(1)

The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes that would benefit the society such as research , innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.

(1)

The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for better achieving other purposes in the health sector that would benefit society such as research such as innovation, policy-making , health threats preparedness and response , patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.

(1a)

The EHDS is intended to constitute a key component in the creation of a strong and resilient European Health Union to better protect the health of Union citizens, prevent and address future pandemics and improve the resilience of Union healthcare systems.

(1b)

This Regulation should complement Union programmes such as the EU4Health Programme, Digital Europe Programme, Connecting Europe Facility and Horizon Europe. The Commission should ensure that Union programmes complement and facilitate the implementation of the European Health Data Space.

(2)

The COVID-19 pandemic has highlighted the imperative of having timely access to electronic health data for health threats preparedness and response, as well as for diagnosis and treatment and secondary use of health data. Such timely access would have contributed , through efficient public health surveillance and monitoring, to a more effective management of the pandemic, and ultimately would have helped to save lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 (41) , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and Union level.

(2)

The COVID-19 pandemic has highlighted the imperative of having timely access to quality electronic health data for health threats preparedness and response, as well as for prevention, diagnosis and treatment through the secondary use of health data. Such timely access can potentially contribute , through efficient public health surveillance and monitoring, to a more effective management of the pandemic, to a reduction of costs and to improving the response to health threats and ultimately can help to save more lives in the future . In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 (41) , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural and consistent approach at Member States and Union level on access to electronic health data in order to steer effective policy responses and contribute to high standards of human health .

(3)

The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that electronic health data are as open as possible and as closed as necessary . Synergies between the EHDS, the European Open Science Cloud (42) and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.

(3)

The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that the necessary electronic health data are available while respecting the principle of data minimisation . Synergies between the EHDS, the European Open Science Cloud (42) and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.

(3a)

Given the sensitivity of personal health data, this Regulation seeks to provide sufficient safeguards at both Union and national level to ensure a high degree of data protection, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of the health data of natural persons for primary and secondary uses. To achieve those objectives, pursuant to Article 9(4) of Regulation (EU) 2016/679, Member States can impose further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

(4)

The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (43) and, for Union institutions and bodies, Regulation (EU) 2018/1725 of the European Parliament and of the Council (44) . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.

(4)

The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (43), Regulation (EU) 2018/1725 of the European Parliament and of the Council (44) , as regards Union institutions, bodies, offices and agencies, and Regulation (EU) 2022/868  (44a) of the European Parliament and of the Council . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions , bodies , offices and agencies , where relevant. In relation to mixed datasets, where personal and non-personal data are inextricably linked, and where it is difficult to distinguish between those categories thereby resulting in the possibility of inferring personal data from non-personal data, the provisions of Regulation (EU) 2016/679 and of this Regulation concerning personal electronic health data should apply.

(4a)

The implementation of the EHDS should take into consideration the European ethical principles for digital health adopted by the eHealth network  (1a) on 26 January 2022. Monitoring the application of those ethical principles should be one of the tasks of the EHDS Board.

(5)

More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.

(5)

More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, health threat assessment, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.

(5a)

The scope of this Regulation should not cover natural persons who are not Union citizens, or third-country nationals not legally residing on the territory of the Member States. Therefore, where Member States require electronic registration of health data or where health data holders register health data regarding those natural persons, processors can only process the electronic health data of such persons, in accordance with Articles 6(1) and 9(2) of Regulation (EU) 2016/679 including for any secondary use.

(7)

In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved acess to their own personal electronic health data and are empowered to share it.

(7)

In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results , and other complementary diagnosis and therapeutics results , spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved access to their own personal electronic health data and are empowered to share it. To that end, Member States should ensure a common standard is in place for the exchange of electronic health data to ensure and facilitate its transfer and translation into the Union’s official languages. In this respect, appropriate funding and support at Union and national level should be fairly distributed and considered as a means of reducing fragmentation, heterogeneity, and division and to achieve a system that is user-friendly and intuitive in all Member States.

(9)

At the same time, it should be considered that immediate access to certain types of personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period. Where health data is only available on paper, if the effort to make data available electronically is disproportionate, there should be no obligation that such health data is converted into electronic format by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.

(9)

At the same time, it should be considered that immediate access of natural persons to certain types of their personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period , for instance until the moment where the patient and the health professional get in contact. Member States should be encouraged to require that health data available prior to the implementation of this Regulation be converted into an electronic format through a process facilitated by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.

(10)

Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be clearly marked to indicate the source of such additional data. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals.

(10)

Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals and does not have the same clinical or legal value as information provided by a health professional , therefore it should be clearly marked to indicate the source of such additional data and should be validated only by a health professional. More specifically, relevant fields in the EHR should be clearly marked . Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals , with a relevant specialisation, responsible for the natural person’s treatment .

(11)

Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679. This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.

(11)

Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679 and to download their health data . This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.

(12)

Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.

(12)

Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability . In accordance with Regulation (EU) 2016/679, healthcare providers should follow the data minimisation principle when accessing personal health data, limiting the data accessed to data that are strictly necessary and justified for a given service . For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.

(13)

Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.

(13)

Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported . However, natural persons should be informed of the patient safety risks associated with limiting access to health data . However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law , in particular as regards medical liability in the event that restrictions have been placed by the natural person, Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.

(14)

In the context of the EHDS, natural persons should be able to exercise their rights as they are enshrined in Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.

