.png)
%20(100%20x%20250%20mm).jpg)
%20(100%20x%20250%20mm).jpg)
%20(100%20x%20250%20mm).jpg)
​The article discusses the European Health Data Space (EHDS) regulation. As a transformative framework for health data sharing across the EU, it will bring significant changes for businesses operating in the healthcare and digital sectors. This topic is closely related to our work, not only because Anubhuti Sinha, one of the authors of the article, is a crucial member of RES-Q+, but also because the development of our virtual assistant relies on the EHDS.
​The European Health Data Space (EHDS) regulation is in its final stretch, moving closer to adoption after extensive negotiations. As a transformative framework for health data sharing across the EU, it will bring significant changes for businesses operating in the healthcare and digital sectors. This article explores some of the key impacts of EHDS, highlighting both challenges and opportunities for companies navigating the new regulatory landscape.
The EHDS aims to accelerate research and innovation by providing businesses and innovators with easier access to high-quality, cross-border health data. In order to compile comprehensive national and EU-wide data catalogues, EHDS requires health data holders, such as healthcare providers, healthcare research institutions or developers of products intended for healthcare, to inform health data access bodies about the electronic health data (EHD) they possess.
The EHDS regulation creates a clear system for accessing EHD for primary use (in healthcare) and secondary use - for research and innovation. The standardized rules on accessing EHD for secondary use paves a way for companies to request different types of health-related data, including disease registries, genomic data, and other factors affecting health, such as substance use, socio-economic status, behavior, and environmental data like pollution. Researchers can use this data to develop new healthcare products and services, such as advanced treatments and personalized medicine.
​
Each EU Member State will designate one or more health data access bodies (HDAB). These HDABs will act as intermediaries between a holder of EHD and the possible users of such EHD. Once the HDABs are set up, researchers and businesses can approach them to request access to certain EHD available with one or more health data holders. HDABs are tasked with, among others, maintaining data catalogues, assisting in the anonymization/pseudonymization of the requested EHD and carrying out various administrative functions.
For example, a pharmaceutical company may apply to a HDAB for a data permit to access EHD from one or more hospitals. The HDAB will evaluate the application based on different factors such as the purposes described in the application and will either grant a data permit, or reject the health data access application within three months. Once the data permit is issued, the HDAB will coordinate with the health data holder to collect the EHD, anonymize and pseudonymize it, and provide this pharmaceutical company with access to this EHD in a secure processing environment. The pharmaceutical company will be allowed to use the EHD for the purposes and within limits specified in the permit.
The process for accessing data for secondary use relies significantly on HDABs. However, to streamline the process, the EHDS regulation has also introduced the concept of a ‘trusted health data holders’. These ‘trusted health data holders’ will be able to review the health data access application or health data request and provide recommendations to HDAB(s), which will make the final decision of data permit. This designation allows heath data holders to have some control over who accesses their EHD.
The EHDS regulation also provides a mechanism for cross-border participation in the exchange of EHD for secondary use. Additionally, it lays down the requirements for a third-country or an international organization to participate in data sharing for secondary use as long as they are in compliance with the GDPR and the EHDS Regulation.
​
The standardized rules of EHDS offer businesses and researchers clearer and more reliable access to health data, helping to drive innovation. The implementation of the administrative process by the EU countries should, however, ensure that data access remains efficient, timely, and balanced with necessary safeguards to protect privacy and security.
In addition to the standardized rules on data access for secondary use, the EHDS will provide natural persons (patients) with additional rights in relation to their health data, building on the right to access personal data and right to interoperability of personal data enumerated in the GDPR. Going forward, healthcare providers that process health data using EHR systems are required to incorporate technical and organizational conditions laid down in the EHDS regulation.
While the EHDS regulation lays down the rules for secondary use of EHD, it highlights the process required for EHD protected by intellectual property (IP) rights, trade secrets or regulatory data protection rights[1]. A health data holder which has EHD protected by such rights has to inform the HDAB, specifying the datasets that will fall within such protection and also providing a justification.
