EUROPEAN COMMISSION

Strasbourg, 3.5.2022

SWD(2022) 131 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Health Data Space

{COM(2022) 197 final} - {SEC(2022) 196 final} - {SWD(2022) 130 final} - {SWD(2022) 132 final}

Table of contents

1Introduction

1.1Technological context

1.2Socio-economic context

1.3Legal context

2Problem definition

2.1Lessons learnt from the evaluation of Article 14 of the Cross Border Health Care Directive (CBHC) Directive

2.2What are the problems?

2.3What are the problem drivers?

2.4How will the problem evolve?

3Why should the EU act?

3.1Legal basis

3.2Subsidiarity and Proportionality

4Objectives: What is to be achieved?

4.1General objective

4.2Specific objectives

4.3Objectives tree/intervention logic

5What are the available policy options?

5.1What is the baseline from which options are assessed?

5.2Description of the policy options

6What are the impacts of the policy options?

6.1Economic impact

6.2Single Market, competitiveness, innovation, SMEs and international aspects

6.3Impacts on fundamental rights

6.4Social and environmental impact

7How do the options compare?

8Preferred option

9How will actual impacts be monitored and evaluated?

End-notes

Glossary

Term or acronym	Meaning or definition
AI	Artificial intelligence
AIA	Artificial Intelligence Act
App	Application
CBHC	Cross-Border Healthcare Directive (2011/24/EU)
CEF	Connecting Europe Facility
DCC	Digital COVID-19 Certificate
DGA	Data Governance Act
DA	Data Act
eIDAS	Electronic identification, authentication and trust services
eHDSI, MyHealth@EU	Cross-border digital infrastructure for the exchange of health data, also known as the eHealth Digital Service Infrastructure (previously referred to as “eHDSI”)
DARWIN	Data Analysis and Real-World Interrogation Network
eHealth Network	Voluntary network established on the basis of Article 14 of Directive 2011/24/EU with EU Member States representatives collaborating on eHealth
EEHRxF	European Electronic Health Record exchange format
EHR	Electronic Health Record
eID	Electronic Identification and Authentication
epSOS	Smart Open Services for European Patients
ECDC	European Centre for Disease Prevention and Control
EMA	European Medicines Agency
ERDF	European Regional Development Fund
EU	European Union
FTE	Fulltime equivalent
GDP	Gross Domestic Product
GDPR	General Data Protection Regulation
GP	General Practitioner
ICT	Information and Communication Technology
MD	Medical Device
MDR	Medical Device Regulation
mHealth	Mobile communication device used in health and well-being services covering various technological solutions, which support self-management and measure vital signs such as heart rate, blood glucose level, blood pressure, body temperature and brain activity.
MWP	Multiannual Work Plan
NCPeHs	National Contact Points for eHealth
OECD	Organisation for Economic Co-operation and Development
R&D	Research & Development
RRF	Recovery and Resilience Facility
RWE	Real World Evidence
RWD	Real World Data
Telehealth	Provision of healthcare services and medical information using innovative technologies, especially ICT, in situations where the health professional and patient (or two health professionals) are not in the same location.
WHO	World Health Organization

11 Introduction

This impact assessment accompanies the legislative proposal on a European Health Data Space (EHDS). EHDS is one of the priorities of the current College in the area of health I and will be an integral part of building a European Health Union II . It will ensure coherence with a number of other EU legislative frameworks, including the General Data Protection Regulation, the Data Governance Act, the AI Act, cybersecurity regulatory framework, the eIDAS regulation, the pharmaceutical regulatory framework and the medical device regulation III .

The COVID-19 pandemic has highlighted the imperative of having timely access to health data for research, innovation, regulatory, policy-making and statistical purposes, and the European Council has recognised the urgency to make progress towards and to give priority to the EHDS IV . Such timely access would have helped, through efficient public health surveillance and monitoring, a more effective management of the pandemic, and ultimately contributing to save lives. In 2020, the Commission adapted urgently its Clinical Patient Management System V (CPMS) to allow Member States share the data of COVID patients when moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and cross-country level. The call for structural approach was further strengthened through Council Conclusions by the ministers of health during the German Presidency VI .

In February 2019, the European Parliament adopted a resolution on the implementation of Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare (hereinafter “CBHC Directive”) VII , where it stressed the need for action in the area of digital health data, personal records, ePrescriptions and telemedicine, while ensuring data protection.

The 2020 European Strategy for Data VIII announced the Commission’s plans for European data spaces, including the EHDS. The initiative on an EHDS builds upon and complements the proposal for a Data Governance Act IX and the proposal for a Data Act X , by providing specific measures for health. It also builds on the provisions of the GDPR for the area of health. The EHDS is a Commission priority XI , as reiterated in the State of the Union of 2020 XII and 2021 XIII , and is included in the 2021 Commission Work Programme (CWP) XIV .

Digital health has been on the agenda of the European Commission for a long time XV , building on the CBHC Directive XVI and eHealth Action Plan 2012-2020 XVII . Prior to the COVID-19 health crisis, in the Communication on enabling digital transformation of health and care in the Digital Single Market (2018) XVIII , the Commission announced its intention to act in three areas: citizens' secure access to and sharing of health data across borders; better data to advance research, disease prevention and personalised health and care; and digital tools for citizen empowerment and person-centred care. Through MyHealth@EU XIX , in 2019, Member States started to provide patients the ability to share their data with healthcare providers (in the language of the healthcare professional) of their choice when traveling abroad. Also, progress was made on the interoperability of electronic health records (EHRs) XX . The COVID-19 crisis strongly anchored the work of the eHealth Network as the main pillar for the development of contact tracing and warning apps XXI and EU Digital COVID Certificates XXII .

At international level, the challenges and opportunities related to the growing digitalisation of data in the health area and to health data sharing have also been discussed. The Council of Europe issued in March 2019 a Recommendation on the protection of health-related data XXIII , providing guidelines on the processing of health-related data in line with the Convention for the Protection of Human Rights and Fundamental Freedoms. The Organisation for Economic Co-operation and Development (OECD) underlined in 2016 XXIV the important and growing opportunities of health data re-use and World Health Organization (WHO) adopted a Global Strategy on digital health 2020-2025 XXV . Moreover, WHO and OECD are looking into the state of play of digital health ecosystems of countries. The WHO has developed State of Digital Health report, which provides the snapshot throughout the world. The report presents data collected from the 22 countries across 6 regions that participate in the Global Digital Health Index (GDHI), analyses regional trends, and sets benchmarks to consider when charting future growth. XXVI . OECD regularly develops reports on the implementation, dissemination and continued relevance of the OECD Recommendation on Health Data Governance XXVII . Several third countries adopted specific legislation on data and interoperability XXVIII . Cooperation with WHO, OECD, G7 continues, as well as bilateral cooperation with different third countries, such as the US.

