The health sector, like many other sectors, is going through transformative change fuelled by advances; amongst others, in Artificial Intelligence (AI), Machine Learning (ML) and Smart Devices. The aim of the proposed EHDS is the creation of data spaces to facilitate access to data in safe and secure environments and ensure EU data is used responsibly and safely. This proposed legislation is a culmination of many different initiatives at the European level, including the European Union eHealth Action plan 2012 -2020, the report from the EU Task force on eHealth: Redesigning health in Europe Strategy for 2020 as well as the European Commission published European Data Strategy (2020) where the concept of EU data spaces featured heavily. The Regulation is an important step in the journey to the free movement of health data across the EU and an important component of the European Health Union. This article outlines what the EHDS is and advises on the effects on primary and secondary use of health data.
Why is this important?
The first initiative of the European Health Union that the EC understandably focused on was the Crisis Preparedness and Response Measures. This was timely considering the pandemic. However, the Covid 19 pandemic demonstrated the requirement for accurate, up-to-date health datasets and digital health tools. Both high quality health datasets and digital tools were key defences in the EU and national governments armoury when fighting the disease and its spread. However, it also highlighted the obstacles and differences in place across EU territories relating to health data access and the need for sharing health data in accordance with FAIR Principles. The second initiative, the EHDS, is therefore central to the success of the European Health Union, and its place in the overall strategy highlights its importance.
What is the EHDS?
The EHDS is a data sharing framework. It will establish clear rules, standards, common practices as well as infrastructures for the management of health data in Europe. On the other hand, it will allow EU citizens to access their health data in electronic form which is recognised across the EU. Electronic health data will also include inferred, derived, observed data as well as data recorded by automatic means, along with provided health data, regardless of its source, for example from the patient, legal person, or healthcare professional. It builds upon existing EU legislation such as the GDPR, NIS Directive and the proposed Data Governance Act in addition to the draft Data Act. It also will have a common specification for software medical devices and High-Risk AI systems certified, in accordance with the latest EU medical device and AI laws (currently in various stages of development).
Effects of the EHDS on primary use
The EHDS builds upon the rights of individuals in the GDPR and further develops some of these rights. The right of access, for example (Art. 15 GDPR), has been recognised by the European Commission as requiring to be further developed in the health sector. The European Commission acknowledges that the use of paper records for making and responding to access requests is time and resource consuming. Thus, such rights can be impaired where immediate access is required in emergency or urgent scenarios relating to their health conditions. Equally the European Commission recognises that it is inappropriate to deliver certain diagnosis, for example of incurable condition, via electronic channels where the patient has not been advised in a consultation.
Patients are mobile and thus so should their health data be mobile across the EU. This will be achieved via the centralised platform MyHealth@EU. One of the challenges for its implementation are that the majority of EU countries are working with manual paper-based systems or have some form of dependency being paper based, whilst others are using very advanced digital eHealth systems. Moreover, the dangers with centralised data are well known, so we expect its integration with the NIS Directive to be a strong feature of the EHDS implementation to maintain the trust of all EU citizens.
Primary and Secondary Use of health data
As a result of this legislation, health researchers will be able to access larger, higher quality health datasets through an access body that will guarantee the protection of personal data related to patients. Regulators and policy makers will have access to health data to drive decision and policy making as well as better functioning of health care systems. Industry will have access to datasets and develop software and AI health technology. Re-use of health data will be governed by a new European Health Data Board. The EHDS is expected to save the EU 11 billion Euros over a decade, with 5.4 billion expected to be saved from better use of Health data for research, innovation and policy making.
Access to the EHDS will also be available to public and commercial researchers, based upon strict rules and for specific purposes. Moreover, the access will be limited to pseudonymised data, which is processed in a closed secure environment, and it will only be possible to download anonymised health data. This will yield greater innovation benefits; one example may be allowing companies and public researchers to train algorithms on reliable large and health datasets. It should also go some way to eliminating bias, gender bias, and discrimination of marginalised groups in EU developed AI for health applications. This aspect will arise simply from the fact that these relevant stakeholders will have access to datasets which heretofore were unavailable form other EU countries. Where these datasets are used, the manufacturers of products using them will have to certify the security criteria for interoperability and the security of electronic health records. Secondary use of health data will be controlled by the Regulation and limited to specific purposes. It is also based upon the issuance of a permit by the data access body. Moreover, it will be forbidden to use health data in a way that causes detriment to individuals or try to re-identify individuals from the data.
Key to the EHDS’ success will be overcoming the reliance of consent for secondary use. Central to this is that EHDS provides a legal basis for processing GDPR Article 6 personal data and for GDPR Article 9 special categories of personal data.
The next steps are for the EHDS to be approved by the European Parliament and the Member State governments. Where it makes it through these processes, it will mean a lot of change in the health sector in a short timeframe across the whole of the EU. At a local level, it will be very interesting to see how the EHDS will interact with existing legislation. For example, in Ireland, Irish Health Research Regulations 2018 and the HRCDC process has specifications and restrictions that will need to be considered in light of the Regulation.
What do you need to do?
At this early stage, researchers and healthcare organisations need only to monitor the situation. In the first instance they may wish to read the EDPS preliminary opinion 8/2020
This outlines the data protection considerations for the EHDS. In turn it reveals what is likely to emerge as solutions to the issues identified. Examples include code(s) of conduct, publication of the conditions for further processing of personal data, security requirements. Member State national contact points etc. Monitoring the creation and set up of EHDS readiness initiatives in your jurisdiction will allow you to feed into the consultation process and have your input considered.
Suggested news feeds to track the progress of the EHDS.
- News feeds relating to EHDS and the ‘Toward the European Health Data Space’
- European Union Parliament updates on health data.
- National government legislative proposals in relation to health data.
- European Union updates on the development of the EHDS & EHDS2 (secondary use) for cross border services and infrastructure.
- Announcements from the eHDSI for technical health data exchange.
The Trilateral Research Data Protection and Cyber-risk team has extensive experience and expertise in dealing with the data protection and ethical issues around health research, clinical trials and AI and ML. Please contact us to discuss your requirements and we would be happy to help.