P9_TA(2023)0462
European Health Data Space
Amendments adopted by the European Parliament on 13 December 2023 on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space (COM(2022)0197 – C9-0167/2022 – 2022/0140(COD))
(1)
(Ordinary legislative procedure: first reading)
(C/2024/4200)
Amendment 1
Proposal for a regulation
Recital 1
Text proposed by the Commission
|
Amendment
|
(1)
|
The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes that would benefit
the
society such as research
,
innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
|
|
(1)
|
The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for
better achieving
other purposes
in the health sector
that would benefit society such as research
such as
innovation, policy-making
, health threats preparedness and response
, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal
and technical
framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
|
|
Amendment 2
Proposal for a regulation
Recital 1 a (new)
Text proposed by the Commission
|
Amendment
|
|
(1a)
|
The EHDS is intended to constitute a key component in the creation of a strong and resilient European Health Union to better protect the health of Union citizens, prevent and address future pandemics and improve the resilience of Union healthcare systems.
|
|
Amendment 3
Proposal for a regulation
Recital 1 b (new)
Text proposed by the Commission
|
Amendment
|
|
(1b)
|
This Regulation should complement Union programmes such as the EU4Health Programme, Digital Europe Programme, Connecting Europe Facility and Horizon Europe. The Commission should ensure that Union programmes complement and facilitate the implementation of the European Health Data Space.
|
|
Amendment 4
Proposal for a regulation
Recital 2
Text proposed by the Commission
|
Amendment
|
(2)
|
The COVID-19 pandemic has highlighted the imperative of having timely access to electronic health data for health threats preparedness and response, as well as for diagnosis and treatment
and
secondary use of health data. Such timely access
would have contributed
, through efficient public health surveillance and monitoring, to a more effective management of the pandemic, and ultimately
would have helped
to save lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 (41) , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and Union level.
|
|
(2)
|
The COVID-19 pandemic has highlighted the imperative of having timely access to
quality
electronic health data for health threats preparedness and response, as well as for
prevention,
diagnosis and treatment
through the
secondary use of health data. Such timely access
can potentially contribute
, through efficient public health surveillance and monitoring, to a more effective management of the pandemic,
to a reduction of costs and to improving the response to health threats
and ultimately
can help
to save
more
lives
in the future
. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 (41)
, to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural
and consistent
approach at Member States and Union level
on access to electronic health data in order to steer effective policy responses and contribute to high standards of human health
.
|
|
Amendment 5
Proposal for a regulation
Recital 3
Text proposed by the Commission
|
Amendment
|
(3)
|
The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that electronic health data are
as open as possible and as closed as necessary
. Synergies between the EHDS, the European Open Science Cloud (42) and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.
|
|
(3)
|
The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that
the necessary
electronic health data are
available while respecting the principle of data minimisation
. Synergies between the EHDS, the European Open Science Cloud (42) and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.
|
|
Amendment 6
Proposal for a regulation
Recital 3 a (new)
Text proposed by the Commission
|
Amendment
|
|
(3a)
|
Given the sensitivity of personal health data, this Regulation seeks to provide sufficient safeguards at both Union and national level to ensure a high degree of data protection, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of the health data of natural persons for primary and secondary uses. To achieve those objectives, pursuant to Article 9(4) of Regulation (EU) 2016/679, Member States can impose further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
|
|
Amendment 7
Proposal for a regulation
Recital 4
Text proposed by the Commission
|
Amendment
|
(4)
|
The processing of personal electronic health data is subject to the provisions of
Regulation
(EU) 2016/679 of the European Parliament and of the Council (43) and, for Union institutions and bodies, Regulation (EU) 2018/1725 of the European Parliament and of the Council (44) . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions
and
bodies, where relevant.
|
|
(4)
|
The processing of personal electronic health data is subject to the provisions of
Regulation
(EU) 2016/679 of the European Parliament and of the Council (43), Regulation (EU) 2018/1725 of the European Parliament and of the Council (44)
, as regards Union institutions, bodies, offices and agencies, and Regulation (EU) 2022/868
(44a)
of the European Parliament and of the Council
. References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions
,
bodies
, offices and agencies
, where relevant.
In relation to mixed datasets, where personal and non-personal data are inextricably linked, and where it is difficult to distinguish between those categories thereby resulting in the possibility of inferring personal data from non-personal data, the provisions of Regulation (EU) 2016/679 and of this Regulation concerning personal electronic health data should apply.
|
|
Amendment 8
Proposal for a regulation
Recital 4 a (new)
Text proposed by the Commission
|
Amendment
|
|
(4a)
|
The implementation of the EHDS should take into consideration the European ethical principles for digital health adopted by the eHealth network
(1a)
on 26 January 2022. Monitoring the application of those ethical principles should be one of the tasks of the EHDS Board.
|
|
Amendment 9
Proposal for a regulation
Recital 5
Text proposed by the Commission
|
Amendment
|
(5)
|
More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.
|
|
(5)
|
More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics,
health threat assessment,
policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.
|
|
Amendment 10
Proposal for a regulation
Recital 5 a (new)
Text proposed by the Commission
|
Amendment
|
|
(5a)
|
The scope of this Regulation should not cover natural persons who are not Union citizens, or third-country nationals not legally residing on the territory of the Member States. Therefore, where Member States require electronic registration of health data or where health data holders register health data regarding those natural persons, processors can only process the electronic health data of such persons, in accordance with Articles 6(1) and 9(2) of Regulation (EU) 2016/679 including for any secondary use.
|
|
Amendment 11
Proposal for a regulation
Recital 7
Text proposed by the Commission
|
Amendment
|
(7)
|
In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved
acess
to their own personal electronic health data and are empowered to share it.
|
|
(7)
|
In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results
, and other complementary diagnosis and therapeutics results
, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved
access
to their own personal electronic health data and are empowered to share it.
To that end, Member States should ensure a common standard is in place for the exchange of electronic health data to ensure and facilitate its transfer and translation into the Union’s official languages. In this respect, appropriate funding and support at Union and national level should be fairly distributed and considered as a means of reducing fragmentation, heterogeneity, and division and to achieve a system that is user-friendly and intuitive in all Member States.
|
|
Amendment 12
Proposal for a regulation
Recital 9
Text proposed by the Commission
|
Amendment
|
(9)
|
At the same time, it should be considered that immediate access to certain types of personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period. Where health
data is only available on paper, if the effort to make
data available
electronically is disproportionate, there should be no obligation that such health data is
converted into electronic format by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.
|
|
(9)
|
At the same time, it should be considered that immediate access
of natural persons
to certain types of
their
personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period
, for instance until the moment
where
the patient and the
health
professional get in contact. Member States should be encouraged to require that health
data available
prior to the implementation of this Regulation be
converted
into an
electronic format
through a process facilitated
by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.
|
|
Amendment 13
Proposal for a regulation
Recital 10
Text proposed by the Commission
|
Amendment
|
(10)
|
Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be clearly marked to indicate the source of such additional data. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals.
|
|
(10)
|
Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals
and does not have the same clinical or legal value as information provided by a health professional
, therefore it should be clearly marked to indicate the source of such additional data
and should be validated only by a health professional. More specifically, relevant fields in the EHR should be clearly marked
. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals
, with a relevant specialisation, responsible for the natural person’s treatment
.
|
|
Amendment 14
Proposal for a regulation
Recital 11
Text proposed by the Commission
|
Amendment
|
(11)
|
Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679. This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.
|
|
(11)
|
Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679
and to download their health data
. This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.
|
|
Amendment 15
Proposal for a regulation
Recital 12
Text proposed by the Commission
|
Amendment
|
(12)
|
Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.
|
|
(12)
|
Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability
. In accordance with Regulation (EU) 2016/679, healthcare providers should follow the data minimisation principle when accessing personal health data, limiting the data accessed to data that are strictly necessary and justified for a given service
. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.
|
|
Amendment 16
Proposal for a regulation
Recital 13
Text proposed by the Commission
|
Amendment
|
(13)
|
Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
|
|
(13)
|
Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported
. However, natural persons should be informed of the patient safety risks associated with limiting access to health data
. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law
, in particular as regards medical liability in the event that restrictions have been placed by the natural person,
Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
|
|
Amendment 17
Proposal for a regulation
Recital 14
Text proposed by the Commission
|
Amendment
|
(14)
|
In the context of the EHDS, natural persons should be able to exercise their rights
as they are enshrined in
Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.
|
|
(14)
|
In the context of the EHDS, natural persons should be able to exercise their rights
under this Regulation without prejudice to
Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.
|
|
Amendment 18
Proposal for a regulation
Recital 15
Text proposed by the Commission
|
Amendment
|
(15)
|
Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of
senstitive
data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data, including the legislation establishing categories of health professionals that can process different categories of electronic health data.
|
|
(15)
|
Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of
sensitive
data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data
outside the scope of this Regulation, including for other secondary use purposes established by this Regulation
, including the legislation establishing categories of health professionals that can process different categories of electronic health data.
|
|
Amendment 19
Proposal for a regulation
Recital 16
Text proposed by the Commission
|
Amendment
|
(16)
|
Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care
and
avoiding duplications and errors. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as health professional portals, to use personal electronic health data for the exercise of their duties. Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format.
|
|
(16)
|
Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care
,
avoiding duplications and errors
and reducing costs
. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as
appropriate electronic and digital devices and
health professional portals, to use personal electronic health data for the exercise of their duties
on a need-to-know basis
. Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format.
This Regulation should not be construed or interpreted as limiting the obligation of health professionals to comply with the applicable law, codes of conduct, deontological guidelines or other provisions governing ethical conduct with respect to sharing or accessing information, particularly in life-threatening or extreme situations. For that purpose, providers of electronic health records should keep a record of who has accessed data in the previous 36 months and which data they accessed.
|
|
Amendment 20
Proposal for a regulation
Recital 16 a (new)
Text proposed by the Commission
|
Amendment
|
|
(16a)
|
Health professionals are faced with a profound change in the context of digitalisation and implementation of the EHDS. Health professionals need to develop their digital health literacy and digital skills. Therefore, health professionals who qualify as micro enterprises, as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC
(1a)
, should be temporarily exempted from the obligations laid down in this Regulation, in order to avoid a disproportionate administrative burden for micro enterprises. During the period of exemption, Member States should enable health professionals working as micro enterprises to take digital literacy courses to be able to prepare to work in EHR systems.
|
|
Amendment 21
Proposal for a regulation
Recital 17
Text proposed by the Commission
|
Amendment
|
(17)
|
The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded
. The Commission should be empowered to extend the list of priority categories
, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.
|
|
(17)
|
The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.
|
|
Amendment 22
Proposal for a regulation
Recital 19
Text proposed by the Commission
|
Amendment
|
(19)
|
The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format. This would also contribute to the achievement of the target of 100 % of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data
accesible
and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/243 (45) provides the foundations for such a common European electronic health record exchange format. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council (46) recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.
|
|
(19)
|
The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format
as well as for them to have better control over accessing and sharing their personal electronic health data
. This would also contribute to the achievement of the target of 100 % of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data
accessible
and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/243 (45) provides the foundations for such a common European electronic health record exchange format. The
interoperability of the EHDS should contribute to a high quality of European health data sets. The
use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council (46) recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.
|
|
Amendment 23
Proposal for a regulation
Recital 20
Text proposed by the Commission
|
Amendment
|
(20)
|
While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt
implementing
acts for determining
additional aspects related to the registration of electronic health data, such as categories of healthcare providers that are to register health data electronically, categories of data to be registered electronically, or
data quality requirements.
|
|
(20)
|
While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt
delegated
acts for determining data quality requirements.
|
|
Amendment 24
Proposal for a regulation
Recital 20 a (new)
Text proposed by the Commission
|
Amendment
|
|
(20a)
|
In order to support the successful implementation of the EHDS and the creation of effective conditions for European health data cooperation, the Commission and Member States should agree on time-based targets to implement conditions for improved health data interoperability across the Union with a range of objectives and milestones, including in respect of disease-specific registry interoperability, which should be reviewed and assessed in an annual report.
|
|
Amendment 25
Proposal for a regulation
Recital 21
Text proposed by the Commission
|
Amendment
|
(21)
|
Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services
(including telemedicine)
that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.
|
|
(21)
|
Under Article 168 of the Treaty
on the Functioning of the European Union (TFEU),
Member States are responsible for their health policy, in particular for decisions on the services that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.
Telemedicine is becoming an increasingly important tool that can provide patients with access to care and tackle inequities and has the potential to reduce health inequalities and reinforce the free movement of Union citizens across borders. Digital and other technological tools can facilitate the provision of care in remote regions. However, telemedicine should not be viewed as a replacement for in-person medicine, as there are certain conditions and procedures that require in-person physical examination and intervention.
|
|
Amendment 26
Proposal for a regulation
Recital 22
Text proposed by the Commission
|
Amendment
|
(22)
|
Regulation (EU) No 910/2014 of the European Parliament and of the Council (47) lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’).As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level.
Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities.
|
|
(22)
|
Regulation (EU) No 910/2014 of the European Parliament and of the Council (47) lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals.
Therefore, natural persons and health professionals should have the right to electronic identification using any recognised electronic identification, including eID schemes where such are offered.
The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’). As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level.
|
|
Amendment 27
Proposal for a regulation
Recital 22 a (new)
Text proposed by the Commission
|
Amendment
|
|
(22a)
|
Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access and transmission and the enforcement of the rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising on the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of currently existing authorities.
|
|
Amendment 28
Proposal for a regulation
Recital 23
Text proposed by the Commission
|
Amendment
|
(23)
|
Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
|
|
(23)
|
Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS.
Member States should ensure that appropriate training initiatives are undertaken. In particular, health professionals should be informed and trained with respect to their rights and obligations under this Regulation.
To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers,
health professionals,
manufacturers of EHR systems and wellness applications, as well as
other
stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
|
|
Amendment 29
Proposal for a regulation
Recital 24
Text proposed by the Commission
|
Amendment
|
(24)
|
Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data.
|
|
(24)
|
Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data
, and funding as well as other means of support at Union level should be considered
.
|
|
Amendment 30
Proposal for a regulation
Recital 25
Text proposed by the Commission
|
Amendment
|
(25)
|
In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities among the Member States, as joint controllers, and prescribe its own obligations, as processor.
|
|
(25)
|
In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities
with time-based targets
among the Member States, as joint controllers, and prescribe its own obligations, as processor.
|
|
Amendment 31
Proposal for a regulation
Recital 26
Text proposed by the Commission
|
Amendment
|
(26)
|
In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases.
Connection of national contact points for digital health of third countries or interoperability with digital systems established at international level should be subject to a check ensuring the compliance of the national contact point with the technical specifications, data protection rules and other requirements of MyHealth@EU. A decision to connect a national contact point of a third country should be taken by data controllers in the joint controllership group for MyHealth@EU.
|
|
(26)
|
In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases.
|
|
Amendment 32
Proposal for a regulation
Recital 34 a (new)
Text proposed by the Commission
|
Amendment
|
|
(34a)
|
EHR systems could qualify as medical devices under Regulation (EU) 2017/745 or in-vitro diagnostic devices under Regulation (EU) 2017/746 of the European Parliament and of the Council
(1a)
. While those EHR systems need to fulfil the requirements under each applicable regulation, Member States should take appropriate measures to ensure that the respective conformity assessment is carried out as a joint or coordinated procedure, as appropriate, inter alia by encouraging the same notified bodies to become responsible for the conformity assessment under each applicable regulation.
|
|
Amendment 33
Proposal for a regulation
Recital 35
Text proposed by the Commission
|
Amendment
|
(35)
|
Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A
voluntary
labelling scheme should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission
may
set out in implementing acts the details regarding the format and content of such label.
|
|
(35)
|
Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A
mandatory
labelling scheme
for wellness applications claiming interoperability with EHR systems
should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission
should
set out in implementing acts the details regarding the format and content of such label.
|
|
Amendment 34
Proposal for a regulation
Recital 36 a (new)
Text proposed by the Commission
|
Amendment
|
|
(36a)
|
The uptake of real-world data and real-world evidence, including patient-reported outcomes, for evidence-based regulatory and policy purposes as well as for research, health technology assessment and clinical objectives should be encouraged. Real-world data and real-world evidence have the potential to complement health data currently made available.
|
|
Amendment 35
Proposal for a regulation
Recital 37
Text proposed by the Commission
|
Amendment
|
(37)
|
For the secondary use of
the clinical
data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis
and
rules and mechanisms
and
providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. This Regulation provides the legal basis in accordance with Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit.
At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV.
More specifically: for processing of electronic health data held by the data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing the data by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected
. This Regulation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679
. This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article
6(1)(e)
of Regulation (EU) 2016/679
to the health data access bodies,
and meets the requirements of Article
9(2)(h),(i),(j)
of the Regulation (EU) 2016/679.
Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which electronic
health data
can be processed. In the case where the user has
access
to electronic health data (for secondary use of data for one of the purposes defined in this Regulation), the data user
should
demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f),
of Regulation (EU) 2016/679
and explain the specific legal basis
on which
it relies as part of the application for access to
electronic health data pursuant to this Regulation
: on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it
should
make reference to another EU or national law, different from
this Regulation
, mandating the user to process personal health data for the compliance of its tasks
.
If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data access bodies are an administrative decision defining the conditions for the access to the data.
|
|
(37)
|
For the secondary use of
personal electronic health
data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis
for
rules and mechanisms providing suitable and specific measures to safeguard the rights and freedoms of the natural persons.
For the purpose of processing electronic health data for secondary use, one of the legal bases set out in Article 6(1), points (a), (c), (e) or (f), of Regulation (EU) 2016/679 combined with Article 9(2) of that Regulation should be required. The most relevant processing condition listed in Article 9(2) of Regulation (EU) 2016/679 in this context is that of substantial public interest, the provision of health or social care, public interest in the area of public health and research. Hence,
this Regulation provides the legal basis in accordance with
Article 6 and
Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. More specifically
,
for processing of electronic health data held by the
health
data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1)
,
point (c)
,
of Regulation (EU) 2016/679 for disclosing the data by the
health
data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article
6(1), point (e),
of Regulation (EU) 2016/679 and meets the requirements of Article
9(2), points (g) to (j),
of the Regulation (EU) 2016/679.
At the same time, the
health data access
body
should
verify the compliance with Article 6
of Regulation (EU) 2016/679
, combined with Article 9(2) thereof, based
on which
they should be able to issue a data permit for the processing of personal
electronic health data pursuant to this Regulation
that
should
fulfil the requirements and conditions set out in Chapter IV of
this Regulation.
|
|
Amendment 36
Proposal for a regulation
Recital 37 a (new)
Text proposed by the Commission
|
Amendment
|
|
(37a)
|
In the case where the health data user has access to electronic health data for secondary use of data for one of the purposes defined in this Regulation, the health data user should demonstrate the specific legal ground on which it relies as part of the application for access to electronic health data pursuant to this Regulation, namely, on the basis of the applicable law, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or Article 6(1), point (f), thereof. If the health data user relies upon the ground provided for in Article 6(1), point (e), it should make reference to another Union or national law, requiring the user to process personal health data for the compliance of its tasks. If the ground for processing by the health data user is Article 6(1), point (f), of Regulation (EU) 2016/679, appropriate and necessary safeguards should be determined in accordance with this Regulation. In this context, the data permits issued by the health data access bodies should be an administrative decision defining the conditions for the access to the data.
|
|
Amendment 37
Proposal for a regulation
Recital 38
Text proposed by the Commission
|
Amendment
|
(38)
|
In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use.
|
|
(38)
|
In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all
health
data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use
provided that such effort is always made through effective and secured processes, such as aggregation and randomisation, and with due respect for professional duties, such as confidentiality duties
.
|
|
Amendment 38
Proposal for a regulation
Recital 39
Text proposed by the Commission
|
Amendment
|
(39)
|
The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances,
homelessness, health insurance, minimum income, professional
status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include person-generated data, such as
data from medical devices,
wellness applications
or other wearables and digital
health
applications. The
data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.
|
|
(39)
|
The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of
health
data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances,
socio-economic
status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include
automatically generated data from medical devices and
person-generated data, such as wellness applications
. The
health data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset
. Health data users should be encouraged to report critical errors in datasets to health data access bodies
. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.
|
|
Amendment 39
Proposal for a regulation
Recital 39 a (new)
Text proposed by the Commission
|
Amendment
|
|
(39a)
|
In order to guarantee trust in the patient-physician relationship, the principle of professional secrecy and the patient's right to confidentiality should be safeguarded when digitalising healthcare services. A relationship of trust between patients and health professionals and healthcare providers and other holders of personal health data is a paramount element of the provision of health or social care or treatment. It is within that context that the patient or the legal representative of the patient should have a say in the processing of their health data for secondary use in the form of a right to opt-out of the processing of all or parts of their health data for secondary use for some or all purposes. An easily understandable and accessible opt-out mechanism in a user-friendly format should be provided for in this regard. However, due to the sensitive nature of human genetic, genomic and proteomic data, data from biobanks and to the nature of the use of data from wellness applications, it is appropriate to provide that the secondary use of such data can only occur following the consent of the natural person concerned in accordance with Article 4(11) of the Regulation (EU) 2016/679. An opt-in mechanism whereby data subjects explicitly consent or give their permission to the processing of part or all of such data for some or all secondary use purposes should be envisaged. Where data subjects explicitly consent to the use of parts or all of this data for some or all secondary use purposes, they should be made aware of the sensitive nature of the data they are sharing. Moreover, it is imperative to provide natural persons with sufficient information regarding their right to opt-out, including on the possibility of reconsidering their choice of opting-out and agreeing to some or all of their health data being processed for secondary use at a later point.
|
|
Amendment 40
Proposal for a regulation
Recital 40
Text proposed by the Commission
|
Amendment
|
(40)
|
The data holders can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding, should be made available by data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.
|
|
(40)
|
The
health
data holders
in the context of secondary use of electronic health data
can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above
To the extent that they process personal electronic health data, health data holders are controllers within the meaning of Regulation (EU) 2016/679 in the health or care sector
. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS
. Health data access bodies should provide specific support to small enterprises, in particular medical practitioners and pharmacies, in complying with their obligation to make data available for secondary use
. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by
health
data holders with the support of Union or national public funding, should be made available by
health
data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection
and should be made available while taking all necessary measures to protect such rights
. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.
|
|
Amendment 41
Proposal for a regulation
Recital 40 a (new)
Text proposed by the Commission
|
Amendment
|
|
(40a)
|
Different demographic groups have varying degrees of digital literacy, which can affect natural persons’ ability to exercise their rights to control their electronic health data. In addition to the right for natural persons to authorise another natural person of their choice to access or control their electronic health data on their behalf, Member States should create targeted national digital literacy programmes, including programmes to maximise social inclusion and to ensure all natural persons can effectively exercise their rights under this Regulation. Member States should also provide patient-centric guidance to natural persons in relation to the use of electronic health records and primary use of their personal electronic health data. Guidance should be tailored to the patient’s level of digital health literacy, with specific attention to be given to the needs of vulnerable groups.
|
|
Amendment 42
Proposal for a regulation
Recital 40 b (new)
Text proposed by the Commission
|
Amendment
|
|
(40b)
|
Clinical trials and studies are of utmost importance in fostering innovation within the Union for the benefit of Union patients. In order to incentivise continuous Union leadership in this domain, the sharing of the clinical trials data through the EHDS for secondary use should be consistent with the relevant transparency provisions laid down in Union law including Regulation (EU) .../... [proposal for a Regulation on blood, tissue, cells and organs (SoHO) COM(2022)338 final], Regulations (EC) No 726/2004
(1a)
and (EU) 2019/6
(1b)
of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council
(1c)
regarding veterinary and human medicines and establishing the EMA, Regulation (EC) No 141/2000 of the European Parliament and of the Council
(1d)
related to medicinal products for rare diseases (‘orphan medicines’), Regulation (EC) No 1901/2006 of the European Parliament and of the Council
(1e)
on medicinal products for children, Regulation (EC) No 1394/2007 of the European Parliament and of the Council
(1f)
on advanced therapy medicinal products, Regulation (EU) No 536/2014 of the European Parliament and of the Council
(1g)
on clinical trials, Regulation (EU) No 2017/745 and Regulation (EU) No 2017/746.
|
|
Amendment 43
Proposal for a regulation
Recital 41
Text proposed by the Commission
|
Amendment
|
(41)
|
The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of
AI
algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.
|
|
(41)
|
The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers
, with a demonstrated link to the field of public health,
to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society
. In particular, the secondary use of health data for research and development purposes should contribute to a benefit to society in the form of new medicines, medical devices, health care products and services at affordable and fair prices for Union citizens, as well as to enhancing access to and the availability of such products and services in all Member States
. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research, development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of
artificial intelligence
algorithms that could protect the health or care of natural persons). In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments,
to automate individual decision-making, to re-identify natural persons,
or develop harmful products should be prohibited.
|
|
Amendment 44
Proposal for a regulation
Recital 42
Text proposed by the Commission
|
Amendment
|
(42)
|
The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
|
|
(42)
|
The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use
, Members of the governance and decision-making bodies and staff of each health data access body should therefore refrain from any action that is incompatible with their duties and should not engage in any incompatible occupation
. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial
, technical
and human resources
, ethics bodies
, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union
and have separate structures for application processing on the one hand, and anonymisation, pseudonymisation and re-identification on the other hand
. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
Given the central role of the health data access bodies in the context of secondary use of electronic health data, and especially regarding the decision-making on granting or refusing a health data permit and preparing the data to make them available to health data users, the members and staff of such bodies should have the necessary qualifications, experience and skills, including legal and technical expertise as regards the protection of personal data, specifically data concerning health, and expertise in the areas of ethics, healthcare, scientific research, cybersecurity, protection of intellectual property and trade secrets, artificial intelligence and other relevant areas. In addition, the decision-making process regarding the granting or refusal of the health data permit should involve ethical considerations. The staff of health access bodies should not have any conflict of interest that is prejudicial to their independence and the impartiality of their conduct.
|
|
Amendment 45
Proposal for a regulation
Recital 43
Text proposed by the Commission
|
Amendment
|
(43)
|
The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should
be tasked with
enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including
penalties
. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets,
support the development of AI in health
and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for
anonymization
of microdata sets.
|
|
(43)
|
The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations.
