Opinion of the European Committee of the Regions on the European Health Data Space

(2023/C 157/10)

Rapporteur:

Daniela CÎMPEAN (EPP/RO), President of Sibiu County Council

Reference document:

Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space

COM(2022) 197 final 2022/0140 (COD)

I. RECOMMENDATIONS FOR AMENDMENTS

Amendment 1

Article 1(2) new letter (a1)

Text proposed by the Commission

CoR amendment

This Regulation:

[…]

This Regulation:

[…]

( a) 1

gives data users access to health data for the purposes set out in Chapter IV of the Regulation.

Reason

The access of data users is an important part of the regulation.

Amendment 2

Article 2(2)(n)

Text proposed by the Commission

CoR amendment

(n)	‘EHR system’ (electronic health record system) means any appliance or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records;

(n)	‘EHR system’ (electronic health record system) means any appliance or software used by the healthcare provider for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records;

Reason

It is the healthcare provider, not the manufacturer, who sets the framework for the use of EHR systems. This is in the interests both of consistency between countries and of patient safety.

Amendment 3

Article 2(2)(y)

Text proposed by the Commission

CoR amendment

‘data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;

‘data holder’ means any natural or legal person, at national or regional level, depending on the health organization of the Member State, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;

Reason

Self-explanatory.

Amendment 4

Article 2(2)(ad)

Text proposed by the Commission	CoR amendment
‘data quality’ means the degree to which characteristics of electronic health data are suitable for secondary use;	‘data quality’ means the degree to which characteristics of health data meet the requirements for use;

Reason

The definition of the quality of information generated in the healthcare sector cannot be based solely on secondary use. The concept of quality should also take into account the aim of providing care. Furthermore, different uses may have different data requirements; the same data can be deemed as having different quality depending on how they are used.

Amendment 5

Article 3(6)

Text proposed by the Commission	CoR amendment
Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative.	Natural persons may , in accordance with the rules of their healthcare provider, insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative.

Reason

To highlight the importance of healthcare providers being able to control which information can be added to the medical record. Otherwise, there is a risk of collecting large volumes of sensitive personal data that is of poor quality.

Amendment 6

Article 3(9)

Text proposed by the Commission

CoR amendment

Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms. These rules and protective measures must not hinder the ability of healthcare services to provide good, safe and equitable and accessible care. Natural persons should be informed of the patient safety risks associated with limiting access to health data.

Reason

The aim of providing care must take precedence over any possibility of restrictions. It should not be possible to block access to certain information, such as warning notices; nor should legal guardians have the right to block children’s data at their own discretion.

Amendment 7

Article 3(10)

Text proposed by the Commission

CoR amendment

Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare. The information shall be provided immediately and free of charge through electronic health data access services.

Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare , unless there are fundamental considerations relating to the health professional’s privacy that militate against it . The information shall be provided immediately and free of charge through electronic health data access services.

Reason

Protecting the privacy of healthcare providers or professionals may be a fundamental consideration. For example, it may be necessary to consider the safety of health professionals who have been threatened by a patient.

Amendment 8

Article 4(1)

Text proposed by the Commission

CoR amendment

Where they process data in an electronic format, health professionals shall:

Where they process data in an electronic format, health professionals shall , in accordance with Regulation (EU) 2016/679 and national law :

(a)	have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;

(a)	have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;

(b)	ensure that the personal electronic health data of the natural persons they treat are updated with information related to the health services provided.

(b)	ensure that the personal electronic health data of the natural persons they treat are updated with information related to the health services provided.

Reason

Clarification of the article with respect to the GDPR (Regulation (EU) 2016/679 (1)), to make it clear that the obligations stem from that Regulation.

Amendment 9

Article 4(2)

Text proposed by the Commission	CoR amendment
In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States may establish rules providing for the categories of personal electronic health data required by different health professions . Such rules shall not be based on the source of electronic health data.	In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States may establish rules providing for the categories of personal electronic health data required in healthcare .

