The draft European Health Data Space Regulation (EHDS) is flying under the radar for some industry players. It’s just one part of a tidal wave of EU data legislation coming down the track (including the Data Act, Data Governance Act and AI Act). This means it can easily get lost in the noise.
But if you take a deeper look, the EHDS has some complex repercussions for a range of players; from pharma and medtech, to hospitals, public health bodies and even big tech. And not all of it is good news. It’s true that innovators may have a new regulatory pathway for accessing datasets, and there are new and expanded data subject rights when it comes to health data. But there is a flipside. Organisations face being compelled to hand over potentially valuable datasets to competitors, and there is a lack of clarity on key issues like preservation of IPR, and how the EHDS interacts with existing Member State laws on patient confidentiality.
We’ve distilled the headline points below on 3 key topics:
- New regulatory pathways to access health datasets for research and innovation
- A new product safety regime for EHR systems
- Enhanced data subject rights
If you’d like to know more, please get in touch.
1. New regulatory pathways to access health datasets
The EHDS introduces a new regulatory pathway through which “data holders” (defined widely to include most hospitals, public health bodies, pharma and medtech) must make a wide range of “electronic health data” available to “data users” for a defined list of permitted secondary uses. These permitted uses include scientific research, certain development and innovation activities, and training algorithms. This will be great news for AI developers, who need vast amounts of data to train and validate their models.
In order to obtain these datasets, data users must either:
- submit a successful application to a newly established health data access body (to be set up in every Member State). They’ll then receive a data permit to access multiple datasets from multiple data holders; or
- if the data user only names a single data holder in a single Member State in its application, request this data directly from the data holder (i.e. there’s no need to go through a health data access body). If successful, the data holder should be able to issue a data permit directly to the data user.
Addressing the failures of the GDPR: This new pathway for accessing datasets could be highly utilised by the research sector, as it is likely to be perceived as a more permissive framework for data access. These proposals are (in part) a legislative reaction to the failures of the GDPR in enabling access to health-related personal data for research purposes to the private and public sector:
- To the extent electronic health data comprises personal data for GDPR purposes, Member States have applied the GDPR inconsistently when it comes to legal bases for processing, with some Member States mandating that data subjects provide GDPR consent to processing of their personal data for research purposes, whereas others require / encourage industry to rely on alternative bases for processing. This has created significant confusion and delays for researchers across the EU in accessing datasets comprising personal data.
- Recital 37 addresses this failure by clarifying that both the data user and data holder may process personal data on bases other than GDPR consent (under both Articles 6 and 9) across the EU. This facilitates more “friction-free” access for researchers.
- The EHDS Regulation facilitates streamlined GDPR compliance by establishing bases for processing, safeguards for processing, and trusted governance for providing access to health data (through health data access bodies).
But if you dig a little deeper, some cracks start to appear in this new pathway:
- Electronic health data is much wider than you’d first assume: The categories of electronic health data that data holders may have to make available go far beyond the concept of “health data” under the GDPR. Just to take a few examples, they include: clinical trial data; data from medical devices; patient registries; identification data relating to health professionals; as well as electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health. Both personal and non-personal data are caught. It will be no mean feat for data holders just to map out where these datasets could be located within a large organisation, let alone action data access requests.
- The elephant(s) in the room: IPR, confidentiality and local restrictions on sharing patient information: It is not clear to what extent these data sharing obligations require a data holder to disclose trade secrets, or how the EHDS Regulation intends to preserve IPR in practice once trade secrets are disclosed to third parties (a fundamental issue for the life sciences industry). The EHDS Regulation also fails to adequately address the limitations imposed on data sharing by Member State laws on medical secrecy, ethics approval requirements, and patient confidentiality. If a data holder is restricted in what it can share under Member State laws, how does this sit alongside this EU-wide data sharing framework?
- More churn for legal teams? Where organisations hold greater quantities of electronic health data, they are more likely to be the target of direct requests to access datasets by data users. Data holders will need to build up the infrastructure and expertise necessary to assess and action data applications / requests. This will not just be an issue for the private sector, but also embattled public sector hospitals and public health bodies acting as data holders (which are still facing the fall-out from the pandemic and unprecedented demands on an already-stretched system).
2. A new product safety regime for manufacturers of EHR systems
The EHDS imposes a new product safety regime for EHR systems, which is effectively a “light” version of the EU Medical Device Regulation (EU MDR). This new regime applies to organisations acting as manufacturer, importer or distributor of an EHR system.
This new regime plugs a “regulatory gap”, where EHR systems tend not to be regulated as medical devices under the EU MDR, and do not fall clearly within the scope of other targeted EU product safety regimes either.
The good news is that manufacturers will be able to self-certify for CE marking (Notified Body involvement is not required). However, economic operators throughout the EHR system supply chain will need to put in place the architecture needed to ensure compliance. Manufacturers will need to ensure technical documentation is in place, conformity assessments are conducted, and that they comply with post-market surveillance obligations.
3. Enhanced data subject rights
One of the core tenets of the EHDS Regulation is to empower patients to exercise various rights in respect of their electronic health data. It achieves this by building on the GDPR rights of data access and data portability.
Under the EHDS, individuals benefit from enhanced rights to access and receive a copy of their personal electronic health data for primary use, to rectify their electronic health data, and enhanced rights of data portability. The EHDS builds out the infrastructure for patients to exercise these rights in practice, including through its proposals for EHR system manufacturers.