(14)

In the context of the EHDS, natural persons should be able to exercise their rights under this Regulation without prejudice to Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.

(15)

Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of senstitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data, including the legislation establishing categories of health professionals that can process different categories of electronic health data.

(15)

Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of sensitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data outside the scope of this Regulation, including for other secondary use purposes established by this Regulation , including the legislation establishing categories of health professionals that can process different categories of electronic health data.

(16)

Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care and avoiding duplications and errors. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as health professional portals, to use personal electronic health data for the exercise of their duties. Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format.

(16)

Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care , avoiding duplications and errors and reducing costs . However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as appropriate electronic and digital devices and health professional portals, to use personal electronic health data for the exercise of their duties on a need-to-know basis . Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format. This Regulation should not be construed or interpreted as limiting the obligation of health professionals to comply with the applicable law, codes of conduct, deontological guidelines or other provisions governing ethical conduct with respect to sharing or accessing information, particularly in life-threatening or extreme situations. For that purpose, providers of electronic health records should keep a record of who has accessed data in the previous 36 months and which data they accessed.

(16a)

Health professionals are faced with a profound change in the context of digitalisation and implementation of the EHDS. Health professionals need to develop their digital health literacy and digital skills. Therefore, health professionals who qualify as micro enterprises, as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC  (1a) , should be temporarily exempted from the obligations laid down in this Regulation, in order to avoid a disproportionate administrative burden for micro enterprises. During the period of exemption, Member States should enable health professionals working as micro enterprises to take digital literacy courses to be able to prepare to work in EHR systems.

(17)

The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded . The Commission should be empowered to extend the list of priority categories , after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.

(17)

The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.

(19)

The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format. This would also contribute to the achievement of the target of 100 % of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data accesible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/243 (45) provides the foundations for such a common European electronic health record exchange format. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council (46) recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.

(19)

The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format as well as for them to have better control over accessing and sharing their personal electronic health data . This would also contribute to the achievement of the target of 100 % of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data accessible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/243 (45) provides the foundations for such a common European electronic health record exchange format. The interoperability of the EHDS should contribute to a high quality of European health data sets. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council (46) recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.

(20)

While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt implementing acts for determining additional aspects related to the registration of electronic health data, such as categories of healthcare providers that are to register health data electronically, categories of data to be registered electronically, or data quality requirements.

(20)

While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt delegated acts for determining data quality requirements.

(20a)

In order to support the successful implementation of the EHDS and the creation of effective conditions for European health data cooperation, the Commission and Member States should agree on time-based targets to implement conditions for improved health data interoperability across the Union with a range of objectives and milestones, including in respect of disease-specific registry interoperability, which should be reviewed and assessed in an annual report.

(21)

Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services (including telemedicine) that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.

(21)

Under Article 168 of the Treaty on the Functioning of the European Union (TFEU), Member States are responsible for their health policy, in particular for decisions on the services that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision. Telemedicine is becoming an increasingly important tool that can provide patients with access to care and tackle inequities and has the potential to reduce health inequalities and reinforce the free movement of Union citizens across borders. Digital and other technological tools can facilitate the provision of care in remote regions. However, telemedicine should not be viewed as a replacement for in-person medicine, as there are certain conditions and procedures that require in-person physical examination and intervention.

(22)

Regulation (EU) No 910/2014 of the European Parliament and of the Council (47) lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’).As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level. Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities.

(22)

Regulation (EU) No 910/2014 of the European Parliament and of the Council (47) lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. Therefore, natural persons and health professionals should have the right to electronic identification using any recognised electronic identification, including eID schemes where such are offered. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’). As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level.

(22a)

Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access and transmission and the enforcement of the rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising on the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of currently existing authorities.

(23)

Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.

(23)

Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. Member States should ensure that appropriate training initiatives are undertaken. In particular, health professionals should be informed and trained with respect to their rights and obligations under this Regulation. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, health professionals, manufacturers of EHR systems and wellness applications, as well as other stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.

(24)

Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data.

(24)

Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data , and funding as well as other means of support at Union level should be considered .

(25)

In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities among the Member States, as joint controllers, and prescribe its own obligations, as processor.

(25)

In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities with time-based targets among the Member States, as joint controllers, and prescribe its own obligations, as processor.

(26)

In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases. Connection of national contact points for digital health of third countries or interoperability with digital systems established at international level should be subject to a check ensuring the compliance of the national contact point with the technical specifications, data protection rules and other requirements of MyHealth@EU. A decision to connect a national contact point of a third country should be taken by data controllers in the joint controllership group for MyHealth@EU.

(26)

In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases.

(34a)

EHR systems could qualify as medical devices under Regulation (EU) 2017/745 or in-vitro diagnostic devices under Regulation (EU) 2017/746 of the European Parliament and of the Council  (1a) . While those EHR systems need to fulfil the requirements under each applicable regulation, Member States should take appropriate measures to ensure that the respective conformity assessment is carried out as a joint or coordinated procedure, as appropriate, inter alia by encouraging the same notified bodies to become responsible for the conformity assessment under each applicable regulation.

(35)

Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A voluntary labelling scheme should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission may set out in implementing acts the details regarding the format and content of such label.

(35)

Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A mandatory labelling scheme for wellness applications claiming interoperability with EHR systems should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission should set out in implementing acts the details regarding the format and content of such label.

