Primary use of electronic health data
All EU citizens will have access to their electronic health records by 2030 thanks to the EU’s central eHealth platform linking national contact points to the MyHealth@EU infrastructure and efficient national digital health authorities.
Types of electronic health data
The draft Regulation on the European health data space divides electronic health data into personal and non-personal.
Electronic personal health data includes:
- Personal data on a natural person’s physical and mental health, including information about the use of healthcare services, which provides a picture of the person’s health
- Genetic data about the inherited or acquired genetic characteristics of a natural person, revealing unique information about the physiology or health of that person, resulting in particular from the analysis of a biological sample obtained from the person
- Data, including those extracted from wellness applications, on behaviour, environmental impact, physical factors, social factors, medical care or education, i.e. factors determining health
- Data processed in connection with the provision of healthcare services, such as images and image reports.
The above data is to be processed in an electronic form.
Data in the first two groups is personal data within the meaning of the General Data Protection Regulation and is subject to its provisions on protection of the rights of natural persons in connection with data processing, as well as to the provisions of the future regulation. The data from the remaining groups is health-related, and therefore its use is to be carried out in accordance with the draft regulation.
As defined in the draft regulation, electronic non-personal health data is health data and genetic data in electronic format that falls outside of the concept of personal data provided for in Art. 4(1) GDPR. Thus this is data, even sensitive data, that does not identify or allow the identification of a specific natural person to whom the data relates, but is subject to the regime of the draft regulation.
The draft regulation singles out a category of priority electronic personal health data due to its importance to the delivery of healthcare. It includes six types of data: patient summaries, electronic prescriptions, electronic dispensations, medical images and image reports, laboratory results, and discharge reports. More detailed characteristics of each category are specified in Annex 1 to the regulation. The member states should prioritise the implementation of access for authorised natural persons and entities to these categories of electronic personal health data for primary use and for enabling their use in other member states.
Over time, the list of categories of such data will expand as the technical capacity to exchange them between member states increases.
Access to electronic health data
The right to access electronic personal health data is available to the natural persons to whom the data relates. The draft regulation requires the states to provide such access in an easy-to-read, consolidated and accessible format. The natural persons entitled to such access would be able to supplement their electronic health data, make corrections, grant or restrict access to their data to entities from the healthcare sector, and have the right to request transfer of their health data to a data recipient of their choice, including abroad. Effective respect for the rights of data subjects depends on the extent to which implementation of the European format for the exchange of electronic medical records is advanced.
The draft regulation does not forget about people who are digitally excluded for various reasons. Such persons would be able to exercise their rights with respect to electronic health data through an attorney-in-fact. Each state is obliged to establish a power of attorney service, which will also be used, for example, by guardians of minors.
The draft regulation also provides for an access service for health professionals with regard to the electronic health data of the individuals they treat, in particular access to priority data, regardless of the patient’s state of origin or insurance status. On the other hand, healthcare professionals are obliged to update this data with information about the healthcare services provided to the patient, i.e. to enter such information into electronic medical records.
Digital health authorities
The draft regulation obliges each member state to establish a digital health authority (if such an authority is not already in place in a given state). It is to be responsible for implementing regulations on access to and exchange of electronic health data and enforcing access rights to health data for natural persons and medical personnel. The state digital health authorities are expected to take various steps towards achieving the aims indicated in the regulation. The list of tasks of these bodies included in the draft regulation may be supplemented by the Commission’s delegated acts.
An interesting competence granted to the digital health authority is the power to investigate complaints filed by natural persons or legal entities. The draft does not limit the subject matter of such complaints, so it is reasonable to believe that they could relate to any issues involving the primary use of health data governed by the future regulation. The authority has the exclusive power to conduct proceedings on the issue raised in the complaint and make a decision. The draft regulation does not establish any procedure for appealing the authority’s decision. It is to be expected that specific provisions relating to the complaint procedure will be laid down by domestic regulations.
Cross-border digital infrastructure for primary use of electronic health data
One of the objectives of the new regulation is to establish uniform rights throughout the EU for natural persons to access health data, and the possibility of cross-border exchange of health data for primary use (we write more about this in “The European Health Data Space”). A condition for implementation of this aim is construction of digital infrastructure with the participation of all EU countries, coordinated and managed at the EU level. A “central platform for digital health,” established and funded by the Commission, “providing services to support and facilitate the exchange of electronic health data between national contact points for digital health,” is to serve this purpose. Each state has the duty to designate a contact point (it can function within the digital health authority) and, through this contact point, participate in the MyHealth@EU infrastructure.
A “national contact point for digital health” is defined as “an organisational and technical gateway for the provision of cross-border digital health information services for primary use of electronic health data, under the responsibility of the Member States.” It is the responsibility of each member state to connect all healthcare providers to the national contact point for digital health, enabling them to exchange electronic health data in both directions with the national contact point. Similarly, national pharmacies, including online pharmacies, are to have access via MyHealth@EU to digital prescriptions transmitted from other member states. They are to report fulfilment of prescriptions to the state where the prescription was issued, also through MyHealth@EU.
National contact points for digital health have the status of joint controllers of electronic health data transferred by MyHealth@EU in connection with the processing operation in which they participate. The Commission acts as a processor. The details of the operation of the infrastructure, especially the methods of ensuring the security and confidentiality of the transmitted electronic health data, are to be included in the Commission’s implementing acts.
The MyHealth@EU infrastructure can be used to provide additional services by member states, such as telemedicine, but also to support public health. A contact point of a third country may be allowed to operate on MyHealth@EU if it meets the requirements of the infrastructure and the MyHealth@EU infrastructure administration group issues a relevant decision. This will expand the primary use of electronic health data, including the exchange of such data, beyond the territory of member states. This could be crucial, for example, in a pandemic.
Dr Ewa Butkiewicz, attorney-at-law, Life Science & Healthcare practice, Wardyński & Partners