The European Health Data Space (EHDS) Regulation seeks to overcome significant obstacles in digital health by creating a comprehensive framework for sharing electronic health data. It aims to establish clear rules, common standards, digital infrastructures, and a robust governance structure. The EHDS includes benefits for patients, healthcare providers, researchers, policymakers, and industry stakeholders, including improved data access, enhanced interoperability, and stronger data protection. The regulation will build on existing European regulations and aims to standardize digital health practices across the EU by 2028.
Every day, healthcare operators in the EU generate and use vast amounts of electronic health data. This data is a crucial resource, as demonstrated by the Covid-19 pandemic, which highlighted the need for constantly updated information to adopt effective public health policies and measures. Despite the accelerated implementation of digital tools during the pandemic, significant obstacles remain that limit the full potential of digital health.
The EHDS aims to overcome these obstacles by creating a framework for sharing electronic health data and establishing clear rules, common standards, digital infrastructures, and a governance structure for their use. This includes patient care, research, policy development, patient safety, and statistical collection.
To further strengthen individuals' rights concerning the primary use of their health data, the EHDS proposal aims, among other things, to ensure immediate, free, and easily readable access to their personal electronic health data processed during care and to request the exchange of this data with a healthcare data controller. The proposal also identifies "priority" categories of personal electronic health data to be guaranteed minimum protection for patients, such as patient summaries, electronic prescriptions, medical imaging studies and related imaging reports and discharge reports.
The EHDS promises to offer benefits to multiple stakeholders, including patients, healthcare providers, researchers, medical regulatory authorities, policymakers, and the industry.
According to the European Commission's estimates, the EHDS could save approximately 11 billion euros over ten years, with 5.5 billion euros from better access and exchange of health data in healthcare and 5.4 billion euros from optimizing the use of health data for research, innovation, and digital health policies.
The EHDS will establish a central digital health platform to facilitate the exchange of electronic health data between national contact points of Member States and introduce a framework for the secondary use of health data. This secondary use includes processing data initially collected for patient care for activities such as scientific research, policy formulation, innovation, and industrial applications, as well as training, testing, and evaluating algorithms, including for medical devices.
The EHDS prohibits the secondary use of data for activities like marketing to users, developing harmful products or services, and making adverse decisions about individuals (or a group of individuals) that produce legal, social or economic effects on, or similarly significantly affect, those natural persons. A new European Health Data Space Board will oversee the consistent application of rules across the EU, supported by a stakeholder forum involving patient organizations, researchers, and industry representatives.
The EHDS builds on European regulations such as the General Data Protection Regulation (GDPR), the Medical Device Regulation, the Data Governance Act, the Data Act, the NIS2 Directive, and the AI Act Regulation, providing additional specific rules for the healthcare sector.
From a privacy perspective, the EHDS regulation leverages the opportunities provided by the GDPR to develop an EU regulation on the use of personal electronic health data for diagnosis, healthcare, and management of healthcare systems and services. It also allows the use of electronic health data for scientific or historical research, official statistical purposes, and public interest reasons in public health, such as protecting against serious cross-border health threats and ensuring high standards of quality and safety in healthcare, medicinal products, and medical devices.
To make data, including personal data, available for secondary use, Member States are tasked with designating one or more entities responsible for data access (i.e., health data access bodies) for those who require access and can obtain it with a specific permit (also called “health data users”). These entities will grant access to electronic health data for secondary use, acting as data controllers under the GDPR when fulfilling their tasks pursuant to the EHDS Regulation. In addition, the proposal includes a specific right for data subjects to opt out of the processing of their personal electronic health data for secondary use at any time, without stating the reasons, and mandates that Member States provide an accessible opt-out mechanism.
Member States show varying levels of digital maturity in the healthcare space. The EHDS aims to standardize digital health practices across the EU by 2028, with additional data categories to be achieved by 2030. This timeframe allows adequate preparation for Member States and healthcare providers.
In Italy, the regulation of digital health tools, research, and secondary use of data has become a priority for national legislators and authorities, such as the Italian Data Protection Authority (ITDPA). This commitment is reflected in various national initiatives, such as the recent amendment to Article 110 of the Italian Privacy Code by means of Article 44, paragraph 1-bis of Law No. 56 of April 29, 2024, which now provides that – in those cases where it is not possible to obtain the consent of the data subjects, or the obligation entails a disproportionate effort, or may seriously jeopardize the study results – it is no longer necessary to submit the research project and the related impact assessment to the prior consultation of the ITDPA, as it is now sufficient to adhere to the specific safeguards set out by the ITDPA. While this amendment represents a small step towards making access to data for medical research (including for secondary use) easier, it is not sufficient, as Article 110 of the Italian Privacy Code still relies on consent as the main legal basis for the processing of health data for medical research.
In addition to the above, other initiatives at the Italian level seem to limit the secondary use of data, creating internal friction. One example is the draft law on Artificial Intelligence, which appears to allow the secondary use of data for the development of artificial intelligence systems in the healthcare sector only for public entities or non-profit private entities (excluding private ones) and includes the obligation to report to the ITDPA all information, also in relation to the processing of personal data, as well as to wait 30 days prior to starting the activity.
As to the next steps, the EHDS Regulation will:
The Regulation will apply two years after its entry into force, with some exceptions, including the primary and secondary use of data, which will apply four to six years later, depending on the type of category.
Authored by Massimiliano Masnada, Giulia Mariuz, Giacomo Bertelli, and Alessandro Bacchilega.