Published in May 2022, the draft regulation on the European Health Data Space (EHDS) is part of a pre-existing body of legislation (NIS/NIS2, RGPD) that is currently being developed (DSA, DMA, Data Act, etc.). This body of work demonstrates the intense activity of the European Union when approaching the data economy as a whole. Indeed, the proposed EHDS regulation is the first text in the European data strategy to propose a data sharing framework for a specific sector.
The objectives of the proposed regulation are:
- To harmonize patient data management within the EU: usage, governance, etc.
- To simplify the conditions of access, with a particular focus on the secondary use of health data (to facilitate their consideration in creating public policies, in innovation, etc.);
- To set up a European infrastructure for cross-border use, such as HealthData@EU.
Whatever its final form, this regulation will have a major impact on the use of health data in Europe.
Why does this regulation matter?
The EHDS project aims to provide a framework for sharing health data. There are two significant aspects to this. The first one concerns the harmonization of the notion of secondary use of health data between different Member States. The second is to implement a robust technological infrastructure to enable the use of this data.
In concrete terms, the EHDS proposal aims to allow a Spanish patient traveling to Italy on vacation to access a prescription in a local pharmacy, or a doctor in an emergency room in France to access the basic health information of a Finnish patient. It should be mentioned that a prototype infrastructure already exists (MyHealth@EU).
However, the proposal as it stands would expand access to items such as medical test results and MRIs. There would also be mandatory interoperability and security requirements. This health data would be available to patients “immediately, free of charge [and] in an easy-to-read format“.
Is this a sign of awareness?
The text is ambitious as it is, but does it really reflect an awareness of the need to address the multifaceted threat to the health sector?
In this regard, it is always relevant to remember that the purpose of the law is the sharing of health data on a European scale. In other words, it does not deal with the protection or security of health data, as these aspects are already covered by other legislation (e.g., the NIS Directive2). Finally, given the ambition and objectives of the EHDS, the health data use framework is of major importance, overshadowing the techno-centric approach to security.
Thus, there are only a few technical security requirements in the EHDS proposal and they are limited to a couple of specific practices: the access and traceability requirements listed in Article 50. The obligation concerning data processing environments aims to provide security guarantees. These include restricted, identifiable and traceable access to data, and the compartmentalization of data according to the permits granted for the use cases.
The article also specifies that the auditability of these environments is mandatory. Finally, it mentions the security and interoperability criteria to which the players concerned by the regulation must adhere.
Beyond the need for protection
Regardless of the technical requirements for health data security, the main challenge remains the technical and technological implementation of such a “space”. At this stage, it raises issues related to data control. The question of control by the user is not sufficiently addressed. Even if a governance body is foreseen by the EHDS, it does not foresee, for example, patient representatives.
On the technological side, the text does not contemplate the creation of a centralized database of health data for European residents. The trend is to interconnect different data pools. It is important to understand the scope of the subject: the technological form must follow its function. In other words, designing governance, user pathways, mandatory points of passage, data formats and recourse approaches are the substance and the real challenge of EHDS. Responding to these questions cannot and should not begin with a technical approach.
In this sense, the questions related to the individuals’ rights and capacity to act are very delicate. Thus, the relationship between this proposed regulation and the RGPD will have to be taken into account. Generally speaking, the EHDS proposal, as it stands, weakens the rights and protections of individuals conferred by the RGPD: the EHDS would create a right of access that is not consistent with the current one on the RGPD.
In addition, the scope of the proposal may lead to situations of legal ambiguity with respect to wellness and health behavior applications and data. If these data are retained, the processing of personal data from wellness and other digital apps for secondary purposes should be subject to prior consent meaning of the GDPR. Finally, similar uncertainties exist in the relationship of this proposed sectoral regulation with cross-cutting texts. They will have to be resolved before we can talk about technical implementation.
Paving the future
Improving the quality of health data and facilitating their availability will allow us to better face current and future public health challenges (preventive medicine, epidemics, etc.). Thus, understanding the technical and technological implications of such a regulatory proposal becomes an obligation. This is especially true when we see unfolding before our eyes, across the Atlantic, the impossibility of controlling the future of women’s health data in the context of the criminalization of abortion.
Nowadays, the operational and security maintenance of digital health infrastructures and tools is under-resourced. However, with health data, we are at the crossroads of several points of particular tension: rapid technological evolution on the one hand, which comes with its own uncertainties, changes in the landscape of threats, specificities of health systems and data, complex combined requirements related to both data (formats and standards, for example) and system interoperability, changes in the business models of private providers of health products and services, and, of course, the involvement of individuals.