The selection procedure for health stakeholders should be transparent, public and free of any conflict of interest.
Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should
remain the only authorities competent for
enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including
administrative fines and enforcement measures
. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, and promote the development of common standards. They should apply tested
state-of-the-art
techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.
In that regard, health data access bodies should cooperate across borders and agree on common definitions and techniques.
Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for
anonymisation
of microdata sets.
|
|
Amendment 46
Proposal for a regulation
Recital 44
Text proposed by the Commission
|
Amendment
|
(44)
|
Considering the administrative burden for
health data access bodies
to
inform the natural persons whose data are used in data projects within a secure processing environment
,
the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679
should
apply.
Therefore
, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the
data subject or his
health professional. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
|
|
(44)
|
Health data access bodies
should comply with the obligations laid down in Article 14 of Regulation (EU) 2016/679 and
inform the natural persons whose data are used in data projects within a secure processing environment. The exceptions provided for in Article 14(5) of Regulation (EU) 2016/679
could
apply.
Where such exceptions are applied
, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed
, enabling natural persons to understand whether their data are being made available for secondary use pursuant to data permits
. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the
health
data user should inform the health data access body, which should inform the
health professional treating the natural person concerned or, in the event that the treating
health professional
is not traceable, the natural person, with due regard for their stated wish not to be informed, while fully respecting the principles of medical confidentiality and professional secrecy
. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
|
|
Amendment 47
Proposal for a regulation
Recital 46
Text proposed by the Commission
|
Amendment
|
(46)
|
In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand, Union institutions, bodies, offices and agencies
, including EMA, ECDC and the Commission
, have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.
|
|
(46)
|
In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand,
public sector bodies and
Union institutions, bodies, offices and agencies
with a legal mandate in the field of public health
, have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.
|
|
Amendment 48
Proposal for a regulation
Recital 47
Text proposed by the Commission
|
Amendment
|
(47)
|
Health data access bodies
and single data holders
should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission
may
adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.
|
|
(47)
|
Health data access bodies should be allowed to charge fees based on the
applicable
provisions
under this
Regulation
and the provisions
of
Regulations (EU) .../... […]
[Data Governance Act COM/2020/767 final]
and (EU) .../... […] [Data Act COM/2022/68 final]
in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies.
Health
data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private
health
data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission
should
adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.
Public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health should not be charged fees.
|
|
Amendment 49
Proposal for a regulation
Recital 48
Text proposed by the Commission
|
Amendment
|
(48)
|
In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to
penalties
or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement.
The imposition of penalties should be subject to appropriate procedural safeguards in accordance with the general principles of law
of the
relevant Member State, including effective judicial protection and due process
.
|
|
(48)
|
In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures
should be envisaged
that can lead to
administrative fines or enforcement measures by health data access bodies
or temporary or definitive exclusions from the EHDS framework of the
health
data users or
health
data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give
health
data users and holders the opportunity to reply to any findings and to remedy any infringement.
When deciding on the amount
of the
administrative fine or enforcement measure for each individual case, health data access bodies should take into account the margins for costs and criteria set out in this Regulation
.
|
|
Amendment 50
Proposal for a regulation
Recital 49
Text proposed by the Commission
|
Amendment
|
(49)
|
Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible
and if the data user asks it
. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users
would
inform the health data access body, which in turn would inform the concerned natural person
(s)
. Moreover,
the
applicant can request the health data access bodies to provide the answer to a data request, including in statistical
form
. In this case, the
data users
would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
|
|
(49)
|
Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore,
common standards for data anonymisation should be further developed and
the use of anonymised electronic health data which is devoid of any personal data should be made available when possible. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity
and the health data access body should determine the validity of that justification
. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body.
When providing access to an anonymised or pseudonymised dataset, a health data access body should use state-of-the-art anonymisation or pseudonymisation technology, ensuring to the maximum extent possible that natural persons cannot be re-identified. Health
data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative
fines and the enforcement measures laid down in this Regulation
or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a
significant
health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the
health
data users
to
inform the health data access body, which in turn would inform the
treating health professional of the
concerned natural person
or, in the event that the treating health professional is not traceable, the natural person, with due regard for any stated wish not to be informed. To that end, the health data user should be guided by ethical principles, and guidelines from EMA and the ECDC as regards what constitutes a significant finding
. Moreover,
a health data
applicant can request the health data access bodies to provide the answer to a
health
data request, including in
an anonymised or aggregated
statistical
format
. In this case, the
health data user
would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the
health
data request.
|
|
Amendment 51
Proposal for a regulation
Recital 50
Text proposed by the Commission
|
Amendment
|
(50)
|
In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide health data access bodies with several information elements that would help the body evaluate the
request
and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information
include
: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data access
bodies
and, where relevant data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical
data
, it should submit a data request application, requiring the health data access body to provide directly the result. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of
data application
, as well as
data request
.
|
|
(50)
|
In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The
health data
applicant should provide health data access bodies with several information elements that would help the body evaluate the
application
and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information
includes
: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used,
the identity of the health data applicant as well as the specific persons who are authorised to have access to the electronic health data in the secure processing environment and how they are qualified vis-à-vis the intended secondary use,
description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed
, a description of the safeguards planned to prevent any other use, misuse or possible re-identification, and an explanation of the expected benefits of the secondary use
. Where data is requested in pseudonymised format, the
health
data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law.
A thorough assessment of
the health data access
applications and documents submitted by the health data applicant should be required and the health data access body should only issue a data permit if all the conditions set out in this Regulation are met. The health data access body
and, where relevant
health
data holders, should assist
health
data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the
health
applicant needs
data in an
anonymised
and aggregated
statistical
format
, it should submit a data request application, requiring the health data access body to provide directly the result.
A refusal of a data permit by the health data body should not preclude the health data applicant from submitting a new data access application.
In order to ensure a harmonised approach between health data access bodies
and to limit an unnecessary administrative burden for the health data applicants to the greatest extent possible
, the Commission should support the harmonisation of
health data access applications
, as well as
health data requests, including by establishing, by means of implementing acts, templates for health data access applications and requests
.
|
|
Amendment 52
Proposal for a regulation
Recital 50 a (new)
Text proposed by the Commission
|
Amendment
|
|
(50a)
|
A standard ethics assessment should be carried out by ethics bodies within health data access bodies. Such assessment should be an important part of the process. However, where the health data applicant had previously obtained the approval of the competent ethics committee in accordance with national law for research purposes for which they are requesting data through the EHDS, the health data applicant should make that information available to the health data access body as part of the data access application.
|
|
Amendment 53
Proposal for a regulation
Recital 51
Text proposed by the Commission
|
Amendment
|
(51)
|
As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an
additonal
fee. However, in all the cases, the data permit should reflect theses
additionals
uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
|
|
(51)
|
As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The
health
data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the
health
data permit and may be subject to an
additional
fee. However, in all the cases, the data permit should reflect theses
additional
uses of the dataset. Preferably, the
health
data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
|
|
Amendment 54
Proposal for a regulation
Recital 52
Text proposed by the Commission
|
Amendment
|
(52)
|
As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies, especially the Commission, need access to health data for a longer period and on a recurring basis. This
is
may be the case not only
in
specific circumstances in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.
|
|
(52)
|
As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies
with a legal mandate in the field of public health
, especially the Commission, need access to health data for a longer period and on a recurring basis. This may be the case not only
for
specific circumstances
stipulated by Union or national law
in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.
|
|
Amendment 55
Proposal for a regulation
Recital 53
Text proposed by the Commission
|
Amendment
|
(53)
|
For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data access bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi-country requests and requests requiring combination of datasets from several data holders should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or data requests they provide.
|
|
deleted
|
Amendment 56
Proposal for a regulation
Recital 54
Text proposed by the Commission
|
Amendment
|
(54)
|
Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body
or, where relevant, single data holder
should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
|
|
(54)
|
Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data
, in accordance with the data minimisation principle
. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V
. Nevertheless, in order to ensure the proper supervision and security of personal data, such environments need to be located in the Union if they are used to access personal health data
. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
|
|
Amendment 57
Proposal for a regulation
Recital 55
Text proposed by the Commission
|
Amendment
|
(55)
|
For the processing of electronic health data in the scope of a granted permit, the health data
access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support
health data access bodies and data users
, the Commission
should
, by means of an implementing act, provide a template for the joint
controller
arrangements
health data
access bodies and data users will have to enter into. In order to achieve an inclusive and sustainable framework for multi-country secondary use of
electronic health data
, a cross-border infrastructure
should be
established
. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/2009 (50) or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council (51) .
|
|
(55)
|
For the processing of electronic health data in the scope of a granted permit, the health data
holders, the
health data access bodies and
the health
data users should
each, in turn, be deemed a
controller
for a specific part of the process and according to their respective roles therein. The
health data
holder should be deemed controller for the disclosure of the requested personal
electronic health data
to the health data access body, while the health data access body should in turn be deemed controller for the processing of the personal electronic health data when preparing the data and making them available to the health data user. The health data user
should be
deemed controller for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to its data permit. The health data access body should be deemed a processor for processing carried out by the health data user pursuant to a data permit in the secure processing environment
. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design”
, “privacy by default”,
and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/2009 (50) or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council (51) .
|
|
Amendment 58
Proposal for a regulation
Recital 59
Text proposed by the Commission
|
Amendment
|
(59)
|
Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.
|
|
(59)
|
Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework.
The labels should be subject to the evaluation by the health data access bodies.
Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.
|
|
Amendment 59
Proposal for a regulation
Recital 61
Text proposed by the Commission
|
Amendment
|
(61)
|
Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases, and statistics and shall be taken into account when defining new standards. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare.
|
|
(61)
|
Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases,
cardiovascular and metabolic diseases, risk factor assessment,
and statistics and shall be taken into account when defining new standards
and disease-specific harmonised templates for structured data elements
. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare.
Existing health data infrastructures and registries put in place by institutions and stakeholders can contribute to defining and implementing data standards, to ensuring interoperability and should be leveraged to allow for continuity and build on existing expertise.
|
|
Amendment 60
Proposal for a regulation
Recital 62 a (new)
Text proposed by the Commission
|
Amendment
|
|
(62a)
|
Improving digital health literacy for both natural persons and their health professionals is key in order to achieve trust, safety and appropriate use of health data and thus to achieve successful implementation of this Regulation. Improving digital health literacy is fundamental in order to empower natural persons to have true control over their health data and actively manage their health and care, and understand the implications of the management of such data for both primary and secondary use. Member States, including regional and local authorities, should therefore support digital health literacy and public awareness, while ensuring that the implementation of this Regulation contributes to reducing inequalities and does not discriminate against people lacking digital skills. Particular attention should be given to persons with disabilities and vulnerable groups including migrants and the elderly. Health professionals and IT operators should have sufficient training in working with new digital infrastructures to ensure cybersecurity and ethical management of health data.
|
|
Amendment 61
Proposal for a regulation
Recital 63
Text proposed by the Commission
|
Amendment
|
(63)
|
The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds.
|
|
(63)
|
The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds.
