EU Commission presents plans to make health data available for R&D purposes

Under the EHDS, the health data of EU citizens, such as doctors' letters, medical reports and prescriptions, will be saved electronically. Citizens shall be able to access their personal data. At the same time, the Commission also wants the data to be available for research and development of new medicines, medical technology and treatment methods.

According to the Commission, there is not sufficient data available in the EU for development and research in the health sector. This is due to the fragmentation of standards and specifications for storing and sharing health data in the different member states, and it strongly hinders innovation in digital health, such as the development of new products and services for public health, the Commission said. To solve this, it has proposed a new regulation to grant access rights to health data under specific circumstances.

The Commission stressed the importance of the EHDS being in line with the data protection rules in the EU. It said that researchers, industry and public institutions will only have access to the health data collected in the EHDS for purposes that benefit individuals and society. Also, they will only be able to access data that does not reveal the identity of the data owner.

Under the legislative proposal, so-called "data users" can access and process health data for different permitted purposes set out in the legislation. Anyone who pursues activities for reasons of public interest - including industry - can be considered a "data user". The purposes of particular interest for the processing of health data in the healthcare sector are development and innovation activities for products or services contributing to public health and also the training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health. "Either of these purposes will put health care providers in a position to better exploit the potential coming from health data that could help them develop new medicinal products or new devices involving AI," said Daniel Widmann, expert on digitisation projects and data protection law at Pinsent Masons.

According to the proposed legislation, data users would only be able to access and process health data if they obtain a data permit from the national health data access bodies - which would have to be established by the member states. The data permit sets out how the data may be used and for what purpose. In order to get access to the data for the permitted purposes, a data applicant would have to submit a data access application, which must meet certain requirements. Among other things, a detailed explanation of the intended use of the electronic health data, a description of the requested electronic health data and a description of the safeguards planned to prevent any other use of the electronic health data must be provided.

"It is a positive sign that the Commission has identified that increased access to health data is necessary to promote innovation in digital health in the EU," Widmann said. "However, it has to be seen whether the planned national health data access bodies can actually promote access to health data or will become a bottleneck. An alternative approach to creating government bodies regulating access to health data would have been to pick up the GDPR’s risk-based approach and rely on self-certification by the data users."

Widmann said such self-certification would have to consider the sensitivity of health data and require specific requirements, in particular regarding the security of the processing. "This approach may have the added benefit of less bureaucracy and may lead to an increased availability of health data," he said.

According to the Commission, the EHDS complements the GDPR and other EU legislation on data governance and information security by providing tailor-made rules for the health sector. Lidia Vidal, expert for information technology and data law at Pinsent Masons, said: "The legislative proposal aligns with the GDPR’s ‘data protection by design’ principle, setting out that the use of anonymised electronic health data should be available when possible and if the data user requests it, unless the purpose of the data user’s processing cannot be achieved with anonymised data. In this case the data shall be provided in a pseudonymised format." She also said it is not recommended for data users to attempt to re-identify individuals from the dataset provided, since they could be penalised for it.

Vidal emphasised that the processing of health data can only take place in secure processing environments, with the appropriate technical and organisational measures and security and interoperability requirements in place and in accordance with article 50 of the proposed EHDS-legislation. "Organisations obtaining access to EHDS data would have to make sure that only individuals authorised by the data permit can access the data. These individuals would have to comply with very high privacy and cyber-security standards," Vidal said.