
The European Health Data Space Regulation – What Digitalising EU Health Data Means for Industry
Regulation (EU) 2025/327 on the European Health Data Space (the “Regulation”) was published in the Official Journal of the EU on 5 March 2025.
This Regulation implements the European Commission’s proposal in its 2020 communication ‘A European strategy for data’ and creates the first sector-specific common data space in the form of the European Health Data Space (“EHDS”). It is intended to specify and complement the rights laid down in the General Data Protection Regulation. Read our piece on Common European Data Spaces to find out more.
The Regulation aims to improve individuals’ access to and control over their electronic health data (“EHD”) within their electronic health record (“EHR”). The definition of “primary use” of EHD is broad and includes healthcare provision and assessment, and the provision of medicinal products and devices. The Regulation grants rights to immediate access to one’s personal, priority-category EHD such as patient summaries, electronic prescriptions and medical test results, and to cross-border data portability. The Regulation also establishes a governance framework for the “secondary use” of EHD in areas including research, innovation and policymaking.
Whilst the Regulation will be in effect twenty days from publication, parts of it will start to apply by March 2027, with some not applying until 2029, 2031 and 2035. Given that there is a particularly technical element to the preparation phase, we can expect to see further guidance from the European Commission and Member States as to associated practical measures, by way of implementing acts and domestic regulations.
Implications for Industry
Companies in the life sciences sector may face various data-sharing obligations, among other obligations, under the Regulation’s secondary use provisions. These provisions apply to “health data holders”, broadly defined to include companies developing products and services for, and researching aspects of, healthcare or related sectors. These companies have the right or obligation as controllers to process personal EHD or the ability to make non-personal EHD available through control of the technical design of a product/service. Companies may be considered “health data users” where granted access to EHD for secondary use.
Key Points
- Limited Processing: As health data users, companies will only be permitted to access anonymised or pseudonymised EHD for secondary use. The processing of that data must be for specific purposes, including scientific research that contributes to public health, or ensures the high quality and safety levels of healthcare and medicinal products, aiming to benefit end-users. Development and innovation activities for products and services, and training algorithms in medical devices and AI systems, are also included. Prohibited processing includes, for instance, advertising or marketing activities.
- EHD Sharing: Companies may face data sharing obligations. The categories can include data from wellness applications, from clinical trials, and health data from medical devices. Member States can add additional categories.
- IP Concerns: EHD protected by intellectual property rights, trade secrets or regulatory data protection rights must be available for secondary use. Health data holders must justify the need for protection to the health data access body (the “HDAB”), established by the Member State, which balances access and protection rights and whose protective measures could include imposing conditions for access or refusing data access, if necessary.
- Interoperability: Manufacturers of EHR systems must meet specific requirements before placing systems on the market, including creating and updating technical documentation, an EU declaration of conformity, and CE marking. Annex II of the Regulation outlines essential requirements for harmonised software components of EHR systems which also extend to medical devices, AI systems, and applications which claim interoperability with EHR systems. Obligations also extend beyond EHR system manufacturers, to system importers and distributors.
- Enforcement: HDABs have enforcement powers against health data users and holders, including revoking data permits and ceasing processing operations. Possible fines range from EUR 10 million or 2% of total worldwide annual turnover to EUR 20 million or 4%. The Commission, closely co-operating with the EHDS Board (composed of representatives of Member States), shall issue guidelines on enforcement measures to be taken by HDABs within seven years of the Regulation coming into force. Notably, in addition to a HDAB, Member States are required to designate both a digital health authority and a market surveillance authority, to act under the EHDS.
Innovators can benefit from the EHDS through, for instance, standardised EHRs which facilitate market entry for EHRs in other Member States and secondary use data which can create efficiencies in the development and creation of innovative medical products. The Regulation creates a stakeholder forum, allowing members of industry, among others, to have their say on the implementation of the Regulation. A balanced composition of large companies, SMEs, and start-ups alike will be represented, enabling their engagement in this seemingly iterative process.
Ireland and the EHDS
Healthcare digital transformation is a policy strand for the new Irish Government (read more on the Programme for Government in our recent piece). In addition, the HSE’s 2024 Digital Health Strategic Implementation Roadmap cited the EHDS as a key driver for developing Ireland’s digital health framework, aligning Ireland internationally to facilitate the joint policy and implementation effort that is required to deliver against the roadmap. The Health Information Bill, 2024 (the “Health Information Bill”), which had previously lapsed with the Dáil’s dissolution for the general election in late 2024, is now progressing once more through the legislative procedure. This aims to establish the grounds for patient data sharing and Digital Health Records. While, unlike the EHDS, its focus is on primary use of health records only and not secondary use, the Health Information Bill will support Ireland’s obligations in relation to the EHDS and represents an initial legislative step in preparing for this regime. HealthData@IE is the national implementing project which is currently collaborating with the Department of Health, Health Information and Quality Authority and Health Research Board, to create the infrastructure needed for the EHDS and the creation of Ireland’s HDAB.
As the new Irish Government takes the mantle, and preparations for application of the EHDS Regulation get underway, it seems as though both Ireland and the European Union look set to usher in a new digital health era.
Thanks to Eva Glynn for her assistance with this piece.
For more information, please contact our Life Sciences Group or Technology and Innovation Group.