Accept Refuse

EUR-Lex Access to European Union law

This document is an excerpt from the EUR-Lex website

Document Ares(2019)116373

COMMISSION IMPLEMENTING DECISION (EU) …/… providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU

Please be aware that this draft act does not constitute the final position of the institution.

COMMISSION IMPLEMENTING DECISION (EU) …/…

of XXX

providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare 1 , and in particular Article 14(3) thereof,

Whereas:

(1)Article 14 of Directive 2011/24/EU assigned the Union to support and facilitate cooperation and the exchange of information among Member States working within a voluntary network connecting national authorities responsible for eHealth (the ‘eHealth Network’) designated by the Member States.

(2)Commission Implementing Decision (EU) 2011/890 2  provides rules for the establishment, the management and the functioning of the eHealth Network.

(3)That decision does not at the moment provide appropriate rules with regard to certain aspects necessary for sufficiently transparent functioning of the eHealth Network, in particular, on specific tasks that aim to pursue some of the objectives assigned to it by Directive 2011/24/EU, the role of eHealth Network and the Commission in relation to the eHealth Digital Service Infrastructure, the possibility for some Members of the eHealth Network to advance their cooperation in certain areas, and the new requirements on data protection under Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) 3 , and Regulation (EU) 2018/1725 of the European Parliament and of the Council 4 .

(4)The transparent management of the eHealth Network should be ensured by laying down rules on becoming a member of the eHealth Network and withdrawing from it. Participation in the eHealth Network being voluntary, the Member States should be able to join at any time. For organisational purposes, the Member States wishing to participate should inform the Commission of this intention in advance.

(5)Electronic communication is a suitable means for rapid and reliable exchange of data between Member States participating in the eHealth Network. In this area, significant developments took place. In particular, in order to facilitate the interoperability of European eHealth systems, the eHealth Digital Service Infrastructure was developed, within the eHealth Network as an IT tool for the exchange of health data under the Connecting Europe Facility programme 5 , supported by the Commission. These developments should be reflected in this Decision. Moreover, as stressed in the Commission Communication of 25 April 2018 on enabling the digital transformation of health and care in the Digital Single Market, empowering citizens and building a healthier society 6 , the role of the eHealth Network in relation to the functioning of the eHealth Digital Service Infrastructure should be clarified.

(6)The role of the eHealth Digital Service Infrastructure should be to enable the cross-border exchange of health data among Member States as recognised in the 2017 Council Conclusions on Health in the Digital Society 7 such as patient data contained in ePrescriptions and Patient Summaries and eventually more comprehensive electronic health records, as well as in developing other uses.

(7)The eHealth Digital Service Infrastructure is composed of core services and generic services as provided for in Regulation (EU) No 283/2014 of the European Parliament of the Council 8 . The core services are developed, deployed and maintained by the European Commission. Together with the generic services, they should enable and support trans-European connectivity. The generic services are developed, deployed and maintained by the National Contact Points for eHealth designated by the Member States. The National Contact Points for eHealth using the generic services link the national infrastructure with the core service platforms.

(8)For reasons of transparency, tasks through which some of the objectives of the eHealth Network provided for by Article 14(2) of Directive 2011/24/EU may be achieved, should be indicated, notably in the context of the developments described above.

(9)In particular, in order to achieve technical, semantic, and organisational interoperability between national eHealth systems, the eHealth Network should, in the context of the eHealth Digital Service Infrastructure, play a leading role in the elaboration and coordination of the necessary common requirements, specifications, standards and formats.

(10)On xxx, the Commission adopted a Recommendation on a European Electronic Health Record exchange format. In order to facilitate implementing the format, the eHealth Network, working together with the Commission, stakeholders, clinicians and relevant authorities, should develop guidance, support further developing the format and support the Member States in ensuring the security of data exchange.

(11)When preparing guidance concerning security aspects of data exchange, the ‘eHealth Network’ should benefit from the expertise of the NIS Cooperation Group established under Article 11 of Directive (EU) 2016/1148 of the European Parliament and of the Council 9 , and the European Union Agency for Network and Information Security-ENISA.

(12)In order to promote the interoperability of eHealth solutions, the eHealth Network should have a possibility to provide guidance on the necessary investments in the national digital infrastructure. Where appropriate, it could provide, in cooperation with the concerned parties at national and EU level, guidance to Member States participating in the eHealth Network in areas related to eHealth, supporting health promotion, disease prevention and improved delivery of healthcare through better use of health data, including at national level, with the view of advancing scientific research and public health, as well as continuity of care and access to safe and high quality healthcare. It should also be able to allow its Members to exchange views on national strategic challenges with regard to new technologies and data usages and promote the discussion with other relevant EU fora (such as the Steering Group on Health Promotion, Disease Prevention and Management of Non-Communicable Diseases) on priorities, strategic orientations and implementation.

