Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 68. Data permit
- 1.For the purposes of granting access to electronic health data, the health data access bodies shall assess whether all the following criteria are fulfilled:
- (a)the purposes described in the health data access application correspond to one or more of the purposes listed in Article 53(1);
- (b)the requested data are necessary, adequate and proportionate for the purposes described in the health data access application, taking into account data minimisation and purpose limitation requirements provided for in Article 66;
- (c)the processing complies with Article 6(1) of Regulation (EU) 2016/679 and, in the case of pseudonymised data, there is sufficient justification that the purpose cannot be achieved with anonymised data;
- (d)the health data applicant is qualified in relation to the intended purposes of data use and has appropriate expertise, including professional qualifications in the areas of healthcare, care, public health or research, consistent with ethical practice and applicable laws and regulations;
- (e)the health data applicant demonstrates sufficient technical and organisational measures to prevent the misuse of the electronic health data and to protect the rights and interests of the health data holder and of the natural persons concerned;
- (f)the information on the assessment of ethical aspects of the processing, referred to in Article 67(2), point (j), where applicable, complies with national law;
- (g)where the health data applicant intends to make use of an exception under Article 71(4), the justification required by national law adopted pursuant to that Article has been provided;
- (h)all other requirements in this Chapter are fulfilled by the health data applicant.
- 2.The health data access body shall also take into account the following:
- (a)risks for national defence, security, public security and public order;
- (b)the risk of undermining the confidentiality of data in governmental databases of regulatory authorities.
- 3.Where the health data access body concludes that the requirements in paragraph 1 are fulfilled and the risks referred to in paragraph 2 are sufficiently mitigated, the health data access body shall grant access to electronic health data by issuing a data permit. Health data access bodies shall refuse all health data access applications where the requirements in this Chapter are not fulfilled. Where the requirements for issuing a data permit are not met, but the requirements to provide a response in an anonymised statistical format under Article 69 are, the health data access body may decide to provide such response, on condition that providing that response would mitigate the risks and, if the purpose of the health data access application can be fulfilled in this manner, that the health data applicant agrees to receiving a response in an anonymised statistical format under Article 69.
- 4.By way of derogation from Regulation (EU) 2022/868, the health data access body shall issue or refuse a data permit within three months of receiving a complete health data access application. If the health data access body finds that the health data access application is incomplete, it shall notify the health data applicant, which shall be given the possibility of completing that application. If the health data applicant does not complete the health data access application within four weeks, the data permit shall not be issued. The health data access body may extend the period for responding to a health data access application by three additional months where necessary, taking into account the urgency and complexity of the health data access application and the volume of health data access applications submitted for decision. In such cases, the health data access body shall notify the health data applicant as soon as possible that more time is needed for examining the health data access application, together with the reasons for the delay.
- 5.When handling a health data access application for cross-border access to electronic health data referred to in Article 67(3), health data access bodies and relevant authorised participants in HealthData@EU referred to in Article 75 shall remain responsible for adopting decisions to grant or refuse access to electronic health data within their remit in accordance with this Chapter. The health data access bodies and authorised participants in HealthData@EU concerned shall inform each other of their decisions. They may take that information into consideration when deciding on granting or refusing access to electronic health data. A data permit issued by one health data access body may benefit from mutual recognition by the other health data access bodies.
- 6.Member States shall provide for an accelerated health data access application procedure for public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health if the processing of electronic health data is to be carried out for the purposes established in Article 53(1), points (a), (b) and (c). When such accelerated procedure applies, the health data access body shall issue or refuse a data permit within two months of receiving a complete health data access application. The health data access body may extend the period for responding to a health data access application by one additional month where necessary.
- 7.Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the health data holder. The health data access body shall make available the electronic health data to the health data user within two months of receiving them from the health data holders, unless the health data access body specifies that the data are to be provided within a longer specified timeframe.
- 8.In cases referred to in paragraph 5, first subparagraph, of this Article, the health data access bodies and authorised participants in HealthData@EU which issued a data permit or access approval, respectively, may decide to provide access to the electronic health data in the secure processing environment provided by the Commission as referred to in Article 75(9).
- 9.Where the health data access body refuses to issue a data permit, it shall provide a justification for that refusal to the health data applicant.
- 10.When issuing a data permit, the health data access body shall set out in that data permit the general conditions applicable to the health data user. The data permit shall contain the following:
- (a)the categories, specification and format of the electronic health data to be accessed, which are covered by the data permit, including their sources and an indication of whether the electronic health data are to be accessed in a pseudonymised format in the secure processing environment;
- (b)a detailed description of the purpose for which the electronic health data are made available;
- (c)where a mechanism to implement an exception is provided for and applicable under Article 71(4), information on whether it has been applied and the reason for the related decision;
- (d)the identity of authorised persons, in particular the identity of the principal investigator, with access rights to the electronic health data in the secure processing environment;
- (e)the duration of the data permit;
- (f)information about the technical characteristics and tools available to the health data user within the secure processing environment;
- (g)the fees to be paid by the health data user;
- (h)any specific conditions.
