European Health Data Space

2022/0140(COD)

The Committee on the Environment, Public Health and Food Safety and the Committee on Civil Liberties, Justice and Home Affairs jointly adopted the report by Tomislav SOKOL (EPP, HR) and Annalisa TARDINO (ID, IT) on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space.

The aim of the proposed regulation is to establish the European Health Data Space (EHDS) in order to:

- improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data);

- better achieve as well as for other purposes that would benefit society such as research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data).

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Rights of natural persons in relation to the primary use of their personal electronic health data

Access to EHR for primary use should be strictly limited to healthcare providers. Where they process data in an electronic format, health professionals should have access, based on the data minimisation and purpose limitation principles, to the electronic health data of natural persons under their treatment and exclusively for the purpose of that treatment, including relevant administration, irrespective of the Member State of affiliation and the Member State of treatment.

Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals should not be informed of the restricted content of the electronic health data without the prior explicit consent of the natural person.

Priority categories of personal electronic health data for primary use

The right of access should cover: patient records; electronic prescriptions; laboratory results; medical test results and other complementary and diagnostic results; discharge reports; patient discharge reports; medical directives of the natural persons and information about consent for substances of human origin and organ donations.

The patient summary should be harmonised across Member States and include a minimum data set that can be expanded to include disease-specific data. Prescription, dispensation and administration of current and past medications across the continuum of care, including hospital and ambulatory/day hospitals.

The Commission should, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data. The Commission should ensure that those implementing acts contain the latest versions of healthcare coding systems and nomenclatures and that they are updated regularly in order to keep up with the revisions of the healthcare coding systems and nomenclatures.

Registration of personal electronic health data

When health data are registered or updated, electronic health records should identify the health professional, time and health care provider that carried out the registration or the update. Member States may provide for other aspects of data registration to be recorded.

Right to an effective judicial remedy against a health data access body

Without prejudice to any other administrative or non-judicial remedy, each natural or legal person should have the right to an effective judicial remedy against a legally binding decision of a health data access body concerning them. Proceedings against a health data access body should be brought before the courts of the Member States where the health data access body is established.

Conformity assessment of EHR systems

In order to certify the conformity of an EHR system with this Regulation, prior to placing an EHR system on the market, the manufacturer, its authorised representative, or any economic operator should apply for a conformity assessment procedure. Only after a Union-wide approval has been issued may the CE marking be affixed, together with an identification number.

Minimum categories of electronic data for secondary use

Natural persons should have the right to opt out of the processing of their electronic health data for secondary use. Member States should provide for an accessible and easily understandable opt-out mechanism, whereby natural persons should be offered the possibility to explicitly express their wish not to have all or part of their personal electronic health data processed for some or all secondary use purposes.

Intellectual property rights and trade secrets for secondary use

Electronic health data entailing protected intellectual property and trade secrets from health data holders should be made available for secondary use. In this case, a specific procedure should apply.

Prohibited secondary use of electronic health data

Members call for rules to prohibit the processing of such data for the following purposes:

- taking decisions which are detrimental to an individual or a group of individuals and which are likely to have legal, economic or social effects;

- taking decisions in relation to a natural person or groups of natural persons in relation to job offers or offering less favourable terms in the provision of goods or services, including to exclude them from the benefit of an insurance or credit contract or to modify their contributions and insurance premiums or conditions of loans;

- advertising or marketing activities;

- automated individual decision-making, including profiling.

Health data access body

Member States should designate one or more health data access bodies responsible for granting access to electronic health data for secondary use.

Member States should ensure that designated separate structures are set up within health data access bodies for the authorisation of the data permit, on the one hand, and for the reception and preparation of the data set, including anonymisation and pseudonymisation of the electronic health data, on the other.

Each health data access body should act with full independence in performing its tasks and exercising its powers in accordance with this Regulation. These bodies should decide on data access applications, including deciding on whether the data should be made accessible in anonymised or pseudonymised form, based on their own thorough assessment of any reasons provided by the health data applicant.

The data access body should only issue an authorisation for data processing if all the conditions set out in this Regulation are met.

Natural and legal persons should have the right to: (i) lodge a complaint, individually or, where relevant, collectively, with the health data access body; (ii) have the data processed by the health data access body reviewed.

Right to receive compensation

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation should have the right to receive compensation. Where a natural person considers that their rights under this Regulation have been infringed, they should have the right to mandate a not-for-profit body, organisation or association to lodge a complaint on their behalf.