Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 67. Health data access applications
- 1.A natural or legal person may submit a health data access application for the purposes referred to in Article 53(1) to a health data access body.
- 2.The health data access application shall include:
- (a)the health data applicant’s identity, a description of that health data applicant’s professional functions and activities, including the identity of the natural persons who would have access to the electronic health data if a data permit were issued; the health data applicant shall notify the health data access body of any update of the list of natural persons;
- (b)the purposes referred to in Article 53(1) for which access to data is applied for;
- (c)a detailed explanation of the intended use of the electronic health data and expected benefit related to that use and how that benefit would contribute to the purposes referred to in Article 53(1);
- (d)a description of the requested electronic health data, including their scope, time range, format, sources and, where possible, the geographical coverage where such data are requested from health data holders in several Member States or from authorised participants in HealthData@EU referred to in Article 75;
- (e)a description explaining whether the electronic health data need to be made available in a pseudonymised or anonymised format; in the case of a pseudonymised format, a justification as to why the processing cannot be carried out using anonymised data;
- (f)where the health data applicant intends to bring datasets already held by that health data applicant into the secure processing environment, a description of those datasets;
- (g)a description of the safeguards, which are to be proportionate to the risks, planned to prevent any misuse of the electronic health data, as well as to protect the rights and interests of the health data holder and of the natural persons concerned, including to prevent any re-identification of natural persons in the dataset;
- (h)a justified indication of the period during which the electronic health data are needed for processing in a secure processing environment;
- (i)a description of the tools and computing resources needed for a secure processing environment;
- (j)where applicable, information on any assessment of ethical aspects of the processing, required under national law, which may serve to replace the health data applicant’s own ethics assessment;
- (k)where the health data applicant intends to make use of an exception under Article 71(4), the justification required by national law pursuant to that Article.
- 3.When seeking access to electronic health data held by health data holders established in more than one Member State or from the relevant authorised participants in HealthData@EU referred to in Article 75, the health data applicant shall submit a single health data access application through the health data access body of the Member State where the main establishment of the health data applicant is located, through the health data access body of the Member State in which one of those health data holders is established or through the services provided by the Commission in HealthData@EU referred to in Article 75. The health data access application shall be automatically forwarded to the relevant authorised participants in HealthData@EU and to the health data access bodies of the Member States where the health data holders identified in the health data access application are established.
- 4.When seeking access to the personal electronic health data in a pseudonymised format, the health data applicant shall provide, together with the health data access application, a description of how the processing would comply with applicable Union and national law on data protection and privacy, in particular with Regulation (EU) 2016/679 and, more specifically, with Article 6(1) thereof.
- 5.Public sector bodies and Union institutions, bodies, offices and agencies shall provide the same information as required under paragraphs 2 and 4, except for paragraph 2, point (h), in which case they shall submit instead information concerning the period for which the electronic health data can be accessed, the frequency of that access or the frequency of the data updates.
Relevant Recitals for this Article
Member States ought to strive to adhere to ethical principles, such as the European ethical principles for digital health adopted by the eHealth Network on 26 January 2022 and the principle of health professional-patient confidentiality, in the application of this Regulation. Recognising the importance of ethical principles, the European ethical principles for digital health provide guidance to practitioners, researchers, innovators, policy-makers and regulators.
In order to ensure that all health data access bodies issue data permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The health data applicant should provide health data access bodies with several elements of information that would help the body evaluate the health data access application and decide if the health data applicant can receive a data permit, and coherence should be ensured between different health data access bodies. The information provided as part of the health data access application should comply with the requirements established under this Regulation in order to enable it to be thoroughly assessed, as a data permit should only be issued if all the necessary conditions set out in this Regulation are met. In addition, where relevant, that information should include a declaration by the health data applicant that the intended use of the health data requested does not pose a risk of stigmatisation, or of causing harm to the dignity, of natural persons or groups to which the dataset requested relates. An ethical assessment could be requested based on national law. In that case, it should be possible for existing ethics bodies to carry out such assessments for the health data access body. Existing ethics bodies of Member States should make their expertise available to the health data access body for that purpose. Alternatively, Member States should be able to provide for ethics bodies to be part of the health data access body. The health data access body, and where relevant health data holders, should assist health data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the health data applicant needs data in an anonymised statistical format, it should submit a health data request, requiring the health data access body to provide the result directly. A refusal of a data permit by the health data access body should not preclude the health data applicant from submitting a new health data access application. In order to ensure a harmonised approach between health data access bodies and to limit the administrative burden for the health data applicants, the Commission should support the harmonisation of health data access applications, as well as health data requests, including by establishing the relevant templates. In justified cases, such as in the case of a complex and burdensome request, the health data access body should be allowed to extend the time period for health data holders to make the requested electronic health data available to it.