1.11.1 Technological context

Data concerning health is defined by the GDPR as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. The scope of health data covered by the EHDS includes not only processing of electronic personal data concerning health and social care, but also non-personal data, for example, as anonymised or aggregated data related to health and social care XXIX which may fall outside the scope of the GDPR. It is important to distinguish between primary and secondary uses of health data to understand the challenges of the EHDS. In this context, primary and secondary uses should be understood as follows, unless indicated otherwise:

a)Primary use, or use, of heath data is defined as the use of health data to support or provide direct individual healthcare delivery to the data subject, including for ensuring continuity of care XXX . Such data comprises data stored in electronic health records (including patient summaries, ePrescriptions, images, laboratory results, discharge reports), as well as other types of data (e.g. genetic data, data generated by medical devices or wellness applications). The eHealth Network, the existing voluntary cooperation network established under article 14 of the CBHC Directive, has worked over the past years on the cross-border exchange of health data for primary uses. Key information domains that have been or are being standardised (coded, made interoperability for data exchange etc.) include patient summaries, ePrescriptions/eDispensations, laboratory reports, medical images and reports and hospital discharge reports. While these documents are not the only documents constituting an electronic health record (EHR) XXXI , they are key datasets identified as a baseline for a European Electronic Health Record Exchange Format (EEHRxF) XXXII .

b)Secondary use (or reuse) of health data is defined as the use of individual-level, personal or non-personal health data or aggregated datasets, particularly data generated during healthcare provision with the purpose of supporting research, innovation, policy making, regulatory activities and other uses, such as healthcare delivery to a patient, based on the data concerning other patients (e.g. personalised medicine). The scope of health data for reuse purposes is much wider than in the context of primary use. Such data could include electronic health records, other clinical documents, sickness claims, reimbursement data, diseases registries, but also relevant social data etc. Besides electronic health records and other digital health products and services, reusers may utilise sources such as disease-specific or subdomain-specific data registries (e.g. focused on brain research or communicable diseases, among many others) and networks of registries (such as EUROCAT or ENCR), health-related administrative data (e.g. reimbursement and claims data), as well as other specific datasets containing genetic and genomic data. The current landscape of health data reuse initiatives is characterised by disease-specific or subdomain-specific initiatives and infrastructures XXXIII .

Digital health refers to the use of digital technologies by people and healthcare systems for health. It covers a wide range of services and products, including medical devices XXXIV , such as those used for remote care delivery, health data and information management, patient management (including therapeutic decision-making) and telemonitoring and diagnosis XXXV . The rollout of digital technologies XXXVI is rapidly changing the way in which health and care services are provided, and the scope of health data processing, which has traditionally been limited to electronic health records systems and other IT systems managed by healthcare systems, is becoming more decentralised and more granular, as online and portable electronic devices become more popular. These technologies increasingly rely on health data generation, access, processing and transmission by patients themselves and their reach extends beyond traditional health systems. This decentralisation has also widened the data domains that are relevant for providing health care XXXVII , including, for example, data generated from digital health products such as wearables or mobile health applications XXXVIII (which can also be medical devices), as well as wellness mobile applications XXXIX and patient recorded outcomes.

An overview of user perspectives is available in Figure 1 of Annex 4 on graphical representation of different aspects in the impact assessment.

As defined by the GDPR XL , personal health data is highly sensitive for the repercussions its processing potentially has on the health and wellbeing of individuals, and its processing is therefore characterised by specific standards and protocols for interoperability and cybersecurity. The categories of relevant health data are widening and becoming more diverse and decentralised and are collected in different formats and repositories XLI . While GDPR foresee the right to access and portability of data, its practical implementation is hampered by different structures of data, different coding and different standards for sharing data between data sources. Technologically, the decentralisation has brought new challenges for interoperability beyond the interoperability between electronic health records, particularly regarding the interoperability among digital devices and digital health applications. Due to a lack of interoperability, in many cases, healthcare professionals cannot access the complete medical history of the patient and cannot make optimal medical decisions for the treatment and diagnosis of their patients, which adds considerable costs for both health systems and patients. Researchers and innovators cannot have access to sufficiently large amounts of health data that is necessary for breakthroughs in the medical field. Likewise, policy-makers and regulators lack the relevant health data in order to take efficient decisions and ensure the right surveillance of health issues. The picture below describes the challenges in terms of interoperability. According to eHealth Network’s Refined eHealth European Interoperability Framework XLII , for interoperability to be implemented, one should ensure legal interoperability (same rules), organisational (similar policy and care processes), semantic (similar way of codong the information that feeds into the system) and technical interoperability (for applications and IT infrastructure) XLIII . For more details on the interoperability challenges, including the interoperability framework and the state of play in Member States, see Annex 10.

Figure 2: Interoperability of the health ecosystem (source: MedTech Europe, Cocir, Interoperability standards in digital health. A white paper from the medical technology industry, 06/10/2021, interoperability-white-paper-cover (cocir.org) ).

1.21.2 Socio-economic context

Digital health products and the use and reuse of health data can enable models of care better suited to people and patients’ needs and preferences, by preventing the onset of disease or earlier treatment. The increased use of digital health solutions during the COVID-19 pandemic allowed healthcare systems to expand their support of patients from various socioeconomic backgrounds who would otherwise not seek or be able to access care during this crisis. The use and reuse of health data influences the quality and efficiency of health services received by individuals in many ways. The availability of health data to healthcare professionals is key for ensuring continuity of care and avoiding duplications and errors, and to policy-makers for proper decision-making, for example, regarding the assessment of new health technologies for pricing and reimbursement. The availability of health data to patients is also fundamental for transparency and better disease management. The use and reuse of health data can inform better clinical decisions, contribute to automation in health and accelerate R&D processes, helping close the current productivity gap both in the provision of healthcare and in the research and development of medical breakthroughs.

In order to ensure that the patients can control their health data, for the primary use of health data, one can distinguish three main product markets that can be impacted by the European Health Data Space initiative, as they entail use of data (especially access and portability): electronic health records, medical devices and wellness apps. Telemedicine is also another market (although it often contains a combination of medical devices, electronic health records and communication tools). The market of healthcare providers is also impacted by the proposal, as they need to ensure that data can be shared/made accessible and that the electronic health records, medical devices and other systems are interoperable.

