Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 73. Secure processing environment
- 1.Health data access bodies shall provide access to electronic health data pursuant to a data permit only through a secure processing environment which is subject to technical and organisational measures and security and interoperability requirements. In particular, the secure processing environment shall comply with the following security measures:
- (a)the restriction of access to the secure processing environment to authorised natural persons listed in the data permit issued pursuant to Article 68;
- (b)the minimisation of the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technical and organisational measures;
- (c)the limitation of the input of electronic health data and the inspection, modification or deletion of electronic health data hosted in the secure processing environment to a limited number of authorised identifiable individuals;
- (d)ensuring that health data users have access only to the electronic health data covered by their data permit, by means of individual and unique user identities and confidential access modes only;
- (e)the keeping of identifiable logs of access to and activities in the secure processing environment for the period necessary to verify and audit all processing operations in that environment; logs of access shall be kept for at least one year;
- (f)ensuring compliance and monitoring the security measures referred to in this paragraph to mitigate potential security threats.
- 2.Health data access bodies shall ensure that electronic health data from health data holders in the format specified in the data permit can be uploaded by those health data holders and can be accessed by the health data user in a secure processing environment. Health data access bodies shall review the electronic health data included in a download request to ensure that health data users are only able to download non-personal electronic health data, including electronic health data in an anonymised statistical format, from the secure processing environment.
- 3.Health data access bodies shall ensure that audits of the secure processing environments are carried out on a regular basis, including by third parties, and shall take corrective action for any shortcomings, risks or vulnerabilities identified by those audits in the secure processing environments.
- 4.Where recognised data altruism organisations under Chapter IV of Regulation (EU) 2022/868 process personal electronic health data using a secure processing environment, those environments shall also comply with the security measures set out in paragraph 1, points (a) to (f), of this Article.
- 5.By 26 March 2027, the Commission shall, by means of implementing acts, lay down the technical, organisational, information security, confidentiality, data protection and interoperability requirements for the secure processing environments, including with regard to the technical characteristics and tools available to the health data user within the secure processing environments. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).
Relevant Recitals for this Article
Given the sensitivity of electronic health data, health data users should not have unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure there are strong technical and security safeguards in place for the electronic health data, the health data access body or, where relevant, the trusted health data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. The processing of personal data in such a secure processing environment should comply with Regulation (EU) 2016/679, including, where the secure processing environment is managed by a third party, the requirements of Article 28 of that Regulation and, where applicable, Chapter V thereof. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the health data users. The health data access body or the health data holder providing that service should remain at all times in control of the access to the electronic health data, and the access granted to the health data users should be determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any personal electronic health data should be downloaded by the health data users from such secure processing environment. Thus, such a secure processing environment is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member States in developing common security standards in order to promote the security and interoperability of the various secure processing environments.
Regulation (EU) 2022/868 sets out the general rules for the management of data altruism. Given that the health sector manages sensitive data, additional criteria should be established through the rulebook referred to in that Regulation. Where such rules provide for the use of a secure processing environment for that sector, such secure processing environment should comply with the criteria established in this Regulation. The health data access bodies should cooperate with the competent authorities designated under Regulation (EU) 2022/868 to supervise the activity of data altruism organisations in the health or care sector.