Reason

Basing rules on data sources and professional categories exceeds EU competences and overlooks national regulatory frameworks. The patient’s privacy may be compromised, in particular if the principles of sharing are changed for existing sources. In particular, the link to the source may undermine the principle of data minimisation.

Amendment 10

Article 4(3)

Text proposed by the Commission

CoR amendment

Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.

Member States and, where appropriate, local or regional authorities shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals , including for cross-border care, through health professional access services. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.

Reason

To take account of regional competences in the field of health in various Member States.

Amendment 11

Article 4(4)

Text proposed by the Commission	CoR amendment
Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior authorisation by the natural person , including where the provider or professional is informed of the existence and nature of the restricted electronic health data.	Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the health data without prior authorisation by the natural person . However, the provider or professional must be able to see that such restricted health data exists .
In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data.	In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person , or a manifest public interest , the healthcare provider or health professional may get access to the restricted electronic health data.
Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.	Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.

Reason

Healthcare professionals and healthcare providers should be able to see that certain information is blocked, even if the content of this information is not available. Providing good care presupposes knowing whether or not all the information is available. ‘Manifest public interest’ has been added to the reasons for providing access to data, in order to protect other interests. This could, for example, relate to infection control.

Amendment 12

Article 5(2)

Text proposed by the Commission

CoR amendment

The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. […]

(c)	international standards exist for the category that have been examined for the possibility of their application in the Union.

The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. […]

(c)	international standards exist for the category that have been examined for the possibility of their application in the Union ;

(d)	the need to share information in the priority categories shall be determined by the Member States.

Reason

The priorities of new categories must be guided by real needs in the Member States. In many countries, the regional and local level is responsible for healthcare and must be involved in the prioritisation process.

Amendment 13

Article 7(1)

Text proposed by the Commission	CoR amendment
Member States shall ensure that, where data is processed in electronic format, health professionals systematically register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.	Member States shall ensure that, where data is processed in electronic format, health professionals systematically register the relevant health data falling under the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.

Reason

The wording ‘at least’ is too vague. The regulation should regulate the categories referred to in Article 5 at any given time. If more categories of electronic health data need to be exchanged for healthcare purposes, the list of priority categories should be expanded.

Amendment 14

Article 9(1)

Text proposed by the Commission

CoR amendment

Where a natural person uses telemedicine services or personal health data access services referred to in Article 3(5), point (a), that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.

Reason

The models already in place in the Member States must be taken into account.

Amendment 15

Article 10(1)

Text proposed by the Commission

CoR amendment

Digital health authority

Each Member State shall designate a digital health authority responsible for the implementation and enforcement of this Chapter at national level. The Member State shall communicate the identity of the digital health authority to the Commission by the date of application of this Regulation. Where a designated digital health authority is an entity consisting of multiple organisations, the Member State shall communicate to the Commission a description of the separation of tasks between the organisations. The Commission shall make this information publicly available.

Digital health authority

Each Member State shall designate a digital health authority responsible for the implementation and enforcement of this Chapter at national level. The Member States may also complement this with regional e-health authorities responsible for implementation and enforcement at regional level . The Member State shall communicate the identity of the digital health authority to the Commission by the date of application of this Regulation. Where a designated digital health authority is an entity consisting of multiple organisations, the Member State shall communicate to the Commission a description of the separation of tasks between the organisations. The Commission shall make this information publicly available.

Reason

To introduce the possibility of designating regional e-health authorities.

Amendment 16

Article 10(2)(h)

Text proposed by the Commission

CoR amendment

Each digital health authority shall be entrusted with the following tasks: […]

(h)

contribute, at Union level, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing interoperability, security, safety or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;

Each digital health authority shall be entrusted with the following tasks: […]

(h)

contribute, at Union level , and in cooperation with the local and regional level within the Member States, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing interoperability, security, safety or fundamental right concerns and interaction patterns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;

Reason

Where the regional and local level is responsible for healthcare within a Member State, it is not sufficient for a State authority to contribute to developing the format.

