Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
The essential requirements laid down in this Annex shall apply mutatis mutandis to medical devices, in vitro diagnostic medical devices, AI systems and wellness applications claiming interoperability with EHR systems.
General requirements
The harmonised software components of an EHR system shall achieve the performance intended by its manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose and their use does not put at risk patient safety.
The harmonised software components of the EHR system shall be designed and developed in such a way that the EHR system can be supplied and installed, taking into account the instructions and information provided by the manufacturer, without adversely affecting its characteristics and performance during its intended use.
An EHR system shall be designed and developed in such a way that its interoperability, safety and security features uphold the rights of natural persons, in line with the intended purpose of the EHR system, as set out in Chapter II.
The harmonised software components of an EHR system that is intended to be operated together with other products, including medical devices, shall be designed and manufactured in such a way that interoperability and compatibility are reliable and secure, and personal electronic health data can be shared between the device and the EHR system in relation to those harmonised software components of an EHR system.
Requirements for interoperability
Where an EHR system is designed to store or intermediate personal electronic health data, it shall provide an interface enabling access to the personal electronic health data processed by it in the European electronic health record exchange format, by means of the European interoperability software component for EHR systems.
Where an EHR system is designed to store or intermediate personal electronic health data, it shall be able to receive personal electronic health data in the European electronic health record exchange format, by means of the European interoperability software component for EHR systems.
Where an EHR system is designed to provide access to personal electronic health data, it shall be able to receive personal electronic health data in the European electronic health record exchange format, by means of the European interoperability software component for EHR systems.
An EHR system that includes a functionality for entering structured personal electronic health data shall enable the entry of data with sufficient granularity to enable the provision of the entered personal electronic health data in the European electronic health record exchange format.
The harmonised software components of an EHR system shall not include features that prohibit, restrict or place an undue burden on authorised access, personal electronic health data sharing or use of personal electronic health data for permitted purposes.
The harmonised software components of an EHR system shall not include features that prohibit, restrict or place an undue burden on authorised exporting of personal electronic health data for the reasons of replacing the EHR system by another product.
Requirements for security and logging
An EHR system designed to be used by health professionals shall provide reliable mechanisms for the identification and authentication of health professionals.
The European logging software component of an EHR system designed to enable access by healthcare providers or other individuals to personal electronic health data shall provide sufficient logging mechanisms that record at least the following information on every access event or group of events:
(a)
(b)
(c)
(d)
(e)
The harmonised software components of an EHR system shall include tools or mechanisms to review and analyse the log data, or it shall support the connection and use of external software for the same purposes.
The harmonised software components of an EHR system that store personal electronic health data shall support different retention periods and access rights that take into account the origins and categories of electronic health data.