Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
Member States ought to strive to adhere to ethical principles, such as the European ethical principles for digital health adopted by the eHealth Network on 26 January 2022 and the principle of health professional-patient confidentiality, in the application of this Regulation. Recognising the importance of ethical principles, the European ethical principles for digital health provide guidance to practitioners, researchers, innovators, policy-makers and regulators.
In order to ensure that all health data access bodies issue data permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The health data applicant should provide health data access bodies with several elements of information that would help the body evaluate the health data access application and decide if the health data applicant can receive a data permit, and coherence should be ensured between different health data access bodies. The information provided as part of the health data access application should comply with the requirements established under this Regulation in order to enable it to be thoroughly assessed, as a data permit should only be issued if all the necessary conditions set out in this Regulation are met. In addition, where relevant, that information should include a declaration by the health data applicant that the intended use of the health data requested does not pose a risk of stigmatisation, or of causing harm to the dignity, of natural persons or groups to which the dataset requested relates. An ethical assessment could be requested based on national law. In that case, it should be possible for existing ethics bodies to carry out such assessments for the health data access body. Existing ethics bodies of Member States should make their expertise available to the health data access body for that purpose. Alternatively, Member States should be able to provide for ethics bodies to be part of the health data access body. The health data access body, and where relevant health data holders, should assist health data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the health data applicant needs data in an anonymised statistical format, it should submit a health data request, requiring the health data access body to provide the result directly. A refusal of a data permit by the health data access body should not preclude the health data applicant from submitting a new health data access application. In order to ensure a harmonised approach between health data access bodies and to limit the administrative burden for the health data applicants, the Commission should support the harmonisation of health data access applications, as well as health data requests, including by establishing the relevant templates. In justified cases, such as in the case of a complex and burdensome request, the health data access body should be allowed to extend the time period for health data holders to make the requested electronic health data available to it.
As their resources are limited, health data access bodies should be allowed to apply prioritisation rules, for instance prioritising public institutions over private entities, but they should not discriminate between the national organisations and organisations from other Member States within the same category of priorities. A health data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publications or to enable additional analysis of the dataset based on the initial findings. This should require an amendment of the data permit and could be subject to an additional fee. However, in all cases, the data permit should reflect such additional uses of the dataset. Preferably, the health data user should mention them in their initial health data access application. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permits.
As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies with a legal mandate in the field of public health, especially the Commission, need access to health data for a longer period and on a recurring basis. This may be the case not only for specific circumstances provided for in Union or national law in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data could be required in specific Member States or throughout the whole territory of the Union. Such Union institutions, bodies, offices and agencies should be able to benefit from an accelerated procedure for having data made available, ordinarily in less than two months, with a possibility of prolonging the timeline by one month in more complex cases.
Member States should be able to designate trusted health data holders for which the data permit issuing procedure can be performed in a simplified manner, in order to alleviate the administrative burden for health data access bodies of managing requests for the data processed by them. Trusted health data holders should be allowed to assess the health data access applications submitted under this simplified procedure, based on their expertise in dealing with the type of health data they are processing, and issue a recommendation regarding a data permit. The health data access body should remain responsible for issuing the final data permit and should not be bound by the recommendation provided by the trusted health data holder. Health data intermediation entities should not be designated as trusted health data holders.