On the 3rd of May 2022, the European Commission proposed a Regulation on the European Health Data Space (“EHDS”).
Building upon EU legislation currently in force, such as the General Data Protection Regulation (“GDPR”) and the Medical Devices Regulation, as well as other pieces of legislation recently proposed, including the Artificial Intelligence Act, the Data Governance Act and the Data Act, the EHDS constitutes the first sector-specific legislation proposed by the Commission in the context of its wider Data Strategy. As lex specialis for the health sector, the law supplements and, where in conflict, prevails over the leges generales laid down by the mentioned legislation.
With the introduction of the EHDS, the Commission seeks to unleash the full potential of health data across the bloc by addressing challenges relating to electronic health data access and sharing. With three main focal points, the Regulation aims to concurrently foster access to and transmission of personal electronic health data for primary use; regulate electronic health record (“EHR”) systems and ensure their interoperability; and create a robust set-up for the secondary use of electronic health data, including research.
In this Article, we will look at some of the proposed measures with respect specifically to secondary use of electronic health data and assess whether the EHDS is capable of effectively addressing some of the challenges associated with the use of health data for this purpose.
2. SECONDARY USE OF ELECTRONIC HEALTH DATA AND THE EHDS
Definition and current challenges of “secondary use of health data”
In the sector, health data can be processed and used not only for the primary purpose of supporting the provision of direct health and care services to patients but also for a myriad of secondary purposes that can benefit society as a whole, including research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities.
Despite the immense potential that the processing of health data can have as a means of effectively making changes at societal level, it is widely recognised that the access to health data for secondary purposes is currently subject to such cumbersome and bureaucratic processes at the local level of each healthcare data controller that the actual exploration of this potential is substantially hindered. The COVID-19 pandemic is a clear example of how the timely access to health data for the purposes of preparing for and responding to health threats in the EU could have contributed to a more effective management of the pandemic and, as a consequence, to the reduction of its tragic human cost.
Seeking to address these obstacles, the EHDS dedicates its Chapter IV to establishing rules and governance mechanisms to bolster the effective secondary use of electronic health data.
EHDS’ new rules on availability of data for secondary purposes
Unveiling its ambitious plan, the Regulation commences by regulating the availability of health data for secondary purposes.
The EHDS introduces the role of “data holder”, which, save for micro-enterprises, includes public and private organisations or bodies in the health or care sectors, public or private organisations or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies processing health and health-related data for policy making, official statistics, patient safety or regulatory purposes.
The legislation then goes on to list a variety of electronic health data which data holders must make available for secondary use, including:
- health data typically processed for primary purposes, such as health data contained in EHR systems; patient-generated data obtained via medical devices, wellness applications or other digital health applications; human genetic, genomic and proteomic data;
- data impacting on health, including social, environmental and behavioural determinants of health as well as relevant pathogen genomic data;
- health-related data, including administrative data related to claims and reimbursement, as well as electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data;
- identification data related to health professionals involved in the treatment of patients;
- data contained in registries, including population wide health data registries (public health registries), medical registries for specific diseases, and registries for medicinal products and medical devices;
- data from biobanks and dedicated databases;
- data from clinical trials and from research cohorts, questionnaires and surveys.
In order to ensure that the availability of data is “broad and flexible” enough to “accommodate the evolving needs of data users” (Recital 39), the Regulation made it clear that even data with inherent commercial value held by private organisations will also need to be made available, with the added caveat that all measures necessary to preserve the confidentiality of Intellectual Property (“IP”) rights and trade secrets shall be taken.
EHDS’ governance mechanisms for the access of health data for secondary purposes
The EHDS establishes a comprehensive and detailed governance mechanism for central management of data access requests for secondary purposes. The process includes the following stages:
a) Completion of a data access application: whilst opening the submission of applications to any natural or legal person, the Regulation requires satisfaction of one of the secondary purposes expressly listed in Article 34 and the provision of project-specific information supporting the request, including a detailed explanation of the intended use of the electronic health data; a description of the requested electronic health data; as applicable, a confirmation that anonymised data suffices for the purpose of the project or an explanation of the reasons for seeking access to pseudonymised data (in the latter case, the applicant will need to describe how the processing complies with the GDPR and evidence that any ethical approval required by national law was obtained); and a description of the safeguards planned to prevent any other use of the electronic health data, to protect the rights and interests of the data holder and of the data subjects concerned.
b) Submission of the application to the deciding body: the Regulation creates a dual-pathway for the approval of data access requests, depending on their scope:
- Requests involving data held by a single data holder: the Regulation allows applicants to submit their applications directly to the data holder for the purpose of obtaining access to electronic health data for secondary use.