(13)In order to ensure the effective exchange of information among Member States, the eHealth Network should be able to work towards enabling Member States to start exchanging it. In particular, the eHealth Network should have a possibility to agree, based on tests provided and audits carried out by the Commission, on the organisational, semantic and technical readiness of Member States to exchange electronic health data through their National Contact Points for eHealth and their continued compliance in that respect. For the required level of trust and confidence, only the members participating in eHealth Digital Service Infrastructure and thus having the necessary experience and expertise should vote on the adoption of decisions concerning the exchange of electronic health data.

(14)For an effective and transparent functioning of the network, rules should be laid down on the adoption of the Rules of Procedure and multiannual work programme as well as the creation of subgroups in order to ensure the effective functioning of the eHealth Network. The Rules of Procedure should specify the procedure for the decisions concerning the exchange of personal data through the eHealth Digital Service Infrastructure, as described above.

(15)Provisions should be made for the possibility of some Members of the eHealth Network to advance their cooperation in areas covered by the tasks of the Network. This should also be the case for the eHealth Digital Service Infrastructure and other shared European eHealth Services developed under the responsibility of the eHealth Network.

(16)In order to further ensure the transparent functioning of the eHealth Network, its relation with the Commission should be set out, in particular in relation to the tasks of the eHealth Network and the Commission’s role in the cross-border exchange of health data through the eHealth Digital Service Infrastructure.

(17)Processing of personal data of patients, representatives of Member States, experts and observers participating in the eHealth Network, which is done under the responsibility of the Member States, or other public organisations or bodies in the Member States, should be carried out in accordance with the General Data Protection Regulation and Directive 2002/58/EC of the European Parliament and of the Council 10 . Personal data of representatives of national authorities responsible for eHealth, other representatives of Member States, experts and observers participating in the eHealth Network shall be processed by the Commission in accordance with the Regulation (EU) 2018/1725. Processing of personal data for the purpose of managing and ensuring the security of the core services of the eHealth Digital Service Infrastructure done under the responsibility of the Commission should comply with Regulation (EU) 2018/1725.

(18)The Member States determine the purpose and means of processing of personal data through the eHealth Digital Service Infrastructure and are therefore controllers of this processing. The Commission, as provider of technical and organisational solutions of the eHealth Digital Service Infrastructure, processes personal data on behalf of the Member States and is therefore a processor. According to Article 28 of the GDPR, the processing by a processor shall be governed by a contract or a legal act under Union or Member State law that is binding on the processor with regard to the controller and that specifies the processing. This Decision sets rules governing the processing by the Commission as a processor.

(19)In order to ensure equal access rights on the basis of the GDPR and Regulation (EU) 2018/1725, the Commission should be regarded as controller of personal data processing relating to the management of access rights to the eHealth Digital Health Infrastructure core services.

(20)In order to make reimbursement procedures transparent, rules on the expenses of participants in the activities of the eHealth Network should be set.

(21)Implementing Decision (EU) 2011/890 should therefore be repealed and replaced by this Decision for reasons of legal certainty and clarity.

(22)The measures provided for in this Decision are in accordance with the opinion of the Committee set up under Article 16 of Directive 2011/24/EU,

HAS ADOPTED THIS DECISION:

Article 1
Subject matter

This Decision provides the necessary rules for the establishment, the management and the functioning of the eHealth Network of national authorities responsible for eHealth, as provided for by Article 14 of Directive 2011/24/EU.

Article 2
Definitions

1.For the purposes of this Decision:

(a)‘eHealth Network’ means the voluntary network connecting national authorities responsible for eHealth designated by the Member States and pursuing the objectives laid down in Article 14 of Directive 2011/24/EU;

(b)‘National Contact Points for eHealth’ means organisational and technical gateways for the provision of Cross-Border eHealth Information Services under the responsibility of the Member States; 

(c)‘Cross-Border eHealth Information Services’ means existing services that are processed via National Contact Points for eHealth and through a core service platform developed by the Commission for the purpose of cross-border healthcare;

(d)‘eHealth Digital Service Infrastructure’ means the infrastructure that enables the provision of Cross-Border eHealth Information Services via National Contact Points for eHealth. This infrastructure includes both generic services, as defined in Article 2(2)(e) of Regulation (EU) No 283/2014, developed by the Member States and a core service platform, as defined in Article 2(d) therein, developed by the Commission;

(e)‘electronic health record’ means the comprehensive collection of medical records or similar documentations of the past and present physical and mental state of health of an individual, in digital form, which provides for ready availability of these data for medical treatment and other specified and closely related purposes;

(f)‘other shared European eHealth Services’ means digital services that may be in the future developed under the responsibility of the eHealth Network and shared between Member States;

(g)‘governance model’ means a set of rules concerning the designation of bodies participating in decision-making processes concerning the eHealth Digital Service Infrastructure or other shared European eHealth Services developed under the responsibility of the eHealth Network, as well as description of those processes.