(36a)

The uptake of real-world data and real-world evidence, including patient-reported outcomes, for evidence-based regulatory and policy purposes as well as for research, health technology assessment and clinical objectives should be encouraged. Real-world data and real-world evidence have the potential to complement health data currently made available.

(37)

For the secondary use of the clinical data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis and rules and mechanisms and providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. This Regulation provides the legal basis in accordance with Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV. More specifically: for processing of electronic health data held by the data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing the data by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected . This Regulation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679 . This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2)(h),(i),(j) of the Regulation (EU) 2016/679. Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which electronic health data can be processed. In the case where the user has access to electronic health data (for secondary use of data for one of the purposes defined in this Regulation), the data user should demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f), of Regulation (EU) 2016/679 and explain the specific legal basis on which it relies as part of the application for access to electronic health data pursuant to this Regulation : on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it should make reference to another EU or national law, different from this Regulation , mandating the user to process personal health data for the compliance of its tasks . If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data access bodies are an administrative decision defining the conditions for the access to the data.

(37)

For the secondary use of personal electronic health data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis for rules and mechanisms providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. For the purpose of processing electronic health data for secondary use, one of the legal bases set out in Article 6(1), points (a), (c), (e) or (f), of Regulation (EU) 2016/679 combined with Article 9(2) of that Regulation should be required. The most relevant processing condition listed in Article 9(2) of Regulation (EU) 2016/679 in this context is that of substantial public interest, the provision of health or social care, public interest in the area of public health and research. Hence, this Regulation provides the legal basis in accordance with Article 6 and Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. More specifically , for processing of electronic health data held by the health data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1) , point (c) , of Regulation (EU) 2016/679 for disclosing the data by the health data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1), point (e), of Regulation (EU) 2016/679 and meets the requirements of Article 9(2), points (g) to (j), of the Regulation (EU) 2016/679. At the same time, the health data access body should verify the compliance with Article 6 of Regulation (EU) 2016/679 , combined with Article 9(2) thereof, based on which they should be able to issue a data permit for the processing of personal electronic health data pursuant to this Regulation that should fulfil the requirements and conditions set out in Chapter IV of this Regulation.

(37a)

In the case where the health data user has access to electronic health data for secondary use of data for one of the purposes defined in this Regulation, the health data user should demonstrate the specific legal ground on which it relies as part of the application for access to electronic health data pursuant to this Regulation, namely, on the basis of the applicable law, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or Article 6(1), point (f), thereof. If the health data user relies upon the ground provided for in Article 6(1), point (e), it should make reference to another Union or national law, requiring the user to process personal health data for the compliance of its tasks. If the ground for processing by the health data user is Article 6(1), point (f), of Regulation (EU) 2016/679, appropriate and necessary safeguards should be determined in accordance with this Regulation. In this context, the data permits issued by the health data access bodies should be an administrative decision defining the conditions for the access to the data.

(38)

In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use.

(38)

In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all health data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use provided that such effort is always made through effective and secured processes, such as aggregation and randomisation, and with due respect for professional duties, such as confidentiality duties .

(39)

The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances, homelessness, health insurance, minimum income, professional status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include person-generated data, such as data from medical devices, wellness applications or other wearables and digital health applications. The data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.

(39)

The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of health data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances, socio-economic status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include automatically generated data from medical devices and person-generated data, such as wellness applications . The health data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset . Health data users should be encouraged to report critical errors in datasets to health data access bodies . To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.

(39a)

In order to guarantee trust in the patient-physician relationship, the principle of professional secrecy and the patient's right to confidentiality should be safeguarded when digitalising healthcare services. A relationship of trust between patients and health professionals and healthcare providers and other holders of personal health data is a paramount element of the provision of health or social care or treatment. It is within that context that the patient or the legal representative of the patient should have a say in the processing of their health data for secondary use in the form of a right to opt-out of the processing of all or parts of their health data for secondary use for some or all purposes. An easily understandable and accessible opt-out mechanism in a user-friendly format should be provided for in this regard. However, due to the sensitive nature of human genetic, genomic and proteomic data, data from biobanks and to the nature of the use of data from wellness applications, it is appropriate to provide that the secondary use of such data can only occur following the consent of the natural person concerned in accordance with Article 4(11) of the Regulation (EU) 2016/679. An opt-in mechanism whereby data subjects explicitly consent or give their permission to the processing of part or all of such data for some or all secondary use purposes should be envisaged. Where data subjects explicitly consent to the use of parts or all of this data for some or all secondary use purposes, they should be made aware of the sensitive nature of the data they are sharing. Moreover, it is imperative to provide natural persons with sufficient information regarding their right to opt-out, including on the possibility of reconsidering their choice of opting-out and agreeing to some or all of their health data being processed for secondary use at a later point.

(40)

The data holders can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding, should be made available by data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.

(40)

The health data holders in the context of secondary use of electronic health data can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above To the extent that they process personal electronic health data, health data holders are controllers within the meaning of Regulation (EU) 2016/679 in the health or care sector . In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS . Health data access bodies should provide specific support to small enterprises, in particular medical practitioners and pharmacies, in complying with their obligation to make data available for secondary use . The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by health data holders with the support of Union or national public funding, should be made available by health data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection and should be made available while taking all necessary measures to protect such rights . However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.

