Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 55. Health data access bodies
- 1.Member States shall designate one or more health data access bodies responsible for carrying out the tasks and obligations set out in Articles 57, 58 and 59. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies that fulfil the conditions set out in this Article. The tasks set out in Article 57 may be distributed between different health data access bodies. Where a Member State designates several health data access bodies, it shall designate one health data access body to act as coordinator, with responsibility for coordinating tasks with the other health data access bodies both within the territory of that Member State and in other Member States. Each health data access body shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, health data access bodies shall cooperate with each other, with the Commission and, for concerns regarding data protection, with the relevant supervisory authorities.
- 2.In order to support the effective performance of the tasks and the exercise of the powers of the health data access bodies, Member States shall ensure that each health data access body is provided with the following elements:
- (a)the necessary human, financial and technical resources;
- (b)the necessary expertise; and
- (c)the necessary premises and infrastructure.
Where an assessment by ethics bodies is required under national law, those bodies shall make expertise available to the health data access body. As an alternative, Member States may provide for ethics bodies to form part of the health data access body.
- 3.Member States shall ensure that any conflicts of interest between the organisational parts of health data access bodies performing the different tasks of such bodies is avoided by, for example, providing for organisational safeguards such as segregation between health data access bodies’ different functions, including assessing applications, the reception and preparation of datasets, for example pseudonymisation and anonymisation of datasets, and the provision of data in secure processing environments.
- 4.In the performance of their tasks, health data access bodies shall actively cooperate with relevant stakeholders’ representatives, especially with representatives of patients, health data holders and health data users and shall avoid any conflicts of interest.
- 5.In the performance of their tasks and exercise of their powers, health data access bodies shall avoid any conflicts of interest. Health data access bodies’ staff shall act in the public interest and in an independent manner.
- 6.Member States shall inform the Commission of the identity of the health data access bodies designated pursuant to paragraph 1 by 26 March 2027. They shall also inform the Commission of any subsequent modification of the identity of those bodies. The Commission and the Member States shall make that information publicly available.
Relevant Recitals for this Article
The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is essential to promoting the secondary use of health-related data. Member States should therefore establish one or more health data access bodies to reflect, inter alia, their constitutional, organisational and administrative structure. However, one of those health data access bodies should be designated as a coordinator in the event there is more than one health data access body. Where a Member State establishes several health data access bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the European Health Data Space Board (the ‘EHDS Board’). That Member State should, in particular, designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies could vary in terms of organisation and size, spanning from a dedicated fully fledged organisation to a unit or department in an existing organisation. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use and should avoid any conflicts of interest. Therefore, members of the governance and decision-making bodies of each health data access body and its staff should refrain from any action that is incompatible with their duties and should not engage in any incompatible occupation. However, the independence of the health data access bodies should not mean that they cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review. Each health data access body should be provided with the financial, technical and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. The members of the governance and decision-making bodies of health data access bodies and their staff should have the necessary qualifications, experience and skills. Each health data access body should have a separate public annual budget, which could be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(2) of Regulation (EU) 2022/868, Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation (EU) 2022/868 or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
Health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, health data access bodies should cooperate with each other and with the Commission. Health data access bodies should also cooperate with stakeholders, including patient organisations. Health data access bodies should support health data holders that are small enterprises in accordance with Commission Recommendation 2003/361/EC , in particular medical practitioners and pharmacies. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulations (EU) 2016/679 and (EU) 2018/1725 apply and the supervisory authorities under those Regulations should remain the only authorities competent for enforcing those provisions. Health data access bodies should inform the data protection authorities of any penalties imposed and any potential issues related to data processing for secondary use and exchange any relevant information at their disposal to ensure enforcement of the relevant rules. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, and promote the development of common standards. They should apply tested state-of-the-art techniques that ensure electronic health data are processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets for the health data user as required under the issued data permit. In that regard, health data access bodies should cooperate across borders to develop and exchange best practices and techniques. This includes rules for pseudonymisation and anonymisation of micro datasets. When relevant, the Commission should set out the procedures and requirements, and provide technical tools, for a unified procedure for pseudonymising and anonymising electronic health data.
Health data access bodies should ensure that secondary use is transparent by providing public information about the data permits granted and their justifications, the measures taken to protect the rights of natural persons, the means for natural persons to exercise their rights in relation to secondary use, and the outcomes of secondary use including through links to scientific publications. Where appropriate, that information on the outcomes of secondary use should also include a lay summary to be provided by the health data user. Those transparency obligations complement the obligations laid down in Article 14 of Regulation (EU) 2016/679. The exceptions provided for in Article 14(5) of that Regulation could apply. Where such exceptions do apply, the transparency obligations established in this Regulation should contribute to ensuring fair and transparent processing as referred to in Article 14(2) of Regulation (EU) 2016/679, for example through providing information on the purpose of the processing and the data categories processed, thereby enabling natural persons to understand whether their data are being made available for secondary use pursuant to data permits.