CHAPTER I: GENERAL PROVISIONS (Articles 1 — 2)
CHAPTER II: PRIMARY USE (Articles 3 — 24)
CHAPTER III: EHR SYSTEMS AND WELLNESS APPLICATIONS (Articles 25 — 49)
CHAPTER IV: SECONDARY USE (Articles 50 — 81)
CHAPTER V: ADDITIONAL ACTIONS (Articles 82 — 91)
CHAPTER VI: EUROPEAN GOVERNANCE AND COORDINATION (Articles 92 — 96)
CHAPTER VII: DELEGATION OF POWERS AND COMMITTEE PROCEDURE (Articles 97 — 98)
CHAPTER VIII: MISCELLANEOUS (Articles 99 — 104)
CHAPTER IX: DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONS (Articles 105 — 105)
ANNEXES

Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. The EHDS builds upon those rights and complements some of them as applied to personal electronic health data. Those rights apply regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of those data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided them, the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation. The additional rights of access and portability of personal electronic health data provided for in this Regulation should be without prejudice to the rights of access and portability as established under Regulation (EU) 2016/679. Natural persons continue to have those rights under the conditions set out in that Regulation.
While the rights conferred by Regulation (EU) 2016/679 should continue to apply, the right of access to data by a natural person, established in Regulation (EU) 2016/679, should be further complemented in the healthcare sector. Under that Regulation, controllers do not have to provide access immediately. The right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming for the controller, such as a hospital or other healthcare provider that provides access. That situation slows down access to health data by natural persons, and can have a negative impact on them if they need such access immediately due to urgent circumstances pertaining to their health condition. It is therefore necessary to provide for a more efficient way for natural persons to access their own personal electronic health data. They should have the right to have free-of-charge and immediate access, while respecting the need for technological practicability, to specific priority categories of personal electronic health data, such as the patient summary, through an electronic health data access service. That right should apply regardless of the Member State in which the personal electronic health data are processed, the type of healthcare provider, the sources of those data or the Member State of affiliation of the natural person. The scope of that complementary right established under this Regulation and the conditions for exercising it differ in certain ways from the right of access to personal data under Regulation (EU) 2016/679, which covers all personal data held by a controller and is exercised against an individual controller, which has up to one month to reply to a request. 
The right to access personal electronic health data under this Regulation should be limited to the categories of data falling within its scope, be exercised via an electronic health data access service and entail an immediate answer. The rights under Regulation (EU) 2016/679 should continue to apply, allowing natural persons to benefit from their rights under both legal frameworks, in particular the right to obtain a paper copy of the electronic health data.
It should be considered that immediate access of natural persons to certain categories of their personal electronic health data could be harmful for the safety of those natural persons or unethical. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis of an incurable disease that is likely to be terminal instead of first providing that information in a consultation with the patient. Therefore, it should be possible to delay the provision of the access to personal electronic health data in such situations for a limited amount of time, for instance until the moment when the health professional can explain the situation to the patient. Member States should be able to establish such an exception where it constitutes a necessary and proportionate measure in a democratic society, in line with restrictions as provided for in Article 23 of Regulation (EU) 2016/679.
This Regulation does not affect Member States’ competences concerning the initial registration of personal electronic health data, such as making the registration of genetic data subject to the natural person’s consent or other safeguards. Member States may require that data be made available in an electronic format prior to the application of this Regulation. This should not affect the obligation to make personal electronic health data, registered after the date of application of this Regulation, available in an electronic format.