Amendment 17

Article 10(2)(k)

Text proposed by the Commission

CoR amendment

Each digital health authority shall be entrusted with the following tasks: […]

(k)

offer , in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, do not discriminate and offer the possibility of choosing between in person and digital services;

Each digital health authority shall be entrusted with the following tasks: […]

(k)

where a Member State allows the provision of telemedicine services, in compliance with national legislation, facilitate the provision of telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, do not discriminate and offer the possibility of choosing between in person and digital services;

Reason

Digital health authorities should not provide telemedicine services; Member States which do offer such services should facilitate the provision thereof.

Amendment 18

Article 10(2)(m)

Text proposed by the Commission

CoR amendment

(m)

cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals, industry associations;

(m)

cooperate with other relevant entities and bodies at local, regional, national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals, industry associations;

Reason

To take account of regional competences in the field of health in various Member States.

Amendment 19

Article 23(1)

Text proposed by the Commission

CoR amendment

The Commission shall, by means of implementing acts, adopt common specifications in respect of the essential requirements set out in Annex II, including a time limit for implementing those common specifications. Where relevant, the common specifications shall take into account the specificities of medical devices and high risk AI systems referred to in paragraphs 3 and 4 of Article 14.

Reason

The main purpose of patient records is to support good healthcare. This must be the starting point when developing common specifications with a view to tapping good practices and the experience of Member States which have already developed a system of electronic health records.

Amendment 20

Article 29(4)

Text proposed by the Commission	CoR amendment
Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.	Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.
Such notification shall be made, without prejudice to incident notification requirements under Directive (EU) 2016/1148, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the manufacturer becomes aware of the serious incident involving the EHR system.	Such notification shall be made, without prejudice to incident notification requirements under Directive (EU) 2016/1148, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 7 days after the manufacturer becomes aware of the serious incident involving the EHR system.

Reason

The time limit should not exceed one week. The deadline of 15 days for notification of a serious incident considerably increases the risk of it causing serious harm.

Amendment 21

Article 33(1)

Text proposed by the Commission	CoR amendment
Data holders shall make the following categories of electronic data available for secondary use in accordance with the provisions of this Chapter : (a) […] (o)	The Member States shall , in consultation with the Commission, determine which categories of electronic data data holders shall make available for secondary use in accordance with the provisions of this Chapter . This can be regulated by means of implementing acts adopted in accordance with the advisory procedure referred to in Article 68(2).

Reason

The Regulation should not specify all categories. More work and analysis is needed to determine the types of data to be shared. It would therefore be more appropriate to do this with implementing acts. The list significantly interferes with existing national legislation.

Amendment 22

Article 33(5)

Text proposed by the Commission	CoR amendment
Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.	Where the consent of the natural person is required by national law , including through his or her representative , health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.

Reason

Express provision should be made for the case where the natural person wishes or needs to act through a representative.

Amendment 23

Article 35(e)

Text proposed by the Commission

CoR amendment

(e)	developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco products , or goods or services which are designed or modified in such a way that they contravene public order or morality.

(e)	developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages or tobacco products.

(f)	developing products or services that may create discriminations (in terms, of race, gender, age or sexual orientation).

Reason

What constitutes public order and morality is a question of values. It is therefore inappropriate for the EU to introduce rules concerning morality in the EHDS. Where specific goods and services are concerned, they should instead be explicitly specified, possibly by means of an implementing act. The reasons for subparagraph (f) are self-explanatory.

Amendment 24

Article 36(3)

Text proposed by the Commission

CoR amendment

In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. A conflict of interest shall be understood to mean the existence of a direct or indirect formal link with one or more entities that are data holders or beneficiaries. Health data access bodies shall not be bound by any instructions from another external entity , when making their decisions.

Reason

The term ‘conflict of interest’ requires a clearer definition. The wording ‘shall not be bound by any instructions’ needs to be clarified. Internal rules/regulations should not be included in this category.

Amendment 25

Article 38(3)

Text proposed by the Commission

CoR amendment

Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body may inform the natural person and his or her treating health professional about that finding.

Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body shall inform the natural person and his or her treating health professional that a finding has been made, and give the natural person an opportunity to receive or object to receiving information about what the finding means, including through his or her representative;

Reason

It should be mandatory to provide information on the existence of a finding. At the same time, the person should be given the opportunity to consider whether or not to receive more information on the finding.

Amendment 26

Article 43(4)

Text proposed by the Commission

CoR amendment

Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non-compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to revoke the data permit and to exclude the data user from any access to electronic health data for a period of up to 5 years.

Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non-compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to fine (up to 10 % of the data user’s annual turnover for the previous financial year) or to revoke the data permit and to exclude the data user from any access to electronic health data for a period of up to 5 years.

Reason

The sanctions must be reinforced in case of misuse of the Regulation.

Amendment 27

Article 44

Text proposed by the Commission

CoR amendment

1.	The health data access body shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.

1.	The health data access body shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.

2.	The health data access bodies shall provide the electronic health data in an anonymised format, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.

2.	The health data access bodies shall provide the electronic health data in an anonymised format, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.

Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re-identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties.

4.	Health data access bodies may, where necessary, provide personal electronic health data, subject to Regulation (EU) 2016/679 and national law.

Reason

In exceptional circumstances, it may be necessary to provide access to personal electronic health data for secondary use, for example in the context of research in the public interest. Of course, this must be done in compliance with the EU’s General Data Protection Regulation ((EU) 2016/679) and national law.

Amendment 28

Article 46(3)

Text proposed by the Commission

CoR amendment

A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.

A health data access body shall issue or refuse a data permit within 3 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.

Reason

The health data access body might need some time to assess the applications.

Amendment 29

Article 46(9)

Text proposed by the Commission

CoR amendment

A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit , for a period which cannot exceed 5 years . By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.

A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 10 years. This duration may be extended once for a maximum of 2 years , at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 10 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.

Reason

Many research projects will require data to be retained for more than five years. The amendment provides more scope for assessing the ‘necessary duration’, so that the retention period can be up to 10 years. On the other hand, the extension period should be shorter than the proposed five years.

Amendment 30

Article 47(3)

Text proposed by the Commission	CoR amendment
Where an applicant has requested a result in an anonymised form, including statistical format, based on a data request, the health data access body shall assess, within 2 months and, where possible, provide the result to the data user within 2 months.	Where an applicant has requested a result in an anonymised form, including statistical format, based on a data request, the health data access body shall assess, within 2 months and, where possible, provide the result to the data user within 2 months. Where it is not possible to provide the data, the health data access body shall provide the applicant with a reasoned explanation for the refusal.

Reason

The article states that the data is to be provided ‘where possible’. Where it is not possible to provide the data, the applicant should receive a reasoned explanation of why this is not possible.

Amendment 31

Article 49(1)

Text proposed by the Commission

CoR amendment

Where an applicant requests access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies.

Where an applicant requests access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The single data holder shall refuse the data authorisation in the circumstance of which individual cases may be attributed to a specific person despite pseudonymisation. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies.

Reason

Anonymity is key concerning health data.

Amendment 32

Article 50(1)(f)

Text proposed by the Commission

CoR amendment

The health data access bodies shall provide access to electronic health data only through a secure processing environment, with technical and organisational measures and security and interoperability requirements. In particular, they shall take the following security measures:

[…]

(f)	ensure compliance and monitor the security measures referred to in this Article to mitigate potential security threats.

(f)	ensure compliance and monitor the security measures referred to in this Article to minimise potential security threats.

Reason

The aim of security measures should be to minimise potential security threats and not merely mitigate them.

