What is the European Health Data Space (EHDS)?
The European Health Data Space (EHDS), established under Regulation (EU) 2025/327, introduces a sector-specific data space for health, and creates an EU-wide legal, technical, and governance architecture for electronic health data. It enables access, sharing, and reuse of electronic health data. It was adopted on 11 February 2025, and published in the Official Journal of the EU on 5 March 2025.
In legal terms, the Regulation defines the European Health Data Space as a harmonized framework governing the processing, access, exchange, and secondary use of electronic health data in the Union. Electronic health data is an umbrella concept covering personal and, in specified cases, non-personal information generated in health care ecosystems, including medical imaging, laboratory results, electronic prescriptions and dispensations, discharge summaries, and other records stored in electronic health record systems.
The term also covers certain data produced by medical devices and wellness applications in clinical workflows, or otherwise designated under the Regulation’s scope. These definitional boundaries matter because they trigger distinct rights, duties, and interoperability obligations across the EHDS’s two functional pillars: primary use for care, and secondary use for non-care purposes.
The EHDS introduces a patient-centric model that ensures individuals can access their health data promptly, obtain it in portable digital formats, control professional access, and benefit from cross-border exchange via a common EU infrastructure. Member States must align their national electronic health record systems to an EU-level exchange format and common specifications so that patient summaries, ePrescriptions, eDispensations, imaging and reports, laboratory and other diagnostic reports, and discharge letters are interoperable across borders. The EHDS establishes enforceable duties on health providers and system vendors, with the Commission empowered to adopt detailed common specifications to ensure technical convergence.
Secondary use of health data is the processing of electronic health data for purposes other than the direct provision of care, such as public health, statistics, regulatory oversight, education, research, innovation, health technology assessment, and the training, testing, and evaluation of algorithms. Access for secondary use is mediated by newly designated national Health Data Access Bodies. Data users obtain access through a data-permit regime that imposes strict purpose limitation, secure-environment processing, and a prohibition on attempts at re-identification. Secondary use is permitted only inside a ring-fenced legal and technical environment, with the Health Data Access Bodies instructed to balance societal benefits with strong procedural and technical safeguards.
Not all non-care processing is allowed. The final text prohibits access and processing for advertising or marketing, for decisions that are detrimental to a natural person or that exclude individuals or groups from insurance or credit, and for other discriminatory or harmful downstream uses. In practice, this means that even if a requester could frame an activity as research or innovation, access will be refused where the foreseeable application crosses these red lines.
Governance under the EHDS is layered. At the national level, Health Data Access Bodies are responsible for receiving and evaluating access applications for secondary use, issuing data permits, supervising secure processing environments, and enforcing the sector-specific obligations that sit alongside the GDPR. At the Union level, the Commission ensures interoperability through common specifications and coordinates the cross-border infrastructures. This split requires organizations to map their multi-regulator engagement model carefully. Data protection authorities remain competent to supervise GDPR compliance, whereas Health Data Access Bodies oversee the sectoral access regime, fees, and permit conditions.
Security, confidentiality, and integrity controls are preconditions for access. Health Data Access Bodies require processing to occur only within accredited secure processing environments, with controls that address identity management, access management, audit logging, output vetting to minimize disclosure risks, and tested anonymization or privacy-enhancing techniques where appropriate. Access bodies can impose purpose-specific technical limitations, such as disabling export of raw microdata.
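As an added illustration (not part of the Regulation or of any access body's actual rules), the following shows a minimal output-vetting gate of the kind a secure processing environment applies before results leave it: raw microdata export is refused and logged, and aggregate tables get small-cell suppression, including the complementary suppression needed when a total is released alongside a single hidden cell. The threshold, record layout and audit format are constructed.

```python
"""Output-vetting gate for a secure processing environment (added example).

Models two controls named in the text: raw microdata never leaves the
environment, and aggregate tables are vetted with small-cell suppression
before release. Threshold, record layout and audit format are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_CELL_COUNT = 10  # constructed threshold; a real access body sets its own


@dataclass(frozen=True)
class Record:
    patient_id: str   # pseudonym valid only inside the environment
    region: str
    diagnosis: str


# Constructed sample microdata: 12 North, 11 South, 3 East (no real patients).
SAMPLE = (
    [Record(f"p{i:03d}", "North", "A") for i in range(0, 12)]
    + [Record(f"p{i:03d}", "South", "A") for i in range(12, 23)]
    + [Record(f"p{i:03d}", "East", "B") for i in range(23, 26)]
)

AUDIT_LOG: list[dict] = []


def audit(action: str, permit_id: str, **details) -> None:
    """Append an event to the environment's audit trail."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "permit": permit_id,
        "action": action,
        **details,
    })


def export_microdata(records: list[Record], permit_id: str) -> None:
    """Row-level export is disabled regardless of permit; the attempt is logged."""
    audit("export_denied", permit_id, rows=len(records))
    raise PermissionError("raw microdata export is disabled in this environment")


def aggregate(records: list[Record], field: str) -> Counter:
    """Count records per value of a non-identifying field."""
    if field == "patient_id":
        raise ValueError("aggregation on an identifier is not permitted")
    return Counter(getattr(r, field) for r in records)


def vet_table(counts: Counter, permit_id: str,
              min_cell: int = MIN_CELL_COUNT,
              release_total: bool = True) -> dict:
    """Primary suppression hides cells below min_cell. If exactly one cell is
    hidden and the total is released, that cell is just total minus the rest,
    so the next-smallest cell is hidden too (complementary suppression)."""
    suppressed = sorted(k for k, v in counts.items() if v < min_cell)
    released = {k: v for k, v in counts.items() if v >= min_cell}
    if release_total and len(suppressed) == 1 and released:
        extra = min(released, key=released.get)
        del released[extra]
        suppressed = sorted(suppressed + [extra])
    result = {
        "cells": released,
        "suppressed": suppressed,
        "total": sum(counts.values()) if release_total else None,
    }
    audit("output_released", permit_id,
          cells=len(released), suppressed=len(suppressed))
    return result


if __name__ == "__main__":
    print(vet_table(aggregate(SAMPLE, "region"), "permit-demo"))
    try:
        export_microdata(SAMPLE, "permit-demo")
    except PermissionError as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```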
The EHDS is part of a broader EU data strategy. It must be read alongside the Data Governance Act and the Data Act, both of which influence data-sharing mechanics, access to non-personal and co-generated data, and interoperability obligations.
European Health Data Space (EHDS) vs. General Data Protection Regulation (GDPR). Who wins?
The General Data Protection Regulation (GDPR) is a horizontal fundamental-rights regulation, designed to govern all processing of personal data. It establishes principles, legal bases, rights, and supervisory machinery for any controller or processor, irrespective of sector.
The GDPR is lex generalis. This means "general law": the broader, background norm that applies across a field unless and until a lex specialis (special law) regulates a subset of that field.
The European Health Data Space (EHDS) is a sectoral regulation for health data. It establishes a governance, access, and interoperability framework to organize how electronic health data must be exchanged and, under controlled conditions, reused for specified purposes.
The EHDS is lex specialis. This means "special law": the norm that governs the conditions under which electronic health data are to be accessed, processed, and exchanged.
Lex specialis derogat legi generali means “the more specific law takes precedence over the more general law.” In legal reasoning, it is a canon for resolving collisions between two valid norms of the same rank that regulate the same factual situation.
Where a concrete overlap exists, the specific rule governs within the boundaries of its subject-matter, while the general rule continues to apply outside that perimeter. This is precedence to the extent of the conflict.
The GDPR is the horizontal baseline for all personal-data processing in the Union. The EHDS is the sector-specific system for electronic health data. When the facts trigger the EHDS, processing must satisfy the GDPR’s legality and safeguards and, in addition, the EHDS’s sectoral conditions, like processing inside accredited secure environments. Where EHDS scope is not triggered, the GDPR operates alone as the lex generalis. Where it is triggered, the EHDS governs with qualified precedence inside its field, and the GDPR continues to apply cumulatively.
On the negative side: The 3 main vulnerabilities introduced by EHDS.
EHDS introduces massive cross-border data flows of health data, one of the most sensitive data categories under the GDPR. To do this, it forces interoperability, connectivity, and standardisation of APIs and cross-border exchange.
Many hospitals and health providers are suddenly moving from closed, local systems to open, interoperable, API-exposed platforms. This is where cybersecurity lags behind.
1. EHDS increases the attack surface. Until recently, many hospitals and healthcare providers operated largely in isolation. Patient records were stored on local servers, often inside closed networks designed to support clinical workflows, not remote connectivity. Many of these systems are outdated, but their lack of exposure acted as a protective layer. Attackers needed physical proximity or insider knowledge to breach them.
EHDS changes this completely. By design, it forces healthcare providers, electronic health record vendors, research bodies, and national authorities to interconnect. The regulation introduces cross-border data exchange through national gateways and requires EHR systems to expose standardized APIs that allow external systems to retrieve, transmit, or process patient data. In simple words, systems that were never meant to communicate with the outside world must now become fully accessible and interoperable.
The transition from closed, proprietary systems to open, standardized, and externally reachable interfaces creates new entry points for attackers. Once a hospital connects to the EHDS ecosystem, its digital perimeter is no longer limited to the hospital network. It now includes national exchange nodes, authentication and access services, research data access bodies, and the external entities entitled to request or process the data. Every additional connection increases exposure, and every partner in the ecosystem becomes a potential weak link.
Because the standards are harmonized across Europe, attackers no longer face a fragmented landscape of highly customized hospital networks. Standardization means predictability. If an attacker learns how to exploit an API implementation in one Member State, the same knowledge can be reused against institutions across the EU. What previously required a local intrusion becomes a remote, repeatable attack.
EHDS encourages more entities to access data, including researchers, hospitals, pharmaceutical companies, and national digital health authorities. More users mean more credentials to manage, more authentication transactions, and more opportunities for phishing, misconfiguration, or credential theft. The result is a larger technical attack surface, and a larger organizational attack surface.
EHDS accelerates connectivity much faster than it improves governance and resilience. Hospitals are being required to operate as cross-border data hubs, but they are not equipped with the level of cybersecurity governance, monitoring, or operational continuity systems that exist in more mature sectors such as finance. Banks have cyber fusion centers and incident response playbooks. Many hospitals struggle to patch their servers without interrupting critical medical services.
Once interoperability is established, a compromise of a national gateway or a widely used EHR vendor could cascade across multiple countries. EHDS transforms what used to be isolated cyber incidents into the possibility of systemic healthcare disruption.
2. Legacy IT infrastructure.
Hospitals did not evolve like banks or telecom providers. They acquire technology slowly, through decades of procurement cycles, mergers, equipment donations, and incremental upgrades. The result is an environment where critical systems (including life-critical ones) run on outdated hardware and unsupported operating systems.
Medical technology vendors traditionally prioritize safety and stability over cybersecurity. If a device is certified to perform a clinical function, any modification to its operating system, firmware, or configuration could require a new regulatory approval process. For this reason, it is not unusual to find radiology equipment, laboratory systems, or ventilator management platforms running on versions of Windows that are long past end of support. These systems cannot be patched like typical IT equipment. The vendor may forbid changes, the device may lack the computing power to run modern security software, or the hospital cannot afford downtime because patients depend on the system every day. In some cases, the manufacturer has ceased to exist.
Hospitals often do not have a complete inventory of their digital environment. They may not know which devices run outdated components, or which applications depend on vulnerable libraries. When a vulnerability emerges, the first challenge is not remediation but basic discovery. In many entities in the scope of EHDS, nobody can answer the simple question: Where exactly are we using this?
This lack of transparency is aggravated by the absence of a software bill of materials (SBOM) tradition in the medical technology industry. Hospitals become dependent on vendors to evaluate and correct vulnerabilities, and some vendors in this industry take months, if not years, to issue a fix. EHDS, with its focus on interoperability, does not address this foundational dependency problem.
EHDS introduces a new dependency model. Hospitals must now trust that their own legacy systems, the systems of other hospitals, third-party vendors, and national data access bodies all apply security consistently. The weakest among them becomes the doorway for attackers. A cybercriminal does not need to breach the best-protected node in a data exchange chain; they only need to find the least protected.
Digital transformation normally requires modernization first and connectivity second. EHDS reverses the sequence. It mandates connectivity first and leaves modernization to happen later, if at all.
EHDS assumes that outdated infrastructure can participate in a highly integrated European data space. The reality is different, and we are deeply concerned.
3. Vulnerabilities at the API layer.
To make patient information portable across borders and usable for secondary purposes such as research and innovation, EHDS requires healthcare systems, EHR vendors, and national authorities to expose standardized APIs through which information flows. These APIs govern how an external system requests health data, how identities are authenticated, how exchanges are logged, and how permissions are granted or revoked. APIs become a frontline of cyberattacks.
In a closed hospital environment, the internal electronic health record system is accessed only by physicians and staff. Once APIs are introduced, that same system becomes reachable by multiple external entities, like national gateways, certified apps, researchers, and foreign healthcare providers. What was previously an internal function is now a remotely callable service. Every API endpoint becomes a potential doorway. Attackers only need to exploit weaknesses in the API layer from the outside.
Hybrid threats, and the vulnerabilities introduced by the European Health Data Space.
Hybrid threats are not cyber threats. They target resilience, not infrastructure. Adversaries aim to destabilize societies, erode trust in institutions, and weaken strategic autonomy. Health data is uniquely powerful in this regard. It is personal, politically sensitive, and economically valuable.
By connecting healthcare providers, public authorities, researchers, and private companies into a unified data ecosystem, EHDS brings speed and efficiency into a sector historically built on compartmentalization. But this transition introduces vulnerabilities that can be exploited in a hybrid conflict.
Before EHDS, health data typically resided in national or even local systems, fragmented and technologically inconsistent. Fragmentation was not efficient, but it provided a natural barrier against systemic failure. EHDS eliminates fragmentation. It introduces a single digital entry point and a standardized framework. A breach in one location can propagate through the system and reach datasets that were never intended to be exposed to external threats. Attackers no longer need to compromise thousands of separate systems. A strategic breach at a single weak point can unlock highly sensitive personal and genetic data, clinical histories, and population-level research datasets.
The hybrid threat dimension introduces weaponization of information, perception, and influence. In a crisis, adversaries could leak or manipulate EHDS data to fuel panic, distrust, or fear. Hybrid operations exploit social vulnerabilities. By targeting the credibility of EHDS, attackers can undermine public confidence.
The health sector is becoming a battlefield in hybrid warfare, where perception is as important as infrastructure. The EU can mitigate these risks by ensuring that cybersecurity, oversight, and governance in hospitals evolve at the same speed as data flows.
The European Health Data Space represents a leap forward for public health and research. But in a world defined by hybrid conflict, the question is not whether EHDS will be attacked, but whether Europe will be ready when it happens.
Hybrid risks and EHDS. A (very) simple example.
An adversarial state wants to weaken public trust in the European Union and influence political decisions. Instead of a direct cyberattack on EU institutions, they choose a softer target: a regional hospital in an EU Member State participating in the EHDS.
The hospital runs outdated network equipment and has no mature governance system. But it has been connected via EHDS APIs to the national health data hub and, through it, to the EHDS cross-border infrastructure.
The hybrid operation begins with a compromised medical device vendor that sends a legitimate-looking but altered software update. An administrator installs the update and, with it, malware designed to silently harvest the authentication credentials used for API access.
With those credentials, the attackers gain access to the hospital's local patient data system. But their real objective is not just patient data theft.
They begin modifying selected data points inside the clinical datasets that feed research projects, adjusting medication histories, altering lab results by small percentages, and introducing anomalies into anonymized research datasets related to new treatment studies. The changes are subtle enough to pass most automated consistency checks.
In parallel, the attackers exfiltrate a small amount of genuine patient data containing sensitive diagnoses, including public figures.
Then, when the dataset has already propagated through EHDS to multiple research centers in other EU countries, phase two begins.
Note: Adversaries target scientific processes. By injecting small, targeted distortions into lab results or patient histories, an attacker can delay research by introducing conflicting findings across research centres. Delays and contradictions slow innovation and raise costs for developers, which is an effective non-kinetic way to weaken an adversary's medical or pharmaceutical competitiveness without overt attack.
When manipulated datasets later surface with inconsistent results, the first casualty is credibility. Governments, hospitals, and universities may find themselves compelled to halt projects, launch expensive audits, or retract publications. Those corrective actions, even when successful, leave scars, as funding dries up, partnerships fray, and political opponents weaponize the uncertainty. For an actor pursuing influence or political objectives, eroding trust in health authorities produces strategic dividends that outlast the initial tamper.
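Added example, not part of the scenario or of any EHDS specification: the kind of integrity check a receiving research centre can run on a propagated extract. It contrasts the range-based consistency check that the scenario says small proportional edits pass with verification against a keyed manifest issued by the originating site, which flags exactly the altered record. Field names, reference ranges, records and the HMAC key are all constructed.

```python
"""Integrity verification of a propagated research extract (added example).

Contrasts a range-based plausibility check, which a small proportional edit
passes, with verification against a keyed manifest produced at the originating
site. Records, reference ranges and the key are constructed.
"""
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed reference ranges, the kind of automated consistency check the
# scenario says subtle edits pass.
REFERENCE_RANGES = {"hba1c_pct": (4.0, 14.0), "ldl_mg_dl": (30.0, 300.0)}

# Constructed pseudonymised extract as released by the originating hospital.
ORIGINAL = [
    {"record_id": "r-0001", "hba1c_pct": 7.2, "ldl_mg_dl": 131.0},
    {"record_id": "r-0002", "hba1c_pct": 6.1, "ldl_mg_dl": 98.0},
    {"record_id": "r-0003", "hba1c_pct": 8.4, "ldl_mg_dl": 155.0},
]

# Constructed key; in practice the manifest would be signed at origin and the
# verification key distributed out of band.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(obj) -> bytes:
    """Deterministic serialisation so identical content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def build_manifest(records: list, key: bytes) -> dict:
    """Per-record digests plus an HMAC over the digest list, issued at origin."""
    digests = {r["record_id"]: record_digest(r) for r in records}
    body = {"count": len(records), "digests": digests}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def plausibility_check(records: list) -> list:
    """Return record_ids with any value outside its reference range."""
    return sorted(
        r["record_id"]
        for r in records
        if any(not lo <= r[f] <= hi for f, (lo, hi) in REFERENCE_RANGES.items())
    )


def verify_against_manifest(records: list, manifest: dict, key: bytes) -> dict:
    """Check manifest authenticity first, then each record against its digest."""
    body = {"count": manifest["count"], "digests": manifest["digests"]}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    seen = {r["record_id"]: record_digest(r) for r in records}
    known = manifest["digests"]
    return {
        "manifest_ok": True,
        "modified": sorted(rid for rid, d in seen.items() if rid in known and known[rid] != d),
        "missing": sorted(set(known) - set(seen)),
        "unexpected": sorted(set(seen) - set(known)),
    }


def simulate_small_edit(records: list, record_id: str, field: str, factor: float) -> list:
    """Test fixture: copy the extract and scale one value by a few percent,
    reproducing the in-range alteration described in the scenario."""
    edited = deepcopy(records)
    for r in edited:
        if r["record_id"] == record_id:
            r[field] = round(r[field] * factor, 1)
    return edited


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL, DEMO_KEY)
    altered = simulate_small_edit(ORIGINAL, "r-0002", "ldl_mg_dl", 1.03)
    print("plausibility flags:", plausibility_check(altered))  # []
    print("manifest check:", verify_against_manifest(altered, manifest, DEMO_KEY))
```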
The attackers leak the stolen personal records and altered research documents on social media channels and news outlets they control. They accompany the leaked data with a claim that EHDS allows unauthorized political profiling of citizens, including tracking of medical conditions without consent.
Social media accounts, including botnets posing as Europeans, repeat and amplify the narrative, framing EHDS as a surveillance tool and an invasion of privacy.
Researchers then realize that the corrupted datasets are producing inconsistent results. A high-profile research institution publicly questions the integrity of the EHDS data pipeline. Politicians, under pressure, call for suspending participation in EHDS until citizen privacy can be guaranteed. The narrative spreads far beyond the original hospital incident.
By the time investigators trace the source to a single compromised local hospital, the strategic damage is done. Confidence in EHDS governance drops, ongoing research projects are stalled, and Member States begin to question participation in the data space.
The adversary did not need to shut down a single server or destroy infrastructure. They combined cyber intrusion, data manipulation, targeted leaks, and disinformation to achieve a geopolitical goal, to weaken cohesion and trust in a major EU project.
Hospitals must stop thinking about cyber risk as an IT problem and start treating EHDS-era threats as multi-domain problems that require a hybrid defence culture.
Hybrid stress testing is the practical bridge between culture and governance. It is a deliberately messy, multi-actor exercise that combines realistic cyber intrusions, data-integrity attacks, supply-chain disruptions, targeted leaks, disinformation amplification and physical pressure on staff or facilities. The goal is to gain experience in how failures propagate across people, processes and technology.
Information sharing and external partnerships are essential. Hospitals must be part of national and cross-border threat-sharing communities. Early warning from another hospital in another Member State can prevent propagation. Establish legal and operational channels for sharing TTPs (tactics, techniques and procedures) and forensic findings that respect patient privacy but enable coordinated defence.
Regulation (EU) 2025/327 was adopted on 11 February 2025, and published in the Official Journal on 5 March 2025.
Full name: Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (Text with EEA relevance).
The aim of this Regulation is to establish the European Health Data Space (EHDS) in order to improve natural persons’ access to and control over their personal electronic health data in the context of healthcare, as well as to better achieve other purposes involving the use of electronic health data in the healthcare and care sectors that would benefit society, such as research, innovation, policymaking, health threats preparedness and response, including preventing and addressing future pandemics, patient safety, personalised medicine, official statistics or regulatory activities.
In addition, this Regulation’s goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values. The EHDS will be a key element in the creation of a strong and resilient European Health Union.
The official text - Regulation (EU) 2025/327, adopted on 11 February 2025
Deadlines, Milestones - European Health Data Space (EHDS)
March 2027: Deadline for the Commission to adopt several key implementing acts, providing detailed rules for operationalising the Regulation.
March 2029: Key parts of the EHDS Regulation will enter into application, including, for primary use, the exchange of the first group of priority categories of health data (Patient Summaries, ePrescriptions/eDispensations) in all EU Member States. Rules on secondary use will also start to apply for most data categories (e.g. data from electronic health records).
March 2031: For primary use, the exchange of the second group of priority categories of health data (medical images, lab results, and hospital discharge reports) should be operational in all EU Member States. Rules on secondary use will also start to apply for the remaining data categories (e.g. genomic data).
March 2034: Third countries and international organisations will be able to apply to join HealthData@EU for secondary use.
21 January 2025 - Council adopts the European Health Data Space (EHDS)
Article 1, Subject matter and scope.
1. This Regulation establishes the European Health Data Space (EHDS) by providing for common rules, standards and infrastructures and a governance framework, with a view to facilitating access to electronic health data for the purposes of primary use of electronic health data and secondary use of those data.
2. This Regulation:
(a) specifies and complements the rights laid down in Regulation (EU) 2016/679 of natural persons in relation to the primary use and secondary use of their personal electronic health data;
(b) lays down common rules for electronic health record systems (‘EHR systems’) in relation to two mandatory harmonised software components, namely the European interoperability software component for EHR systems and the European logging software component for EHR systems, as defined in Article 2(2), points (n) and (o) respectively, and for wellness applications which are claimed to be interoperable with EHR systems in relation to those two harmonised software components, as regards primary use of electronic health data;
(c) lays down common rules and mechanisms for primary use of electronic health data and secondary use of electronic health data;
(d) establishes a cross-border infrastructure enabling the primary use of personal electronic health data across the Union;
(e) establishes a cross-border infrastructure for secondary use of electronic health data;
(f) establishes governance and coordination mechanisms at Union and national level for both primary use of electronic health data and secondary use of electronic health data.
Next steps: The regulation will now be formally signed by the Council and the European Parliament. It will enter into force 20 days after publication in the EU’s Official Journal.
21 January 2025 - European Health Data Space, text of the regulation.
https://data.consilium.europa.eu/doc/document/PE-76-2024-INIT/en/pdf
24 April 2024 - The Members of the European Parliament (MEPs) approved the creation of the European Health Data Space (EHDS)
MEPs voted with 445 in favour and 142 against (39 abstentions) to approve the inter-institutional agreement on establishing a European Health Data Space. It will empower patients to access their health data in an electronic format, including from a different member state to the one in which they live, and allow health professionals to consult their patients’ files with their consent (so-called primary use), also from other EU countries. These electronic health records (EHR) would include patient summaries, electronic prescriptions, medical imagery and laboratory results.
The law will make it possible to transfer health data safely to health professionals in other EU countries (based on MyHealth@EU infrastructure), for example when citizens move to another state. It will be possible to download the health record free of charge.
Additionally, the Health Data Space would unleash the research potential of health data in an anonymised or pseudonymised format. Data including health records, clinical trials, pathogens, health claims and reimbursements, genetic data, public health registry information, wellness data and information on healthcare resources, expenditure and financing, could be processed for public interest purposes, including research, statistics and policy-making (so-called secondary use). Data could, for example, be used to find treatments for rare diseases, where small datasets and fragmentation currently prevent advances in treatments.
Secondary use will not be allowed for commercial purposes including advertising, assessing insurance requests or lending conditions or making job market decisions. Access decisions will be made by national data access bodies.
Next steps
The provisional agreement still needs to be formally approved by the Council. Once published in the EU’s Official Journal, it will enter into force twenty days later. It will be applied two years after, with certain exceptions, including primary and secondary use of data categories, which will apply four to six years later, depending on the category.
15 March 2024 - political agreement reached between the European Parliament and the Council of the EU on the European Health Data Space (EHDS), one of the central building blocks of a strong European Health Union.
Next step: The European Parliament and the Council will formally adopt the new Regulation.
The agreement reached by the co-legislators establishes clear rules for the use of health data for better healthcare delivery, research, innovation, and policymaking.
The new rules will harness the potential offered by the safe and secure exchange, use, and re-use of health data, while ensuring full compliance with the EU's high data protection standards.
Under the new rules, citizens will have immediate and easy access to their digital health data wherever they are in the EU. Health professionals will be able to access the medical records of a patient when required for treatment in a different Member State, allowing for evidence-based decision making, in full compliance with EU data protection rules.
The EHDS also creates a strong legal framework for the re-use of health data for research, innovation, and public health purposes. The data will help develop life-saving treatments and personalised medicines, but also improve crisis preparedness, under strict data security and access conditions, and respecting fundamental rights.
6 December 2023 - Agreement on the Council’s proposal for the European Health Data Space (EHDS)
After this agreement, the EU Council presidency begins negotiations with the European Parliament, with a view to reaching a provisional agreement on the proposed regulation.
The Council’s mandate provides clarity on issues such as the scope of the regulation, alignment with the General Data Protection Regulation (GDPR) and the criteria for providing access to electronic health data.
The Council proposes the creation of two steering groups, made up of member-state representatives, to manage MyHealth@EU and HealthData@EU; other stakeholders may be invited as observers to discuss relevant issues.
The Council’s mandate expands the role of EU member states in the proposed EHDS governing board, and requires national digital health authorities to publish an activity report every two years.
Under the Council’s mandate, member states will have the discretion to allow patients to opt out of the new data-sharing system.
3 May 2022 - The European Commission launched the European Health Data Space (EHDS)
1. Thanks to the EHDS, people will have immediate, and easy access to the data in electronic form, free of charge. They can easily share these data with other health professionals in and across Member States to improve health care delivery. Citizens will be in full control of their data and will be able to add information, rectify wrong data, restrict access to others and obtain information on how their data are used and for which purpose.
2. Member States will ensure that patient summaries, ePrescriptions, images and image reports, laboratory results, discharge reports are issued and accepted in a common European format.
3. Interoperability and security will become mandatory requirements. Manufacturers of electronic health record systems will need to certify compliance with these standards.
4. To ensure that citizens' rights are safeguarded, all Member States have to appoint digital health authorities. These authorities will participate in the cross-border digital infrastructure (MyHealth@EU) that will support patients to share their data across borders.
5. The EHDS creates a strong legal framework for the use of health data for research, innovation, public health, policy-making and regulatory purposes. Under strict conditions, researchers, innovators, public institutions or industry will have access to large amounts of high-quality health data, crucial to develop life-saving treatments, vaccines or medical devices and ensuring better access to healthcare and more resilient health systems.
6. Access to such data by researchers, companies or institutions will require a permit from a health data access body, to be set up in all Member States. Access will only be granted if the requested data is used for specific purposes, in closed, secure environments and without revealing the identity of the individual. It is also strictly prohibited to use the data for decisions which are detrimental to citizens, such as designing harmful products or services or increasing an insurance premium.
7. The health data access bodies will be connected to the new decentralised EU-infrastructure for secondary use (HealthData@EU) which will be set up to support cross-border projects.
Understanding the European Health Data Space (EHDS)
Digitalisation is essential for the future of healthcare. The digital transformation is crucial to provide better healthcare to citizens, to build stronger and more resilient health systems, to support long-term competitiveness and innovation in the EU’s medical industry, and to help the EU recover from the pandemic.
Data is an indispensable part of today’s world. When used responsibly and in full respect of fundamental rights, it can bring incredible benefits to every aspect of our everyday lives, including our health. Member States’ health systems already generate, process and store a vast amount of data. Yet it often remains difficult for citizens to access their health data electronically and for researchers to use it to improve diagnosis and treatments.
A vast amount of health data is generated every second, providing healthcare services and researchers with potential valuable insights. Health data reuse is estimated to be worth around EUR 25-30 billion annually. That figure is expected to reach around EUR 50 billion within 10 years.
However, the complexity and divergence of rules, structures and processes within and across Member States makes it difficult to easily access and share health data. This creates barriers to healthcare delivery and innovation, leaving patients unable to benefit from its potential.
Moreover, health systems are increasingly targeted by cyberattacks. The healthcare sector and the relevant cybersecurity authorities therefore need to treat cybersecurity as a key factor in ensuring the resilience and availability of key healthcare services.
In essence, the EU health sector is rich in data, but poor in making it work for people and science. The EU needs to tap into this huge potential to turn the wealth of health data across Europe into knowledge at the service of citizens, and to better prevent, diagnose and treat diseases.
Health data can help achieve more efficient, higher-quality, safer and more personalised care, and help improve healthcare delivery. Health data and data science could dramatically transform public health and revolutionise healthcare systems, enabling lifesaving healthcare improvements. Health data can also play a crucial role in speeding up the development of new medical products and treatments for the patients who need them most.
The COVID-19 pandemic has clearly demonstrated the importance of digital services in the health domain. It has shown that up-to-date, reliable and FAIR (findable, accessible, interoperable and reusable) health data is key to providing an efficient public health response to a crisis and to developing effective treatments and vaccines. It has also significantly accelerated the uptake of digital tools, such as electronic health records (personal medical records or similar documents in digital form), e-prescriptions and digital health applications, as well as the sharing of research data. Digital health products and services, including telehealth, are no longer novelties. They are becoming a part of everyday care delivery.
Harnessing the power of health data through the digital transformation is especially relevant when patients move within or to other EU countries, and when researchers, innovators, policy-makers or regulators need critical data so that science can help patients. Similarly, sharing health data in border regions, where individuals access healthcare services across the border much more frequently, will become far easier.
Current challenges in using health data.
People cannot always easily access their health data electronically, and if they want to consult doctors in more than one hospital or medical centre, they often cannot share the data with other health professionals. Today, a patient’s health data is often still recorded on paper, untraceable and scattered across various places (hospitals, general practitioners’ venues, medical centres, etc.).
The situation becomes even more difficult when crossing national borders. If a patient visits a doctor in another country, their medical information (including diagnostic images) is often not accessible, which can lead to delays and errors in diagnosis or treatment. In most cases, doctors cannot see the patient’s health data if they have undergone health interventions in another country. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to receive healthcare.
The open public consultation for the European Health Data Space proposal showed that 88% of respondents think it should promote citizens’ control over their own health data, including access to health data and transmission of their health data in electronic format. 84% of respondents say that citizens should have the right to transmit their health data in electronic format to another professional or entity of their choice, and 82% feel that they should have the right to request public healthcare providers to share their health data electronically with other healthcare providers/entities of their choice. 83% of respondents say that the European Health Data Space should facilitate delivery of healthcare for citizens across borders.
Researchers and industry, along with policy-makers and innovators, face important obstacles in accessing the data they need to develop new products, to take informed decisions or to monitor the side effects of medicinal products over the long term, based on real-world evidence, with impact on patient safety. In many cases, consent is the only way to access data for research, policy-making and regulatory purposes. It is very costly and cumbersome for researchers to get consent from every patient to use the patient’s data in their research.
Even when the patient consents, data holders are sometimes reluctant to provide data for reasons other than data protection and prefer to keep the health data for their activities. The current regulatory fragmentation between Member States hampers research and innovation by small players, as well as cross-border research.
Primary use of health data.
1. Patients will have their electronic health data available via access points established by Member States. A cross-border digital infrastructure for primary use will connect Member States and allow patients to share their health data.
2. Patients will be empowered to control and share their electronic health data with a healthcare provider of their choice.
3. Member States will be required to make priority categories of data available in a common European electronic health record exchange format, such as patient summaries, e-prescriptions, e-dispensations, medical images and image reports, laboratory results and discharge reports.
4. Where personal health data has not been collected electronically prior to the application of this Regulation, Member States may decide not to convert it into an electronic format.
5. Health professionals will be able to access electronic health records and should update the electronic health data of the patients they treat.
6. To support data being shared between healthcare providers, mandatory requirements for interoperability, security, safety and privacy will be introduced, as well as mandatory self-certification of electronic health records covering interoperability and security.
7. All Member States will be required to participate in cross-border digital infrastructure for the exchange of health data for healthcare delivery (MyHealth@EU).
8. A pilot project will support patients having access to their data on a mobile device in the language of the country of destination.
9. To facilitate the implementation, transitional periods will apply for certain obligations including the registration of health data, access of health professionals to data, making data available in the European format, the participation in the cross border digital infrastructure, self-certification of electronic health record systems, as well as the voluntary label for wellness applications.
10. Member States will have to set up a digital health authority to ensure that the additional rights for individuals are properly implemented.
Secondary use of health data.
1. The European Health Data Space sets out a common EU framework allowing for use of health data for research, innovation, public health, policy-making, regulatory activities and personalised medicine. It will draw on the creation of a new and decentralised EU infrastructure for secondary use of health data (HealthData@EU) that will connect the health data access bodies to be set up in all Member States.
2. Those who wish to re-use health data will need to apply for a permit from a health data access body. The data permit sets out how the data may be used and for what purpose.
3. The data can only be accessed and processed in closed secure environments to be provided by the health data access bodies with clear standards for cyber security.
4. Only anonymous data can be extracted by the user who applied for the permit from the secure processing environment. Where researchers, companies or public institutions need access to personal electronic health data they can only access it in pseudonymised form, i.e. data offering information about the disease, symptoms and medication, without revealing to the user the identity of the individual. It is forbidden for the user to attempt to re-identify the data subjects.
5. It will be forbidden to use the data to take decisions detrimental to individuals, to increase insurance premiums, to market health products towards health professionals or patients or to design harmful products or services.
6. Health data access bodies will have to ensure transparency: information will be published about data access applications. In addition, data users must make public the results of their electronic health data uses and inform the health data access bodies of any significant findings relevant for the health of individuals.
7. For simple cases, users can directly request data from a single health data provider as long as the same safeguards for privacy and security are ensured.
8. Researchers and innovators from third countries can access data for secondary use under the same conditions and requirements as those from inside the EU.
9. All Member States will be required to participate in the EU infrastructure for secondary use (HealthData@EU) to facilitate cross-border studies. This infrastructure will be piloted in an EU4Health project starting in 2022.
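Points 3 and 4 of the secondary-use list above describe the split that matters in practice: inside the secure processing environment the data user works on pseudonymised records that still allow linking one individual's records, while only anonymous results may leave the environment, and re-identification by the user is prohibited. The example below, added here and not code from the Regulation or from any EHDS implementation, shows one way a health data access body could realise that split. It assumes a keyed pseudonym (HMAC-SHA256 under a per-permit key that only the access body holds, so the body can relay a significant finding back to the individual while the user cannot invert the pseudonym), an assumed small-cell suppression threshold for exports, and constructed sample records; none of these details are prescribed by the Regulation.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records, as a data holder might supply them to a health
# data access body. All identifiers and clinical values are made up.
RAW_RECORDS = [
    {"national_id": "PT-1234567", "name": "A. Silva", "dob": "1981-03-04",
     "diagnosis": "J45.9", "medication": "salbutamol"},
    {"national_id": "PT-7654321", "name": "B. Costa", "dob": "1975-11-21",
     "diagnosis": "E11.9", "medication": "metformin"},
    {"national_id": "PT-1234567", "name": "A. Silva", "dob": "1981-03-04",
     "diagnosis": "J45.9", "medication": "budesonide"},
    {"national_id": "PT-2468135", "name": "C. Lopes", "dob": "1990-07-15",
     "diagnosis": "J45.9", "medication": "salbutamol"},
]

DIRECT_IDENTIFIERS = {"national_id", "name", "dob"}
MIN_CELL_SIZE = 2  # assumed small-cell suppression threshold for exports


def new_permit_key() -> bytes:
    """Key generated by the access body for one data permit (assumed design).
    A fresh key per permit makes pseudonyms from different permits unlinkable."""
    return secrets.token_bytes(32)


def pseudonym(national_id: str, permit_key: bytes) -> str:
    """HMAC-SHA256 of the identifier under the access body's key.
    The user never sees the key, so the pseudonym cannot be inverted or
    brute-forced over the identifier space; the body can still recompute it."""
    mac = hmac.new(permit_key, national_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise(records, permit_key):
    """Strip direct identifiers, keep clinical fields, add the pseudonym.
    Records of the same person under the same permit share a pseudonym."""
    out = []
    for r in records:
        p = {"pseudonym": pseudonym(r["national_id"], permit_key)}
        p.update({k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS})
        out.append(p)
    return out


def resolve(pseudo, raw_records, permit_key):
    """Access-body side only: map a pseudonym back to the individual, e.g. to
    relay a significant finding. Done by recomputing, not by inverting."""
    for r in raw_records:
        if hmac.compare_digest(pseudonym(r["national_id"], permit_key), pseudo):
            return r["national_id"]
    return None


def aggregate_for_export(pseudo_records):
    """Inside the secure environment: count distinct persons per diagnosis and
    suppress small cells, so what leaves carries no record-level data."""
    persons = {(r["diagnosis"], r["pseudonym"]) for r in pseudo_records}
    counts = Counter(dx for dx, _ in persons)
    return {dx: n for dx, n in counts.items() if n >= MIN_CELL_SIZE}


def export_allowed(payload) -> bool:
    """Gate at the environment boundary: reject anything that still carries a
    pseudonym or a direct identifier; only aggregates like the above pass."""
    if isinstance(payload, dict):
        if any(k in DIRECT_IDENTIFIERS or k == "pseudonym" for k in payload):
            return False
        return all(export_allowed(v) for v in payload.values())
    if isinstance(payload, list):
        return all(export_allowed(v) for v in payload)
    return True


if __name__ == "__main__":
    key = new_permit_key()
    pseudo = pseudonymise(RAW_RECORDS, key)
    print(pseudo[0]["pseudonym"] == pseudo[2]["pseudonym"])  # same person: linkable
    print(export_allowed(pseudo))                             # still personal data
    print(export_allowed(aggregate_for_export(pseudo)))       # aggregate may leave
```

The two sides are deliberately asymmetric: `pseudonymise` and `aggregate_for_export` are what runs inside the secure processing environment, while `resolve` and the key stay with the access body. A pseudonymised dataset remains personal data, which is why `export_allowed` rejects it even though no name or national ID is present.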
EU governance mechanism.
1. A new European Health Data Space Board chaired by the Commission will be created, composed of the representatives of digital health authorities and health data access bodies from all the Member States, and observers, depending on area of work.
2. It will contribute to the consistent application of the Regulation throughout the EU, to coordinate and exchange best practices and will cooperate with other bodies at EU level.
3. Member States will cooperate at EU level to ensure the smooth functioning of the two cross-border digital infrastructures (primary and secondary).
The European Health Data Space, together with the GDPR, will give people the right to:
1. Access their health data in electronic form immediately, free of charge and in an easily readable, accessible and commonly used format. Data can be accessed using patient portals, on computers or smart phones, depending on how the Member States make available this information at national level. For people with disabilities to be able to enjoy their rights, the access must be accessible in line with the requirements of the European Accessibility Act (Directive 2019/882);
2. Share their data in electronic form with other health professionals when going to another hospital, without hindrance from previous healthcare providers or manufacturers;
3. Add data to their electronic health record for themselves or for people who trust them, such as their children;
4. Request changes to erroneous data online;
5. Restrict access to their electronic health data or part of the data; in cases of vital interest, where their life is at stake, such data may however be made available with additional restrictions;
6. Easily obtain information on which professional(s) accessed their data.
Member States are required to designate digital health authorities that will have a fundamental role in enforcing the above-mentioned rights.
Examples of how the EHDS will function
Example 1: A woman living in Portugal is going on holidays to France. Unfortunately, she gets sick in France and therefore needs to see a local general practitioner. Thanks to the EHDS and MyHealth@EU, a doctor in France will see on his/her computer the medical history of this patient in French. The doctor can prescribe the necessary medicine based on the medical history of the patient, avoiding for instance products to which the patient is allergic.
Example 2: A health tech company is developing a new AI-based medical decision support tool that assists doctors to make diagnostic and treatment decisions following a review of the patient's laboratory images. The AI compares the patient's images with those of many other previous patients. Through the EHDS, the company is able to have efficient and secure access to a large number of medical images to train the AI algorithm and optimise its accuracy and effectiveness before seeking market approval.
Example 3: A man has a medical image of his lungs, taken in the public hospital where he was brought in by the emergency team. Shortly after, he visits his regular pulmonologist in another hospital. Thanks to the EHDS, his pulmonologist can see the medical image performed in the other hospital, thus avoiding a new, unnecessary test.