The health services sector, representing approximately 10% of the EU’s GDP XLIV and including both public and private providers, is a fundamental ecosystem both for the wellbeing of Europeans and the economy of the EU. Europe’s healthcare systems are under pressure XLV as health costs increase at a faster rate than GDP due to, among others, structural issues such as ageing population and high development costs of new medicines and treatments XLVI . The COVID-19 pandemic exacerbated this issue. The sharing and reusing of health data, particularly combined with automation and digitalisation, would contribute to increased efficiencies. When all relevant health information is available at the point of care, tests no longer need to be duplicated, the administrative burden on healthcare professionals will be lowered when entering or copying health data between systems and medical errors can be reduced. Studies have estimates that up to 20% of spending in health could be wasteful and that, therefore, this waste could be reduced without hampering the performance of healthcare systems XLVII . Digitalisation and interoperability can contribute to reducing this waste by allowing the data to be shared between healthcare providers thus leading to better, more targeted diagnosis, avoiding duplications and additional unnecessary costs. Overall, studies have shown that the increased use of health data and increased interoperability could generate potential savings valued at EUR 4.6 billion per year for health services and 4.3 billion per year for patients XLVIII . The most recent estimates by the OECD suggest that the combined economic benefits of putting data and digital technology to work in the health sector could amount to 8% of the total health expenditure of all OECD countries XLIX . While the investments in digital health contribute to the competitivennes of Member States’ economies and their future growth, allowing the cost savings and increased efficiency of health systems, detailed estimations are not yet systematically available.

With regards to electronic health records (EHRs), the introduction of electronic health records for medical coding and billing has eased the process as data entering into computerized systems is more convenient than paper-based methods. The size of the global market in 2020 was estimated at USD 26.9 billion and is expected to grow to US 35 billion by 2028 L . While the market is competitive, some big players, such as Cerner Corporation, Allscripts Healthcare LLC, EPIC Corporation are among the major brands in the market, but smaller players are also active. Many providers tend to provide proprietary solutions, which lead to lock-in effects, although governmental initiatives (e.g. 21 Century Cures Act of the US government) can lead to increased interoperability and data unblocking. For instance, in August 2020, Cerner Corp. collaborated with Amazon to integrate its EHR solutions with the latter’s wearables, such as Amazon Halo. This would provide greater interoperability to its customers and strengthen its service portfolio LI . During the COVID-19 crisis, Electronic Health Records (EHR) vendors and organizations have started to help curbing the pandemic by making telehealth a mainstream alternative, enhancing data access through EHRs, and collaborating to develop Covid-19 dashboards in detail. In terms of regional distribution, North America is expected to dominate the global EHR market owing to rising support for the adoption of health information technology by providers and payers, big giants in the market focusing on improving patients’ clinical outcomes, coupled with increasing government initiatives and programmes for population health management. Asia Pacific seems the fastest growing region in this field, especially thanks to governmental initiatives in China. Europe (including Russia) is estimated to have a share of around 27% of the global market LII , which would mean by extrapolation around EUR 3.85 billion. However, this seems to be a conservative estimate, as shown by the estimates of Member States. Based on information received from experts in Member States, the cost of setting up nationally electronic health record systems ranges between few hundred million euros EUR 1.4 billion for mid-sized and large EU countries, depending on the service coverage. Based on Member States declarations, studies LIII and extrapolations, the value of the EHR market can go up to EUR 16 billion, out of which EUR 3-9 billion need to be set up or further developed. Under the Recovery and Resilience Facility, Member States applied for around EUR 12 billion funding for digital health (out of a total of EUR 720 billion) including for investments in electronic health records. In terms of number of EHR products, Finland has registered around 400 electronic health record systems, including 80 connected to the national system (Kanta) and other digital health products processing electronic health data in its current database of certified products. By extrapolation (considering all EU Member States and that some products can overlap between different countries), one could expect around 4,000-5,000 EHR systems on the EU market, as some producers will provide services in several countries.

During the pandemic, faced with the unprecedented need for remote access to care in the context of the imposed social distancing restrictions, the use of digital health, including telemedicine has increased significantly (e.g. reflected in the use of teleconsultations LIV ), thus guaranteeing continuity of care for a large part of the population LV . According to Eurostat, 2% of the population report unmet needs for medical examination and care due to the healthcare service being too expensive or too far to travel. Digital health products and services, including telehealth, are increasingly becoming an intrinsic part of the delivery of care, allowing to reduce some of the inequalities in relation to access and affordability of healthcare. The integration of these digital products and services can positively contribute to improving the cost-effectiveness of healthcare systems, e.g. telemedicine is reported to be cost-effective in 73.3% of the cases covered by the literature LVI . A 2018 market study on telemedicine LVII considered that its market potential was strong and expected to grow in the EU at a compound annual growth rate of 14% in the coming years. Telemedicine is also expected to improve the efficiency of the healthcare systems, including by supporting triage. In fact, OECD estimated that 12% to 56% of emergency department visits are inappropriate LVIII . The COVID crisis has boosted strongly the telemedicine market. In the long run, it is expected that the global market is projected to grow from USD 41.63 in 2019, USD 79.79 billion in 2020 to USD 396.76 billion by 2027 LIX , with North America in the lead, followed by Europe. At the same time, further roll-out of telemedicine requires more mature and interoperable electronic health records and medical devices.

The global digital health market, which comprises various software and hardware solutions (which includes medical devices, but not necessarily) used in the processing of health data, has seen a steady increase in terms of size, and was expected to almost double in size, from EUR 16 billion in 2015 to EUR 31 billion in 2020 LX . For example, industry association COCIR estimates that the size of the European market for medical imaging IT technologies is worth EUR 500 million. The European digital health sector is a very important supplier of products and services for healthcare, but before the pandemic it clearly lagged behind the US both in terms of revenue and number of users per capita LXI . A consultancy considered that by using mHealth solutions to their potential, healthcare systems in the EU can save 99 billion EUR in total annual healthcare spend in 2017 after the cost of extra workforce to support mHealth LXII . According to Eurostat LXIII , in 2019, pharmaceutical goods and other medical non-durable goods made up approximately 14% of total health expenditure in the EU LXIV , or almost EUR 195 billion, while therapeutic appliances and other medical durable goods made up 4%, or around EUR 60 billion. According to the yearly analysis of an industry association LXV , the medical devices industry employs 760,000 workers, consists of 33,000 companies (of which 95% are SMEs), and represents almost 8% of healthcare expenditure. The European medical devices market, with a size of EUR 140 billion and growing steadily since 2017, is the second largest market after the US and represents 28% of the world market for medical devices. This sector contributed to the EU’s economy with a EUR 8.7 billion trade surplus in 2020.

