EHDS Article 60. Duties of health data holders

Without hindering or replacing contractual arrangements or other mechanisms in place, this Regulation is aimed at establishing a common mechanism to access electronic health data for secondary use across the Union. Under that mechanism, health data holders should make the data they hold available on the basis of a data permit or a health data request. For the purpose of processing electronic health data for secondary use, one of the legal bases referred to in Article 6(1), points (a), (c), (e) or (f), of Regulation (EU) 2016/679 in conjunction with Article 9(2) thereof is required. Accordingly, this Regulation provides for a legal basis for the secondary use of personal electronic health data, including the safeguards required under Article 9(2), points (g) to (j), of Regulation (EU) 2016/679 to allow the processing of special categories of data, in terms of lawful purposes, trusted governance for providing access to health data through the involvement of health data access bodies, and processing in a secure processing environment, as well as arrangements for data processing, set out in the data permit. Consequently, Member States should no longer be able to maintain or introduce under Article 9(4) of Regulation (EU) 2016/679 further conditions, including limitations and specific provisions requesting the consent of natural persons, with regard to the processing for secondary use of personal electronic health data under this Regulation, with the exception of the introduction of stricter measures and additional safeguards at national level aimed at safeguarding the sensitivity and value of certain data as laid down in this Regulation. Health data applicants should also demonstrate a legal basis referred to in Article 6 of Regulation (EU) 2016/679 that allows them to request access to electronic health data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV thereof. In addition, the health data access body should assess the information provided by the health data applicant, based on which it should be able to issue a data permit for the processing of personal electronic health data pursuant to this Regulation that should fulfil the requirements and conditions set out in Chapter IV of this Regulation. For processing of electronic health data held by the health data holders, this Regulation creates the legal obligation within the meaning of Article 6(1), point (c), of Regulation (EU) 2016/679, in accordance with Article 9(2), points (i) and (j), of that Regulation, for the health data holder to make available the personal electronic health data to health data access bodies, while the legal basis for the purpose of the initial processing, for example the delivery of healthcare, is unaffected. This Regulation also assigns tasks in the public interest within the meaning of Article 6(1), point (e), of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2), points (g) to (j), as applicable, of that Regulation. If the health data user relies upon a legal basis set out in Article 6(1), point (e) or (f), of Regulation (EU) 2016/679, this Regulation should provide for the safeguards required under Article 9(2) of Regulation (EU) 2016/679.

Health data users who benefit from access to datasets provided for under this Regulation could enrich the data in those datasets with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of the data in the datasets. Health data users should be encouraged to report critical errors in datasets to health data access bodies. To support the improvement of the initial database and further use of the enriched dataset, Member States should be able to establish rules for the processing and the use of electronic health data containing improvements related to the processing of those data. The improved dataset should be made available free of charge to the original health data holder together with a description of the improvements. The health data holder should make the new dataset available, unless it provides a justified notification to the health data access body for not doing so, for instance in cases in which the enrichment by the health data user is of low quality. It should be ensured that non-personal electronic health data are available for secondary use. In particular, pathogen genomic data hold significant value for human health, as shown during the COVID-19 pandemic during which timely access to and sharing of such data proved to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics efforts will be achieved when public health and research processes share datasets and cooperate to inform and improve each other.

Public or private entities often receive public funding from national or Union funds to collect and process electronic health data for research, official or unofficial statistics, or other similar purposes, including in areas where the collection of such data is fragmented or difficult, such as in relation to rare diseases or cancer. Such data, collected and processed by health data holders with the support of Union or national public funding, should be made available to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policymaking, benefiting society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. The health data holders in the context of secondary use should therefore be entities that are healthcare providers or care providers or carry out research with regard to the healthcare or care sectors, or develop products or services intended for the healthcare or care sectors. Such entities can be public, not for profit or private. In line with this definition, nursing homes, day-care centres, entities providing services for people with disabilities, entities carrying out business and technological activities related to care such as orthopaedics and companies providing care services should be considered health data holders. Legal persons developing wellness applications should also be considered health data holders. Union institutions, bodies, offices or agencies that process those categories of health and healthcare data as well as mortality registries should also be considered health data holders.In order to avoid a disproportionate burden for natural persons and microenterprises, they should be, as a general rule, exempted from the obligations on health data holders. Member States should, however, be able to extend the obligations of health data holders to natural persons and microenterprises in their national law. To reduce the administrative burden, and in light of the effectiveness and efficiency principles, Member States should be able to require in their national law that health data intermediation entities carry out the duties of certain categories of health data holders. Such health data intermediation entities should be legal persons able to process, make available, register, provide, restrict access to, and exchange electronic health data for secondary use provided by health data holders. Such health data intermediation entities perform tasks that differ from those of data intermediation services under Regulation (EU) 2022/868.

In order to support secondary use, health data holders should refrain from withholding the data, requesting unjustified fees that are not transparent or proportionate to the costs of making the data available or, where relevant, to marginal costs of data collection, requesting the health data users to co-publish the research or other practices that could dissuade the health data users from requesting the data. Where a health data holder is a public sector body, the part of the fees linked to its costs should not cover the costs of the initial collection of the data. Where ethical approval is necessary for providing a data permit, the evaluation related to ethical approval should be based on its own merits.