To procure or fund services provided by controllers and processors established in the Union that process personal electronic health data, they should be required to demonstrate that they will store the data in the Union and that they are not subject to third country law that conflicts with Union data protection rules. Union funds should be distributed transparently and sufficiently among the Member States, ensuring it is adequate and taking into account different levels of health system digitalisation and the costs involved in making national data infrastructures interoperable and compatible with the requirements of the EHDS. Making data available for secondary use requires additional resources for healthcare systems, in particular public systems. That additional burden for public entities should be addressed and minimised to the greatest possible extent during the implementation phase of the EHDS.
|
|
Amendment 62
Proposal for a regulation
Recital 63 a (new)
Text proposed by the Commission
|
Amendment
|
|
(63a)
|
The economic costs of implementing this Regulation should be borne at both Member State and Union level, and a fair sharing of that burden between national and Union funds should be found. The initial Union funding to achieve a timely application of the EHDS is limited to what can be mobilised under the 2021-2027 Multiannual Financial Framework (MFF) where EUR 220 million can be made available under the EU4Health and Digital Europe programmes. The successful and coherent application of the EHDS across all Member States will however require higher funding. The implementation of the EHDS requires appropriate investments in capacity building and training and a well-funded commitment to public consultation and engagement. The Commission should therefore mobilise further resources for the EHDS as part of the review of the 2021-2027 MFF and for the forthcoming MFF under the principle that new initiatives should be matched with new funding.
|
|
Amendment 63
Proposal for a regulation
Recital 64 a (new)
Text proposed by the Commission
|
Amendment
|
|
(64a)
|
The functioning of the EHDS involves processing of a large quantity of personal and non-personal health data of a highly sensitive nature. Article 8(3) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) requires control over the processing of such health data by an independent authority. The control of the compliance with the requirements of protection and security by an independent supervisory authority, carried out on the basis of Union law, is an essential component of the protection of individuals with regard to the processing of personal data and cannot be fully ensured in the absence of a requirement to retain the electronic health data in question within the Union. Therefore, taking into account the need to mitigate the risks of unlawful access and ineffective supervision, in compliance with the principle of proportionality, this Regulation should require Member States to store electronic health data within the Union. Such storage requirements should ensure a uniform high level of protection for data subjects across the Union, preserve the proper functioning of the internal market, in line with Article 114 TFEU, which constitutes the legal basis of this Regulation, and serve to enhance citizens’ trust in the EHDS.
|
|
Amendment 64
Proposal for a regulation
Recital 64 b (new)
Text proposed by the Commission
|
Amendment
|
|
(64b)
|
The obligation to store electronic health data in the Union does not preclude transfers of those data to third countries or international organisations by means of granting access to electronic health data. Access to data through the secure processing environment can entail the transfer of personal data, as defined in Chapter V of Regulation (EU) 2016/679. It is possible to reconcile a general requirement to store personal data in the Union with specific transfers being allowed in compliance with Union law on personal data protection, for instance in the context of scientific research, provision of care or international cooperation. In particular, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union under Regulation (EU) 2016/679 should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. Transfers of personal health data to third countries and international organisations can only be carried out in full compliance with Chapter V of Regulation (EU) 2016/679. For instance, controllers and processors processing personal electronic health data remain subject to Article 48 of that Regulation on transfers or disclosures not authorised by Union law and should comply with this provision in the case of an access request stemming from a third country. In accordance with the conditions of Article 9(4) of Regulation (EU) 2016/679, Member States can maintain or introduce further conditions, including limitations, in relation to transfers of personal health data to third countries or international organisations.
|
|
Amendment 65
Proposal for a regulation
Recital 64 c (new)
Text proposed by the Commission
|
Amendment
|
|
(64c)
|
Access to electronic health data for entities from third countries should take place only on the basis of the reciprocity principle. Making available of health data to a third country can take place only where the Commission has established by means of a delegated act that the third country concerned allows for the use of health data by Union entities under the same conditions and with the same safeguards as within the Union. The Commission should monitor that list and provide for a periodic review thereof. Where the Commission finds that a third country no longer ensures access on the same terms, that third country should be removed from that list.
|
|
Amendment 66
Proposal for a regulation
Recital 65
Text proposed by the Commission
|
Amendment
|
(65)
|
In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it.
It
should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].
|
|
(65)
|
In order to promote the consistent application of this Regulation
, including cross-border interoperability of health data, and potential mechanisms of funding support to ensure equal development of data systems across the Union in respect of the primary and secondary use of electronic health data
, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it.
The EHDS Board
should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].
The EHDS Board should operate in line with its Code of Conduct, impartially, independently, in the public interest and transparently, with open publication of meeting dates and minutes of its discussions as well as of an annual report. It is furthermore appropriate to lay down sufficient guarantees to ensure that members of the EHDS Board do not have any conflicts of interest.
|
|
Amendment 67
Proposal for a regulation
Recital 65 a (new)
Text proposed by the Commission
|
Amendment
|
|
(65a)
|
An advisory forum should be set up to advise the EHDS Board in the fulfilment of its tasks by providing stakeholder input on matters pertaining to this Regulation. The advisory forum should be composed of representatives of patients, consumers, health professionals, industry, scientific researchers and academia. It should have a balanced composition and represent the views of different relevant stakeholders. Both commercial and non-commercial interests should be represented.
|
|
Amendment 68
Proposal for a regulation
Recital 66 a (new)
Text proposed by the Commission
|
Amendment
|
|
(66a)
|
Any natural person should have the right to lodge a complaint with a digital health authority or with a health data access body, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the natural person considers that his or her rights under this Regulation have been infringed or where the digital health authority or health data access body does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the natural person. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The digital health authority or health data access body should inform the natural person of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another digital health authority or health data access body, intermediate information should be given to the natural person. In order to facilitate the submission of complaints, each digital health authority and health data access body should take measures such as providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication. Where the complaint concerns the rights of natural persons, the health data access body should inform the supervisory authorities under Regulation (EU) 2016/679 and send them a copy of the complaint .
|
|
Amendment 69
Proposal for a regulation
Recital 66 b (new)
Text proposed by the Commission
|
Amendment
|
|
(66b)
|
Where a natural person considers that his or her rights under this Regulation have been infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data, to lodge a complaint on his or her behalf.
|
|
Amendment 70
Proposal for a regulation
Recital 66 c (new)
Text proposed by the Commission
|
Amendment
|
|
(66c)
|
Any natural or legal person has the right to bring an action for annulment of decisions of the EHDS Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the digital health authorities or health data access bodies concerned which wish to challenge them have to bring an action within two months of being notified of them, in accordance with Article 263 TFEU. In accordance with Article 263 TFEU, a health data holder, a health data applicant, a health data user or a complainant can bring an action for annulment against the decisions of the EHDS Board which concern them within two months of their publication on the website of the EHDS Board. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a digital health authority or health data access body which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the health data access body or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by digital health authorities and health data access bodies which are not legally binding, such as opinions issued or advice provided. Proceedings against a digital health authority or health data access body should be brought before the courts of the Member State where the digital health authority or health data access body is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them. Where a complaint has been rejected or dismissed by a digital health authority or health data access body, the complainant can bring proceedings before the courts in the same Member State.
|
|
Amendment 71
Proposal for a regulation
Recital 66 d (new)
Text proposed by the Commission
|
Amendment
|
|
(66d)
|
Where a court seised of proceedings against a decision by a digital health authority or health data access body has reason to believe that proceedings concerning the same access to electronic health data by the same health data user, such as for the same purpose for processing for secondary use, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seised should be able to stay its proceedings or be able to, on request of one of the parties, decline jurisdiction in favour of the court first seised if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings should be deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.
|
|
Amendment 72
Proposal for a regulation
Recital 66 e (new)
Text proposed by the Commission
|
Amendment
|
|
(66e)
|
For proceedings against a health data holder or health data user, the plaintiff should have the choice of bringing the action before the courts of the Member States where the health data holder or health data user has an establishment or where the natural person resides, unless the health data holder is a public authority of a Member State acting in the exercise of its public powers.
|
|
Amendment 73
Proposal for a regulation
Recital 66 f (new)
Text proposed by the Commission
|
Amendment
|
|
(66f)
|
The digital health authority, health data access body, health data holder or health data user should compensate any damage which a person could suffer as a result of processing that infringes this Regulation. The digital health authority, health data access body, health data holder or health data user should be exempt from liability if it proves that it was not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or national law. Processing that infringes this Regulation should also include processing that infringes delegated and implementing acts adopted in accordance with this Regulation and national law specifying rules related to this Regulation. Natural persons should receive full and effective compensation for the damage they have suffered. Where digital health authorities, health data access bodies, health data holders or health data users are involved in the same processing, each actor should be held liable for the entire extent of the damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, it should be possible to apportion compensation according to the responsibility of each digital health authority, health data access body, health data holder or health data user for the damage caused by the processing, provided that full and effective compensation of the natural person who suffered the damage is ensured. Any digital health authority, health data access body, health data holder or health data user which has paid full compensation should be able to subsequently institute recourse proceedings against other digital health authorities, health data access bodies, health data holders or health data users involved in the same processing.
|
|
Amendment 74
Proposal for a regulation
Recital 66 g (new)
Text proposed by the Commission
|
Amendment
|
|
(66g)
|
Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a digital health authority, health data access body, health data holder or health data user, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council
(1a)
should not prejudice the application of such specific rules.
|
|
Amendment 75
Proposal for a regulation
Recital 66 h (new)
Text proposed by the Commission
|
Amendment
|
|
(66h)
|
In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of, appropriate measures imposed by the digital health authority or health data access body pursuant to this Regulation. In the case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden for a natural person, it should be possible to issue a reprimand instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the digital health authority or health data access body, compliance with measures ordered against the health data holder or health data user, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.
|
|
Amendment 76
Proposal for a regulation
Recital 66 i (new)
Text proposed by the Commission
|
Amendment
|
|
(66i)
|
Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Such criminal penalties could also involve the deprivation of profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
|
|
Amendment 77
Proposal for a regulation
Recital 66 j (new)
Text proposed by the Commission
|
Amendment
|
|
(66j)
|
It is appropriate to lay down provisions enabling health data access bodies to apply administrative fines for certain infringements of this Regulation whereby certain infringements are to be regarded as serious infringements, such as the re-identification of natural persons, downloading personal health data outside of the secure processing environment and processing of data for prohibited uses or outside a data permit. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent health data access body in each individual case, taking into account all the relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the health data access body should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism could also be used to promote the consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the health data access bodies or of other penalties under this Regulation.
|
|
Amendment 78
Proposal for a regulation
Recital 66 k (new)
Text proposed by the Commission
|
Amendment
|
|
(66k)
|
The legal systems of Denmark and Estonia do not provide for administrative fines as set out in this Regulation. It should be possible to apply the rules on administrative fines in a manner such that in Denmark the fine is imposed by competent national courts as a criminal penalty, and that in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the health data access body initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.
|
|
Amendment 79
Proposal for a regulation
Recital 66 l (new)
Text proposed by the Commission
|
Amendment
|
|
(66 l)
|
Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by national law.
|
|
Amendment 80
Proposal for a regulation
Recital 69 a (new)
Text proposed by the Commission
|
Amendment
|
|
(69a)
|
In accordance with Article 42 of Regulation (EU) 2018/1725, the Commission should, when preparing delegated acts or implementing acts, consult the European Data Protection Supervisor where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, and where such an act is of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data, the Commission can also consult the European Data Protection Board. The Commission should moreover consult the European Data Protection Board in the cases specified in Regulation (EU) 2016/679 and when relevant in the context of this Regulation.
|
|
Amendment 81
Proposal for a regulation
Recital 70
Text proposed by the Commission
|
Amendment
|
(70)
|
Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement.
For certain specific infringements,
Member States should take into account the margins and criteria set out in this Regulation.
|
|
(70)
|
Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement.
When deciding on the amount of the penalty for each individual case
Member States should take into account the margins and criteria set out in this Regulation.
Re-identification of natural persons should be considered a particularly serious breach of this Regulation. Member States should be able to consider criminalising re-identification by health data users so that it serves as a deterrent measure.
|
|
Amendment 82
Proposal for a regulation
Recital 71
Text proposed by the Commission
|
Amendment
|
(71)
|
In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force,
on the self-certification of EHR systems,
and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
|
|
(71)
|
In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
|
|
Amendment 83
Proposal for a regulation
Recital 74
Text proposed by the Commission
|
Amendment
|
(74)
|
The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered
an
opinion
on […]
.
|
|
(74)
|
The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered
Joint
opinion
03/2022 on 12 July 2022
.
|
|
Amendment 84
Proposal for a regulation
Recital 76
Text proposed by the Commission
|
Amendment
|
(76)
|
Given the need for technical preparation, this Regulation should apply from [
12
months after entry into force],
|
|
(76)
|
Given the need for technical preparation, this Regulation should apply from [
24
months after entry into force],
|
|
Amendment 85
Proposal for a regulation
Article 1 – paragraph 2 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
strengthens
the rights of natural persons in relation to the availability and control of their electronic health data;
|
|
(a)
|
specifies
the rights of natural persons in relation to the availability
, sharing
and control of their electronic health data;
|
|
Amendment 86
Proposal for a regulation
Article 1 – paragraph 3 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;
|
|
(a)
|
manufacturers and suppliers of EHR systems and wellness applications
, and of products claiming interoperability with EHR systems,
placed on the market and put into service in the Union and the users of such products;
|
|
Amendment 87
Proposal for a regulation
Article 1 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725,
[…] [Data Governance Act COM/2020/767 final]
and […] [Data Act COM/2022/68 final].
|
4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725,
(EU) 2022/868
and […] [Data Act COM/2022/68 final]
and Directive 2002/58/EC of the European Parliament and of the Council
(1a).
|
Amendment 88
Proposal for a regulation
Article 1 – paragraph 4 a (new)
Text proposed by the Commission
|
Amendment
|
|
4a.
