The European Health Data Space (EHDS): new opportunities and obligations for healthcare institutions
The European Health Data Space (EHDS) will enter into force on 25 March 2025. The aim of the new European Regulation (EU) 2025/327 on the EHDS is to optimise the exchange of and access to health information within the EU. The regulation ensures that hospitals, researchers, universities, companies and policymakers gain access to essential health information more quickly and easily. The EHDS also introduces new obligations for organisations that process health data. In this blog post, we discuss the most important points for healthcare organisations.
What is the EHDS about?
The European Commission wants health data to be able to circulate as freely as goods, capital, services and people within the EU. The EHDS distinguishes between two different ways of using health data:
- Primary use: This refers to health data that is used directly in healthcare. For data subjects, this means that they have access to their medical information at any time and at any location, which makes care easier and more effective. The EHDS gives medical professionals in every EU member state access to critical patient information when needed, enabling them to make more targeted and better-informed decisions.
- Secondary use: Health data can also be used for research, monitoring public health and policy development. This includes analysing disease outbreaks or developing new treatments based on aggregated data. This means that anonymised and secure health data can be used for research, policy-making and innovation.
The data shared within the EHDS comes from various sources, such as electronic health records (EHRs) and clinical studies.
The impact of the EHDS on health data holders
For institutions that process health data, such as hospitals, medical laboratories and research institutions, the EHDS brings both opportunities and challenges. On the one hand, the EHDS makes it easier to share and consult health data, encourages cooperation and contributes to better healthcare throughout the EU. On the other hand, healthcare institutions must invest in order to properly support the EHDS and guarantee the privacy rights of those involved, such as their right to information, transparency, opt-out, etc.
These are the main challenges for organisations:
1. Securing health data
Organisations must take sufficient technical and organisational measures to guarantee the security, integrity and confidentiality of health data. This includes encrypting the data, implementing strict access controls and continuously monitoring data traffic.
2. Standardisation and interoperability
Health data must be maintained according to clear standards, so that this data can be easily integrated from different data sources. This means that metadata about data sets (the quality, the format, etc.) must be recorded.
3. Secure and controlled access to data
Relevant data must be securely accessible at the right time to authorised parties, such as healthcare providers, researchers and policymakers. This requires clear access modalities.
4. Compliance with the FAIR principles
Health data must be findable, accessible, interoperable and reusable (FAIR). This means that the data must be stored in a standard and readable way to facilitate both primary and secondary use.
5. Accountability and transparency
Organisations must be able to demonstrate that they are meeting EHDS obligations. They will therefore be subject to audits and reports on how and by whom health data should be used.
Implementation and enforcement of the EHDS
Supervisory authorities and national Health Data Access Bodies (HDAB) will monitor compliance and ensure the legal and technical protection of the data.
One of the most important players in the successful implementation of the EHDS is the Health Data Access Body (HDAB). This body acts as a facilitator to give organisations secure access to health data.
Enforcement of the EHDS is carried out by the supervisory authorities that are already active under the GDPR, in Belgium the Data Protection Authority. The Data Protection Authority handles complaints and can also impose administrative fines (under Article 83 GDPR) in the event of a breach. Healthcare institutions and other organisations that process health data must therefore not only invest in secure and transparent data exchange, but also take into account possible sanctions in case of non-compliance.
Conclusion
The EHDS will take effect on 25 March 2025, marking a major milestone in the digital transformation and harmonisation of health data across Europe. This creates the opportunity for healthcare institutions to optimise data exchange and collaboration, but also requires extra efforts in the area of compliance and infrastructure.
Stibbe's Privacy & Data Protection team has extensive knowledge of cybersecurity and data protection. Do you have questions about the EHDS and its impact on your organisation? Then don't hesitate to contact us.