(40a)

Different demographic groups have varying degrees of digital literacy, which can affect natural persons’ ability to exercise their rights to control their electronic health data. In addition to the right for natural persons to authorise another natural person of their choice to access or control their electronic health data on their behalf, Member States should create targeted national digital literacy programmes, including programmes to maximise social inclusion and to ensure all natural persons can effectively exercise their rights under this Regulation. Member States should also provide patient-centric guidance to natural persons in relation to the use of electronic health records and primary use of their personal electronic health data. Guidance should be tailored to the patient’s level of digital health literacy, with specific attention to be given to the needs of vulnerable groups.

(40b)

Clinical trials and studies are of utmost importance in fostering innovation within the Union for the benefit of Union patients. In order to incentivise continuous Union leadership in this domain, the sharing of the clinical trials data through the EHDS for secondary use should be consistent with the relevant transparency provisions laid down in Union law including Regulation (EU) .../... [proposal for a Regulation on blood, tissue, cells and organs (SoHO) COM(2022)338 final], Regulations (EC) No 726/2004  (1a) and (EU) 2019/6  (1b) of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council  (1c) regarding veterinary and human medicines and establishing the EMA, Regulation (EC) No 141/2000 of the European Parliament and of the Council  (1d) related to medicinal products for rare diseases (‘orphan medicines’), Regulation (EC) No 1901/2006 of the European Parliament and of the Council  (1e) on medicinal products for children, Regulation (EC) No 1394/2007 of the European Parliament and of the Council  (1f) on advanced therapy medicinal products, Regulation (EU) No 536/2014 of the European Parliament and of the Council  (1g) on clinical trials, Regulation (EU) No 2017/745 and Regulation (EU) No 2017/746.

(41)

The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of AI algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.

(41)

The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers , with a demonstrated link to the field of public health, to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society . In particular, the secondary use of health data for research and development purposes should contribute to a benefit to society in the form of new medicines, medical devices, health care products and services at affordable and fair prices for Union citizens, as well as to enhancing access to and the availability of such products and services in all Member States . Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research, development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of artificial intelligence algorithms that could protect the health or care of natural persons). In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, to automate individual decision-making, to re-identify natural persons, or develop harmful products should be prohibited.

(42)

The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.

(42)

The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use , Members of the governance and decision-making bodies and staff of each health data access body should therefore refrain from any action that is incompatible with their duties and should not engage in any incompatible occupation . However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial , technical and human resources , ethics bodies , premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union and have separate structures for application processing on the one hand, and anonymisation, pseudonymisation and re-identification on the other hand . Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data. Given the central role of the health data access bodies in the context of secondary use of electronic health data, and especially regarding the decision-making on granting or refusing a health data permit and preparing the data to make them available to health data users, the members and staff of such bodies should have the necessary qualifications, experience and skills, including legal and technical expertise as regards the protection of personal data, specifically data concerning health, and expertise in the areas of ethics, healthcare, scientific research, cybersecurity, protection of intellectual property and trade secrets, artificial intelligence and other relevant areas. In addition, the decision-making process regarding the granting or refusal of the health data permit should involve ethical considerations. The staff of health access bodies should not have any conflict of interest that is prejudicial to their independence and the impartiality of their conduct.

(43)

The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties . In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.

(43)

The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. The selection procedure for health stakeholders should be transparent, public and free of any conflict of interest. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should remain the only authorities competent for enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including administrative fines and enforcement measures . In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, and promote the development of common standards. They should apply tested state-of-the-art techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. In that regard, health data access bodies should cooperate across borders and agree on common definitions and techniques. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymisation of microdata sets.

(44)

Considering the administrative burden for health data access bodies to inform the natural persons whose data are used in data projects within a secure processing environment , the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore , health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the data subject or his health professional. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.

(44)

Health data access bodies should comply with the obligations laid down in Article 14 of Regulation (EU) 2016/679 and inform the natural persons whose data are used in data projects within a secure processing environment. The exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 could apply. Where such exceptions are applied , health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed , enabling natural persons to understand whether their data are being made available for secondary use pursuant to data permits . Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the health data user should inform the health data access body, which should inform the health professional treating the natural person concerned or, in the event that the treating health professional is not traceable, the natural person, with due regard for their stated wish not to be informed, while fully respecting the principles of medical confidentiality and professional secrecy . Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.

(46)

In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand, Union institutions, bodies, offices and agencies , including EMA, ECDC and the Commission , have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.

(46)

In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand, public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health , have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.

(47)

Health data access bodies and single data holders should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission may adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.

(47)

Health data access bodies should be allowed to charge fees based on the applicable provisions under this Regulation and the provisions of Regulations (EU) .../... […] [Data Governance Act COM/2020/767 final] and (EU) .../... […] [Data Act COM/2022/68 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Health data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private health data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission should adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation. Public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health should not be charged fees.

(48)

In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to penalties or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement. The imposition of penalties should be subject to appropriate procedural safeguards in accordance with the general principles of law of the relevant Member State, including effective judicial protection and due process .

(48)

In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures should be envisaged that can lead to administrative fines or enforcement measures by health data access bodies or temporary or definitive exclusions from the EHDS framework of the health data users or health data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give health data users and holders the opportunity to reply to any findings and to remedy any infringement. When deciding on the amount of the administrative fine or enforcement measure for each individual case, health data access bodies should take into account the margins for costs and criteria set out in this Regulation .

(49)

Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it . If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person (s) . Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form . In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.

