Overview
March 26, 2025, marked a pivotal moment in the EU with the European Health Data Space Regulation, (EU) 2025/327 (“EHDS Regulation”), coming into force. The EHDS represents a transformative initiative by the European Union aimed at amending the management and utilization of health data across its Member States. In an era when digitalization is reshaping healthcare, the EHDS seeks to establish a cohesive framework that enhances individuals’ access to and control over their personal electronic health data and fosters a robust environment for the secondary use of health data that benefits researchers and innovators.
The most important changes the EHDS Regulation seeks to achieve include:
- Primary use: Improving access to and control of personal electronic health data across borders in the context of healthcare services
- Secondary use: Enhancing the secure and trustworthy reuse of health data for research, innovation, policymaking, and regulatory activities
- Electronic Health Records (“EHR”): Laying down a uniform legal and technical framework, in particular for the development, marketing, and use of electronic health record systems, supporting both primary and secondary use
The EHDS will enable the EU to fully exploit the benefits of the secure and safe exchange, use, and reuse of health data, serving the interests of patients, healthcare professionals, researchers, regulators, and innovators.
Facilitating Healthcare Services with EU-wide Use of Health Data
The EHDS Regulation creates a standardized digital framework for handling and sharing electronic health data to facilitate healthcare services. This framework will significantly improve cross-border access to electronic health data, enabling healthcare professionals to effortlessly retrieve patient information from other EU countries. This will streamline administrative processes for international medical treatments and enhance the quality of healthcare.
Rights and Responsibilities along the Healthcare System
The EHDS Regulation stipulates essential rights and responsibilities for various participants in the healthcare system, particularly for the following:
- Data collection responsibilities: Healthcare providers, including healthcare professionals, clinics and medical practices, within the EU are required to collect data for primary purposes.
- Patients’ rights: Natural persons are granted specific rights to access, control, and share their personal electronic health data through an online service. However, these rights do not imply an obligation to digitize paper documents; they cover data that is already processed electronically.
- Transmission responsibilities: Health data holders are required to extensively transmit data for secondary purposes.
- Access rights: Healthcare professionals are provided access rights for primary purposes, while health data users (e.g., research institutions and life sciences companies) will have access and usage rights for secondary purposes.
- Testing, standardization, and documentation responsibilities: Manufacturers, importers, and distributors of software and devices for electronic health records (EHR) must adhere to testing, standardization, and documentation requirements.
Secondary Use of Health Data
For many years, the secondary use of health data was fraught with legal uncertainties due to the absence of a clear legal basis, which impeded innovative research, especially in the field of artificial intelligence. The EHDS Regulation seeks to mitigate the previous uncertainties by providing a clear legal foundation for the secondary use of health data, in compliance with the General Data Protection Regulation (GDPR) and other data protection laws.
Intellectual property rights and trade secrets are not considered to be an obstacle to the secondary use. Subject to the data holder flagging such rights or secrets to the health data access body, it will be the responsibility of the latter to determine whether protective measures should be put in place to protect the rights or secrets or if the permit application should be refused.
The EHDS Regulation explicitly defines permissible secondary purposes to include:
- Scientific research
- Development and innovation of healthcare products or services
- Training, testing, and evaluating algorithms in medical devices, AI systems, and digital health applications
- Enhancing care, optimizing treatment, and healthcare delivery
Health data cannot be used for prohibited purposes, such as advertising, marketing, or developing products or services that could harm individuals, public health, or society as a whole, as well as illegal drugs, alcoholic beverages, or tobacco and nicotine products.
Provision of EHR Systems
Besides the provisions on health data processing, the EHDS Regulation imposes product-specific responsibilities on manufacturers, importers, and distributors of so-called EHR systems (i.e., software and devices for electronic health records). These systems, comprising software or a combination of hardware and software, are designed to process health data in accordance with the EHDS Regulation. EHR systems are intended for use by healthcare providers in patient care or by patients enabling access to their health data.
The EHDS Regulation imposes tiered responsibilities on economic operators based on their roles in the supply chain. While manufacturers must issue a declaration of conformity under the EHDS Regulation and affix the CE marking, importers can only market EHR systems that are in compliance with the EHDS Regulation (i.e., they have the appropriate CE marking and are accompanied by sufficient instructions for use). Distributors, on the other hand, must verify that the manufacturer has issued a declaration of conformity. If the EHR systems include digital elements, then manufacturers, importers, and distributors must also adhere to the provisions of EU Regulation 2024/2847, the Cyber Resilience Act, which the EHDS Regulation complements regarding electronic health records.