Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
The implementing acts referred to in the first subparagraph of this paragraph shall be adopted in accordance with the examination procedure referred to in Article 98(2).
In order to achieve an inclusive and sustainable framework for multi-country secondary use, a cross-border infrastructure should be established (‘HealthData@EU’). HealthData@EU should accelerate secondary use while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as ‘privacy by design’ and ‘privacy by default’ and the concept of bringing questions to data instead of moving those data should be respected whenever possible. Member States should designate national contact points for secondary use, as organisational and technical gateways for health data access bodies, and connect those contact points to HealthData@EU. The Union health data access service should also be connected to HealthData@EU. In addition, authorised participants in HealthData@EU could be research infrastructures established as a European Research Infrastructure Consortium (ERIC) under Council Regulation (EC) No 723/2009 , as a European digital infrastructure consortium (EDIC) under Decision (EU) 2022/2481 or similar infrastructures established under other Union legal acts, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI) or infrastructures federated under the European Open Science Cloud (EOSC). Third countries and international organisations could also become authorised participants in HealthData@EU, provided that they are compliant with the requirements in this Regulation. The Commission communication of 19 February 2020 entitled ‘A European strategy for data’ promoted the linking of the various common European data spaces. HealthData@EU should therefore enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as those relating to the environment, agriculture and social sector. Such interoperability between the health sector and other sectors such as the environmental, agricultural or social sectors could be relevant for obtaining additional insights on health determinants. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants in HealthData@EU for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission could also set up a secure processing environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, such as those being built for the exchange of evidence under the ‘once-only’ technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council .
In addition, given that the connection to HealthData@EU could entail transfers of personal data related to the applicant or the health data user to third countries, relevant transfer instruments under Chapter V of Regulation (EU) 2016/679 need to be in place for such transfers.
The authorisation process to gain access to personal electronic health data in different Member States can be repetitive and cumbersome for health data users. Whenever possible, synergies should be established to reduce the burden and barriers for health data users. One way to achieve that aim is to adhere to the ‘single application’ principle whereby, with one application, the health data user can obtain authorisation from multiple health data access bodies in different Member States or authorised participants in HealthData@EU.