(49)

Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, common standards for data anonymisation should be further developed and the use of anonymised electronic health data which is devoid of any personal data should be made available when possible. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity and the health data access body should determine the validity of that justification . The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. When providing access to an anonymised or pseudonymised dataset, a health data access body should use state-of-the-art anonymisation or pseudonymisation technology, ensuring to the maximum extent possible that natural persons cannot be re-identified. Health data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative fines and the enforcement measures laid down in this Regulation or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a significant health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the health data users to inform the health data access body, which in turn would inform the treating health professional of the concerned natural person or, in the event that the treating health professional is not traceable, the natural person, with due regard for any stated wish not to be informed. To that end, the health data user should be guided by ethical principles, and guidelines from EMA and the ECDC as regards what constitutes a significant finding . Moreover, a health data applicant can request the health data access bodies to provide the answer to a health data request, including in an anonymised or aggregated statistical format . In this case, the health data user would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the health data request.

(50)

In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide health data access bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information include : the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data access bodies and, where relevant data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data , it should submit a data request application, requiring the health data access body to provide directly the result. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data application , as well as data request .

(50)

In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The health data applicant should provide health data access bodies with several information elements that would help the body evaluate the application and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information includes : the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, the identity of the health data applicant as well as the specific persons who are authorised to have access to the electronic health data in the secure processing environment and how they are qualified vis-à-vis the intended secondary use, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed , a description of the safeguards planned to prevent any other use, misuse or possible re-identification, and an explanation of the expected benefits of the secondary use . Where data is requested in pseudonymised format, the health data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. A thorough assessment of the health data access applications and documents submitted by the health data applicant should be required and the health data access body should only issue a data permit if all the conditions set out in this Regulation are met. The health data access body and, where relevant health data holders, should assist health data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the health applicant needs data in an anonymised and aggregated statistical format , it should submit a data request application, requiring the health data access body to provide directly the result. A refusal of a data permit by the health data body should not preclude the health data applicant from submitting a new data access application. In order to ensure a harmonised approach between health data access bodies and to limit an unnecessary administrative burden for the health data applicants to the greatest extent possible , the Commission should support the harmonisation of health data access applications , as well as health data requests, including by establishing, by means of implementing acts, templates for health data access applications and requests .

(50a)

A standard ethics assessment should be carried out by ethics bodies within health data access bodies. Such assessment should be an important part of the process. However, where the health data applicant had previously obtained the approval of the competent ethics committee in accordance with national law for research purposes for which they are requesting data through the EHDS, the health data applicant should make that information available to the health data access body as part of the data access application.

(51)

As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an additonal fee. However, in all the cases, the data permit should reflect theses additionals uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.

(51)

As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The health data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the health data permit and may be subject to an additional fee. However, in all the cases, the data permit should reflect theses additional uses of the dataset. Preferably, the health data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.

(52)

As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies, especially the Commission, need access to health data for a longer period and on a recurring basis. This is may be the case not only in specific circumstances in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.

(52)

As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies with a legal mandate in the field of public health , especially the Commission, need access to health data for a longer period and on a recurring basis. This may be the case not only for specific circumstances stipulated by Union or national law in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.

(53)

For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data access bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi-country requests and requests requiring combination of datasets from several data holders should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or data requests they provide.

(54)

Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body or, where relevant, single data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.

(54)

Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data , in accordance with the data minimisation principle . All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V . Nevertheless, in order to ensure the proper supervision and security of personal data, such environments need to be located in the Union if they are used to access personal health data . Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.

(55)

For the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users , the Commission should , by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter into. In order to achieve an inclusive and sustainable framework for multi-country secondary use of electronic health data , a cross-border infrastructure should be established . HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/2009 (50) or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council (51) .

(55)

For the processing of electronic health data in the scope of a granted permit, the health data holders, the health data access bodies and the health data users should each, in turn, be deemed a controller for a specific part of the process and according to their respective roles therein. The health data holder should be deemed controller for the disclosure of the requested personal electronic health data to the health data access body, while the health data access body should in turn be deemed controller for the processing of the personal electronic health data when preparing the data and making them available to the health data user. The health data user should be deemed controller for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to its data permit. The health data access body should be deemed a processor for processing carried out by the health data user pursuant to a data permit in the secure processing environment . HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” , “privacy by default”, and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/2009 (50) or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council (51) .

(59)

Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.

(59)

Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework. The labels should be subject to the evaluation by the health data access bodies. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.

(61)

Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases, and statistics and shall be taken into account when defining new standards. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare.

(61)

Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases, cardiovascular and metabolic diseases, risk factor assessment, and statistics and shall be taken into account when defining new standards and disease-specific harmonised templates for structured data elements . However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare. Existing health data infrastructures and registries put in place by institutions and stakeholders can contribute to defining and implementing data standards, to ensuring interoperability and should be leveraged to allow for continuity and build on existing expertise.

(62a)

Improving digital health literacy for both natural persons and their health professionals is key in order to achieve trust, safety and appropriate use of health data and thus to achieve successful implementation of this Regulation. Improving digital health literacy is fundamental in order to empower natural persons to have true control over their health data and actively manage their health and care, and understand the implications of the management of such data for both primary and secondary use. Member States, including regional and local authorities, should therefore support digital health literacy and public awareness, while ensuring that the implementation of this Regulation contributes to reducing inequalities and does not discriminate against people lacking digital skills. Particular attention should be given to persons with disabilities and vulnerable groups including migrants and the elderly. Health professionals and IT operators should have sufficient training in working with new digital infrastructures to ensure cybersecurity and ethical management of health data.

