While the final text is under finalisation, the infrastructure according to the EP’s press release of Friday 15 March would work as follows :`
SUMMARY
The Space purports to ease access to personal health data and to boost secure sharing for the public & private interest :
-Patients will be able to access their personal health data electronically across the EU’s different healthcare systems (Article 12).
-Patients will be able to download their health record free of charge.
-Health professionals like dental practitioners will have access to their patients’ data, based strictly on what is necessary for a given treatment (this is the ‘primary use’ of these data). Member States will have to “develop and implement or provide access to training programs for health professionals” in that regard (Article 59a) as well as devices or services allowing a direct access to the health data (Recital 15).
-Industry & Research will have access to an unprecedented amount of health datasets (450 million citizens are potentially concerned) thanks to the possibility –heavily negotiated– of a “second use” of these data (see below). It will not take place before mid-2028 to the minimum (Article 72). It will limited opened to third-countries (Article 47b).
CONDITIONS FOR 2sd USE OF DATA
This topic was the most difficult part of the negociation between the Parliament and the member States.
Agreement for a second use would be assumed, unless the patient states othwervise (this is the ‘opt-out’ condition): “Natural persons shall have the right to opt-out at any time and without stating reasons from the processing of personal electronic health data relating to them for secondary use under this Regulation.”(Article 35f).
MEPs, no-one else, « secured the right for patients to opt out of secondary use, with certain exceptions for public-interest, policy-making or statistics purposes, and protections for intellectual property rights and trade secrets when relevant data is shared for secondary use ».
The EHDS would allow the sharing of the following data for public interest purposes : anonymised or pseudonymised health data, including health records, clinical trials, pathogens, health claims and reimbursements, genetic data, public health registry information, wellness data and information on healthcare resources, expenditure and financing (Article 33(1)). The list is minimum. It can be extended by Member States (Article 33(3)).
These legitimate purposes would include research, innovation (e.g. training of algorithms for medical devices), policy-making, education and patient safety purposes (Article 34(1)). A “detailed explanation of the intended use of the electronic health data” is presented for each health data request (Article 47(2)(b)) in order to be granted with an access permit (Article 46) by the national access body (Article 45). Infringements are punished with heavy fines (Article 43a(4) and (5)).
Banned purposes : the sharing of data for advertising or assessing insurance requests will be prohibited (Article 35(b), (c), (e)). During negotiations, MEPs ensured that secondary use would not be allowed concerning decisions on labour markets (including job offers), lending conditions and other types of discrimination or profiling.
For the record : in its original text, the Commission offered no option for patients to opt out of the system. By contrast, the European Parliament was convinced anyone should be able to duck out of the system. While the Council said it should be up to each country to decide under which circumstances opt-outs should be allowed (many countries already have in place a national version of the health data system. Some of them allow patients to have full control of who can see and use that data, while others do not).
Regrets from consumers? However, BEUC, one of the organisation representing consumers’ interests at the European level, “regrets that the concerns consumers express in sharing their health data, which is clear from a survey published last year, are not reflected sufficiently in the legislation. People should be given more direct choice over with whom and for what purpose their data gets shared“.
PARTICIPATION OF DENTAL PRACTITIONERS TO THE COLLECTION OF DATA FOR A SECONDARY USE
A dental practitioner working alone in a dental clinic should be exempted from that collection.
The Regulation lays down (Article 32a) that “legal persons that qualify as micro-enterprises“, i.e. “as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million” are exempted.
A Member State can decide otherwise.
In that case the collection of the data is organized by the State, which can even create a “health data intermediation entity”(Article 32a, 5th paragraph) in order to reduce the health professional’s workload.
PATIENT’S RIGHT TO INFORMATION ON THE DATA USES
The law ensures patients will have a say in how their data is used and accessed. They can be informed each time their data is accessed (Article 8f). And they will have the right to request (Article 8a), transmit (Article 8d), correct incorrect data (Article 8c), and insert data in their own European Health Record (Article 8b). Patients will also be able to object to healthcare professionals accessing their data for primary use (Article 8e), except where this is necessary for protecting the vital interests of the data subject or another person.
NATIONAL MONITORING OF THE COMPLIANCE
National data protection authorities will monitor the enforcement of health data access rights and will be empowered to issue fines in the event of shortcomings.
EUROPEAN MONITORING OF THE COMPLIANCE
A European Health Data Space Board (EHDS Board) is established to “facilitate cooperation and the exchange of information among Member States and the Commission” (Article 64(1)).
It is joined by a “Stakeholder Forum” established for the purpose of facilitating the exchange of information with stakeholders; it is composed of representatives of patients’ organisations, health professionals, industry (Article 64a) appointed by the Commission following a public call for interest.
A COMMON DATA-SHARING INFRASTRUCTURE IN EUROPE
Aside of the national architectures of a digital health record, the Electronic Health Records (EHR) is a common standard (organized in chapter III) put forward by the new Regulation that includes (Article 5(1) & Annex I):
-patient’s summary of the medical history (composed of clinical facts detailed in Annex I and structured in 18 items),
-electronic prescriptions and dispensations,
-medical imagery,
-laboratory results
-discharge report.
The regulation sets up too a common format for :
-the data access (the format already exists and is called MyHealth@EU platform).
-the European electronic health record exchange
-the quality, security and interoperability of data (including data collected by labelled wellness applications which are i) listed on a public database by the Commission ii) after the demonstration of a series of tests (Article 32)).
NEXT & HARD STEP
Given the heterogeneous and uneven situation of health digital services among the 27 countries (see Recital 5b), implementing the EHDS will require, to say the least, significant development work across Member States. To track the progress, the Commission will until the full application of this Regulation report annually on the progress made.
***