EU plans to create a new ‘European health data space’ (EHDS) will force digital health providers to meet a series of new legal requirements applicable to the systems they use for processing health data.
There is uncertainty, however, over whether digital health providers will be compelled to make the electronic health data their software generates available to others when the EHDS begins to operate.
What is the European health data space?
The European health data space (EHDS) seeks to address health-specific challenges to data access and sharing. In particular, the EHDS:
- empowers patients with new rights to control their electronic health data in the context of healthcare;
- establishes a mandatory cross-border infrastructure enabling the use of electronic health data across EU for the primary use purposes of providing health services;
- introduces obligations on ‘data holders’ to make electronic health data available to third parties, including public sector bodies, for ‘secondary use’, and sets out rules and mechanisms to support this; and
- lays down rules for making electronic health record systems available on the EU market.
The European Commission’s proposal for the EHDS is currently being assessed by the EU’s two law making bodies – the Council of Ministers and the European Parliament. There is significant overlap between the proposal and other legal regimes – it has, for example, already been subject to commentary by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS).
How does the EHDS apply in the digital health context?
According to the Commission’s proposal, manufacturers and suppliers of electronic health record systems and wellness applications placed on the market and into service in the EU will be required to comply with the EHDS regulation. There are several provisions that would have implications for digital health businesses if they were enacted as drafted currently.
Applicability and interoperability
For the purpose of the draft EHDS regulation, electronic health records (EHRs) are a collection of electronic health data related to a natural person, gathered in the health system and processed for healthcare purposes. Any appliance or software produced by a manufacturer with the intention of being used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records will be considered an electronic health record system (EHR system). As such, any manufacturer that develops a software product for managing health data will be subject to the EHDS.
Manufacturers of ‘wellness applications’, i.e., appliances or software intended by the manufacturer to be used for processing electronic health data for purposes other than healthcare, such as manufacturers of apps that seek to provide individuals with wellness or nutrition information, or wearables that collect exercise data, will be within scope of the EHDS regulation.
Interoperability and data portability between EHR systems is a core feature of the EHDS. Manufacturers of EHR systems will be required to ensure that those systems conform to the essential requirements set out in Annex II of the EHDS regulation before placing them on the EU market.
As well as stipulating requirements relating to patient safety, Annex II sets out requirements for security and in relation to interoperability and compatibility with other EHR systems and the European infrastructures that will be established under the EHDS. Reflecting the General Data Protection Regulation’s (GDPR) principle of data protection by design and by default, manufacturers will be required to ensure that EHR systems are designed and developed in a way that ensures the safe and secure processing of electronic health data.
Under the proposed EHDS regulation, the Commission will also adopt common specifications in respect of the essential requirements set out in Annex II, via implementing acts, including time limits for implementation of those specifications. The common specifications may include elements related to datasets containing electronic health data and defining structures, for example data fields and data groups, technical specifications, standards and profiles for the exchange of electronic health data, and other requirements related to data quality.
Where manufacturers of medical devices and high-risk artificial intelligence (AI) systems declare interoperability with EHR systems, those medical devices or AI systems will also need to comply with the essential requirements on interoperability under the EHDS.
Manufacturers of wellness applications claiming interoperability with an EHR system and therefore the essential requirements may volunteer to have their applications accompanied by a label indicating compliance with these requirements. In that circumstance, market surveillance authorities designated by member states will be required to check their compliance.
Although there will be a high burden in the short term of ensuring EHR systems and other interoperable products conform with the essential requirements and common specifications, in the longer term it is hoped that interoperability will reduce the barriers and costs that manufacturers face when seeking to enter another member state market.
Safety reporting obligations
Where a serious incident involving an EHR system occurs, manufacturers will be required to report this to the market surveillance authorities of the member state in which the serious incident occurred and provide details of the corrective actions taken or envisaged by the manufacturer.
Serious incidents that might lead to death or serious damage to a person’s health or a serious disruption of the management and operation of critical infrastructure in the health sector will need to be notified immediately after a causal link between the EHR system and the serious incident, or reasonable likelihood of such a link, has been established, and in any event no later than 15 days after the manufacturer becomes aware of the serious incident.
Individual data rights
The draft EHDS regulation makes provision for a suite of complementary rights to exist alongside the access and data portability rights that already exist under the GDPR. Under the proposal, these rights would apply only where an individual’s personal electronic health data is being processed for the so-called primary use purposes. Individuals would, for example, have the rights to:
- access their personal electronic health data processed in the context of primary use, immediately, free of charge and in an easily readable, consolidated and accessible form;
- insert electronic health data in their own EHR through electronic health data access services or apps linked to these services;
- receive an electronic copy of their personal electronic health data in a format prescribed by the Commission referred to in the draft regulation as the ‘European Electronic Health Record Exchange Format’, regardless of whether the individual has themselves shared their health information with the data holder; and
- have a data holder give access to or transmit their personal electronic health data to another natural or legal person from the health or social security sector. Currently, a controller is only required to do this where such a transfer is ‘technically feasible’ under the GDPR – no such qualification exists under the EHDS proposal.
Access and data portability rights are particularly likely to impact EHR systems and how they are developed and structured. Interoperability established under the EHDS will support these aims, but secure access rights will be vital to the protection of personal data held within these systems.
Secondary use of electronic health data
One feature of the EHDS that is likely to have a far-reaching impact on the digital health sector is the proposal to expand the availability of electronic health data for secondary use.
The EHDS sets out a regime that would allow electronic health data to be further processed for a specific set of ‘secondary use’ purposes, such as development and innovation activities for products or services contributing to public health or social security, or for the purposes of training, testing and evaluating algorithms.
EHRs and person-generated electronic health data, including from medical devices, wellness applications and other digital health applications, all fall within the scope of the minimum categories of data that need to be made available by data holders for secondary use. The definition of ‘data holder’ is wide and includes an entity in the health or care sector, or performing research in relation to these sectors, with the right, obligation or ability to make available certain data. The EHDS proposal is clear that private entities are included in the scope of ‘data holders’, so the term could apply to digital health companies if they are considered to be in the health and care sectors.
However, the EDPB and EDPS are of the opinion that electronic health data from wellness applications and other digital applications should be excluded from the scope of the secondary use obligations under the EHDS.
The watchdogs consider, among other things, that health data generated by these applications does not have the same data quality requirements as that generated by medical devices. They are also concerned that applications and wearable technology generate huge amounts of data which can be invasive and allow conclusions to be made about other aspects of an individual’s private life. For example, it might be possible to infer an individual’s religious orientation based on data collected through a nutrition app.
The EDPB and EDPS have recommended that, if this data remains within the scope of the secondary use obligations, individuals should have the freedom to decide whether their personal data collected through wellness applications and other digital applications may be used for secondary use purposes, and that data subjects are properly informed about their choices in this regard. Calls to implement a scheme of dynamic consent from individuals for the re-use of their health data, put forward by the Guild of European Research-Intensive Universities, also support this recommendation.
Looking to the future
The high-level requirements that manufacturers of EHR systems and wellness applications must meet under the draft EHDS regulation are clear, but the practical implications of what this will mean and the specific standards that will need to be met remain to be seen. It is expected that these details will not be provided until a much later stage once the legislation has come into force.
Written by Anita Basi of Pinsent Masons.