Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
Where an assessment by ethics bodies is required under national law, those bodies shall make expertise available to the health data access body. As an alternative, Member States may provide for ethics bodies to form part of the health data access body.
The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is essential to promoting the secondary use of health-related data. Member States should therefore establish one or more health data access bodies to reflect, inter alia, their constitutional, organisational and administrative structure. However, one of those health data access bodies should be designated as a coordinator in the event there is more than one health data access body. Where a Member State establishes several health data access bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the European Health Data Space Board (the ‘EHDS Board’). That Member State should, in particular, designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies could vary in terms of organisation and size, spanning from a dedicated fully fledged organisation to a unit or department in an existing organisation. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use and should avoid any conflicts of interest. Therefore, members of the governance and decision-making bodies of each health data access body and its staff should refrain from any action that is incompatible with their duties and should not engage in any incompatible occupation. However, the independence of the health data access bodies should not mean that they cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review. Each health data access body should be provided with the financial, technical and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. The members of the governance and decision-making bodies of health data access bodies and their staff should have the necessary qualifications, experience and skills. Each health data access body should have a separate public annual budget, which could be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(2) of Regulation (EU) 2022/868, Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation (EU) 2022/868 or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
Health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, health data access bodies should cooperate with each other and with the Commission. Health data access bodies should also cooperate with stakeholders, including patient organisations. Health data access bodies should support health data holders that are small enterprises in accordance with Commission Recommendation 2003/361/EC , in particular medical practitioners and pharmacies. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulations (EU) 2016/679 and (EU) 2018/1725 apply and the supervisory authorities under those Regulations should remain the only authorities competent for enforcing those provisions. Health data access bodies should inform the data protection authorities of any penalties imposed and any potential issues related to data processing for secondary use and exchange any relevant information at their disposal to ensure enforcement of the relevant rules. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, and promote the development of common standards. They should apply tested state-of-the-art techniques that ensure electronic health data are processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets for the health data user as required under the issued data permit. In that regard, health data access bodies should cooperate across borders to develop and exchange best practices and techniques. This includes rules for pseudonymisation and anonymisation of micro datasets. When relevant, the Commission should set out the procedures and requirements, and provide technical tools, for a unified procedure for pseudonymising and anonymising electronic health data.
Health data access bodies should ensure that secondary use is transparent by providing public information about the data permits granted and their justifications, the measures taken to protect the rights of natural persons, the means for natural persons to exercise their rights in relation to secondary use, and the outcomes of secondary use including through links to scientific publications. Where appropriate, that information on the outcomes of secondary use should also include a lay summary to be provided by the health data user. Those transparency obligations complement the obligations laid down in Article 14 of Regulation (EU) 2016/679. The exceptions provided for in Article 14(5) of that Regulation could apply. Where such exceptions do apply, the transparency obligations established in this Regulation should contribute to ensuring fair and transparent processing as referred to in Article 14(2) of Regulation (EU) 2016/679, for example through providing information on the purpose of the processing and the data categories processed, thereby enabling natural persons to understand whether their data are being made available for secondary use pursuant to data permits.