(63)

The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds.

(63)

The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds. To procure or fund services provided by controllers and processors established in the Union that process personal electronic health data, they should be required to demonstrate that they will store the data in the Union and that they are not subject to third country law that conflicts with Union data protection rules. Union funds should be distributed transparently and sufficiently among the Member States, ensuring it is adequate and taking into account different levels of health system digitalisation and the costs involved in making national data infrastructures interoperable and compatible with the requirements of the EHDS. Making data available for secondary use requires additional resources for healthcare systems, in particular public systems. That additional burden for public entities should be addressed and minimised to the greatest possible extent during the implementation phase of the EHDS.

(63a)

The economic costs of implementing this Regulation should be borne at both Member State and Union level, and a fair sharing of that burden between national and Union funds should be found. The initial Union funding to achieve a timely application of the EHDS is limited to what can be mobilised under the 2021-2027 Multiannual Financial Framework (MFF) where EUR 220 million can be made available under the EU4Health and Digital Europe programmes. The successful and coherent application of the EHDS across all Member States will however require higher funding. The implementation of the EHDS requires appropriate investments in capacity building and training and a well-funded commitment to public consultation and engagement. The Commission should therefore mobilise further resources for the EHDS as part of the review of the 2021-2027 MFF and for the forthcoming MFF under the principle that new initiatives should be matched with new funding.

(64a)

The functioning of the EHDS involves processing of a large quantity of personal and non-personal health data of a highly sensitive nature. Article 8(3) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) requires control over the processing of such health data by an independent authority. The control of the compliance with the requirements of protection and security by an independent supervisory authority, carried out on the basis of Union law, is an essential component of the protection of individuals with regard to the processing of personal data and cannot be fully ensured in the absence of a requirement to retain the electronic health data in question within the Union. Therefore, taking into account the need to mitigate the risks of unlawful access and ineffective supervision, in compliance with the principle of proportionality, this Regulation should require Member States to store electronic health data within the Union. Such storage requirements should ensure a uniform high level of protection for data subjects across the Union, preserve the proper functioning of the internal market, in line with Article 114 TFEU, which constitutes the legal basis of this Regulation, and serve to enhance citizens’ trust in the EHDS.

(64b)

The obligation to store electronic health data in the Union does not preclude transfers of those data to third countries or international organisations by means of granting access to electronic health data. Access to data through the secure processing environment can entail the transfer of personal data, as defined in Chapter V of Regulation (EU) 2016/679. It is possible to reconcile a general requirement to store personal data in the Union with specific transfers being allowed in compliance with Union law on personal data protection, for instance in the context of scientific research, provision of care or international cooperation. In particular, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union under Regulation (EU) 2016/679 should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. Transfers of personal health data to third countries and international organisations can only be carried out in full compliance with Chapter V of Regulation (EU) 2016/679. For instance, controllers and processors processing personal electronic health data remain subject to Article 48 of that Regulation on transfers or disclosures not authorised by Union law and should comply with this provision in the case of an access request stemming from a third country. In accordance with the conditions of Article 9(4) of Regulation (EU) 2016/679, Member States can maintain or introduce further conditions, including limitations, in relation to transfers of personal health data to third countries or international organisations.

(64c)

Access to electronic health data for entities from third countries should take place only on the basis of the reciprocity principle. Making available of health data to a third country can take place only where the Commission has established by means of a delegated act that the third country concerned allows for the use of health data by Union entities under the same conditions and with the same safeguards as within the Union. The Commission should monitor that list and provide for a periodic review thereof. Where the Commission finds that a third country no longer ensures access on the same terms, that third country should be removed from that list.

(65)

In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].

(65)

In order to promote the consistent application of this Regulation , including cross-border interoperability of health data, and potential mechanisms of funding support to ensure equal development of data systems across the Union in respect of the primary and secondary use of electronic health data , a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. The EHDS Board should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act]. The EHDS Board should operate in line with its Code of Conduct, impartially, independently, in the public interest and transparently, with open publication of meeting dates and minutes of its discussions as well as of an annual report. It is furthermore appropriate to lay down sufficient guarantees to ensure that members of the EHDS Board do not have any conflicts of interest.

(65a)

An advisory forum should be set up to advise the EHDS Board in the fulfilment of its tasks by providing stakeholder input on matters pertaining to this Regulation. The advisory forum should be composed of representatives of patients, consumers, health professionals, industry, scientific researchers and academia. It should have a balanced composition and represent the views of different relevant stakeholders. Both commercial and non-commercial interests should be represented.

(66a)

Any natural person should have the right to lodge a complaint with a digital health authority or with a health data access body, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the natural person considers that his or her rights under this Regulation have been infringed or where the digital health authority or health data access body does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the natural person. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The digital health authority or health data access body should inform the natural person of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another digital health authority or health data access body, intermediate information should be given to the natural person. In order to facilitate the submission of complaints, each digital health authority and health data access body should take measures such as providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication. Where the complaint concerns the rights of natural persons, the health data access body should inform the supervisory authorities under Regulation (EU) 2016/679 and send them a copy of the complaint .

(66b)

Where a natural person considers that his or her rights under this Regulation have been infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data, to lodge a complaint on his or her behalf.

