Health Law Blog Sweden

ISSN: 2004-8955

Navigating Challenges in Empowering Individuals through the European Health Data Space

By Petra Müllerová*

Introducing the European Health Data Space

Before summer, a game-changing European Health Data Space regulation (EHDS) that could transform how European citizens interact with their electronic health data will be launched.[1] The regulation has a two-fold mission. First, it’s designed to significantly improve access to electronic health data for individuals across all Member States. Second, it aims to streamline the provision of anonymised data from individuals to European researchers, paving the way for more comprehensive studies concerning health. But what about the safety of our electronic health data? What assurances does the EHDS provide?

Shared access to electronic health data in all Member States is not new. The 2011 directive encouraged Member States to establish interoperability between their national patient summaries.[2] At that time, except for the Nordic countries, most Member States lacked the legislative and technical expertise in this field. However, the situation has evolved over the past decade, accelerated by the COVID-19 pandemic. By 2022, twenty-six Member States already legally provided their citizens with access to electronic health record (EHR) data.[3]

The EHDS is dedicated to reinforcing individuals’ right to immediate, simple, user-friendly and free-of-charge access to their electronic health data while maintaining the highest data privacy standards. Individuals should be able to obtain an electronic copy of the EHR whenever needed. This implies that the European Union (EU) strives to ensure that individuals across the EU can access their data instantly through the MyHealth@EU platform. In practical terms, if, for example, a person is injured in another Member State, medical professionals should be able to access that person’s health data from the home country with the person’s consent. This could lead to enhanced care, as medical professionals will have a comprehensive medical history of the patient. The EHDS stipulates that individuals should have access to their patient summaries, electronic prescriptions, medical images and image reports, laboratory results and discharge reports.

The revolution in the accessibility of individual health data across the EU also brings challenges. The main challenge is to create a single interoperable system between 27 Member States that reliably protects individual data. Under European law, what guarantees do individuals have that their data will be reliably protected?

Protecting health data in the framework of EHDS

The processing of the electronic health data of individuals within the EHDS is subject to Regulation 2016/679, known as the GDPR.[4] This means that manufacturers, distributors, and medical professionals must comply with all GDPR rules on health data processing. In the framework of the EHDS, the legislator wants to increase the powers of individuals and thus underlines that individuals gain complete control over their health data. They will have the right to decide which data will be shared in the EHR and which will be excluded. Individuals must be guaranteed access to the system, where they can check what data is there and add data themselves. To avoid confusion between data entered by the medical professional and data entered by the patient, the EHR will indicate which data has been entered by the patient. The most important feature of the system is that patients determine who can access their electronic health data. Thus, each individual will be able to grant access to a specific medical professional or facility, and to deny access in the same way. However, access will always be granted for a particular medical intervention, and only the necessary data will be shared, not the entire EHR. The medical professional will need to pass secure authentication to obtain further data. In addition to protecting the data in the system, this also enables the patient to check who has accessed the data, when, and which data was accessed.

Thus, the EHDS increases an individual’s control over their data. Given the already existing European legislation on the protection of health data (GDPR) and its application within the framework of national laws, the rules for processing the data are clearly defined. Individuals’ electronic health data will continue to be highly protected.

However, it is necessary to consider the technical side of the EHR setup. Setting up this system in Europe requires extensive technical cooperation to ensure that patient summaries from all 27 Member States are interoperable. According to data from 2022, eighteen Member States have a legislative framework that allows the sharing of EHR data across national borders. For technical reasons, however, only the Czech Republic, Lithuania, Latvia, Poland and Slovakia can currently send or receive patient record summaries from other countries.[5] A substantial part of the new regulation is devoted to EHR interoperability. Each Member State will designate one or more national contact points responsible for sharing an individual’s data with other national contact points through an interoperable platform.

Because of the way national healthcare is organised, this system may be complicated for some countries, such as Sweden. The Swedish healthcare system is decentralised: it is managed and run by the local self-governments, which are responsible for maintaining the EHR. For this reason, it will be essential to ensure interoperability between all regions within Sweden so that the national contact point can receive health data in a uniform format. This may be the most significant challenge in protecting individual health data. Unlike some other Member States, Sweden has already been able to implement the patient summary record in its healthcare system. This experience means that Sweden is already familiar with some of the challenges of introducing patient summary records.

Wellness apps as a source of health data or the potential risk of losing control?

The EHDS brings a new source of electronic health data: wellness applications. This group includes both specialised applications designed for monitoring or diagnosing a patient and commonly used sleep monitoring applications, mental health or meditation applications, and fitness applications that record physiological values during exercise. This wide range of apps can collect data about the individual that may be important for medical professionals, such as blood pressure, heart rate, or sleep disorders. As the use of these apps is increasing in the Member States, they can be an essential data source for both patient treatment and European research, and their incorporation into the EHDS is a look into the future.[6]

The EHDS established mandatory labelling of these applications within the framework of a European platform and made them available to users. Each user will thus be able to verify whether the application is interoperable with the EHR. Regarding the protection of personal data, the application’s manufacturer is obliged to comply with all the obligations laid down for the processing of health data obtained based on the user’s consent. However, research shows that data protection is not necessarily applied effectively in practice: 40% of apps pose a high risk to user privacy, 32% pose a moderate to high risk, and 28% pose a low to moderate risk.[7]

Does the EHDS guarantee to individuals that only data-safe applications will receive this label? This question has no easy answer. On the one hand, the regulation sets out requirements stating that the actual sharing of data with the EHR must follow a secure format. Transferring health data from wellness applications to the EHR is not automatic; data sharing requires user consent. On the other hand, the regulation does not control how the manufacturer obtains the user’s data. This means that, in the context of using the application, the manufacturer may violate the rules on data processing. The labelling can therefore mislead users and make them feel that the application is fully secure for their data. It is essential that users are vigilant and do not rely solely on the labelling but verify that the application complies with all GDPR rules.

Conclusion

The EHDS represents an excellent opportunity for users; it will significantly simplify medical data sharing for individuals while travelling between Member States. The GDPR will protect their data, and there is no need to be more concerned. However, the integration of wellness applications deserves vigilance. Even if their inclusion is a vision for the future, closer attention is needed to see which apps get labelled as interoperable with the EHR. For this reason, educating users to recognise and use only safe wellness applications is essential.


* Petra Müllerová is a postdoctoral researcher at the Department of Law, Lund University.

[1] Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space [2022] COM/2022/197 final.

[2] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare [2011] OJ L 88, 4.4.2011, p. 45–65.

[3] Thiel R., Lupiáñez-Villanueva F., Deimel L., Gunderson L. and Sokolyanskaya A., eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU (2020), Publications Office of the EU (europa.eu), accessed 14 April 2024.

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1.

[5] López A., The electronic health record is not yet in force in the European Union (2022) https://www.uoc.edu/en/news/2022/096-electronic-health-record-europe accessed 13 April 2024.

[6] ORCHA, ‘Digital Health in the UK: National Attitudes and Behaviour Research’ (2022) <Digital Health in the UK National Attitudes and Behaviour Research 2022.pdf (hubspotusercontent-eu1.net)> accessed 13 April 2024.

[7] Papageorgiou A., Strigkos M., Politou E., Alepis E., Solanas A., Patsakis C., Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice (2018) IEEE Access.