Digital products that are medical devices are another sector impacted by EHDS in several ways: re-use of data is essential to develop some devices, especially those entailing AI. At the same time, these devices produce data that ideally should be ported to electronic health records if the two are interoperable and be consulted by the patient and the healthcare provider. An industry association listed around 500 000 products in the area of medical devices (including all types of devices, from digital to masks and PPE), but the exact numbers of devices that process patients’ data are difficult to identify. Devices processing patients’ data could include: personal (connected) health devices (including imaging and other diagnostic/monitoring devices in clinical settings, digital and robotic surgery equipment, telehealth and remote care/monitoring systems, glucose meters and insulin pens, pulse oximeters, blood pressure cuffs, thermometers, medical grade weight scales, etc.), cardiac implanted electronic devices, health apps ranging from personal monitoring/coaching to advanced clinical decision support software etc. The central database Eudamed LXVI is being set up and only a limited number of medical devices have been included (59 with software and around 1000 using electricity). A search in medical devices database of Italy revealed around 160 medical devices that process information such as images which, by extrapolation to the whole EU (taing into account the overlap on different markets and increased number of products), can lead to around 5,000-20,000 medical devices processing patients’ data.

Other m-health products that may produce relevant health data are wellness applications (which do not fit within the definition of medical device LXVII ). The size of the market is much bigger than for medical devices. A 2019 study published by the Dutch National Institute for Public Health and the Environment analysed the market of mobile health applications in the Netherlands and found that 21% of sampled applications were a medical device (i.e. a mobile health application according to the definition above), while the rest 79% were not (i.e. a wellness mobile application) LXVIII . With regards to the state of the market, over 71,000 health and fitness apps were launched globally in 2020 (24,000 in the Apple App Store and 47,000 in the Google Play Store) LXIX . According to the IQVIA Institute LXX the volume of health-related mobile applications would have surpassed 350,000 globally in 2021. According to industry analysts LXXI , sales in health and fitness apps in Europe accounted for 30% of global spending in the category, up from a 27% share in 2019. Therefore, there could be approximately 100,000 mobile wellness applications in the European market. The COVID-19 crisis boosted the use of such apps, with Europe as a global lead. European spending in health and fitness category mobile applicationss jumped by 70% year-over-year in 2020 to an estimated USD 544 million as consumers looked to keep fit and stay mindful during the COVID-19 pandemic and regional lockdowns. Downloads of Health & Fitness category apps saw a significant surge in Europe during 2020, rising by approximately 46% year-over-year in 2020 to 829 million LXXII .

Figure 3. The patient monitoring continuum (Source: Medtecheurope, Cocir, 2021).

For the secondary use of health data, the main sectors impacted are research and innovation (including on pharma, medical devices, AI), policy making and regulatory aspects, as well as the data market.

The yearly economic value of health data reuse, which can very notably benefit the development and placing in the market of new pharmaceutical products LXXIII , medical devices and other digital health products (e.g. those based on artificial intelligence), is estimated at around EUR 25-30 billion at present, expected to increase to around 50 billion in 10 years LXXIV .

According to a recent retrospective analysis LXXV on the use of real-world evidence (RWE) to support marketing authorisation applications to the EMA for new pharmaceutical products and extensions of indications, 40% of initial marketing authorisation applications and 18% of applications for extension of indication for products currently on the market contained RWE (obtained from the re-use of data from electronic health records, registries etc). Another recent analysis LXXVI on the use of RWE during the pre-authorisation phase concluded that dearly all European Public Assessment Reports submitted in 2018-2019 relied on RWE for the discovery (98.2%) and life-cycle management (100.0%) LXXVII . However, the collection and management of RWE remains costly, particularly when it requires processing of personal health data originating from several national jurisdictions and when such data is being collected by obtaining the explicit consent of each data subject. Reducing the costs of accessing the data (fee to data access body as opposed to contacting data subjects and getting the consent) can stimulate new research, innovation and can facilitate the decision making of health authorities and regulators. For more details concerning the differences in costs, see Annex 5 on methodological approach.

According to the current evaluation of data markets for the countries that developed mapping and quality evaluation of different data sources, Finland has listed in its data catalogue around 450 data sources/datasets and France, 12. Therefore, extrapolating and considering that not all the countries will have from the beginning the same level of maturity and mapping and evaluation of data sources/datasets, one could have at the level of EU, at the end of 10 years between 3500-5000 data sources mapped and benefiting from a quality label (with some countries having more, others less).

Overall, Member States and stakeholders are supportive to the objectives of the EHDS initiative, as gathered in the public consultation and other stakeholder consultations. The most important objectives that respondents said a European framework on the access and exchange of personal health data should aim included: supporting and accelerating research in health (89%); promoting citizens’ control over their own health data, including access to health data and transmission of their health data in electronic format (88%); and facilitating the delivery of healthcare for citizens across borders (83%) (see Annex 2).

1.31.3 Legal context

1.3.11.3.1 Horizontal framework

As shown in Annex 6, the EHDS builds upon legislation such as GDPR, Data Governance Act, Data Act and the Cross-border Healthcare Directive, while ensuring compliance with regulatory frameworks in the areas of sybersecurity, pharma and cross-border health threats.

Considering that a substantive amount of data to be accessed in EHDS are personal health data relating to individuals in the EU, the instrument must be designed in full compliance with the General Data Protection Regulation (GDPR) LXXVIII , but also with EU Data Protection Regulation LXXIX (EUDPR). The instrument should also take account of the EU’s international trade commitments.

The use of data for health and the re-use of health-related data build on the possibilities for processing health data based on EU law, offered by the article 9 of GDPR LXXX for processing special categories of data, including health or genetic data, whereby processing is necessary for:

·healthcare provision (the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services and subject to professional secrecy (Article 9(2)(h));

·for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Article 9(2)(i));

·scientific or historical research, statistical purposes or archiving in the public interest (Article 9(2)(j)).

With regards to processing of data for healthcare (primary use of health data), EHDS is intended to reinforce the control of patients over their health data by establishing clear rules on how the rights of data subjects under chapter III of the GDPR (right to access, portability, information, rectification, erasure, restriction of processing, right to object, with a focus on right to access and port the data) can be implemented in practice. EHDS would task the national digital health authorities with establishing a national framework supporting the implementation of these rights. Such a framework could entail establishing of national patient portal, as well as implementation of requirements that could stengthen the interoperability and allow the data to “flow” between healthcare providers (by certification, using such standards in procurements etc.).

