European Health Data Space (EHDS) New ways of using medical data
European Health Data Space
The aim of the EU Commission is to improve the use and exchange of health data in the European Union in order to keep pace with developments abroad. One of the most significant "experiences" in this regard is likely to have been the fact that, during the height of the coronavirus pandemic, data on pandemic events from abroad, such as Israel and the UK, was needed, while such comprehensive data was not accessible within the European Union, as it was - in the words of Federal Minister Karl Lauterbach - isolated in "data silos". Various sector-specific data rooms are to be created to improve the usability of the data. In addition to data rooms for health data, for example, data rooms for mobility data are also to be created. Data owners will then have to make their data available to specific, defined data users. The first concrete implementation of such a data space is now available in the form of the European Health Data Space Regulation.
The draft regulation on the European Health Data Space (EHDS) consists of two main components: the primary use of health data and the secondary use of health data.
Primary use of health data
Two aspects are to be achieved in the primary use of electronic health data:
The first is to facilitate the exchange of data between the various EU Member States. Firstly, a central European platform for digital health is to be created. The draft regulation already provides a specific name for this: "MyHealth@EU". Secondly, a standardized exchange format for electronic patient records and data is to be defined so that the exchange across the various Member States is also technically possible.
Secondly, specifications are to be made for the software for electronic patient records. The English term for this is: Electronic Health Records ("EHR"). The EHDS Regulation then sets out various requirements for such an EHR - roughly comparable to the requirements for a Class I product under the EU Medical Device Regulation ("MDR"). In particular, there are requirements for interoperability, compatibility and security.
Secondary use of electronic health data
The second relevant part of the EHDS Regulation relates to the secondary use of electronic health data. This means that data available in the data room should and may be used for other purposes, in particular for medical research.
According to this - roughly outlined - so-called data users should be able to apply to a national body for access to data from so-called data holders. The national body may then issue a data authorization as a result of which a data owner must provide the data. Data holders can also be MedTech companies. The data may even include data from medical devices.
It is envisaged that data users will be able to view the data in a "secure environment". This essentially means a kind of log-in to the MyHealth@EU portal - as opposed to downloading the data. It should only be possible to download data relating to non-personal electronic health data.
Criticism
The draft regulation on the EHDS is currently facing considerable criticism:
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) consider the draft EHDS Regulation to be currently incompatible with data protection law and themselves see a violation of the EU Charter of Fundamental Rights, in which data protection is also enshrined.
Another point of criticism is that simple wellness apps are also to be covered, i.e. software that has not reached the threshold of a medical device. If, for example, data from fitness trackers is also collected, this raises considerable concerns in two respects: firstly, the quality of the data is likely to be different to that of data generated by a certified medical device. Secondly, such wellness apps (e.g. a fitness wristwatch) collect much more extensive data about a person over the course of a day. The storage and accessibility of this data provides a far more comprehensive insight into the everyday life and thus also the personality of the person concerned than a selective view, for example by taking an X-ray at a certain point in time.
There is also criticism that the age-old principle of processing health data, namely patient confidentiality and medical confidentiality, is no longer given any special consideration.
There are also considerable concerns with regard to the question of whether data can actually be pseudonymized or whether a personal reference can be established after all due to the possibility of merging with other data or from inferences.
Other points of contention concern the question of the obligation to cooperate or the "unsolicited" provision of this data, possibly without an opt-out rule.
There are also calls for data authorization to be granted not by a national authority, but by a single European body, which should also carry out an ethical assessment. This would avoid different decision-making practices and also a so-called "race to the bottom", whereby data users would preferentially request the body that has created the lowest hurdles in administrative practice.
Finally, the lack of coordination with the provisions of the GDPR is criticized. The draft EHDS Regulation does contain the provision that it should remain unaffected by the GDPR. Nevertheless, many questions arise, e.g. regarding the interaction with the regulation on special categories of personal data (in particular health data) in accordance with Art. 9 GDPR.
Parallel efforts in Germany
Two parallel projects were agreed in the coalition agreement, namely a Health Data Usage Act and a Register Act.
Health Data Utilization Act
The Health Data Utilization Act is currently only mentioned in the coalition agreement. A draft is not yet available. At the request of Baden-Württemberg, the Bundesrat approved it in December 2022. The federal government is now called upon to swiftly present a draft law on the use of health data.
The aim is to improve the scientific use of health data in accordance with the GDPR. In particular, a decentralized research data infrastructure is to be created. In this respect, there are many parallels to the EHDS Regulation, so that the national designs must then also be coordinated with the regulations from the upcoming EHDS Regulation.
Register Act
The Register Act is also only mentioned in the coalition agreement. A draft bill is not yet available.
There are over 350 different medical-scientific registers in Germany - some required by law and many on a voluntary basis. The aim of the Register Act is to help improve access to and the usability of existing medical register data for research and healthcare. In this respect, a certain degree of standardization is to be achieved. In this respect, the legislation follows on from some aspects of the previous government's Digital Care Act (DVG), e.g. with regard to the Research Data Center (FDZ). The question of the extent to which data may be added to the register, in particular whether consent is required or whether a mere opt-out can be provided for, will also be a major dispute here.
Conclusion
The draft EHDS Regulation and the two intended national laws, the Health Data Utilization Act and the Register Act, have given new impetus to legislation in the area of the "utilization" of medical data. In this respect, there is hope that access to health data will be made considerably easier and that further opportunities for research and, above all, commercial exploitation will arise. However, it should also be noted that the current legislative drafts or their preliminary stages are subject to considerable criticism. If this cannot be resolved in the course of further legislation, it is to be feared that there will be considerable concerns regarding the ineffectiveness of the application of the new regulations and the use of the new possibilities. It will then be necessary to assess precisely which measures can be taken on the basis of the new laws - or, in perspective, beforehand - without taking too great a legal risk.