References to the provisions of Regulation (EU) 2016/679 shall be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
|
Amendment 89
Proposal for a regulation
Article 1 – paragraph 5 a (new)
Text proposed by the Commission
|
Amendment
|
|
5a.
This Regulation shall be without prejudice to Regulation (EU) No 536/2014 and Directive (EU) 2016/943
(1a)
.
|
Amendment 90
Proposal for a regulation
Article 2 – paragraph 1 – point c
Text proposed by the Commission
|
Amendment
|
(c)
|
the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2 (1), (8), (10), (11) and (14) of
[Data Governance Act COM/2020/767 final]
;
|
|
(c)
|
the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2,
points
(1), (8), (10), (11) and (14) of
Regulation (EU) 2022/868
;
|
|
Amendment 91
Proposal for a regulation
Article 2 – paragraph 2 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679,
as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services,
processed in an electronic form;
|
|
(a)
|
‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679,
that are
processed in an electronic form;
|
|
Amendment 92
Proposal for a regulation
Article 2 – paragraph 2 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;
|
|
(b)
|
‘non-personal electronic health data’ means data concerning health and
aggregated
genetic data in electronic format that falls outside the definition of personal data provided in Article 4
, point
(1)
,
of Regulation (EU) 2016/679;
where personal and non-personal data in a data set are inextricably linked, the entire dataset shall be processed as personal electronic health data;
|
|
Amendment 93
Proposal for a regulation
Article 2 – paragraph 2 – point d
Text proposed by the Commission
|
Amendment
|
(d)
|
‘primary use of electronic health data’ means the processing of
personal
electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;
|
|
(d)
|
‘primary use of electronic health data’ means the processing of electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;
|
|
Amendment 94
Proposal for a regulation
Article 2 – paragraph 2 – point e
Text proposed by the Commission
|
Amendment
|
(e)
|
‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of
the secondary use
;
|
|
(e)
|
‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of
Chapter IV of this Regulation
;
|
|
Amendment 95
Proposal for a regulation
Article 2 – paragraph 2 – point j
Text proposed by the Commission
|
Amendment
|
(j)
|
‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their
treatment
;
|
|
(j)
|
‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their
care
;
|
|
Amendment 96
Proposal for a regulation
Article 2 – paragraph 2 – point k
Text proposed by the Commission
|
Amendment
|
(k)
|
‘data recipient’ means a
natural or legal person that receives data from another controller
in the context of the primary use of electronic health data;
|
|
(k)
|
‘
health
data recipient’ means a
recipient as defined in Article 4, point (9), of Regulation (EU) 2016/679,
in the context of the primary use of electronic health data;
|
|
Amendment 97
Proposal for a regulation
Article 2 – paragraph 2 – point l
Text proposed by the Commission
|
Amendment
|
(l)
|
‘telemedicine’ means the provision of healthcare services, including remote care
and online pharmacies,
through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;
|
|
(l)
|
‘telemedicine’ means the provision of healthcare services, including remote care through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;
|
|
Amendment 98
Proposal for a regulation
Article 2 – paragraph 2 – point m
Text proposed by the Commission
|
Amendment
|
(m)
|
‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for healthcare
purposes
;
|
|
(m)
|
‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for
the purpose of the provision of
healthcare
services
;
|
|
Amendment 99
Proposal for a regulation
Article 2 – paragraph 2 – point n
Text proposed by the Commission
|
Amendment
|
(n)
|
‘EHR system’ (electronic health record system) means any
appliance
or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records;
|
|
(n)
|
‘EHR system’ (electronic health record system) means any
product (hardware
or software
) primarily
intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records
between health professionals or that can be reasonably expected by the manufacturer to be used for those purposes
;
|
|
Amendment 100
Proposal for a regulation
Article 2 – paragraph 2 – point o
Text proposed by the Commission
|
Amendment
|
(o)
|
‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy life-styles;
|
|
deleted
|
Amendment 101
Proposal for a regulation
Article 2 – paragraph 2 – point q – introductory part
Text proposed by the Commission
|
Amendment
|
(q)
|
‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads,
might have
led or
might
lead to any of the following:
|
|
(q)
|
‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads,
has
led or
is likely to
lead to any of the following:
|
|
Amendment 102
Proposal for a regulation
Article 2 – paragraph 2 – point q – point i
Text proposed by the Commission
|
Amendment
|
(i)
|
the death of a natural person or serious damage to a natural person’s health;
|
|
(i)
|
the death of a natural person or serious damage to a natural person’s health
or rights
;
|
|
Amendment 103
Proposal for a regulation
Article 2 – paragraph 2 – point y
Text proposed by the Commission
|
Amendment
|
(y)
|
‘data holder’ means any natural or legal person, which is an entity or a body in the health
or
care sector, or
performing
research in relation to these sectors, as well as Union institutions, bodies, offices and agencies
who
has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law,
or in the case of non-personal data, through control of the technical design of a product and related services,
the ability to make available, including to register, provide, restrict access or exchange
certain data
;
|
|
(y)
|
‘
health
data holder’ means any natural or legal person, which is an entity or a body in the health
, social security or
care sector
or in the reimbursement services sector
, or perform
s
research in relation to these sectors, as well as Union institutions, bodies, offices and agencies
, and which, in accordance with this Regulation, applicable Union law or national legislation implementing Union law:
|
|
|
(i)
|
is a controller as set out in Regulation (EU) 2016/679 and
has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law,
to process personal electronic health data; or
|
|
|
(ii)
|
has
the ability to make available, including to register, provide, restrict access or exchange
non-personal electronic health data, through control of the technical design of a product and related services
;
|
|
Amendment 104
Proposal for a regulation
Article 2 – paragraph 2 – point z
Text proposed by the Commission
|
Amendment
|
(z)
|
‘data user’ means a natural or legal person
who
has lawful access to
personal or non-personal
electronic health data for secondary use;
|
|
(z)
|
‘
health
data user’ means a natural or legal person,
as well as a Union institution, body, office or agency, which
has
been granted
lawful access
, in accordance with this Regulation,
to electronic health data for secondary use
pursuant to a data permit or a health data request
;
|
|
Amendment 105
Proposal for a regulation
Article 2 – paragraph 2 – point z a (new)
Text proposed by the Commission
|
Amendment
|
|
(za)
|
‘health data applicant’ means any natural or legal person with a demonstrable professional link to the areas of health care, public health or medical research and that submits an application for health data;
|
|
Amendment 106
Proposal for a regulation
Article 2 – paragraph 2 – point aa
Text proposed by the Commission
|
Amendment
|
(aa)
|
‘data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
|
|
(aa)
|
‘
health
data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
|
|
Amendment 107
Proposal for a regulation
Article 2 – paragraph 2 – point a ea (new)
Text proposed by the Commission
|
Amendment
|
|
(aea)
|
‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on, managing, maintaining or improving the health of individual persons, or the delivery of care.
|
|
Amendment 108
Proposal for a regulation
Article 3 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. Natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format referred to in Article 6, of at least their electronic health data
in the priority categories referred to in
Article
5
.
|
2. Natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format referred to in Article 6, of at least their electronic health data
, or at the request of the natural person, a printed copy thereof, in accordance with
Article
15(3) of Regulation (EU) 2016/679
.
|
Amendment 109
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Text proposed by the Commission
|
Amendment
|
|
2a.
The rights referred to in paragraphs 1 and 2 shall be deemed complementary to and be without prejudice to the rights and obligations established by Article 15 of Regulation (EU) 2016/679.
|
Amendment 110
Proposal for a regulation
Article 3 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3. In accordance with Article 23 of Regulation (EU) 2016/679, Member States may restrict the scope of
this right
whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on
his or her health
.
|
3. In accordance with Article 23(1)
, point (i),
of Regulation (EU) 2016/679, Member States may restrict the scope of
rights referred to in this Article
whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on
him or her
.
|
Amendment 111
Proposal for a regulation
Article 3 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4.
Where the personal health data have not been registered electronically prior to the application of this Regulation, Member States may require that such data is made available in electronic format pursuant to this Article. This shall not affect the obligation to make personal electronic health data registered after the application of this Regulation available in electronic format pursuant to this Article.
|
deleted
|
Amendment 112
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in
paragraphs 1 and 2
;
|
|
(a)
|
establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in
this Article
;
|
|
Amendment 113
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
establish one or more proxy services enabling a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf.
|
|
(b)
|
establish one or more proxy services enabling a natural person to
legally
authorise other natural persons of their choice to access their electronic health data on their behalf
for a specified or indeterminate period and if needed, for a specific purpose only, or enabling legal representatives of patients to access electronic health data of the natural persons whose affairs they administer, in accordance with national law
.
|
|
Amendment 114
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 2
Text proposed by the Commission
|
Amendment
|
The proxy services shall provide authorisations free of charge, electronically or on paper.
They
shall enable
guardians or other
representatives to be authorised, either automatically or upon request, to access electronic health data of the natural persons whose affairs they administer. Member States may provide that authorisations do not apply whenever necessary for reasons related to the protection of the natural person, and in particular based on patient safety and ethics. The proxy services shall be interoperable among Member States.
|
The proxy services shall provide authorisations
in a transparent and easily understandable way,
free of charge, electronically or on paper.
Natural persons and those acting on their behalf shall be informed about their authorisation rights, how to exercise them, and what they can expect from the authorisation process.
|
|
The electronic health data access services as well as the proxy services shall be easily accessible for persons with disabilities, vulnerable groups or persons with low digital literacy.
|
|
The proxy services
shall enable
legal
representatives
of patients
to be authorised, either automatically or upon request, to access electronic health data of the natural persons whose affairs they administer
either for a specific purpose and time period or without limitation for the purpose of such administration
. Member States may provide that authorisations do not apply whenever necessary for reasons related to the protection of the natural person, and in particular based on patient safety and ethics. The proxy services shall be interoperable among Member States.
|
|
The proxy services shall provide an easy complaint mechanism with a contact point designated to inform individuals of a way to seek redress or remedy if they believe that their authorisation rights have been violated.
|
Amendment 115
Proposal for a regulation
Article 3 – paragraph 5 a (new)
Text proposed by the Commission
|
Amendment
|
|
5a.
In addition to the electronic services referred to in this Article, Member States shall also establish easily accessible support services for natural persons with adequately trained staff dedicated to assisting them with exercising their rights referred to in this Article.
|
Amendment 116
Proposal for a regulation
Article 3 – paragraph 6
Text proposed by the Commission
|
Amendment
|
6. Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services
or
applications linked to these services. That information shall be marked as inserted by the natural person or by
his or her
representative.
|
6. Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services
and
applications linked to these services. That information shall be marked as inserted by the natural person or by
their legal
representative
and as non-validated
.
That information shall only be considered as a clinical fact if validated by a health professional. Without prejudice to the right to insert data, health professionals shall not be obliged to validate any inserted data in the EHR.
|
Amendment 117
Proposal for a regulation
Article 3 – paragraph 6 a (new)
Text proposed by the Commission
|
Amendment
|
|
6a.
Natural persons shall have the right to download their electronic health data from their own EHR or the data of natural persons whose health information they can access through electronic health data access services and applications linked to these services.
|
Amendment 118
Proposal for a regulation
Article 3 – paragraph 7
Text proposed by the Commission
|
Amendment
|
7. Member States shall ensure that
, when exercising the
right to rectification under Article 16 of Regulation (EU) 2016/679
,
natural persons
can easily request
rectification
online through the electronic health data access services referred to in paragraph 5, point (a), of this Article
.
|
7. Member States shall ensure that
electronic health data services referred to in paragraph 5, point (a), of this Article allow for the possibility for natural persons to easily request rectification of their personal data online as a way to exercise their
right to rectification under Article 16 of Regulation (EU) 2016/679. Natural persons
shall not have the possibility of directly changing data inserted by health professionals. Such rectifications of clinical facts shall be validated, without undue delay, by a registered healthcare professional with a relevant specialisation who is responsible for the natural person’s treatment. The original data holder shall be responsible for the
rectification.
|
Amendment 119
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1
Text proposed by the Commission
|
Amendment
|
Natural persons shall have the right to
give access to or
request a data holder from the health or social security sector to transmit their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder.
|
Natural persons shall have the right to request a
health
data holder from the health or social security sector
or reimbursement services,
to transmit
all or part of
their electronic health data to a
health
data recipient of their choice from the health or social security sector
or reimbursement services
, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder.