In the context of EHDS, the notion of “control” on the part of the individuals concerning the rights remains the same as in Chapter III and IV of GDPR. More specifically, the EHDS aims at further strengthening the right to access and portability of the data subjects to their health data so that they can provide it to the healthcare professionals of their choice rapidly and in an easy, transparent common format. The need to reinforce the right to access in the field of the healthcare services derives from objective difficulties and obstacles, since, for instance, the data may not be available immediately or in an electronic format (for more details, see Annex 12 on the evaluation of the Cross-Border Healthcare Directive). Moreover, this right is difficult to implement in practice in an electronic format if no patient portal exists and if data is stored in electronic health records of healthcare providers which are not readily accessible to patients. A study LXXXI has shown that, while 26 EU/EEA countries generally provide their citizens with access to EHR data by law, 12 countries indicate that their citizens are not entitled to choose which healthcare professional or other party can access their EHR. Most countries specify conditions for alteration and archiving of electronic health data, but only around one third allow patients to correct data entered intheir EHR by themselves.

Furthermore, one of the major purposes of the EHDS is to facilitate the transfer of health data, upon request of the data subjects, between the healthcare or social providers of their choice. Article 20 GDPR provides the right to portability for data subjects. However, its fragmented implementation across Member States has shown some serious limitations concerning healthcare, as Article 20 GDPR excludes: a) health data that has not been provided by the data subject or observed (e.g. medical reports etc.), b) data that had been processed based on another legal basis other than consent or contract (which in practice excludessome categories of public entities the majority of which processes personal data on the legal basis of public interest). Consequently, on a practical level, patients may not exercise the right to portability of their health data when for example consulting a new doctor (patients need to ask for the data, bring it often in paper format, and the data may be incomplete) since it could be outside the scope of Article 20 of the GDPR. Moreover, the portability right cannot be implemented technically if there is no interoperability between different healthcare providers and with an electronic health record. If the standards and specifications used for different solutions are proprietary and cannot “talk” to each other, if data are kept in silos then even if the various healthcare providers are willing to fulfil the data subject’s demand in relation to their personal health data it will be challenging to do so in practice. Therefore, the EHDS proposal will also support the technical aspects that are necessary to operationalise some of the GDPR rights, as for instance, the electronic right of access and portability cannot be ensured without the necessary technical elements standards and specifications necessary to ensure interoperability between different data sources, authentication of individuals or setting up the national infrastructure for electronic health records.

Whilst consent (Article 6(1)(a) and 9(2)(a) of GDRPR) is one of the main legal bases for health data processing under GDPR, the GDPR also allows the processing of health data under other valid legal basis- ie provision of health or social care, public health, scientific purpose based on Union or national law. Thus, data can be processed as per Articles 9(2)(h), (i) (j) LXXXII of the GDPR, which do not require explicit consent, provided that suitable and specific measures are put in place to safeguard the rights and freedoms of data subjects. Some Member States already use these possibilities under their national law (see Table 1. in section 2.2.).

For secondary use of health data, EHDS would build upon these possibilities offered by GDPR for a specific EU law with particular safeguards. It will develop a European framework, inspired from the actions taken by several Member States that adopted similar national legislation for the secondary use of health data. EHDS, similarly to these national laws, would specify the purposes for which data can be used, as well as limitations LXXXIII in full compliance with the provisions and requirements of the GDPR.

Similarly to national framework built upon GDPR, EHDS would ensure that data is processed in a legal, ethical and secure way by setting up a data access body/data permit authority LXXXIV deciding on every request to access to data, alone or in cooperation with other entities LXXXV . EHDS would provide access to a large array of health data (electronic health records, claims, genetic data etc.), but the technical implementation of the cooperation between the data access bodies and the data holders would be left to the national level.

The request for data access should provide information about the purpose of processing, ethical evaluation, data protection aspects etc LXXXVI which would allow the data access body to analyse and determine whether the request complies with the relevant data protection principles. In line with data minimisation principles under GDPR, data, by default, may be provided in an anonymised/aggregated way or in a pseudonymised way. In order to ensure security of the data, this can be processed in a virtual secure processing environment where the researcher has the necessary IT tools for data processing, but only the aggregated results can be downloaded. EHDS may foresee that data users can process data based on Union law and applicable data protection principles, provided that they comply with the security standards and data is processed in a secure environment. The proposed system will promote the processing of personal health data while maintaining strong legal and technical security safeguards to the rights of the data subjects as required by GDPR.

During the discussions with several Member States which have already set up such data access bodies, it appeared that they have encountered a high demand for such service and are currently facing long delays to satisfy all the requests.

Figure 4. Big picture of the secondary use of health and social data (source: Finland’s Ministry of Health).

The EHDS would build upon the horizontal framework on data access and reuse, including the proposal for a Data Governance Act (DGA) LXXXVII adopted on 25 November 2020 (political agreement in November 2021) and the proposal for a Data Act LXXXVIII , to complement it and provide more specific rules for the health sector. These specific rules would cover standards and specifications for providers of data intermediation services in the health sector, minimum technical requirements for the portability of health data, criteria for security of data for bodies dealing with data altruism).

When providing a framework for data reuse in health, EHDS will build upon the DGA. As a horizontal framework, the DGA cannot address the specificities of sensitive data, such as health or genetic data. The DGA alone does not provide an adequate solution to the current uncoordinated patchwork of national laws arising from the fragmented implementation of the GDPR in the health domain. DGA does not provide a legal base for re-use of sensitive catagories of data, such as health data, whose processing is in principle prohibited, save exceptions listed in article 9(2) of GDPR (including an EU law providing the adequate safeguards). Furthermore, DGA does not impose any obligation to create “data access bodies” which could be empowered to grant access to health data. However, the technical framework set up under DGA (e.g. secure environments) could be used by the data access bodies under EHDS. As concerns data sharing intermediaries and data altruism organisations, the DGA provides for rules which apply regardless of the concerned sectors. However, specific rules are needed for example on security in order to take into account the specificities of personal health data, already outlined in section 1.1. In addition, the DGA regulates data sharing intermediaries mainly from a competition point of view (neutrality of marketplaces for data) and does not lay down rules mitigating specific risks of primary and secondary use of health data, including on technical formats for interoperability. For these reasons, with the EHDS, it should be possible to consolidate the requirements and technical framework needed to achieve a functioning system in the field of primary and secondary use of health data complementing the DGA rules with more detailed or more practical rules considering the specific nature of health data.

With regards to Data Act proposal, EHDS would build on provisions related to portability and access of data linked to devices (medical devices and wellness apps). The Data Act may set a general portability rule for data from such devices, irrespective whether health related or not. For health data, EHDS would extend to electronic health records and medical devices feeding data to EHRs. It would build upon the Data Act and establish the standards and specifications for portability and interoperability, thus making the portability and access technically and practically possible.