- Multi-country requests and requests requiring a combination of datasets from several data holders: the Regulation requires applicants to submit their applications to what it refers to as “health data access bodies”. These are bodies which Member States are mandated to designate, from existing or newly created public bodies, for the purpose of granting access to electronic health data for secondary use in instances where the application requires a combination of datasets from several data holders. Where data users seek access to electronic health data from more than one Member State, the Regulation requires them to submit a single application to one of the concerned health data access bodies of their choice, which shall be responsible for sharing the request with others in a specified time frame.
c) Approval of the application: with the exception of public sector bodies and Union institutions, bodies, offices and agencies carrying out tasks laid down under national or Union law, all other applicants will need to obtain approval of their application prior to obtaining access to the data. Within 2 months of receiving the data access application, the health data access body shall either issue a “data permit”, when convinced that the application fulfils one of the listed purposes and the mandatory requirements and that the requested data is necessary for the purpose listed in the application, or refuse the request by providing adequate justification.
d) Making the data available to the applicant: once the data permit is issued, the health data access body shall immediately request the electronic health data from the data holder. In such a case, the EHDS requires data holders to make the data available to the health data access body within 2 months from receiving the request (in exceptional cases, that period may be extended for an additional period of 2 months), granting the health data access body an additional 2 months (or longer, if specified by the body) to make the data available to the applicant. Importantly, the data will only be made available with the strict application of two safeguards:
- Requiring prior anonymisation or pseudonymisation of the data: the law requires health data access bodies to provide the electronic health data in an anonymised format or, where the purpose sought by the applicant cannot be achieved in such way, in a pseudonymised format. In the latter case, however, the Regulation not only requires that the “additional information” necessary to reverse the pseudonymisation remains strictly with the health data access body, but also expressly prohibits data users from attempting to re-identify the data.
- Restricting access through the use of a “secure processing environment”: the EHDS requires health data access bodies to provide access to electronic health data only through a secure processing environment, with technical and organisational measures and security and interoperability requirements. Among other measures, the environment should effectively ensure that access to the data is restricted to those holding data permits, prevent data from being copied or removed without authorisation, and keep identifiable logs of access to the secure processing environment for the period of time necessary to verify and audit all processing operations in that environment.
In order to at least partly fund this complex governance mechanism, the Regulation allows health data access bodies and single data holders to charge fees for making electronic health data available for secondary use, so long as the fees include and are derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit. In cases where the data is not held by the health data access body, the fees may additionally include compensation for part of the costs for collecting the electronic health data in accordance with the process explained above.
3. CHALLENGES OF THE HEALTH CARE SECTOR AND THE POTENTIAL EFFECTIVENESS OF THE EHDS
As we can see from the previous section, the EHDS constitutes a bold move by the European Commission in its attempt to regulate the secondary use of electronic health data across the EU.
Researchers and other users desiring to access data for secondary purposes will undoubtedly celebrate the vast availability of data. The potentially attainable data will no longer be circumscribed to that contained in databases held by public organisations, such as healthcare providers, but will extend to information assets which, until now, have been secretly kept in the hands of private companies and used in the advancement of their commercial interests. Whilst the Regulation strives to preserve the confidentiality of IP rights and trade secrets, it remains to be seen whether EU-based private companies will experience (and perhaps even act upon) any potential loss of competitive edge with their third-country counterparts by having to extensively share these assets.
Furthermore, the centralised process of obtaining access to the available data will surely be appealing to researchers and other users in comparison to the existing fragmented model. Rather than having to go through a range of different local processes, each with its own specificities, requirements and rules, users will now be able to make use of a single application and, upon complying with a set of clearly defined rules at Union level, obtain access to data held by different data holders based in one or even multiple Member States. Whilst the research community in the United Kingdom has witnessed and benefited from the substantial increase in the number of regional initiatives in the past decade whereby data shared by different health and care organisations is made available for research and other secondary purposes, the new EU model courageously proposes a similar initiative but at a national and even cross-border dimension.
It is obvious, however, that such a data access model will not be implemented without challenges. Member States will need to create new public bodies and ensure not only that they have the means for the effective performance of their tasks and the exercise of their powers, but also that they do so with a satisfactory level of consistency across the bloc. The soon to be created health data access bodies, in turn, will need to ensure that all the data relationships necessary for the model to be implemented adequately comply with data protection legislation. In addition to putting in place data processing agreements with organisations that process data on their behalf for the purpose of ensuring that secure and compliant platforms and services are provided, these bodies will need to implement a proper framework and specific data sharing agreements with each individual data holder/controller. Whilst the vertical relationship between health data access bodies and data holders may arguably reduce the inherent complexity of the negotiations that normally precede the drafting of documents of this nature, the inevitable number of arrangements that are necessary will not be easy to manage.
Finally, even though the process laid down by the EHDS appears capable of leading to the achievement of the objectives envisaged by the Commission, questions could be raised as to whether the overall process is sufficiently expeditious to address the needs of researchers and other users desiring access to data for secondary purposes. From the moment a data access application is submitted to the point when data is made available, a minimum of 6 months will elapse if all the parties involved decide to use the deadline given by the EHDS in its entirety. And this timeframe could be substantially longer in many concrete cases, in light of the level of flexibility given by the law to some of the parties.
Overall, the new model proposed by the European Commission constitutes a step in the right direction. It remains to be seen whether the bold plan to make data available and accessible to such an extent will be matched by the necessary resources and efforts to ensure that health data can indeed be leveraged as envisaged and that those requiring access to this data for secondary purposes can effectively and expeditiously carry out their projects.