FantasticSearch

(1) The aim of this Regulation is to establish the European Health Data Space (EHDS) in order to improve natural persons’ access to and control over their personal electronic health data in the context of healthcare, as well as to better achieve other purposes involving the use of electronic health data in the healthcare and care sectors that would benefit society, such as research, innovation, policymaking, health threats preparedness and response, including preventing and addressing future pandemics, patient safety, personalised medicine, official statistics or regulatory activities. In addition, this Regulation’s goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values. The EHDS will be a key element in the creation of a strong and resilient European Health Union.

(2) The COVID-19 pandemic highlighted the imperative of having timely access to quality electronic health data for health threats preparedness and response, as well as for prevention, diagnosis and treatment and for secondary use of such electronic health data. Such timely access could potentially contribute, through efficient public health surveillance and monitoring, to more effective management of future pandemics, to a reduction of costs and to improving the response to health threats, and ultimately could help to save more lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of that pandemic. However, that adaptation was only an emergency solution, showing the need for a structural and consistent approach at Member State and Union level, both in order to improve the availability of electronic health data for healthcare and to facilitate access to electronic health data in order to steer effective policy responses and contribute to high standards of human health.

(3) The COVID-19 crisis strongly cemented the work of the eHealth Network, a voluntary network of authorities responsible for digital health, as the main pillar for the development of contact-tracing and contact-warning applications for mobile devices and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (the ‘FAIR principles’), and ensuring that electronic health data are as open as possible, while respecting the data minimisation principle as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council . Synergies between the EHDS, the European Open Science Cloud and the European Research Infrastructures should be ensured, and lessons should be learned from data-sharing solutions developed under the European COVID-19 Data Platform.

(4) Given the sensitivity of personal electronic health data, this Regulation seeks to provide sufficient safeguards at both Union and national level to ensure a high degree of data protection, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of electronic health data of natural persons for primary use and secondary use as defined in this Regulation.

(5) The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 and, for Union institutions, bodies, offices and agencies, of Regulation (EU) 2018/1725 of the European Parliament and of the Council . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions, bodies, offices and agencies, where relevant.

(6) More and more individuals living in the Union cross national borders to work, study, visit relatives, or for other reasons. To facilitate the exchange of health data, and in line with the need to empower citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including related to the provision of healthcare services, and which reveal information about that natural person’s health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental and physical influences, medical care, and social or educational factors. Electronic health data also include data that have been initially collected for research, statistical, health threat assessment, policymaking or regulatory purposes and it should be possible to make them available in accordance with the rules laid down in this Regulation. Electronic health data consist of all categories of those data, irrespective of whether such data are provided by the data subject or other natural or legal persons, such as health professionals, or are processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automated means.

(7) In health systems, personal electronic health data are usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies and vaccinations, as well as radiology images, laboratory results and other medical data, spread between different actors in the health system, such as general practitioners, hospitals, pharmacies or care services. In order to allow electronic health data to be accessed, shared and modified by natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. In addition, some Member States provide support to public and private healthcare providers to set up personal electronic health data spaces to enable interoperability between different healthcare providers. Several Member States also support or provide electronic health data access services for patients and health professionals, for instance through patient or health professional portals. Those Member States have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data to the central EHR system, for instance by providing a system of certification. However, not all Member States have put in place such systems, and those Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal electronic health data across the Union and avoid negative consequences for patients when receiving healthcare in a cross-border context, Union action is needed to improve natural persons’ access to their own personal electronic health data and to empower them to share those data. In this respect, appropriate action at Union and national level should be taken as a means of reducing fragmentation, heterogeneity and division, and to create a system that is user-friendly and intuitive in all Member States. Any digital transformation in the healthcare sector should aim to be inclusive and also benefit natural persons with limited ability to access and use digital services, including people with disabilities.

(8) Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. The EHDS builds upon those rights and complements some of them as applied to personal electronic health data. Those rights apply regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of those data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided them, the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation. The additional rights of access and portability of personal electronic health data provided for in this Regulation should be without prejudice to the rights of access and portability as established under Regulation (EU) 2016/679. Natural persons continue to have those rights under the conditions set out in that Regulation.

(9) While the rights conferred by Regulation (EU) 2016/679 should continue to apply, the right of access to data by a natural person, established in Regulation (EU) 2016/679, should be further complemented in the healthcare sector. Under that Regulation, controllers do not have to provide access immediately. The right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming for the controller, such as a hospital or other healthcare provider that provides access. That situation slows down access to health data by natural persons, and can have a negative impact on them if they need such access immediately due to urgent circumstances pertaining to their health condition. It is therefore necessary to provide for a more efficient way for natural persons to access their own personal electronic health data. They should have the right to have free-of-charge and immediate access, while respecting the need for technological practicability, to specific priority categories of personal electronic health data, such as the patient summary, through an electronic health data access service. That right should apply regardless of the Member State in which the personal electronic health data are processed, the type of healthcare provider, the sources of those data or the Member State of affiliation of the natural person. The scope of that complementary right established under this Regulation and the conditions for exercising it differ in certain ways from the right of access to personal data under Regulation (EU) 2016/679, which covers all personal data held by a controller and is exercised against an individual controller, which has up to one month to reply to a request. The right to access personal electronic health data under this Regulation should be limited to the categories of data falling within its scope, be exercised via an electronic health data access service and entail an immediate answer. The rights under Regulation (EU) 2016/679 should continue to apply, allowing natural persons to benefit from their rights under both legal frameworks, in particular the right to obtain a paper copy of the electronic health data.

(10) It should be considered that immediate access of natural persons to certain categories of their personal electronic health data could be harmful for the safety of those natural persons or unethical. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis of an incurable disease that is likely to be terminal instead of first providing that information in a consultation with the patient. Therefore, it should be possible to delay the provision of the access to personal electronic health data in such situations for a limited amount of time, for instance until the moment when the health professional can explain the situation to the patient. Member States should be able to establish such an exception where it constitutes a necessary and proportionate measure in a democratic society, in line with restrictions as provided for in Article 23 of Regulation (EU) 2016/679.

(11) This Regulation does not affect Member States’ competences concerning the initial registration of personal electronic health data, such as making the registration of genetic data subject to the natural person’s consent or other safeguards. Member States may require that data be made available in an electronic format prior to the application of this Regulation. This should not affect the obligation to make personal electronic health data, registered after the date of application of this Regulation, available in an electronic format.