With regard to the use of data from entreprises (especially commercial data) by public sector bodies in exceptional circumstances, EHDS would build upon Data Act, by providing a secure framework for processing health data through data access bodies. At the same time, unlike the DA, EHDS would ensure that data held by both public and private healthcare providers can be made available through EHDS.

The aim of establishing the EHDS is also to aid all the parties involved in Artificial Intelligence (AI) in healthcare to carry out their tasks and fulfil their legal obligations under the proposal for a regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act (AIA)) LXXXIX . The AI Act provides the framework and rules that providers of some type of AI algorithms need to comply with. EHDS can support the providers with the provision of quality health data necessary for these algorithms to perform as intended and be compliant with AIA. Health data play a key role in the training, validation, testing and post-market monitoring of AI in healthcare. The training and use of AI algorithms in health needs to take place in a way that is ethical; discrimination and other adverse effects need to be avoided. The aim of establishing the EHDS is to also aid providers and users of AI as well as notified bodies and market surveillance authorities to carry out their tasks and effectively and efficiently fulfil their legal obligations under the AIA. The possibility to access diverse and a large amount of organized data within the EHDS infrastructure that provide transparency and information concerning the characteristics of these data would lead to the speedy development, upscale and uptake of trustworthy AI in healthcare. For instance, health data within the EHDS could share common standards and/or follow common rules and guidelines on issues like annotation, labelling, prevention of bias and avoidance of errors. Additionally, information might be provided on the characteristics of data within the EHDS infrastructure that would enable the developer of AI systems to use appropriate data to train, test and validate algorithms that reflect the geographical, behavioural or functional setting within which the AI system is intended to be used. In this regard, Health Data Access Bodies and/or national bodies might be involved to develop and oversee common rules.

The Directive on Security of Network and Information Systems (the NIS Directive, 2016/1148/EU) set the first EU-wide rules on cybersecurity. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU and covers operators working in the healthcare sector. By promoting the use of compulsory common security standards and of the integration of electronic identification (eID) for healthcare professionals and patients, the EHDS initiative reinforce and complement the principles and security measures set out in the aforementioned cybersecurity regulatory framework. It is designed to enhance the security and trust in the technical framework designed to facilitate the exchange of health data both for primary and secondary use. The initiative would build on the new framework for eID, including the Digital eID Wallet. This would allow the online identification of patients. A pilot project has been launched in 2021 and aims to support the access of patients to their data, including in the context of MyHealth@EU.

The NIS Directive is being revised (NIS2 proposal XC ) and is currently undergoing negotiations with the co-legislators. It aims to raise the EU common level of ambition of the cybersecurity regulatory framework, through a wider scope, clearer rules and stronger supervision tools. The Commission proposal addresses these issues across three pillars: (1) Member State capabilities; (2) risk management; (3) cooperation and information exchange. Operators in the healthcare system remain under the scope. A proposal for a Cyber Resilience Act is also planned for adoption by the Commission in 2022, with the aim to set out horizontal cybersecurity requirements for digital products and ancillary services. The envisaged set of essential cybersecurity requirements to be laid down by the Cyber Resilience Act will be applied to all sectors and categories of digital products whose producers and vendors shall comply with, before placing the products on the market or, as applicable, when putting them into service and also through the entire product lifecycle. These requirements will be of general nature and technology neutral.

Although the horizontal initiatives affect some common issues that may be encountered in the health data sector, they often lack dedicated provisions addressing the specificities and peculiarities of the health data sector. The common provisions like those encountered in, for instance, the proposal for a Data Act, may in practice negatively impact on different sectors if no sectoral exclusions are allowed (e.g. an obligation for compensation in case of B2B data sharing could hamper the interoperability of medical devices and healthcare providers). If these proposals have provisions on health data, such as the GDPR, they do not always provide the necessary elements to translate these provisions into the expected operational practices or may only respond to some of the sectoral needs. For instance, access to health data is not immediate; the portability article excludes inferred data, such as tests or diagnoses, of data from some public healthcare providers; moreover, the portability right may be limited by the lack of interoperability between healthcare providers or cross-border.

1.3.21.3.2 Sectoral legislation

The current relevant applicable EU legal framework for the cross-border exchange of health data is laid down in the CBHC Directive. The EU supports and facilitates voluntary cooperation and the exchange of information among Member States working within a voluntary network connecting national authorities responsible for eHealth in the Member States (the ‘eHealth Network’), as well as other tasks related to patients access to data, telemedicine, interoperability of prescriptions. The EHDS proposal will repeal the relevant provisions of the CBHC Directive and replace the current article 14 (limited to governance) with completely new set of binding rules on data use and re-use. An evaluation of the key provisions related to digital health in the CBHC Directive (Article 14 and the articles related to patients’ access to their data, telemedicine, interoperability of prescriptions), as well as the national implementation of the European Electronic Health Record Exchange Format and the role of eHealth Network in this respect has been carried.

The current voluntary system to support patients’ access and sharing of health data, to deal with fragmentation and low interoperability of digital health at national and cross-border level has limited effectiveness XCI . The eHealth Network, with its voluntary structure and a decision making based on guidelines, has had a limited impact on supporting individual’s access to and control over their health data (including through the uptake and interoperability of digital health across the EU). The eHealth Network was very ineffective in supporting the re-use of health data for research and policy-making (also because its members often do not have tasks in this area at national level). On the other hand, during the COVID-19 crisis, the eHealth Network set up in a very short time two EU-wide interoperable infrastructures (the European Federation Gateway Services and the gateway for the EU Digital COVID Certificates), also supported in one case by a strong and harmonising legal basis (a regulation for EU Digital COVID Certificates XCII ).

The medical device regulatory framework is composed of the medical devices Regulation (2017/745/EU) and the in vitro diagnostic medical devices Regulation (2017/746/EU). These regulations include provisions related to the assessment and marketing authorisation of medical devices in the Union. While the CE marking of medical devices comprise some elements related to security and interoperability of the device and its platform, it does not entail elements related to the interoperability of medical devices with electronic health records, which is a fundamental aspect for data portability. EHDS aims to tackle this, including by specific mandatory standards and specifications and a certification process for those devices that process data which is core for electronic health records.

