The secondary use of health data in the European Health Data Space proposal
21 November 2022
The essence of the EHDS Proposal: On May 3, 2022, the European Commission published its draft regulation on the European Health Data Space (EHDS). This proposal aims to achieve two main objectives. The first is to improve the provision of cross-border healthcare in the EU, regardless of the patient’s location in member states (MS). The second objective, which is of more interest to us, is to enable the secondary use of electronic health data by researchers, companies, innovators and public institutions (the data users) for other new purposes that benefit society.
The EHDS proposal builds upon and complements the General Data Protection Regulation (GDPR) by establishing specific harmonized rules for the secondary use of health data and strengthens data portability. The requirement for harmonized rules at EU level stems from the limitations of the current framework provided by the GDPR, as well as from the current national laws of member states that have enacted specific provisions regarding the secondary use of health data.
The current framework for secondary use of health data and challenges for data users
The current framework for cross-border access to health data initially collected for a completely different purpose (secondary use of data) in the context of international scientific research is highly fragmented due to several national specificities.
This fragmentation originates from a provision of the GDPR granting MS the ability to adopt stricter laws regarding the processing of health data.
The lack of a common definition at EU level of what is considered “secondary use” of data increases the ability of MS to establish different frameworks. A study carried out under the TEHDAS (Towards the European Health Data Space) project on barriers to cross-border sharing of health data for secondary use points out that this difficult demarcation between primary and secondary use of data makes it more complex to delimit what the data subject has really consented to during the initial research, when the initial research was based on their consent.
A second source of fragmentation concerns some MS, such as Italy, imposing the consent of participants as the only legal basis for the primary use of health data, despite a reluctance by the European Data Protection Board (EDPB) to use this legal basis. In fact, the existence of different legal bases applied in different MS has made transnational studies very difficult, as data users must comply with different requirements in each jurisdiction. According to the TEHDAS report, it has increased compliance and research costs. Consequently, when the initial collection of data is based on the consent of participants, the secondary use of the data may only be possible with a new consent of the data subject or in compliance with a legal obligation as a separate legal basis.
Another important barrier exists in national specificities concerning informing data subjects about future research, specifically when the obligation to inform is impossible or requires a disproportionate effort. Some MS, such as France and Italy, have introduced a procedure in domestic laws to request authorization from the data protection authority in the event of impossibility or disproportionate effort to provide information to data subjects.
The EHDS provides elements of an alternative framework
A common definition of secondary use. Indeed, the EHDS regulation defines secondary use of electronic health data as being the processing of electronic health data particularly generated during healthcare provision with the purpose of supporting research, innovation, policy making, regulatory activities and other uses, such as healthcare delivery to a patient, based on the data concerning other patients. More concretely, the EHDS highlights in chapter IV some purposes compatible with its definition of secondary use. Among the purposes listed in that chapter IV, we find:
– the development and innovation activities for products or services contributing to public health or social security or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices and
– the training, testing, and evaluating of algorithms, including in medical devices, AI systems and digital health applications.
These categories of purposes can be pursued by private organisations such as within the pharmaceutical industry.
The EHDS regulation goes further and lists a set of prohibited purposes, such as:
- taking decisions detrimental to a natural person based on their electronic health data;
- advertising or marketing activities towards health professionals, organisations in health or natural persons; and
- developing products or services that may harm individuals and societies at large.
The common theme of this list is to prohibit all secondary uses that could harm an individual.
Another major change is related to the health data access procedure. Private data users wishing to conduct international clinical studies will be able to have access to the data of patients established in different MS by sending a single authorization request to an authority called the Health Data Access Body (HDAB). Data users will no longer have to bear the costs of complying with different national laws to have access to the data. As the European database of electronic health data will also be fed by data holders established in different MS, more than one HDAB will be competent. Therefore, data users will have the choice of submitting the single authorization request to any HDAB, which will in turn communicate the request for authorisation to the other HDABs concerned, which will decide whether to grant authorisation for access to their nationals’ data.
The rules for the secondary use of health data provided by the EHDS proposal are not intended to supplant those provided by the GDPR and national legislations. On the contrary, the purpose of the EHDS is to create a complementary framework for the secondary use of health data compliant with GDPR.
The proposed EHDS regulation does not violate the legal basis established by the GDPR regarding the processing of health data. Three legal bases from GDPR are provided by the EHDS for the secondary use of health data.
- The first legal basis relates to the processing of data carried out by data holders when they receive data from data subjects. For processing of electronic health data held by the data holder, the EHDS proposal refers to a legal obligation in the sense of Article 6(1)(c) of the GDPR combined with Article 9(2)(h), (i) or (j) of the GDPR for disclosing the data by the data holder to health data access bodies;
- The second legal basis concerns the processing of data carried out by the HDABs when they require access to data from the data holders for the purpose of providing it to data users. Here, the proposed regulation bases the processing on the performance of tasks in the public interest by the HDABs (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of the GDPR, and meets the requirements of Article 9(2)(h), (i) or (j) of the GDPR;
- The third legal basis concerns access to data by the data user, a private organization in our case. Private data users may have access to health data based on a combination of their legitimate interest (Article 6(1)(f) of the GDPR) and the necessity of the processing for the purpose of scientific research based on a European regulation, here the EHDS (Article 9(2)(j) of the GDPR).
To be aligned with national laws imposing patient consent as a legal basis for health data processing, the EHDS proposal highlights that when the consent of the data subject is required by national law, health data access organizations are responsible for fulfilling certain obligations.
Among these obligations listed in Article 38 of the proposed regulation, there is the obligation to provide general information through HDAB’s website about:
– the legal basis under which access is granted;
– the technical and organizational measures taken to protect the rights of natural persons;
– the applicable rights of natural persons in relation to secondary use of electronic health data;
– the arrangements for natural persons to exercise their rights in accordance with Chapter III of GDPR;
– the results or outcomes of the projects for which the electronic health data were used.
Challenges for the EHDS proposal
The EHDS provides a regulatory framework that is favorable to the conduct of cross-border clinical research, as it will facilitate the establishment of health databases from data holders established across the EU. However, some challenges need to be overcome.
A major challenge of accessing these data under EHDS is practicality. Beyond legal harmonization, it will be necessary to ensure technical interoperability between national electronic health data records, particularly regarding the interoperability among digital devices and digital health applications.
Although the EHDS already states that in case of contradiction with the GDPR the latter shall prevail, the cooperation between HDABs and data protection authorities is also of key importance. However, the HDAB does not specify what form this cooperation will take in practice. This issue will need to be properly addressed through guidance.
Winnie F. Dongbou Wamba