(66c)

Any natural or legal person has the right to bring an action for annulment of decisions of the EHDS Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the digital health authorities or health data access bodies concerned which wish to challenge them have to bring an action within two months of being notified of them, in accordance with Article 263 TFEU. In accordance with Article 263 TFEU, a health data holder, a health data applicant, a health data user or a complainant can bring an action for annulment against the decisions of the EHDS Board which concern them within two months of their publication on the website of the EHDS Board. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a digital health authority or health data access body which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the health data access body or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by digital health authorities and health data access bodies which are not legally binding, such as opinions issued or advice provided. Proceedings against a digital health authority or health data access body should be brought before the courts of the Member State where the digital health authority or health data access body is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them. Where a complaint has been rejected or dismissed by a digital health authority or health data access body, the complainant can bring proceedings before the courts in the same Member State.

(66d)

Where a court seised of proceedings against a decision by a digital health authority or health data access body has reason to believe that proceedings concerning the same access to electronic health data by the same health data user, such as for the same purpose for processing for secondary use, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seised should be able to stay its proceedings or be able to, on request of one of the parties, decline jurisdiction in favour of the court first seised if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings should be deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.

(66e)

For proceedings against a health data holder or health data user, the plaintiff should have the choice of bringing the action before the courts of the Member States where the health data holder or health data user has an establishment or where the natural person resides, unless the health data holder is a public authority of a Member State acting in the exercise of its public powers.

(66f)

The digital health authority, health data access body, health data holder or health data user should compensate any damage which a person could suffer as a result of processing that infringes this Regulation. The digital health authority, health data access body, health data holder or health data user should be exempt from liability if it proves that it was not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or national law. Processing that infringes this Regulation should also include processing that infringes delegated and implementing acts adopted in accordance with this Regulation and national law specifying rules related to this Regulation. Natural persons should receive full and effective compensation for the damage they have suffered. Where digital health authorities, health data access bodies, health data holders or health data users are involved in the same processing, each actor should be held liable for the entire extent of the damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, it should be possible to apportion compensation according to the responsibility of each digital health authority, health data access body, health data holder or health data user for the damage caused by the processing, provided that full and effective compensation of the natural person who suffered the damage is ensured. Any digital health authority, health data access body, health data holder or health data user which has paid full compensation should be able to subsequently institute recourse proceedings against other digital health authorities, health data access bodies, health data holders or health data users involved in the same processing.

(66g)

Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a digital health authority, health data access body, health data holder or health data user, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council  (1a) should not prejudice the application of such specific rules.

(66h)

In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of, appropriate measures imposed by the digital health authority or health data access body pursuant to this Regulation. In the case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden for a natural person, it should be possible to issue a reprimand instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the digital health authority or health data access body, compliance with measures ordered against the health data holder or health data user, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

(66i)

Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Such criminal penalties could also involve the deprivation of profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(66j)

It is appropriate to lay down provisions enabling health data access bodies to apply administrative fines for certain infringements of this Regulation whereby certain infringements are to be regarded as serious infringements, such as the re-identification of natural persons, downloading personal health data outside of the secure processing environment and processing of data for prohibited uses or outside a data permit. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent health data access body in each individual case, taking into account all the relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the health data access body should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism could also be used to promote the consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the health data access bodies or of other penalties under this Regulation.

(66k)

The legal systems of Denmark and Estonia do not provide for administrative fines as set out in this Regulation. It should be possible to apply the rules on administrative fines in a manner such that in Denmark the fine is imposed by competent national courts as a criminal penalty, and that in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the health data access body initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

(66 l)

Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by national law.

(69a)

In accordance with Article 42 of Regulation (EU) 2018/1725, the Commission should, when preparing delegated acts or implementing acts, consult the European Data Protection Supervisor where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, and where such an act is of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data, the Commission can also consult the European Data Protection Board. The Commission should moreover consult the European Data Protection Board in the cases specified in Regulation (EU) 2016/679 and when relevant in the context of this Regulation.

(70)

Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. For certain specific infringements, Member States should take into account the margins and criteria set out in this Regulation.

(70)

Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. When deciding on the amount of the penalty for each individual case Member States should take into account the margins and criteria set out in this Regulation. Re-identification of natural persons should be considered a particularly serious breach of this Regulation. Member States should be able to consider criminalising re-identification by health data users so that it serves as a deterrent measure.

(71)

In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, on the self-certification of EHR systems, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.

(71)

In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.

(74)

The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on […] .

(74)

The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered Joint opinion 03/2022 on 12 July 2022 .

(76)

Given the need for technical preparation, this Regulation should apply from [ 12 months after entry into force],

(76)

Given the need for technical preparation, this Regulation should apply from [ 24 months after entry into force],

(a)

strengthens the rights of natural persons in relation to the availability and control of their electronic health data;

(a)

specifies the rights of natural persons in relation to the availability , sharing and control of their electronic health data;

(a)

manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;

(a)

manufacturers and suppliers of EHR systems and wellness applications , and of products claiming interoperability with EHR systems, placed on the market and put into service in the Union and the users of such products;

(c)

the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2 (1), (8), (10), (11) and (14) of [Data Governance Act COM/2020/767 final] ;

(c)

the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2, points (1), (8), (10), (11) and (14) of Regulation (EU) 2022/868 ;

(a)

‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form;

(a)

‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, that are processed in an electronic form;

(b)

‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;

(b)