2.The definitions in points (1), (2), (7) and (8) of Article 4 of Regulation (EU) 2016/679 shall apply.

Article 3
Membership of the eHealth Network

1.Members of the eHealth Network shall be Member States’ authorities responsible for eHealth, designated by those Member States participating in the eHealth Network.

2.Member States wishing to participate in the eHealth Network shall notify the Commission in writing of:

(a)the decision to participate in the eHealth Network;

(b)the national authority responsible for eHealth which will become a Member of the eHealth Network, as well as the name of the representative and that of his/her alternate.

3.Members shall notify the Commission in writing of the following:

(a)their decision to withdraw from the eHealth Network;

(b)any change in the information referred to in point (b) of paragraph (2).

4.The Commission shall make available to the public the list of Members participating in the eHealth Network.

Article 4
Tasks of the eHealth Network

1.The eHealth Network shall pursue the objectives assigned to it by article 14(2) of Directive 2011/24/EU.

2.In pursuing the objective assigned to it by Article 14(2)(a) of Directive 2011/24/EU the eHealth Network may, in particular:

(a)facilitate greater interoperability of the national information and communications technology systems and cross-border transferability of electronic health data in cross-border healthcare by agreeing which requirements, specifications and standards should be used to achieve technical, semantic and organisational interoperability between national digital healthcare systems;

(b)provide guidance, in cooperation with other competent supervisory authorities in relation to empowering citizens to access and share their own health data;

(c)provide guidance as regards supporting health promotion, disease prevention and improved delivery of healthcare through better use of health data;

(d)provide guidance on the necessary investments in digital infrastructure;

(e)provide guidance on interoperability of electronic health records;

(f)provide guidance on security of the eHealth Digital Service Infrastructure or other shared European eHealth Services developed under the responsibility of the eHealth Network, taking into account legislation and documents elaborated at Union level as well as recommendations in the field of cybersecurity, working in close cooperation with the NIS Cooperation Group and with ENISA and with national authorities, where relevant;

(g)elaborate, together with the Commission, the governance models of the eHealth Digital Service Infrastructure 11 and other shared European eHealth Services developed under the responsibility of the eHealth Network and participate in that governance. That participation may, in particular include:

i.setting the priorities of the eHealth Digital Service Infrastructure or other shared European eHealth Services developed under the responsibility of the eHealth Network, and overseeing their operation;

ii.drawing up guidelines for the operation, as well as the standards used, of the eHealth Digital Service Infrastructure and for other shared European eHealth Services developed under the responsibility of the eHealth Network;

iii.agreeing whether Member States participating in the eHealth Network should be allowed to start exchanging electronic health data through the eHealth Digital Service Infrastructure via their National Contact Points for eHealth based on their compliance with the requirements, standards and formats established under (a) as evaluated in tests provided and audits carried out by the Commission;

iv.endorsing the annual work plan for the eHealth Digital Service Infrastructure.

3.In drawing up the guidelines on effective methods for enabling the use of medical information for public health and research referred to in Article 14(2)(b)(ii) of Directive 2011/24/EU, the eHealth Network shall take into account the guidelines adopted by and, where appropriate, consult with the European Data Protection Board. These guidelines may also address in particular information exchanged through the eHealth Digital Service Infrastructure or other shared European eHealth Services.

Article 5
Functioning of the eHealth Network

1.The eHealth Network shall establish its own Rules of Procedure, by simple majority of its Members.

2.To accomplish its tasks, the eHealth Network may set up temporary sub-groups, including with experts to examine specific questions on the basis of terms of reference defined by the eHealth Network itself. Such sub-groups shall be disbanded as soon as their mandate is fulfilled.

3.The eHealth Network may also set up permanent subgroups in relation to specific tasks, in particular related to the eHealth Digital Service Infrastructure or the other shared European eHealth Services developed under the responsibility of the eHealth Network.

4.In pursuing its objectives, the eHealth Network shall work in close cooperation with the Joint Actions supporting the activities of the eHealth Network where such joint actions exist, with stakeholders or other concerned bodies or supporting mechanisms and shall take into account the results achieved in the framework of those activities.