The health data recipient shall be clearly identified by the natural persons to the health data holder and their affiliation to the health or social security sector shall be demonstrated. Health data holders and their processors shall comply with the request and shall transmit the data in the format provided for in Article 5.
|
Amendment 120
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 2
Text proposed by the Commission
|
Amendment
|
Natural persons shall have the right that, where the data holder and the data recipient are located in different Member States and such electronic health data belongs to the categories referred to in Article 5, the data holder shall transmit the data in the European electronic health record exchange format referred to in Article 6 and the data recipient shall read and accept it.
|
Natural persons shall have the right that, where the
health
data holder and the
health
data recipient are located in different Member States and such electronic health data belongs to the categories referred to in Article 5, the
health
data holder shall transmit the data in the European electronic health record exchange format referred to in Article 6 and the
health
data recipient shall read and accept it.
|
Amendment 121
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 3
Text proposed by the Commission
|
Amendment
|
By way of derogation from Article 9 of Regulation […] [Data Act COM/2022/68 final], the data recipient shall not be required to compensate the data holder for making electronic
heath
data available.
|
By way of derogation from Article 9 of Regulation […] [Data Act COM/2022/68 final], the
health
data recipient shall not be required to compensate the
health
data holder for making electronic
health
data available.
A health data holder, a health data recipient or a third party shall not directly or indirectly charge data subjects a fee, compensation or costs for sharing data or accessing it.
|
Amendment 122
Proposal for a regulation
Article 3 – paragraph 9
Text proposed by the Commission
|
Amendment
|
9.
Notwithstanding
Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms.
|
9.
Without prejudice to
Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of
specific health professionals or categories of
health professionals to all or part of their electronic health data.
When restricting the information, natural persons shall be made aware that restricting access may impact the provision of healthcare provided to them. Such restrictions shall apply also for cross-border transfers of electronic health data. The fact that a restriction has been made by the natural person shall not be visible to healthcare providers.
|
|
Member States shall establish the rules and specific safeguards regarding such restriction mechanisms.
Those rules shall include the possibility of modifying restrictions and of restricting access to anyone except the health professional who inserted the electronic health data. Those rules shall also establish the conditions of medical liability as a consequence of applying restrictions to electronic health data. The Commission shall establish guidelines regarding the implementation of this paragraph.
|
Amendment 123
Proposal for a regulation
Article 3 – paragraph 10
Text proposed by the Commission
|
Amendment
|
10. Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data
in the context of healthcare
. The information shall be provided immediately and free of charge through electronic health data access services.
|
10. Natural persons shall have the right to obtain information
, including through automatic notifications,
on the healthcare providers and health professionals that have accessed their electronic health data
, including access provided in accordance with Article 4(4), and on the substance of the accessed data. Natural persons shall have the possibility of disabling those notifications. In order to demonstrate compliance with this right, all relevant entities shall maintain a system of automated recording for at least three years showing who and when has accessed electronic health data
. The information shall be provided immediately and free of charge through electronic health data access services.
Member States may provide for restrictions to this right in exceptional circumstances, where there are factual indications that disclosure would endanger the vital interests or rights of the health professional or the care of the natural person.
|
Amendment 124
Proposal for a regulation
Article 3 – paragraph 11
Text proposed by the Commission
|
Amendment
|
11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679.
They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences.
|
11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679.
|
Amendment 125
Proposal for a regulation
Article 3 – paragraph 12
Text proposed by the Commission
|
Amendment
|
12. The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article. Those implementing acts shall be adopted in accordance with the
advisory
procedure referred to in Article
68(2)
.
|
12. The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article
, including technical and organisational measures to ensure the process of authentication of the authorised person referred to in paragraph 5, point (b), of this Article
. Those implementing acts shall be adopted in accordance with the
examination
procedure referred to in Article
68(2a)
.
|
Amendment 126
Proposal for a regulation
Article 3 – paragraph 12 a (new)
Text proposed by the Commission
|
Amendment
|
|
12a.
Member States, including regional and local authorities, shall provide easily understandable information to natural persons in relation to the use of the electronic health records and primary use of their personal electronic health data laid down in this Article. Such guidance shall take into account different user groups, including persons with disabilities and vulnerable groups, without compromising the quality and the scope of the information.
|
Amendment 127
Proposal for a regulation
Article 4 – paragraph -1 (new)
Text proposed by the Commission
|
Amendment
|
|
-1.
Access to EHR for primary use shall be strictly limited to healthcare providers.
|
Amendment 128
Proposal for a regulation
Article 4 – paragraph 1 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
|
|
(a)
|
have access
, based on the data minimisation and purpose limitation principles,
to the electronic health data of natural persons under their treatment
and exclusively for the purpose of that treatment, including relevant administration
, irrespective of the Member State of affiliation and the Member State of treatment
, in accordance with Article 9(2), point (h), of Regulation 2016/679
;
|
|
Amendment 129
Proposal for a regulation
Article 4 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. In line with the data minimisation
principle
provided for in Regulation (EU) 2016/679, Member States
may
establish rules providing for the categories of personal electronic health data required by different health professions. Such rules shall not be based on the source of electronic health data.
|
2. In line with the data minimisation
and purpose limitation principles
provided for in Regulation (EU) 2016/679, Member States
shall
establish rules providing for the categories of personal electronic health data required by different
categories of
health professions
or different healthcare tasks
. Such rules shall not be based on the source of electronic health data.
|
Amendment 130
Proposal for a regulation
Article 4 – paragraph 2 a (new)
Text proposed by the Commission
|
Amendment
|
|
2a.
In the case of treatment in a Member State other than the Member State of affiliation, the rules referred to in paragraphs 1a and 2 of the Member States of treatment shall apply.
|
Amendment 131
Proposal for a regulation
Article 4 – paragraph 2 b (new)
Text proposed by the Commission
|
Amendment
|
|
2b.
The Commission shall issue guidelines for the implementation of paragraphs 1, 2 and 2a, including time limitations for the access by health professionals to electronic health data of natural persons.
|
Amendment 132
Proposal for a regulation
Article 4 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3. Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.
|
3. Member States
and, where appropriate, local or regional authorities
shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals
, including for cross-border care,
through health professional access services
, where the processing of health data is necessary and for the purposes of Article 9(2), point (h), of Regulation 2016/679
. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.
|
|
The electronic health data in the electronic health records shall be structured in a user-friendly manner to allow for easy use by health professionals.
|
Amendment 133
Proposal for a regulation
Article 4 – paragraph 3 a (new)
Text proposed by the Commission
|
Amendment
|
|
3a.
Member States shall establish policies aimed at providing health professionals with the digital skills, competences, infrastructures and tools required to fulfil the obligations set out in paragraph 1.
|
Amendment 134
Proposal for a regulation
Article 4 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4. Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior
authorisation
by the natural person
, including where the provider or professional is informed of the existence and nature of the restricted electronic health data
. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
|
4. Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the
restricted
content of the electronic health data without prior
explicit consent pursuant to Article 9(2), point (a), of Regulation (EU) 2016/679
by the natural person. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
|
Amendment 135
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – introductory part
Text proposed by the Commission
|
Amendment
|
Where data is processed in electronic format, Member States shall implement access to and exchange of personal electronic health data for primary use fully or partially falling under the following categories:
|
1. Where data is processed in electronic format, Member States shall implement access to and exchange of personal electronic health data for primary use fully or partially falling under the following categories
making use of the International Classification of Diseases (ICD) codes, where applicable
:
|
Amendment 136
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point e
Text proposed by the Commission
|
Amendment
|
|
(e)
|
laboratory results
, medical test results and other complementary and diagnostic results
;
|
|
Amendment 137
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f
Text proposed by the Commission
|
Amendment
|
|
(f)
|
patient
discharge reports;
|
|
Amendment 138
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f a (new)
Text proposed by the Commission
|
Amendment
|
|
(fa)
|
medical directives of the natural persons and information about consent for substances of human origin and organ donations.
|
|
Amendment 139
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 2
Text proposed by the Commission
|
Amendment
|
The main characteristics of the categories of electronic health data in the first subparagraph shall be as set out in Annex I.
|
The main characteristics of the categories of electronic health data in the first subparagraph shall be as set out in Annex I
and limited to those categories
.
|
Amendment 140
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Text proposed by the Commission
|
Amendment
|
Access to and exchange of electronic health data for primary use
may be enabled
for other categories of personal electronic health data available in the EHR of natural persons.
|
Member States may provide for
access to and exchange of electronic health data for primary use for other categories of personal electronic health data available in the EHR of natural persons.
|
Amendment 141
Proposal for a regulation
Article 5 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. The Commission is empowered to adopt delegated acts in accordance with Article 67 to
amend the list of priority categories of electronic health data in paragraph 1. Such delegated acts may also
amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data
and indicating, where relevant, deferred application date. The categories of electronic health data added through such delegated acts shall satisfy the following criteria:
|
2. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data
, as laid down in paragraph 1.
|
(a)
|
the category is relevant for health services provided to natural persons;
|
|
|
(b)
|
according to the most recent information, the category is used in a significant number of EHR systems used in Member States;
|
|
|
(c)
|
international standards exist for the category that have been examined for the possibility of their application in the Union.
|
|
|
Amendment 142
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Text proposed by the Commission
|
Amendment
|
1. The Commission shall, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format. The format shall include the following elements:
|
1. The Commission shall, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format
, taking into account its Recommendation (EU) 2019/243
. The format shall include the following elements:
|
Amendment 143
Proposal for a regulation
Article 6 – paragraph 1 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
datasets containing electronic health data and defining structures, such as data fields and data groups for the content representation of clinical content and other parts of the electronic health data;
|
|
(a)
|
harmonised
datasets containing electronic health data and defining structures, such as
minimum
data fields and data groups for the content representation of clinical content and other parts of the electronic health data
, which can be enlarged to include disease-specific data
;
|
|
Amendment 144
Proposal for a regulation
Article 6 – paragraph 1 – point c
Text proposed by the Commission
|
Amendment
|
(c)
|
technical specifications for the exchange of electronic health data, including its content representation, standards and profiles.
|
|
(c)
|
technical
interoperability
specifications for the exchange of electronic health data, including its content representation, standards and profiles
, and for the translation of electronic health data
.
|
|
Amendment 145
Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 1 (new)
Text proposed by the Commission
|
Amendment
|
|
The Commission shall ensure that those implementing acts contain the latest versions of healthcare coding systems and nomenclatures and that they are updated regularly in order to keep up with the revisions of the healthcare coding systems and nomenclatures.
|
Amendment 146
Proposal for a regulation
Article 6 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. Those implementing acts shall be adopted in accordance with the
advisory
procedure referred to in Article
68(2)
.
Member States shall ensure that where the priority categories of personal electronic health data referred to in Article 5 are provided by a natural person directly or transmitted to a healthcare provider by automatic means in the format referred to in paragraph 1, such data shall be read and accepted by the data recipient.
|
2. Those implementing acts shall be adopted in accordance with the
examination
procedure referred to in Article
68(2a)
.
|
Amendment 147
Proposal for a regulation
Article 6 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3. Member States shall ensure that the priority categories of personal electronic health data referred to in Article 5 are issued in the format referred to in paragraph 1 and such data shall be read and accepted by the data recipient.
|
3. Member States shall ensure that the priority categories of personal electronic health data referred to in Article 5 are issued in the format referred to in paragraph 1
across the continuum of care
and such data shall be read and accepted by the data recipient.
|
Amendment 148
Proposal for a regulation
Article 7 – paragraph 1
Text proposed by the Commission
|
Amendment
|
1. Member States shall ensure that, where data is processed
in electronic format
, health professionals
systematically
register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.
|
1. Member States shall ensure that, where
health
data is processed, health professionals register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.
|
Amendment 555
Proposal for a regulation
Article 7 – paragraph 1 a (new)
Text proposed by the Commission
|
Amendment
|
|
1a.
Member States may provide for natural persons to have the right to object to the registration of their personal health data in an EHR system.
|
|
If a Member State provides for such a right, it shall establish the rules and specific safeguards regarding such objection mechanisms.
|
Amendment 149
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1
Text proposed by the Commission
|
Amendment
|
3. The Commission shall
, by means of implementing acts,
determine the requirements for the registration of
electronic
health data by healthcare providers and natural persons, as relevant.