- 11.Health data users shall have the right to access and process the electronic health data in a secure processing environment in accordance with the data permit issued to them on the basis of this Regulation.
- 12.A data permit shall be issued for the duration necessary to fulfil the requested purposes and that duration shall not exceed 10 years. That duration may be extended once, for a period which does not exceed 10 years, at the request of the health data user, based on arguments and documents to justify that extension which shall be provided one month before the expiry of the data permit. The health data access body may charge fees which increase to reflect the costs and risks of storing electronic health data for a period exceeding the initial period. In order to reduce such costs and fees, the health data access body may also propose to the health data user to store the dataset in a storage system with reduced capabilities. Such reduced capabilities shall not affect the security of the processed dataset. The electronic health data within the secure processing environment shall be deleted within six months of the expiry of the data permit. At the request of the health data user, the formula for the creation of the requested dataset may be stored by the health data access body.
- 13.If the data permit needs to be updated, the health data user shall submit a request for an amendment of the data permit.
- 14.The Commission may, by means of an implementing act, develop a logo for acknowledging the contribution of the EHDS. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2).
Relevant Recitals for this Article
Member States ought to strive to adhere to ethical principles, such as the European ethical principles for digital health adopted by the eHealth Network on 26 January 2022 and the principle of health professional-patient confidentiality, in the application of this Regulation. Recognising the importance of ethical principles, the European ethical principles for digital health provide guidance to practitioners, researchers, innovators, policy-makers and regulators.
In order to ensure that all health data access bodies issue data permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The health data applicant should provide health data access bodies with several elements of information that would help the body evaluate the health data access application and decide if the health data applicant can receive a data permit, and coherence should be ensured between different health data access bodies. The information provided as part of the health data access application should comply with the requirements established under this Regulation in order to enable it to be thoroughly assessed, as a data permit should only be issued if all the necessary conditions set out in this Regulation are met. In addition, where relevant, that information should include a declaration by the health data applicant that the intended use of the health data requested does not pose a risk of stigmatisation, or of causing harm to the dignity, of natural persons or groups to which the dataset requested relates. An ethical assessment could be requested based on national law. In that case, it should be possible for existing ethics bodies to carry out such assessments for the health data access body. Existing ethics bodies of Member States should make their expertise available to the health data access body for that purpose. Alternatively, Member States should be able to provide for ethics bodies to be part of the health data access body. The health data access body, and where relevant health data holders, should assist health data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the health data applicant needs data in an anonymised statistical format, it should submit a health data request, requiring the health data access body to provide the result directly. A refusal of a data permit by the health data access body should not preclude the health data applicant from submitting a new health data access application. In order to ensure a harmonised approach between health data access bodies and to limit the administrative burden for the health data applicants, the Commission should support the harmonisation of health data access applications, as well as health data requests, including by establishing the relevant templates. In justified cases, such as in the case of a complex and burdensome request, the health data access body should be allowed to extend the time period for health data holders to make the requested electronic health data available to it.
As their resources are limited, health data access bodies should be allowed to apply prioritisation rules, for instance prioritising public institutions over private entities, but they should not discriminate between the national organisations and organisations from other Member States within the same category of priorities. A health data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publications or to enable additional analysis of the dataset based on the initial findings. This should require an amendment of the data permit and could be subject to an additional fee. However, in all cases, the data permit should reflect such additional uses of the dataset. Preferably, the health data user should mention them in their initial health data access application. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permits.
As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies with a legal mandate in the field of public health, especially the Commission, need access to health data for a longer period and on a recurring basis. This may be the case not only for specific circumstances provided for in Union or national law in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data could be required in specific Member States or throughout the whole territory of the Union. Such Union institutions, bodies, offices and agencies should be able to benefit from an accelerated procedure for having data made available, ordinarily in less than two months, with a possibility of prolonging the timeline by one month in more complex cases.
Member States should be able to designate trusted health data holders for which the data permit issuing procedure can be performed in a simplified manner, in order to alleviate the administrative burden for health data access bodies of managing requests for the data processed by them. Trusted health data holders should be allowed to assess the health data access applications submitted under this simplified procedure, based on their expertise in dealing with the type of health data they are processing, and issue a recommendation regarding a data permit. The health data access body should remain responsible for issuing the final data permit and should not be bound by the recommendation provided by the trusted health data holder. Health data intermediation entities should not be designated as trusted health data holders.