5.The eHealth Network shall adopt a multiannual work programme and an evaluation instrument on the implementation of such programme.

6.Members of the eHealth Network may decide to advance the cooperation in some areas covered by tasks of the eHealth Network. When joining, Member States should commit to the rules of the advanced cooperation.

7.The Rules of Procedure may envisage that countries, other than Member States, applying Directive 2011/24/EU, may participate in the meetings of the eHealth Network as observers.

8.Members of the eHealth Network and their representatives, as well as invited experts and observers, shall comply with the obligations of professional secrecy laid down by Article 339 of the Treaty, as well as with the Commission’s rules on security regarding the protection of EU classified information, laid down in Commission Decision (EU, Euratom) 2015/444 12 . Should they fail to respect these obligations, the Chair of the eHealth Network may take all appropriate measures as provided for in the Rules of Procedure.

Article 6
Relation between the eHealth Network and the Commission

1.The Commission shall:

(a)attend and co-chair the meetings of the eHealth Network together with the representative of the Members;

(b)provide support to the eHealth Network in relation to the tasks referred to in Article 4;

(c)provide secretarial services for the eHealth Network;

(d)develop appropriate technical and organisational measures related to the core services of the eHealth Digital Service Infrastructure;

(e)support the eHealth Network in agreeing on the technical readiness of National Contact Points for eHealth for the cross-border exchange of health data by providing the necessary tests and carrying out audits and, upon the request of Member States, by auditing the National Contact Points for eHealth to assess their compliance with the requirements, standards and formats established under Article 4(1)(a). Experts from the Member States may assist Commission auditors.

2.The Commission may attend the meetings of the eHealth Network sub-groups.

3.The Commission may consult the eHealth Network on matters relating to eHealth at Union level and eHealth best practices exchange.

4.The Commission shall publish information on activities carried out by the eHealth Network on a dedicated website.

Article 7
Data protection

1.The National Contact Points for eHealth shall be regarded as controllers of personal data processed through the eHealth Digital Service Infrastructure.

2.The Commission shall be regarded as controller of the processing of personal data necessary to grant and manage access rights to the eHealth Digital Service Infrastructure core services. Such data are contact details of users, including name, surname and e-mail address and their affiliation.

3.The Commission shall not have access to patients’ personal data processed through the eHealth Digital Service Infrastructure. 

4.The Commission shall be regarded as data processor for any processing operation of personal data processed through the eHealth Digital Service Infrastructure. In its capacity as processor, the Commission shall manage the core services of the eHealth Digital Service Infrastructure and ensure the security of personal data processing taking place through that Infrastructure. The conditions of Article 29, paragraph (3), of Regulation (EU) 2018/1725 shall be fulfilled.

Article 8
Expenses

1.Participants in the activities of the eHealth Network shall not be remunerated by the Commission for their services.

2.Travel and subsistence expenses incurred by participants in the activities of the eHealth Network shall be reimbursed by the Commission in accordance with the provisions in force within the Commission. Those expenses shall be reimbursed within the limits of the available appropriations allocated under the annual procedure for the allocation of resources.

Article 9
Repeal

Implementing Decision 2011/890 is repealed. References to the repealed Decision shall be construed as references to this Decision.

Article 10
Entry into force

This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.

Article 11
Addressees

The Decision is addressed to the Member States.

Done at Brussels,

   For the Commission

   The President

   Jean-Claude JUNCKER

(1)    OJ L 88, 4.4.2011, p. 45.
(2)    Commission Implementing Decision (EU) 2011/890 of 22 December 2011 providing the rules for the establishment, the management and the functioning of the network of national responsible authorities on eHealth (OJ L 344, 28.12.2011, p. 48).
(3)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). 
(4)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ, L 295, 21.11.2018, p. 39).
(5)    Regulation (EU) No 1316/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010 (OJ L 348, 20.12.2013, p. 129).
(6)    Communication from the Commission on enabling the digital transformation of health and care in the Digital Market; empowering citizens and building a healthier society, SWD(2018), 126 final, p. 7.
(7)    Council conclusions on Health in the Digital Society making progress in data - driven innovation in the field of health, 2017/C 440/05, paragraph 30.
(8)    Regulation (EU) No 283/2014 of the European Parliament and of the Council of 11 March 2014 on guidelines for trans-European networks in the area of telecommunications infrastructure and repealing Decision No 1336/97/EC (OJ L 86, 21.3.2014, p. 14).
(9) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
(10)    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(11)    https://ec.europa.eu/health/sites/health/files/ehealth/docs/ev_20161121_co06_en.pdf
(12)    Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53). 
Top

Top