Those implementing acts shall establish the following:
|
3. The Commission shall
adopt delegated acts in accordance with Article 67 to supplement this Regulation by
determining the
data quality
requirements for the
electronic
registration of health data by healthcare providers and natural persons, as relevant.
|
(a)
|
categories of healthcare providers that are to register health data electronically;
|
|
|
(b)
|
categories of health data that are to be registered systematically in electronic format by healthcare providers referred to in point (a);
|
|
|
(c)
|
data quality requirements pertaining to the electronic registration of health data.
|
|
|
Amendment 150
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 2
Text proposed by the Commission
|
Amendment
|
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2)
.
|
When health data are registered or updated, electronic health records shall identify the health professional, time and health care provider that carried out the registration or the update. Member States may provide for other aspects of data registration to be recorded
.
|
Amendment 151
Proposal for a regulation
Article 7 – paragraph 3 a (new)
Text proposed by the Commission
|
Amendment
|
|
3a.
Where the personal health data have not been registered electronically prior to the application of this Regulation, Member States may require that such data be made available in electronic format pursuant to this Article. This shall not affect the obligation to make personal electronic health data, registered after the application of this Regulation, available in electronic format, pursuant to this Article.
|
Amendment 152
Proposal for a regulation
Article 8 – paragraph 1
Text proposed by the Commission
|
Amendment
|
Where a Member State accepts the provision of telemedicine services, it shall, under the same conditions, accept the provision of the services of the same type by healthcare providers located in other Member States.
|
Where a Member State accepts the provision of telemedicine services, it shall, under the same conditions
and in a non-discriminatory manner
, accept the provision of the services of the same type by healthcare providers located in other Member States
, without prejudice to the same rights and obligations to access and register electronic health data
.
|
Amendment 153
Proposal for a regulation
Article 9 – paragraph 1
Text proposed by the Commission
|
Amendment
|
1. Where a natural person
uses
telemedicine services or personal health data access services referred to in Article 3(5), point (a), that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.
|
1. Where a natural person
or a health professional uses,
telemedicine services or personal health data access services referred to in Article 3(5), point (a),
Article 4(3) and where applicable, Article 8
that natural person
or health professional
shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014
, including eID schemes where such systems are offered
.
|
Amendment 154
Proposal for a regulation
Article 9 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. The Commission shall
, by means of implementing acts, determine
the requirements for the interoperable, cross-border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014
as amended by [COM(2021) 281 final]
. The mechanism shall facilitate the transferability of electronic health data in a cross-border context.
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
|
2. The Commission shall
adopt delegated acts in accordance with Article 67 to supplement this Regulation by determining
the requirements for the interoperable, cross-border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014. The mechanism shall facilitate the transferability of electronic health data in a cross-border context.
|
Amendment 155
Proposal for a regulation
Article 9 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3. The Commission shall implement services required by the interoperable, cross-border identification and authentication mechanism referred to in paragraph 2 of this Article at Union level, as part of the cross-border digital health infrastructure referred to in Article 12(3).
|
3. The Commission
, in cooperation with Member States,
shall implement services required by the interoperable, cross-border identification and authentication mechanism referred to in paragraph 2 of this Article at Union level, as part of the cross-border digital health infrastructure referred to in Article 12(3).
|
Amendment 156
Proposal for a regulation
Article 9 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4.
The digital health
authorities and the Commission shall implement the cross-border identification and authentication mechanism at Union and Member States’ level, respectively.
|
4.
Member States’ competent
authorities and the Commission shall implement the cross-border identification and authentication mechanism at Union and Member States’ level, respectively
, in accordance with Regulation (EU) No 910/2014
.
|
Amendment 157
Proposal for a regulation
Article 10 – paragraph 2 – introductory part
Text proposed by the Commission
|
Amendment
|
2. Each digital health authority shall be entrusted with the following tasks:
|
2. Each digital health authority shall be entrusted with the following tasks
and powers
:
|
Amendment 158
Proposal for a regulation
Article 10 – paragraph 2 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers;
|
|
(b)
|
ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers
and that appropriate training initiatives are undertaken at the local, regional and national level
;
|
|
Amendment 159
Proposal for a regulation
Article 10 – paragraph 2 – point h
Text proposed by the Commission
|
Amendment
|
(h)
|
contribute, at Union level, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing interoperability, security, safety or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;
|
|
(h)
|
contribute, at Union level
, and, where relevant, in cooperation at local and regional level within the Member States
, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing
quality,
interoperability, security, safety
, ease of use, accessibility, non-discrimination
or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;
|
|
Amendment 160
Proposal for a regulation
Article 10 – paragraph 2 – point k
Text proposed by the Commission
|
Amendment
|
(k)
|
offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities,
do not discriminate
and offer the possibility of choosing between in person and digital services;
|
|
(k)
|
offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible
and equitable
to different groups of natural persons and health professionals, including natural persons with disabilities,
under the same non-discriminatory conditions
and offer the possibility of choosing between in person and digital services;
|
|
Amendment 161
Proposal for a regulation
Article 10 – paragraph 2 – point m
Text proposed by the Commission
|
Amendment
|
(m)
|
cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data
, as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals, industry associations
;
|
|
(m)
|
cooperate with other relevant entities and bodies at
local, regional,
national or Union level, to ensure interoperability, data portability and security of electronic health data;
|
|
Amendment 162
Proposal for a regulation
Article 10 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3.
The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.
|
deleted
|
Amendment 163
Proposal for a regulation
Article 10 – paragraph 3 a (new)
Text proposed by the Commission
|
Amendment
|
|
3a.
The digital health authorities and the data protection authorities shall consult each other and cooperate in the enforcement of this Regulation, within the remit of their respective competences.
|
Amendment 164
Proposal for a regulation
Article 10 – paragraph 5
Text proposed by the Commission
|
Amendment
|
5.
In the performance of its tasks, the digital health authority shall actively cooperate with stakeholders’ representatives, including patients’ representatives.
Members of the digital health authority shall avoid any conflicts of interest.
|
5. Members of the digital health authority shall avoid any conflicts of interest.
Members shall not have financial or other interests in industries or economic activities which could affect their impartiality. They shall undertake to act in the public interest and in an independent manner, and shall make an annual declaration of their financial interests. All indirect interests which could relate to such industries or economic activities shall be entered in a register available to the public, upon request. The Commission may adopt guidance on what is likely to constitute a conflict of interest together with the procedure to be followed in such cases.
|
Amendment 165
Proposal for a regulation
Article 10 – paragraph 5 a (new)
Text proposed by the Commission
|
Amendment
|
|
5a.
In the performance of their tasks, the digital health authorities shall actively cooperate and consult with relevant stakeholders’ representatives, including patients’ representatives, health care providers and health professionals’ representatives, including health professional associations, consumer organisations and industry associations. Stakeholders shall declare any conflict of interest.
|
Amendment 166
Proposal for a regulation
Article 11 – paragraph 1
Text proposed by the Commission
|
Amendment
|
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall
inform the
supervisory authorities under Regulation (EU) 2016/679.
|
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority
, where their rights laid down in this Regulation are affected
. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation
or Regulation (EU) 2016/679
, the digital health authority shall
send a copy of the complaint to and consult with the competent
supervisory
authority under Regulation (EU) 2016/679 in order to facilitate its assessment and investigation. The decision of the digital health authority shall not prejudice any measures taken by the data protection
authorities
, which shall be competent to treat the complaint in separate proceedings, pursuant to their tasks and powers
under Regulation (EU) 2016/679.
|
Amendment 167
Proposal for a regulation
Article 11 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. The digital health authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken.
|
2. The digital health authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken
, including, where applicable, that the complaint was referred to the relevant supervisory authority under Regulation (EU) 2016/679, and that the supervisory authority will, from that moment on, be the sole point of contact for the complainant in that matter
.
|
Amendment 168
Proposal for a regulation
Article 11 – paragraph 3 a (new)
Text proposed by the Commission
|
Amendment
|
|
3a.
Each digital health authority shall facilitate submitting complaints, in particular by providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication.
|
Amendment 169
Proposal for a regulation
Article 11 a (new)
Text proposed by the Commission
|
Amendment
|
|
Article 11a
|
|
Right to an effective judicial remedy against a digital health authority
|
|
1.
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a digital health authority concerning them.
|
|
2.
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the digital health authority which is competent pursuant to Article 10 does not handle a complaint or does not inform the natural or legal person within three months about the progress or outcome of the complaint lodged pursuant to Article 11.
|
|
3.
Proceedings against a digital health authority shall be brought before the courts of the Member States where the digital health authority is established.
|
Amendment 170
Proposal for a regulation
Article 12 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the
advisory
procedure referred to in Article
68(2)
.
|
4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the
examination
procedure referred to in Article
68(2a)
.
The implementing act shall include the target implementation dates, including for cross border health data interoperability, in consultation with the EHDS board. The European Union Agency for Cyber Security (ENISA) shall be consulted and closely involved in all steps of the examination procedure. Any measures adopted shall meet the highest technical standards in terms of security, confidentiality and protection of electronic health data.
|
Amendment 171
Proposal for a regulation
Article 12 – paragraph 6
Text proposed by the Commission
|
Amendment
|
6. Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.
|
6. Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU
, provided that the requirements in Article 11 of Directive 2011/24/EU are fulfilled
. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.
|
Amendment 172
Proposal for a regulation
Article 12 – paragraph 8
Text proposed by the Commission
|
Amendment
|
8. The Commission shall, by means of implementing acts, allocate responsibilities among controllers and as regards the processor referred to in paragraph 7 of this Article, in accordance with Chapter IV of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
|
8. The Commission shall, by means of implementing acts, allocate responsibilities among controllers and as regards the processor referred to in paragraph 7 of this Article, in accordance with Chapter IV of Regulations (EU) 2016/679
and 2018/1725
. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
|
Amendment 173
Proposal for a regulation
Article 13 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3.
Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt an implementing act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such an implementing act, a compliance check of the national contact point of the third country or of the system established at an international level shall be performed under the control of the Commission.
|
deleted
|
The implementing acts referred to in the first subparagraph of this paragraph shall be adopted in accordance with the procedure referred to in Article 68. The connection of the national contact point of the third country or of the system established at an international level to the central platform for digital health, as well as the decision to be disconnected shall be subject to a decision of the joint controllership group for MyHealth@EU referred to in Article 66.
|
|
The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
|
|
Amendment 174
Proposal for a regulation
Article 14 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. This Chapter shall not apply to general software used in a healthcare environment.
|
2. This Chapter shall not apply to general software used in a healthcare environment
that it is not interoperable with EHR systems
.
|
Amendment 175
Proposal for a regulation
Article 14 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4. Providers of high-risk AI systems as defined in Article 6 of Regulation […] [AI act COM/2021/206 final], which
does
not fall within the scope of Regulation (EU) 2017/745, that claim interoperability of those AI systems with EHR systems will need to prove compliance with the essential requirements on interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those high-risk AI systems.
|
4.
