Will the EHDS finally enable health data sharing in the EU?

The EHDS represents a game-changer that may help startups to use data easily. Today, we discuss the potential of EHDS for medical device startups.
Will the EHDS finally enable health data sharing in the EU?

The use of health data to create innovative services in the B2B (and B2C) scenario has always been a challenge for companies in the digital health industry, regardless of size.

In this blog post, we will discuss the potential of EHDS for medical device startups, among others.

For those innovating in healthcare, EHDS represents more than just a digital infrastructure; it can be a game-changer that may enable companies to use data to train their algorithms, AI, digital twins, prediction analysis and many more to deliver new healthcare solutions.

What is the EHDS?

Back in 2020, the European Commission presented a regulation to set up the European Health Data Space (aka EHDS) for the first time.

This is a health-specific ecosystem composed of common rules, standards, and practices plus a framework that aims at:

🚀 Provide EU citizens with increased digital access to and control over their electronic personal health data at the EU-wide level. This will support their free movement across the EU.

🚀 Increase the adoption of electronic health record (EHR) systems, digital medical devices, and high-risk AI systems. This falls under the primary usage of data.

🚀 Establish a setup for using health data for research and innovation. This falls under the secondary usage of data.

[Don’t know the difference between primary and secondary usage of data? Check out our blog post!]

In other words, the EHDS will provide a framework for health data governance, ensuring that data is collected, shared, and used in a secure and regulated way.

And yes, it can be considered a new block on the EU data strategy work started with the GDPR. 😉​

As we can see, improving data availability and accessibility is the baseline of one of the priorities for developing the EHDS.

But let’s be careful: on the tech POV, the EHDS should not be seen as the European ‘data lake’ but as a data exchange and access system. It will be managed by common rules and technical standards to guarantee that health data can be accessed within and between EU members (according to the requirements set out in the GDPR).

At the business level, the EHDS aims to strengthen and extend the use and re-use of health data for research and innovation purposes in healthcare.

What are the benefits for innovators?

Driving innovation is one of the top priorities not only for businesses but also for governments.

The EHDS may bring benefits to all startups and companies working in the digital health ecosystem.

🚀  Increased digital access to electronic personal health data: there may be the possibility of a digital infrastructure to plug in, like ePrescriptions, that every DiGA needs to manage.

🚀 Widespread usage of EHR: also, here we see the possibility of plugging into systems that interoperate with hospitals across the EU and finally get API to get data and interoperability for primary usage of their services.

🚀 Access health data: this is the leading pro for many AI startups in the EU. The benefit is a digital space filled with data and ruled by a standard compliance and legal framework across the EU countries.

So, standardising the EHR systems across the EU will give the possibility to:

 ➡️ Access large amounts of health data (with higher quality).
 ➡️ Know what data is available, their quality, and location.
 ➡️ A cheaper and more effective access to the data for research and innovation.
 ➡️ Assist regulators in accessing relevant and non-identifiable health data.

What do companies need to consider in regards to data subject rights?

With the EHDS (and in combination with the GDPR), people will gain more rights related to their health data.

Here are some of the obligations that startups and companies need to implement to satisfy Subject Rights:

➡️ Immediate and free access to health data in electronic form (in a commonly used format).

➡️ The ability to share their data with other health professionals when visiting a different hospital.

➡️ The option to add data to their EHR for themselves, their children, and their relatives.

➡️ The right to restrict access to their EHR or specific parts of the data.

➡️ The ability to obtain information on which professionals have accessed their data.

In some cases, such as when there is a vital interest, data may still be made available with additional restrictions.

Talk to an expert

When can companies start using it?

The latest update on the European Health Data Space (EHDS) was on December 6th, 2023, when the European Commission reached an agreement on the Council's proposal.

Following this agreement, the EU Council presidency has negotiated with the European Parliament to reach a temporary agreement on the regulation.

It is still not clear when the regulation will come into force, though.

After implementation, the Council has requested 5 to 7 years to register all data into the electronic health records. With 2 years for implementation and an additional 7 years, the EHDS will become fully operational 9 years after adopting the regulation.

Pro tips if you want to access health data (now).

How to access data now? We know that innovation can’t wait and that companies need to access data right now.

Even though the issues related to access to health data can be hard to overcome currently, it is still possible to make it happen (and will be a little easier when the EHDS is in place).

While we wait for the EHDS,  let’s see what you can do to get health data.

Since there’s no magic formula to get this done, let’s see the mix of conditions can help you mitigate the risk and, thus, get more chances to access the data you need.

Important: the key challenge is always to obtain a valid legal basis (either given by GDPR or national laws based on risk minimisation) put in place. This can be done by partnering up with a health institution and starting a joint research project. Public and private institutions can (even currently) justify access to health data for research since there are possible valid legal bases (art 9. GDPR).

Once the legal basis is settled, these are a combination of measures that could help you reduce risks and enable you to access data.

Synthetic data: as EU regulations are making it difficult to process and utilise data (especially across organisational boundaries and even harder abroad), one solution is using artificially produced data designed to avoid any potential connection with real-life patients. The dataset is built on “fake data.” -  the use of AI to create and simulate datasets that mimic the real world. This is a good alternative if you don’t have the opportunity to use actual data (due to consent restrictions, for example) or if you don’t have enough real-world data.

Anonymisation: data anonymisation involves completely removing all personal identifiers from the data, making it impossible to trace the data back to the individual. The thing here is simple: the responsible for the anonymisation must have consent or a proper alternative legal basis from the patients to perform it. If you perform anonymisation, you must access the former data source - thus sensitive information such as demographics, pathologies, and other sensitive information. This won’t apply to you if you receive data anonymised by an external partner.

Specific advice from the DPO for research performed within health institutions that falls within existing legal basis related to research. DPOs, with their expertise, can provide you with precious advice and help you to solve and speed up the entire process.

Perform a Data Protection Impact Assessment: DPIAs are required if your data processing is likely to result in a high-risk procedure for your users’ data privacy and security - this is usually the case if you process sensitive data or have personal data of several data subjects. Schedule and conduct periodic data protection impact assessments from a risk perspective and identify mitigations and remediation activities for non-compliant processes. Your DPO should check that your DPIA was carried out properly and that the risk mitigation measures you implemented are sufficient.  If everything goes well, you are ready to conquer the market and gain your customers, stakeholders, and investors' trust.

Keep in mind that all the mentioned strategies need to be combined in most cases to ensure security, compliance, and smooth project execution, and by no means do they replace legal basis!

Why Chino.io.

We are the one-stop shop for solving all data privacy and security aspects. As a partner of our clients, we combine regulatory and technical expertise with a platform that allows startups and companies to eliminate compliance risks and save costs and time.

 ✅ Do you want to sell to enterprises or hospitals?
 ✅ Do you want to apply for a digital therapeutic reimbursement scheme?
 ✅ Do you want to ensure your product or company is compliant before launch?

Then, we can help you out.

During the last 6 years, we have helped several startups and companies deal with data privacy and security compliance issues. To support you in the market phase of your business, we offer remediation and ongoing compliance activities and support:

  • Legal-tech gap analysis that verifies all implementation choices and legal policies. We combine a comprehensive knowledge base of all regulations, security, and development best practices.
  • Ad-hoc remediation plans based on your needs include ongoing compliance support (DPO or Compliance Partner).
  • Our Compliance Toolkit solves the most complex challenges and gaps.

Chino.io makes compliant-by-design digital innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, contact us to book a free 30-minute consultation.

Talk to an expert