Is the new EU Health Data Space Regulation a turning point for EU health data access?

The regulation creates an EU health “data space” and is designed to facilitate access to and control of health data.

On January 21, 2025, the EU Council approved the EU Health Data Space Regulation (the EHDSR). This will come into force 20 days after its publication in the EU Official Journal, which is expected shortly.

The EHDSR:

  • creates an EU health “data space” and is designed to facilitate:
    • access to and control of health data by individuals; and
    • access to health records for primary purposes (broadly, healthcare) and secondary purposes (for example occupational health, research, education, product development etc) by health professionals, policy makers, researchers and innovators; 
  • sets out a cross-border infrastructure enabling the use of health data for primary and secondary purposes and a governance framework;
  • sets up a European Health Data Space Board to oversee the sharing of data between member states and the Commission;
  • seeks to enhance interoperability by mandating certain software components for electronic health records (see “interoperability” below).   

Who is affected by the EHDSR?

Private or public organizations operating in the life science sectors, including:

  • health care providers (HCPs),
  • medical device manufacturers,
  • providers of electronic health records systems,
  • manufacturers of wellbeing apps and
  • other developers of health care products and services.

What does this mean to you?

The EHDSR will:

  • require changes to some organizations’ compliance policies and procedures, the technology they use, the way they develop products and their contract terms;
  • require organizations falling under the “data holder” definition (see below) to share their health data records with those “applying” for them; and
  • also open up opportunities for users to access third-party health data for their own purposes, subject to conditions, including for AI training and testing and for research.

Enhanced individuals’ rights

The EHDSR enhances existing individual rights under the GDPR and creates new rights in relation to individual health records.

These include the right for individuals:

  • to insert information in health records;
  • to port health data between providers; and
  • to be informed when health data has been accessed, for example, by receiving an automatic alert. 

HCPs will have to honour these rights when requested, and providers of the information systems used by these HCPs will have to ensure that the systems they offer facilitate such compliance.

Interoperability

Electronic health record (EHR) systems used by HCPs (except general-purpose software used in healthcare) are required to incorporate an interoperability software component and a logging software component. Certain software components may also be considered medical devices, in vitro diagnostic medical devices and/or high-risk AI systems under EU law. Manufacturers of such software components may therefore be subject to overlapping regimes, which the EHDSR addresses.

Manufacturers of wellness applications claiming interoperability with EHR systems will have to comply with labelling requirements. The EHDSR sets out that the sharing of personal data between the wellness applications and the EHR systems will be subject to the individual’s consent (which narrows the range of conditions otherwise available under the GDPR).

Secondary purposes

The EHDSR sets out that data holders (a broadly defined term including public and private organizations in the health space) are obliged to make certain categories of health data available for certain secondary processing purposes, such as research, product improvement, training, or testing or evaluating algorithms. (Use for other secondary purposes, such as advertising and marketing, is prohibited.)

Where the data holder is not a ‘trusted data holder’ (as designated under EU member states’ local procedures, based on criteria such as the security measures they implement, their expertise, etc.), data users will have to apply for a permit, which will be issued by the EU member state’s health data access body. In addition to granting permits, health data access bodies will monitor the activities of data users and data holders and may issue penalties for non-compliance with their obligations.

Conclusion

While the opportunities afforded by the EHDSR, including the promise of access to health data, are exciting, the advent of yet another regulation may feel a bit overwhelming for those operating in the life science and digital health space.

Indeed, organizations in this space have seen, in recent years, a continuous stream of digital regulations in the UK and the EU setting out novel and complex regimes to comply with, often subjecting them to the highest level of requirements given the critical nature of the services provided and the sensitive nature of the data they handle. The EU Data Act, the EU Network and Information Security Directive 2 (NIS2), the EU Artificial Intelligence Act, the UK Online Safety Act and the UK Product Security and Telecommunications Infrastructure Act are among these regulations.

Nuria Pastor is a UK based Director in the Data & Privacy team. She advises global organizations on data protection compliance matters and also provides strategic advice, including acting as DPO to some clients. Renzo Marchini is a partner in the Technology and Data group in Fieldfisher’s London office, advising clients ranging from start-ups to multinationals in all sectors.