Notwithstanding the obligations laid down in Regulation [AI act COM/2021/206 final],
providers of high-risk AI systems as defined in Article 6 of Regulation […] [AI act COM/2021/206 final], which
do
not fall within the scope of Regulation (EU) 2017/745, that claim interoperability of those AI systems with EHR systems will need to prove compliance with the essential requirements on interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those high-risk AI systems.
|
Amendment 176
Proposal for a regulation
Article 15 – paragraph 1
Text proposed by the Commission
|
Amendment
|
1. EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in this Chapter.
|
1. EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in
Section 3 of
this Chapter
and in Annex II
.
|
Amendment 177
Proposal for a regulation
Article 16 – paragraph 1 – introductory part
Text proposed by the Commission
|
Amendment
|
In the information sheet, instructions for use or other information accompanying EHR systems, and in the advertising of EHR systems, it shall be prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the
user
with regard to its intended purpose, interoperability and security by:
|
In the information sheet, instructions for use or other information accompanying EHR systems, and in the advertising of EHR systems, it shall be prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the
professional user as defined under Regulation (EU) 2018/1807
with regard to its intended purpose, interoperability and security by:
|
Amendment 178
Proposal for a regulation
Article 16 – paragraph 1 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
failing to inform the user of likely limitations related to interoperability or security features of the EHR system in relation to its intended purpose;
|
|
(b)
|
failing to inform the
professional
user of likely limitations related to interoperability or security features of the EHR system in relation to its intended purpose;
|
|
Amendment 179
Proposal for a regulation
Article 17 – paragraph 1 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
ensure that
their EHR systems
are in
conformity with the essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;
|
|
(a)
|
obtain for
their EHR systems
a certificate of compliance from an independent third-party body to attest their
conformity with the essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;
|
|
Amendment 180
Proposal for a regulation
Article 17 – paragraph 1 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
draw up the technical documentation of their EHR systems in accordance with Article 24;
|
|
(b)
|
draw up the technical documentation of their EHR systems in accordance with Article 24
before placing their systems on the market, and subsequently keep them up to date
;
|
|
Amendment 181
Proposal for a regulation
Article 17 – paragraph 1 – point c
Text proposed by the Commission
|
Amendment
|
(c)
|
ensure that their EHR systems are accompanied, free of charge for the user, by the information sheet provided for in Article 25 and clear and complete instructions for use;
|
|
(c)
|
ensure that their EHR systems are accompanied, free of charge for the user, by the information sheet provided for in Article 25 and clear and complete instructions for use
including in accessible formats for vulnerable groups and persons with disabilities
;
|
|
Amendment 182
Proposal for a regulation
Article 17 – paragraph 1 – point d
Text proposed by the Commission
|
Amendment
|
(d)
|
draw up an EU declaration of
conformity as referred to in Article
26
;
|
|
(d)
|
carry out the relevant
conformity
assessment procedures
as referred to in Article
27a and Annex IVa
;
|
|
Amendment 183
Proposal for a regulation
Article 17 – paragraph 1 – point d a (new)
Text proposed by the Commission
|
Amendment
|
|
(da)
|
draw up the EU declaration of conformity in accordance with Article 26;
|
|
Amendment 184
Proposal for a regulation
Article 17 – paragraph 1 – point e
Text proposed by the Commission
|
Amendment
|
(e)
|
affix the CE marking in accordance with Article 27;
|
|
(e)
|
affix the CE marking in accordance with Article 27
after the conformity assessment procedure has been completed
;
|
|
Amendment 185
Proposal for a regulation
Article 17 – paragraph 1 – point e a (new)
Text proposed by the Commission
|
Amendment
|
|
(ea)
|
indicate the name, registered trade name or registered trade mark, and the postal address and website, e-mail address or other digital contact at which they can be contacted, on the front office of the EHR system; the address shall indicate a single point at which the manufacturer can be contacted and. the contact details shall be in a language that is easily understood by users and market surveillance authorities;
|
|
Amendment 186
Proposal for a regulation
Article 17 – paragraph 1 – point g
Text proposed by the Commission
|
Amendment
|
(g)
|
take
without undue delay
any necessary corrective action in respect of their EHR systems
which
are not in conformity with the essential requirements laid down in Annex II, or recall or withdraw such systems;
|
|
(g)
|
take any necessary corrective action in respect of their EHR systems
immediately, where manufacturers consider or have reasons to believe that such systems
are not
or no longer
in conformity with the essential requirements laid down in Annex II, or recall or withdraw such systems
; the manufacturers shall then inform the national authorities of the Member States in which they made their EHR systems available or put them into service of the non-conformity and of any corrective action taken
;
|
|
Amendment 187
Proposal for a regulation
Article 17 – paragraph 1 – point h
Text proposed by the Commission
|
Amendment
|
(h)
|
inform the distributors of their EHR systems and, where applicable, the authorised representative and importers of any corrective action, recall or withdrawal;
|
|
(h)
|
immediately
inform the distributors of their EHR systems and, where applicable, the authorised representative and importers of
the non-conformity and of
any corrective action, recall or withdrawal
of that system
;
|
|
Amendment 188
Proposal for a regulation
Article 17 – paragraph 1 – point i
Text proposed by the Commission
|
Amendment
|
(i)
|
inform the market surveillance authorities of the Member States in which they made their EHR systems available or put them into service of the non-conformity and of any corrective action taken;
|
|
deleted
|
Amendment 189
Proposal for a regulation
Article 17 – paragraph 1 – point j
Text proposed by the Commission
|
Amendment
|
(j)
|
upon request
of a
market surveillance
authority, provide it
with all the information and documentation necessary to demonstrate the conformity of
their
EHR system with the essential requirements laid down in Annex II.
|
|
(j)
|
upon request
provide
market surveillance
authorities in the Member States
with all the information and documentation
in paper or digital format,
necessary to demonstrate the conformity of
the
EHR system
which they have placed on the market or put into service
with the essential requirements laid down in Annex II
and Article 27a in the official language of the Member State
.
|
|
Amendment 190
Proposal for a regulation
Article 17 – paragraph 1 – point k
Text proposed by the Commission
|
Amendment
|
(k)
|
cooperate with market surveillance authorities, at their request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.
|
|
(k)
|
cooperate with market surveillance authorities, at their request, on any action taken to bring their EHR systems
which they have placed on the market or put into service
in conformity with the essential requirements laid down in Annex II
and Article 27a in the official language of the Member State
.
|
|
Amendment 191
Proposal for a regulation
Article 17 – paragraph 1 – point k a (new)
Text proposed by the Commission
|
Amendment
|
|
(ka)
|
establish channels of complaint and keep a register of complaints, of non-conforming EHR systems, and keep distributors informed of any such monitoring.
|
|
Amendment 192
Proposal for a regulation
Article 17 – paragraph 2
Text proposed by the Commission
|
Amendment
|
2. Manufacturers of EHR systems shall ensure that procedures are in place to ensure that the design, development and deployment of an EHR system continues to comply with the essential requirements laid down in Annex II and the common specifications referred to in Article 23. Changes in EHR system design or characteristics shall be adequately taken into account and reflected in the technical documentation.
|
2. Manufacturers of EHR systems shall ensure that procedures are in place to ensure that the design, development and deployment of an EHR system continues to comply with the essential requirements laid down in Annex II and the common specifications referred to in Article 23
for EHR systems to remain in conformity with this Regulation
. Changes in EHR system design or characteristics
and changes in the technical standards and the technical specifications referred to in Annex II and III by reference to which the conformity of the EHR system is declared
shall be adequately taken into account and reflected in the technical documentation.
|
|
Manufacturers shall establish reporting channels and ensure their accessibility to allow users to submit complaints, and shall keep a register of complaints, of non-conforming EHR systems and EHR system recalls.
|
Amendment 193
Proposal for a regulation
Article 17 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3. Manufacturers of EHR systems shall keep the technical documentation and the EU declaration of conformity
for
10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market.
|
3. Manufacturers of EHR systems shall keep the technical documentation and the EU declaration of conformity
at the disposal of the market surveillance authorities for at least
10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market.
The source code or the programming logic included in the technical documentation shall, upon a reasoned request, be made available to the competent national authorities, if that source code or programming logic is necessary in order for them to be able to check compliance with the essential requirements set out in Annex II. The personnel of competent national authorities shall observe professional secrecy with regard to all information obtained in carrying out the conformity assessment activities in accordance with Annexes IVa, except in relation to the competent authorities of the Member State in which their activities are carried out. Proprietary rights, intellectual property rights and trade secrets shall be protected. Manufacturers shall establish reporting channels and ensure their accessibility to allow users to submit complaints, keep a register of complaints, of non-conforming EHR systems and EHR systems recalls.
|
Amendment 194
Proposal for a regulation
Article 17 – paragraph 3 a (new)
Text proposed by the Commission
|
Amendment
|
|
3a.
A manufacturer of EHR systems established outside the Union shall ensure that its authorised representative has the necessary documentation readily available in order to fulfil the tasks referred to in Article 18(2).
|
Amendment 195
Proposal for a regulation
Article 17 – paragraph 3 b (new)
Text proposed by the Commission
|
Amendment
|
|
3b.
Manufacturers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the EHR system with the essential requirements set out in Annex II and the common specifications referred to in Article 23, in a language which can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the risks posed by the EHR system, which they have placed on the market or put into service.
|
Amendment 196
Proposal for a regulation
Article 17 – paragraph 3 c (new)
Text proposed by the Commission
|
Amendment
|
|
3c.
Liability rules under Directive 85/374/EEC, shall apply to manufacturers of EHR systems without prejudice to more protective measures under national law.
|
Amendment 197
Proposal for a regulation
Article 18 – paragraph 2 – introductory part
Text proposed by the Commission
|
Amendment
|
2. An authorised representative shall perform the tasks specified in the mandate
received from
the manufacturer. The mandate shall allow the authorised representative to do at least the following:
|
2. An authorised representative shall perform the tasks specified in the mandate
agreed with
the manufacturer. The mandate shall allow the authorised representative to do at least the following:
|
Amendment 198
Proposal for a regulation
Article 18 – paragraph 2 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
keep the EU declaration of conformity and the technical documentation at the disposal of market surveillance authorities for the period referred to in Article 17(3);
|
|
(a)
|
keep the EU declaration of conformity and the technical documentation at the disposal of
the Member State
market surveillance authorities for the period referred to in Article 17(3);
|
|
Amendment 199
Proposal for a regulation
Article 18 – paragraph 2 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
further to a reasoned request from a market surveillance
authority,
provide
that authority
with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II;
|
|
(b)
|
further to a reasoned request from a market surveillance provide
authorities of the Member States concerned a copy of the mandate
with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II;
|
|
Amendment 200
Proposal for a regulation
Article 18 – paragraph 2 – point b a (new)
Text proposed by the Commission
|
Amendment
|
|
(ba)
|
immediately inform the manufacturer if the authorised representative has a reason to believe that an EHR system is no longer in conformity with the essential requirements laid down in Annex II;
|
|
Amendment 201
Proposal for a regulation
Article 18 – paragraph 2 – point b b (new)
Text proposed by the Commission
|
Amendment
|
|
(bb)
|
immediately inform the manufacturer about complaints received by consumers and professional users;
|
|
Amendment 202
Proposal for a regulation
Article 18 – paragraph 2 – point c
Text proposed by the Commission
|
Amendment
|
(c)
|
cooperate with the market surveillance authorities, at their request, on any corrective action taken in relation to the EHR systems covered by their mandate.
|
|
(c)
|
cooperate with the market surveillance authorities
in the Member State
, at their request, on any corrective action taken in relation to the EHR systems covered by their mandate.
|
|
Amendment 203
Proposal for a regulation
Article 18 – paragraph 2 a (new)
Text proposed by the Commission
|
Amendment
|
|
2a.
In the event of a change of the authorised representative, the detailed arrangements for the change shall address at least the following aspects:
|
|
(a)
|
the date of termination of the mandate of the outgoing authorised representative and the date of the beginning of the mandate of the incoming authorised representative;
|
|
|
(b)
|
the transfer of documents, including confidentiality aspects and property rights.
|
|
Amendment 204
Proposal for a regulation
Article 19 – paragraph 2 – point a
Text proposed by the Commission
|
Amendment
|
(a)
|
the manufacturer has drawn up the technical documentation
and the EU declaration of conformity
;
|
|
(a)
|
the manufacturer has
obtained a certificate of compliance from an independent third body to attest to the relevant conformity assessment procedure referred to in Article 27a and drawn up the EU declaration of conformity in accordance with Article 26; and
drawn up the technical documentation
, in accordance with Article 24, before placing their system on the market
;
|
|
Amendment 205
Proposal for a regulation
Article 19 – paragraph 2 – point a a (new)
Text proposed by the Commission
|
Amendment
|
|
(aa)
|
the manufacturer is identified and an authorised representative in accordance with Article 18 has been appointed;
|
|
Amendment 206
Proposal for a regulation
Article 19 – paragraph 2 – point b
Text proposed by the Commission
|
Amendment
|
(b)
|
the EHR system bears the CE marking of conformity;
|
|
(b)
|
the EHR system bears the CE marking of conformity
referred to in Article 27 after the conformity assessment procedure has been completed
;
|
|
Amendment 207
Proposal for a regulation
Article 19 – paragraph 2 – point c
Text proposed by the Commission
|
Amendment
|
(c)
|
the EHR system is accompanied by the information sheet referred to in Article 25
and appropriate
instructions for use.
|
|
(c)
|
the EHR system is accompanied by the information sheet referred to in Article 25
with clear and complete
instructions for use
including in accessible formats
.
|
|
Amendment 208
Proposal for a regulation
Article 19 – paragraph 3
Text proposed by the Commission
|
Amendment
|
3. Importers shall indicate their name, registered trade name or registered trade mark and the address at which they can be contacted in a document accompanying the EHR system.
|
3. Importers shall indicate their name, registered trade name or registered trade mark and the
postal
address
and website, e-mail address or other digital contact
at which they can be contacted in a document accompanying the EHR system.
The address shall indicate a single point at which the manufacturer can be contacted. The contact details shall be in a language easily understood by users and the market surveillance authorities. They shall ensure that any additional label does not obscure any information on the label provided by the manufacturer.
|
Amendment 209
Proposal for a regulation
Article 19 – paragraph 4
Text proposed by the Commission
|
Amendment
|
4. Importers shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II is jeopardised.
|
4. Importers shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II
and Article 27a
is jeopardised.
|
Amendment 210
Proposal for a regulation
Article 19