Amendment 33

Article 65(1)

Text proposed by the Commission

CoR amendment

Tasks of the EHDS Board

1.	The EHDS Board shall have the following tasks relating to the primary use of electronic health data in accordance with Chapters II and III: […]

1.	The EHDS Board shall have the following tasks relating to the primary use of electronic health data in accordance with Chapters II and III: […]

(b)	to issue written contributions and to exchange best practices on matters related to the coordination of the implementation at Member State level of this Regulation and of the delegated and implementing acts adopted pursuant to it, in particular as regards:

[…]

(b)

to issue written contributions and to exchange best practices on matters related to the coordination of the implementation at Member State level of this Regulation and of the delegated and implementing acts adopted pursuant to it, taking into account the regional and local level, in particular as regards:

[…]

Reason

To highlight the importance of including the local and regional level.

II. POLICY RECOMMENDATIONS

THE EUROPEAN COMMITTEE OF THE REGIONS (CoR),

Regarding data security and protection

welcomes the Commission’s proposal for a European Health Data Space (EHDS) and stresses the need for healthcare services to be able to benefit from such infrastructure, while ensuring the security of patients’ privacy and data rights (2);

underlines that citizens’ health-related expectations towards the EU were reflected in the conclusions of the Conference on the Future of Europe, in particular as regards strengthening the resilience and quality of the health systems by ‘creating a European Health Data Space, which would facilitate the exchange of health data; individual health records could be made available — on a voluntary basis — with the help of an individual European electronic health pass that complies with data protection rules’;

welcomes the ambition in the proposal to create new and expanded opportunities for primary and secondary use of health data for the benefit of patients, healthcare, research and society as a whole. Improving access to health data is a prerequisite for developing modern healthcare;

believes that giving patients access to their own health data and enabling them to share it with healthcare services facilitates joined-up care, improves patient safety and gives patients more opportunities to be active co-creators of their own care. Controlled and privacy-proof use of health data for research, policy-making and product development is also an important prerequisite for new medical progress, greater patient safety and better monitoring of health care outcomes;

points out that the overarching purpose of health data, and of sharing it, is to provide patients with the best possible healthcare and to ensure the quality of the healthcare provided. An assessment of the state of the health system would also be recommended, with a special focus on villages and towns, and to develop and organize health systems based on the results of this assessment, with the scope to minimize differences in the quality of care;

considers that the free movement of goods and services should not be prioritised over patients’ access to good healthcare in their home country, and that this needs to be taken into account in ongoing work on the regulation;

highlights the fact that medical records are one of the most important tools for healthcare providers and professionals in organising and providing good healthcare that is safe for patients; it must therefore be possible to develop medical documentation with due regard for both the common standards established by the EHDS and the additional national and regional standards established by each Member State in line with specific local needs;

draws attention to the need to clarify whether or not social services are covered by the new Regulation, as some Member States record both social and health data together, while others make a distinction;

believes that the Regulation will require major development work at European, national, regional and local level, which will take up substantial financial, time and human resources. The cost estimates included in the proposal do not identify local and regional costs clearly enough. While these costs can undoubtedly be partly funded under various EU programmes, it is unclear to what extent Member States’ transition costs will be covered and how the costs incurred by the various stakeholders will be handled;

10.

stresses that, as the digitalisation of health data increases cybersecurity risks, all parties involved must comply with the highest standards of data protection and security. Europeans must be assured that their personal health data will be processed with the utmost care, based on a robust framework and robust data protection and security systems with appropriate safeguards;

11.

stresses that, in seeking to empower individuals to have increased access to and control over their electronic health data, the Regulation needs to ensure that vulnerable groups, and in particular older people with limited digital skills or limited access to digital resources, are not neglected (3);

12.

considers of utmost importance the right to self-determination of natural persons and underlines the importance of including guarantees regarding compliance with the provisions of Regulation (EU) 2016/679 (GDPR);

13.

highlights that the creation of the EHDS is made more difficult by a lack of experts and technical know-how and by a limited number of providers with the necessary expertise to build and maintain health data systems and infrastructure that meet high security and data protection requirements;

14.

calls on the Commission to discuss and present suggestions on how the Union can support the development of additional physical infrastructure for data storage in the Member States, including at local and regional level;

Regarding interoperability

15.

is concerned that, in the absence of clear guidelines, the implementation of the EHDS could lead to a fragmented approach, similar to the GDPR experience, resulting from uneven implementation and different interpretations at national and even regional level across the EU;