Pharmaceutical regulatory framework The EU legal framework for human medicines sets standards to ensure a high level of public health protection and the quality, safety and efficacy of authorised medicines. Additionally, EU legislation provides for common rules for the conduct of clinical trials in the EU XCIII . Various rules have also been adopted to address the particularities of certain types of medicinal products and promote research in specific areas XCIV . The EHDS initiative complements the aims and scopes of the aforementioned Regulations and Directives by providing access to a wide range of health data that could be useful for regulatory purposes and enhance and streamline the collection of the necessary health data required to assess and supervise the introduction and surveillance of pharmaceutical products and devices in the Union. The set-up of the EHDS would be an integral part of building a European Health Union, a process launched by the adoption of a first set of proposals to reinforce preparedness and response during health crisis XCV , which pave the way for the participation of the European Medicines Agency (EMA) and the European Centre for Disease Prevention and Control (ECDC) in the future EHDS infrastructure, along with research institutes, public health bodies, and Health Data Access Bodies in the Member States. The EHDS infrastructure for secondary use of health data could also support the activities of European Health Emergency preparedness and Response Authority (HERA) XCVI and “Europe’s Beating Cancer Plan” XCVII and Horizon Europe EU Mission on Cancer. XCVIII .

The EHDS proposal will ensure coherence with other sectoral regulatory frameworks. It will address the peculiarities and specific legal and securities issues related to the processing of health data both for primary and secondary use.

22 Problem definition

Figure 6 shows the link between the problems identified, their drivers and consequences. The evaluation of the existing framework under the CBHC Directive was used as a starting point for the identification of the problems and drivers.

Figure 5. Problem tree.

2.12.1 Lessons learnt from the evaluation of Article 14 of the Cross Border Health Care Directive (CBHC) Directive

The evalution of the Cross Border Healthcare Directive’s provisions related to eHealth concluded that due to the voluntary nature of the eHealth Network actions its effectiveness and efficiency has been rather limited.

Progress is slow on the use of health data for primary purpose in the context of cross-border healthcare with the MyHealth@EU platform being implemented only in 9 Member States and currently supporting two services only (ePrescriptions and Patient Summaries). The low and slow uptake is partly related to the fact that the Directive, whilst establishing the right of patients to receive a written record of the treatment carried out, does not require this medical record to be provided in electronic form. Patients’ access to their health data remains burdensome, citizens’ control over their own personal health data and the use of data for medical diagnosis and treatment is limited. While the eHealth Network recommended Member States to use the standards and specifications from Electronic Health Record Exchange Format in procurements, in order to build interoperability, their real uptake was limited, resulting in fragmented landscape and uneven access to and portability of health data.

Most Member States are expected to implement the MyHealth@EU platform by 2025. Only when more Member States will implement the MyHealth@EU platform and the developed tools, their use, development, and maintenance will become more efficient across the EU. However, advancements in eHealth in recent years call for a more coordinated action at EU level.

Nevertheless, following the outbreak of the COVID-19 pandemic in Europe, the eHealth Network proved to be very effective and efficient in times of public health crisis and political convergence following the COVID-19 pandemic outbreak.

On secondary use of health data, the eHealth Network activities were very limited and not very effective. The few non-binding documents on big data were not followed up by further specific actions and their implementation in practice remains very limited. At national level, other actors emerged on secondary use of health data than the ones represented in the eHealth Network. Some Member States set up different bodies to deal with the subject and participated in the Joint Action TEHDaS. However, neither the Joint Action TEHDaS, nor the numerous funds provided by the Commission under e.g. Horizon Europe to support the secondary use of health data have sufficiently been realized in coherence with eHN activities.

It can therefore be concluded that the current structure of the eHealth Network does not appear to be appropriate anymore, as it only allows for soft cooperation on primary use of data and interoperability, which did not solve in a systematic manner the problems of access and portability of data at national and cross-border level. Moreover, the eHealth Network is not able to address in particular the needs related to the secondary use of health data in an effective and efficient manner. The legal base for the use of health data for primary and secondary use is not sufficiently strong.

The COVID-19 pandemic has highlighted and emphasised the importance of access to and availability of public health and healthcare data beyond the Member States borders. However, progress on these issues seems to be hindered by the absence of binding or compulsory standards across the EU and consequently limited interoperability. Addressing this issue would not just benefit the patients, but also contribute to the achievement of the Digital Single Market and lowering the barriers to the free movement of digital healthcare products and services.

2.22.2 What are the problems?

As explained above, due to the voluntary measures, the current regulatory framework has shown a limited effectiveness in supporting patients’ control over their health data at national and cross-border level and very low effectiveness on secondary uses of health data. However, the COVID-19 crisis has revealed the need and the high potential for interoperability and harmonisation, building upon existing technical expertise at national level. The figure on Overview of problems in Annex 4 shows the key problems that were identified.

Individuals have difficulties to exercise their right to control their health data, including accessing and porting their data nationally and cross-borders, because of fragmented tools and infrastructures and limited interoperability between them. This hampers their access to health services and cause healthcare system ineffectiveness (reduced continuity of care) and inefficiencies (waste and administrative burden). It can result in medical errors, unnecessary repeated tests XCIX and substantial inefficiencies and costs for patients, healthcare professionals and healthcare systems C .

The problem exists both at the EU, but also at the Member States level, despite the legal provisions of GDPR in this respect. The way the GDPR has been implemented is rather fragmented and made difficult the access and sharing of health data, as shown by the table below. As described in the section 1.3, data may not be available immediately and in electronic format and the portability right does not cover all the needs of the health sector (e.g. portability of images, laboratory results, which are not provided by the data subject, data processed on other legal basis than consent or contract or data from some public entities). The Annex 8 concerning the way the GDPR has been implemented in health sector shows the high legal fragmentation, which makes difficult to harmonise the framework both cross-border and between different healthcare providers at national level.

At the same time, without the technical elements aimed to ensure interoperability, these rights are not effectively implemented. A recent study on interoperability of EHRs CI shows that access to health information for citizens has been facilitated nationwide in seventeen EU/EEA countries, while six countries have ongoing pilot projects, three countries do not offer access to health data for patients, four countries offer mobile access, and two countries still use paper print-outs. In addition, citizens of 12 countries are not entitled to choose which healthcare professional or other party can access their EHR (often, general practitioners act as 'data gatekeepers', allowing additional parties to access a patient's EHR, while in other countries, this is not possible technically). The study also shows that 18 Member States allow the exchange of health data across borders and that almost half of the Member States have devolved powers in digital health to decentralised governments, often further exacerbating the current fragmentation and patchwork of incompatible health data exchange formats and networks. Three Member States do not have rules in place for the identification and authentication of healthcare professionals. Patient Summaries and ePresription exists in two-thirds of the Member States. When it comes to connecting healthcare providers to the national EHRs, general practitioners are largely connected in 20 Member States, pharmacies are connected in 19 Member States and labs are connected in 20 Member States. Several Member States score weak on the connection of different healthcare providers to the national EHR system.