​
Once a HDAB approaches the holder for the protected EHD, the HDAB will be responsible for determining the appropriate and proportionate measures necessary to protect the IP rights, trade secrets and regulatory data protection rights of the health data holder. Among the legal, technical and organizational measures that a HDAB can recommend are contractual arrangements between the data holder and the data user. The Commission is expected to develop and recommend non-binding models of the contractual terms and such arrangements. Other measures include specific obligations stipulated in the data permit in relation to such rights, configuration of the secure processing environment so that the protected information is not available to the health data user, or pre-processing the EHD to generate derived data (such as synthetic data) that protect a trade secret but have the utility for a health data user.
​
If there is serious risk that the IP rights, trade secrets or regulatory data protection rights of the data holder can be infringed, and this risk cannot be addressed by implementation of the protection measures, HDAB can refuse access to the EHD.
​
Therefore, all data holders—particularly commercial research centers and life science companies—must review and label their EHD datasets. This process is crucial to ensuring that highly confidential EHD, protected by IP rights, trade secrets, or regulatory data protection, is not improperly disclosed. However, these provisions of the EHDS regulation cannot be used to circumvent existing transparency requirements under other EU laws, including those governing clinical trials and clinical investigations.
​
[1] These rights are laid down laid down in Article 10(1) of Directive 2001/83/EC of the European Parliament and of the Council or Article 14(11) of Regulation (EC) No 726/2004 of the European Parliament and of the Council.
An Electronic Health Record (EHR) system allows healthcare providers to store, manage, and access priority categories of personal electronic health data (e.g., patient summaries, electronic prescriptions, test results and medical images). Healthcare institutions can use this data when providing patient care. Standardizing EHR systems is essential for seamless data exchange between medical centers, avoiding vendor lock-in, improving patient care, and supporting secondary use of EHD. It is crucial for interoperability and cross-border exchange of patient’s data.
​
Hence, manufacturers, importers or distributors of EHR systems will need to comply with a number of obligations. The most extensive requirements, shown below, apply to manufacturers of EHR systems intended for the EU market.
EHDS regulation also places obligations on importers, such as an obligation to verify, before placing an EHR system on the market, that the manufacturer has fulfilled its obligations (e.g., existence of technical documentation, EU declaration of conformity, and CE marking of conformity). Moreover, they shall ensure that when under their responsibility the EHR system complies with the essential requirements. If not, they are obliged to recall or withdraw the EHR system and inform the manufacturer, the market surveillance authorities and users. Distributors’ obligations mirror those of importers.
The EHDS establishes rules for wellness app developers, marking the first EU law to specifically regulate these popular applications. Wellness apps are software—or a mix of hardware and software—designed for individuals to process EHD. These apps provide health-related information or support care, but not as part of formal healthcare services. Examples of such apps are Fitbit, Sleep Cycle, and MyFitnessPal.
​
However, EHDS regulation applies only to apps for which their manufacturer claims to be interoperable with an EHR system. Those are apps which can be connected to and supply data about users' health directly into an EHR system.
​
Overview of obligations applicable to such wellness applications:
Suppliers and distributors of wellness applications bear subsequent obligations. In particular, suppliers are obliged to verify that each app is accompanied by the label, free of charge, while distributors shall ensure that the label is electronically available to their customers.
With the final version of the EHDS on its way, significant implications are expected not just for the healthcare providers and research facilities but also for sectors like and life sciences industries, pharmaceuticals, AI and tech, insurance, and research organizations. While the full implementation of EHDS will take several years, businesses must start preparing now, as the drafts of implementing acts will be shaped by ongoing initiatives, such as public consultations launched by TEHDAS2. These projects are already laying the groundwork for secondary use of health data, interoperability, and governance structures. Companies handling EHD should stay engaged in regulatory developments, assess compliance needs, and anticipate how EHDS may reshape data-sharing practices in their sector. Different businesses in the healthcare and the care sectors that are affected by the EHDS can gain an advantage to navigate this transformation effectively by taking certain initial steps. These steps include the following depending on the nature of the business:
Authors
Source: www.timelex.eu
The authors of this article are participating in the following EU-funded projects:
RES-Q+, Flute, Trumpet - Magdalena Kogut-Czarkowska,
Eleni Moraiti, GLIOMATCH - Anubhuti Sinha
​
%20(100%20x%20250%20mm).jpg)
%20(100%20x%20250%20mm).jpg)
%20(100%20x%20250%20mm).jpg)