Health Data: European Commission Proposes New Rules on Access and Use

The European Commission's proposal to establish a European Health Data Space ("EHDS") aims to improve access by individuals to their health data (primary use) and facilitate the re-use of health data for societal good across the European Union (secondary use).

While the draft EHDS regulation might easily get lost in an alphabet of data-related legislative proposals coming from the European Commission, businesses operating in the health and pharma sectors should carefully consider how the EHDS might affect them.

In particular, the EHDS would introduce a new regime for the compulsory licensing of health data to third parties. Taken together with the broad definition of health data under the proposal, businesses will be required to understand what health data they possess and consider what measures they need to implement to protect the intellectual property rights in the data.

The EHDS proposal covers three main areas:

1. Giving individuals more control over their health data
2. New self-certification requirements
3. A new framework for secondary use of health data

Giving individuals more control over their health data:

• The proposal would give patients additional access and control rights over their electronic health records free of charge in addition, and complementary, to the data subject rights under the EU General Data Protection Regulation (the "GDPR").
• The regulation would also require organisations handling electronic health data to comply with mandatory interoperability requirements and implement measures to ensure security for electronic health records.
• Finally, the European Commission would be asked to establish MyHealth@EU, a platform to facilitate the cross-border exchange of electronic health data across the European Union.

New self-certification requirements:

• The regulation would require economic operators (including manufacturers, importers and distributors) of electronic health record ("EHR") systems to ensure that the EHR system complies with the requirements in the regulation and bears CE marking. The European Commission explained that this is required to ensure that EHRs are compatible and to allow easy transmission of electronic health data between different systems.
• The regulation would also introduce voluntary labelling of wellness applications interoperable with EHR systems.
• Finally, the European Commission would establish a publicly available database of EHR systems and wellness applications.

New framework for secondary use of health data:

• The EHDS proposal would establish a framework for academic institutions, businesses, policy makers and regulators (i.e., "data users") to get access to anonymised or pseudonymised electronic health data for secondary use directly from the organisation that holds the health data (i.e. the "data holder") or from a health data access body (a new body to be established in each EU member state). Under the proposal, health data re-use would be subject to both an authorisation and a compensation scheme.
• Below we answer some of the most frequently asked questions about the EHDS proposal:

1. What health data will have to be made available for secondary use?
   
   Under the framework, data holders (other than micro-enterprises) would be required to make wide categories of health data (including patient registries, electronic health data from clinical trials, medical devices, questionnaires and surveys related to health) available for secondary use for one of the permitted purposes (see below).
   
   Crucially, the EHDS proposal makes clear that electronic health data which includes intellectual property and trade secrets from businesses should also be made available for secondary use provided that "all measures necessary to preserve the confidentiality of IP rights and trade secrets shall be taken". It is currently unclear how this obligation would operate in practice.
   
   
2. What could data users use the health data for?
   
   Article 34 sets out eight permitted purposes, which include:
   
   
   • scientific research related to health or care sectors,
   • development and innovation activities,
   • training, testing and evaluating algorithms, and
   • providing personalised healthcare.
     
     The specific inclusion of use of health data for training algorithms is good news for businesses creating AI models used in healthcare.
     
     However, Article 35 expressly prohibits five secondary uses of electronic health data:
     
     
   • to take decisions that may be detrimental to a natural person,
   • to take decisions that may exclude individuals or groups from the benefit of an insurance contract,
   • for advertising or marketing,
   • to make the health data available to third parties not covered by the data product, and
   • to develop products or services that may harm individuals or societies, including, but not limited to, drugs, alcoholic beverages or tobacco products.
     
     
3. How could organisations access health data for secondary use?
   
   Any natural or legal person would be able to submit a data access application to a health data access body. If the natural or legal person requires an answer only in an anonymised statistical format, they can submit a data request to the health data access body instead. If the data user requires electronic health data from more than one EU member state, the health data access body to whom the data user submitted the application will coordinate with other health data access bodies concerned using the newly established HealthData@EU platform.
   
   The health data access body will have to issue a data permit within two months (subject to an extension of additional two months for complex requests) of receiving the application if:
   
   
   • the application fulfils one of the permitted purposes under the regulation,
   • the requested data is necessary for the purposes listed in the application, and
   • the other requirements of the regulation are fulfilled.
     
     The health data access body will then be required to give the data user access to the requested health data in a secure processing environment. The regulation specifies that the health data access bodies and the data users will be considered joint controllers of electronic health data processed in accordance with the data permit. The European Commission is expected to publish a template joint controllers' agreement for this purpose.
     
     Data users will be required to make public the results or output of the secondary use of electronic health data within 18 months of completing the processing and acknowledge the fact that the electronic heath data has been obtained in the context of the EHDS.
     
     If the applicant requires access to electronic health data only from a single data holder in one EU member state, the applicant may file a data access application or a data request directly to the data holder. The data holder will then be required to assess the application and, if it meets the requirements under the regulation, to provide access to the electronic health data in a secure processing environment.
     
     
4. What will the fees be for organisations that want to use health data for secondary use?
   
   Health data access bodies and single data holders may charge fees for making electronic health data available for secondary use. However, any fees "shall be transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition".

Timeframe

The European Commission published the EHDS proposal on 3 May 2022 with the aim to adopt the EHDS by the end of its current mandate on 31 October 2024. The European Commission expressed its hope that the provisions of the regulation will enter into force across all EU member states in 2025.

Comment

If approved by the European Parliament and the Council of the European Union in the form proposed by the European Commission, the EHDS proposal could transform data sharing in the healthcare sector.
In particular, the regulation would address some of the gaps in the GDPR relating to sharing health data for research and development purposes, which were caused by the inconsistent approaches adopted by different EU member states in relation to legal bases and special conditions for processing special categories of personal data and the overreliance on consent.

While access to health data for secondary use may bring new opportunities for many businesses, organisations that hold valuable health data might become a target of data access applications and/or data requests from data users and will need to have the legal and technical expertise and resources required to respond to the requests in accordance with the regulation. The wide definition of health data, which might include trade secrets and other data protected by intellectual property rights , will require businesses to understand what health data they possess and consider what measures to implement to protect the intellectual property rights and trade secrets vested in the data.