in following more on this topic, have a look at our upcoming Artificial Intelligence and Data Protection courses by clicking the button below:

Full course overview

 

 

The views expressed in this blog are those of the authors and not necessarily those of EIPA.

Tags Cyber security