16.

considers that common specific rules, operating models and solutions are therefore needed if the Regulation is to be implemented uniformly across all Member States and to ensure that the cross-border use of health data respects Europeans’ right to privacy; in this regard, is pleased that the current proposal makes it mandatory to use the electronic health record exchange format;

Regarding data quality

17.

points out that the data used for research or policy-making, as well as for the provision of healthcare, must be reliable, in uniform format, consistent, fit for purpose, representative and measurable; welcomes the requirements set out in the proposal — specifying the types and main characteristics of the health data — but considers that the quality requirements warrant greater attention;

18.

notes, however, that several Member States are already working at national and decentralised level to find digital solutions for the exchange of data across sectors, and for many of the other elements contained in the Regulation. Therefore, the experience acquired through this type of initiative should be harnessed and tapped in future through the EHDS;

19.

further points out that the development of the framework for exchanging data between Member States must be based on international standards such as FHIR profiling and SNOMED CT standards. This will make European work relevant to any non-EU countries that are already looking towards and collaborating with a number of Member States on the fluid exchange of data across systems, etc.;

20.

considers that giving individuals the right and option to modify and enter data in their personal electronic health records might lead to problems with the quality of those records, and suggests that more detailed consideration be given to how these issues could be addressed;

Regarding governance

21.

stresses that the success of the EHDS requires a multi-level governance approach and solutions not only at EU and national level, but also at regional and local level;

22.

believes that one of the challenges involved in rolling out the EHDS will be providing sufficient resources and infrastructure, including physical infrastructure at national, regional and local level, to cover the storage of, access to and exchange of health data for healthcare provision, research, policy-making and regulatory activities;

23.

stresses the need to further clarify the role and powers of the EHDS Board. While the board is to be composed of representatives of the digital health authorities and health data access bodies from all of the Member States, the role of the observers, experts, stakeholders and other third parties, and the arrangements for their participation in the work of the board, are unclear;

24.

notes that the proposal requires the standardisation of data across Member States in order for data to be exchanged. This could have significant administrative and financial implications for local and regional authorities, as any new data standards would need to be integrated into authorities’ existing IT systems and staff would need to be given training to work with these new standards;

25.

calls for the CoR, as the representative of local and regional authorities, to be represented on the EHDS Board;

26.

highlights that, as the current proposal provides leeway for implementing many of its practical aspects through implementing acts, it is currently difficult to get an overview of what the Regulation will mean in practice for patients, healthcare systems, research, innovators and other users of health data;

Regarding subsidiarity

27.

in its current form, the proposal for a regulation does not appear to pose any problems as regards its compliance with the principle of subsidiarity in terms of the proposed objectives of portability and interoperability of data, as these cannot be properly regulated by Member States/regions and/or local authorities acting alone. Furthermore, the EHDS has a number of benefits which contribute to closing the gap between EU regions and to providing reliable information used to devise health policies geared to local needs. Another aspect which must not be overlooked is the scientific benefits regarding the positive or negative (adverse) effects of the various medical technologies used, the findings of which can be rapidly put to use in the most far flung or disadvantaged regions. However, care must be taken to ensure that the proposed Regulation does not exceed the EU’s competences and that it does uphold the rights of Member States and/or regional or local authorities with regard to the organisation of healthcare, given that a number of countries have chosen to devolve various responsibilities for healthcare to regional or local authorities, allowing decisions to be taken as closely as possible to citizens.

Brussels, 8 February 2023.

The President of the European Committee of the Regions

Vasco ALVES CORDEIRO

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(2) CoR opinion on A pharmaceutical strategy for Europe and legislative proposal for changing the mandate of the European Medicines Agency (EMA) (OJ C 300, 27.7.2021, p. 87).

(3) Directive (EU) 2016/2102 of the European Parliament and of the Council of 26 October 2016 on the accessibility of the websites and mobile applications of public sector bodies (OJ L 327, 2.12.2016, p. 1).