‘non-personal electronic health data’ means data concerning health and aggregated genetic data in electronic format that falls outside the definition of personal data provided in Article 4 , point (1) , of Regulation (EU) 2016/679; where personal and non-personal data in a data set are inextricably linked, the entire dataset shall be processed as personal electronic health data;

(d)

‘primary use of electronic health data’ means the processing of personal electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;

(d)

‘primary use of electronic health data’ means the processing of electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;

(e)

‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use ;

(e)

‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of Chapter IV of this Regulation ;

(j)

‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their treatment ;

(j)

‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their care ;

(k)

‘data recipient’ means a natural or legal person that receives data from another controller in the context of the primary use of electronic health data;

(k)

‘ health data recipient’ means a recipient as defined in Article 4, point (9), of Regulation (EU) 2016/679, in the context of the primary use of electronic health data;

(l)

‘telemedicine’ means the provision of healthcare services, including remote care and online pharmacies, through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;

(l)

‘telemedicine’ means the provision of healthcare services, including remote care through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;

(m)

‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for healthcare purposes ;

(m)

‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare services ;

(n)

‘EHR system’ (electronic health record system) means any appliance or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records;

(n)

‘EHR system’ (electronic health record system) means any product (hardware or software ) primarily intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records between health professionals or that can be reasonably expected by the manufacturer to be used for those purposes ;

(o)

‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy life-styles;

(q)

‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads, might have led or might lead to any of the following:

(q)

‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads, has led or is likely to lead to any of the following:

(i)

the death of a natural person or serious damage to a natural person’s health;

(i)

the death of a natural person or serious damage to a natural person’s health or rights ;

(y)

‘data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data ;

(y)

‘ health data holder’ means any natural or legal person, which is an entity or a body in the health , social security or care sector or in the reimbursement services sector , or perform s research in relation to these sectors, as well as Union institutions, bodies, offices and agencies , and which, in accordance with this Regulation, applicable Union law or national legislation implementing Union law:

(i)

is a controller as set out in Regulation (EU) 2016/679 and has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, to process personal electronic health data; or

(ii)

has the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data, through control of the technical design of a product and related services ;

(z)

‘data user’ means a natural or legal person who has lawful access to personal or non-personal electronic health data for secondary use;

(z)

‘ health data user’ means a natural or legal person, as well as a Union institution, body, office or agency, which has been granted lawful access , in accordance with this Regulation, to electronic health data for secondary use pursuant to a data permit or a health data request ;

(za)

‘health data applicant’ means any natural or legal person with a demonstrable professional link to the areas of health care, public health or medical research and that submits an application for health data;

(aa)

‘data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;

(aa)

‘ health data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;

(aea)

‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on, managing, maintaining or improving the health of individual persons, or the delivery of care.

(a)

establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in paragraphs 1 and 2 ;

(a)

establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in this Article ;

(b)

establish one or more proxy services enabling a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf.

(b)

establish one or more proxy services enabling a natural person to legally authorise other natural persons of their choice to access their electronic health data on their behalf for a specified or indeterminate period and if needed, for a specific purpose only, or enabling legal representatives of patients to access electronic health data of the natural persons whose affairs they administer, in accordance with national law .

(a)

have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;

(a)

have access , based on the data minimisation and purpose limitation principles, to the electronic health data of natural persons under their treatment and exclusively for the purpose of that treatment, including relevant administration , irrespective of the Member State of affiliation and the Member State of treatment , in accordance with Article 9(2), point (h), of Regulation 2016/679 ;

(e)

laboratory results;

(e)

laboratory results , medical test results and other complementary and diagnostic results ;

(f)

discharge reports.

(f)

patient discharge reports;

(fa)

medical directives of the natural persons and information about consent for substances of human origin and organ donations.

(a)

the category is relevant for health services provided to natural persons;

(b)

according to the most recent information, the category is used in a significant number of EHR systems used in Member States;

(c)

international standards exist for the category that have been examined for the possibility of their application in the Union.

(a)

datasets containing electronic health data and defining structures, such as data fields and data groups for the content representation of clinical content and other parts of the electronic health data;

(a)

harmonised datasets containing electronic health data and defining structures, such as minimum data fields and data groups for the content representation of clinical content and other parts of the electronic health data , which can be enlarged to include disease-specific data ;

(c)

technical specifications for the exchange of electronic health data, including its content representation, standards and profiles.

(c)

technical interoperability specifications for the exchange of electronic health data, including its content representation, standards and profiles , and for the translation of electronic health data .

(a)

categories of healthcare providers that are to register health data electronically;

(b)

categories of health data that are to be registered systematically in electronic format by healthcare providers referred to in point (a);

(c)

data quality requirements pertaining to the electronic registration of health data.

(b)

ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers;

(b)

ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers and that appropriate training initiatives are undertaken at the local, regional and national level ;

(h)

contribute, at Union level, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing interoperability, security, safety or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;

(h)

contribute, at Union level , and, where relevant, in cooperation at local and regional level within the Member States , to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing quality, interoperability, security, safety , ease of use, accessibility, non-discrimination or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;

(k)

offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, do not discriminate and offer the possibility of choosing between in person and digital services;

(k)

offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible and equitable to different groups of natural persons and health professionals, including natural persons with disabilities, under the same non-discriminatory conditions and offer the possibility of choosing between in person and digital services;

(m)

cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data , as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals, industry associations ;

(m)

cooperate with other relevant entities and bodies at local, regional, national or Union level, to ensure interoperability, data portability and security of electronic health data;