European Health Data Space  
2022/0140(COD) - 13/12/2023  

The European Parliament adopted by 516 votes to 95, with 20 abstentions, amendments to the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space.

The matter was referred back to the committee responsible for interinstitutional negotiations.

The aim of the proposed regulation is to establish the European Health Data Space (EHDS) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as to better achieve other purposes that would benefit society, such as research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data).

Access to and transmission of personal electronic health data for primary use

Natural persons should have the right to access, immediately, free of charge and in an easily readable, consolidated and accessible format, their personal electronic health data processed in the context of the primary use of electronic health data. They should have the right to request a health data holder in the health or social security sector, or in the reimbursement services, to transmit some or all of their electronic health data to a health data recipient of their choice in the health or social security sector, or in the reimbursement services, immediately and free of charge.

Access to EHR for primary use should be strictly limited to healthcare providers. Where they process data in an electronic format, health professionals should have access, based on the data minimisation and purpose limitation principles, to the electronic health data of natural persons under their treatment and exclusively for the purpose of that treatment, including relevant administration, irrespective of the Member State of affiliation and the Member State of treatment.

Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals should not be informed of the restricted content of the electronic health data without the prior explicit consent of the natural person.

Priority categories of personal electronic health data for primary use

The right of access should cover: patient records; electronic prescriptions; laboratory results; medical test results and other complementary and diagnostic results; discharge reports; patient discharge reports; medical directives of the natural persons and information about consent for substances of human origin and organ donations.

Personal electronic health data of priority data categories should be delivered across the continuum of care. Member States may provide that individuals have a right to object to the recording of their personal health data in an EMR system.

Right to an effective judicial remedy against a health data access body

Natural and legal persons should have the right to lodge a complaint, individually or, where relevant, collectively, with the health data access body, where their rights are affected. Each natural or legal person should have the right to an effective judicial remedy against a legally binding decision of a health data access body concerning them. Proceedings against a health data access body should be brought before the courts of the Member States where the health data access body is established.

Conformity assessment of EHR systems

In order to certify the conformity of an EHR system with this Regulation, prior to placing an EHR system on the market, the manufacturer, its authorised representative, or any economic operator should apply for a conformity assessment procedure. Only after an EU-wide approval has been issued may the CE marking be affixed, together with an identification number.

Minimum categories of electronic data for secondary use

Natural persons should have the right to opt out of the processing of their electronic health data for secondary use. Member States should provide for an accessible and easily understandable opt-out mechanism, whereby natural persons should be offered the possibility to explicitly express their wish not to have all or part of their personal electronic health data processed for some or all secondary use purposes. The amended regulation requires explicit consent to be obtained from a patient for the secondary use of certain sensitive data (e.g. genetic and genomic information).

Intellectual property rights and trade secrets for secondary use

Electronic health data entailing protected intellectual property and trade secrets from health data holders should be made available for secondary use. In this case, a specific procedure should apply.

In this case, health data access bodies should take measures necessary to preserve the confidentiality of such data and to ensure such rights are not infringed.

Prohibited secondary use of electronic health data

Members call for rules to prohibit the processing of such data for the following purposes:

- taking decisions which are detrimental to an individual or a group of individuals and which are likely to have legal, economic or social effects;

- taking decisions in relation to a natural person or groups of natural persons in relation to job offers or offering less favourable terms in the provision of goods or services, including to exclude them from the benefit of an insurance or credit contract or to modify their contributions and insurance premiums or conditions of loans;

- advertising or marketing activities;

- automated individual decision-making, including profiling.

Health data access body

Member States should designate one or more health data access bodies responsible for granting access to electronic health data for secondary use. They should also ensure that designated separate structures are set up within health data access bodies for the authorisation of the data permit.

Each health data access body should act with full independence in performing its tasks and exercising its powers in accordance with this Regulation. These bodies should decide on data access applications, including deciding on whether the data should be made accessible in anonymised or pseudonymised form, based on their own thorough assessment of any reasons provided by the health data applicant.

The data access body should only issue an authorisation for data processing if all the conditions set out in this Regulation are met.

Natural and legal persons should have the right to: (i) lodge a complaint, individually or, where relevant, collectively, with the health data access body; (ii) have the data processed by the health data access body reviewed.

Right to receive compensation

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation should have the right to receive compensation. Where a natural person considers that their rights under this Regulation have been infringed, they should have the right to mandate a not-for-profit body, organisation or association to lodge a complaint on their behalf.