With regards to cross-border data sharing, as part of the evaluation of the CBHC Directive, the volume of patient mobility was studied. The aggregated reported data on the number of requests for reimbursement shows that patient mobility under the Directive remains generally very low. When looking at the total expenditure on cross border healthcare, in those countries that were able to provide information about the amount reimbursed for healthcare subject and/or not subject to prior authorisation in 2019, the total healthcare spending amounted to EUR 882 billion. The share of the amount reimbursed under the Directive on the total government expenditure on healthcare amounted to 0.01% (EUR 92.1 million/EUR 882 billion). Cross-border healthcare in general remains very limited, and most of the healthcare spending occurs domestically. However, it should be noted that the demand for certain cross-border health services for which interoperability is highly relevant is growing rapidly. For example, the assessment of the cross-border prescriptions use case has provided indicative evidence of an estimated increase of approximately 300% for foreign prescriptions presented to pharmacists in the EU between 2012 and 2021 (from 1.46 foreign prescriptions per pharmacy per month in 2012 to 5.87 in 2021).

When travelling or moving to another EU country, few citizens can currently share their health data with foreign healthcare providers in a language understandable to the health professional, which can lead to wrong diagnosis or treatments and impact on free movement. The overall number of cross-border transactions so far remains low compared to potential demand: over 200 million Europeans have a European Health Insurance Card and 4% of employees are nationals of another Member State CII which could benefit from cross-border provision of healthcare. Patient summaries and e-prescription services exist in two-thirds of all Member States and are most frequently accessed via online portal, but only in few countries can have them be sent or received across borders and 11 countries are still using paper printouts for prescriptions CIII . Through MyHealth@EU CIV , 10 out of 27 Member States allow their patients to share their patient summaries and ePrescriptions with healthcare providers in other Member States, in the language of the country of destination. Since 2019 over 21,000 ePrescriptions have been dispensed and over 300 patient summaries have been accessed in other countries and other languages than the country of the origin of the patient. The number of ePrescriptions dispensed remains far from the target number of up to 8 million prescriptions issued in another Member State than the Member State where the patient tries to have them dispensed CV .

In an online stakeholder survey, a broad majority of consulted respondents (>80%) agree that lack of practical data portability driven by strong rules on interoperability drives healthcare costs up through repeated testing and examination, slows down time to diagnosis and treatment and increases the risk of errors CVI . Access and sharing of data are important for stakeholders, particularly the right to access one's health data in electronic format, including those stored by healthcare providers (88%), right to transmit one's health data in electronic format to another professional/entity of one's choice (84%), the right to request healthcare providers to transmit one's health data in one's electronic health record (83%), and the right to request public healthcare providers to share electronically one's health data with other healthcare providers/entities of one's choice (82%). 80% of EU citizens consider that a European framework on the access and exchange of personal health data should aim at facilitating the delivery of healthcare for citizens at national level and 84% abroad. 85% of EU citizens that participated in the public consultation believe that a European framework on the access and exchange of personal health data should aim at promoting citizens’ control over their own health data, including access to health data and transmission of their health data in electronic format. More details concerning the opinion of different stakeholder group can be found in Annex 2.

Due to different standards and limited interoperability, manufacturers of digital health services and products face barriers and additional costs when entering the markets of other Member States, hampering their competitiveness. The digitalisation of health systems is limited and often the health IT solutions, whether they are health apps, medical device software, EHR systems or other health software, are not interoperable amongst each other, causing lock-in situations and inefficiencies in the provision of health and in the reuse of health data. The Commission has adopted the Recommendation on European Electronic Health Record Exchange Format (EEHRxF) CVII and the eHealth Network recommended CVIII all the national and EU procurers to require EEHRxF standards and specifications to ensure national and cross-country interoperability. However, the implementation of these recommendations remains uneven is: four Member States do not have a fully functioning EHR system, six show an overall low level of use across all EHR data types, whilst only four have a very high level of use CIX . The voluntary recommendations on the EEHRxF have had little effect in promoting interoperability amongst health software solutions CX . Annex 10 provide an overview of the interoperability challenges and the opinions concerning the EEHRxF Recommendation.

The ePrescriptions, another information domain in the Recommendation also shows a mixed picture: in only half of EU Member States, the pharmacy sector in Europe is almost completely connected to national EHR systems and service-related data is being exchanged between pharmacies and EHRs. Five countries do not have an ePrescription system in place. At the same time, the limited use of ePrescriptions come with costs, as ePrescribing reduces medication errors. According to the Estonian Health Information Fund, 80,000 patients (6% of the total) could benefit from error reduction thanks to ePrescribing, while errors in prescription were down by 15% in Sweden CXI . ePrescribing systems can also provide useful data on patients’ adherence to prescribed medications CXII . When it comes to coding and structuring data, in most countries, the amount of clearly structured electronic health data is low and most of them do not maintain any programmes to train healthcare staff or to audit data quality CXIII . Moreover, only half of EU countries implement measures and perform mapping activities to international standards (including those in the EEHRxF Recommendation) to enable interoperability with digital health systems in other countries CXIV . Nine out of 27 Member States and Norway indicate to not refer to EU-level guidelines and documents on the patient summary and ePrescription/eDispensation in national policy documents and 19 do not refer to these resources in legislation documents. Although almost two thirds of EU countries have enacted compulsory technological standards, only half of national digital health authorities promote the use of the EU tools and building blocks of the MyHealth@EU CXV .

While the cooperation at EU level has focused mostly on interoperability of EHRs, some countries have started to implement legislative frameworks on assessment, reimbursement schemes, labelling and certification for the adoption of digital health, such as DiGA framework in Germany CXVI , the mHealth pyramid in Belgium CXVII , ANS eHealth label and HAS mHealth in France, or MAST CIMT in Denmark CXVIII (a more comprehensive overview is available in Annex 7). Some of these systems, such as DiGA take medical devices, analyse them from the perspective of interoperability with electronic health records and impact on health and propose them for prescription or reimbursement by healthcare providers. A similar system is being implemented by Belgium CXIX . France is also working on a law for a similar system. The United States also analyses the interoperability of medical devices with the hospital environment, but also with the electronic health records CXX . This analys is often done by digital health bodies (not notified bodies). However, this approach remains limited, and many Member States requested a mutual recognition of such products. The first technical specification on a quality label for health and wellness apps was published by ISO, CEN and IEC in 2021 CXXI . Although the volume of applications approved for prescription is currently very low, e.g. with only 24 mobile health applications approved for a population with statutory health insurance of over 70 million CXXII , as long as these approaches continue to be implemented without a common framework, there is an increasing risk of fragmentation within the EU. This adversely affects companies wishing to operate across the European digital single market, as their cross-border operations are hindered by differing digital structures, differing data formats and incompatible infrastructures. This is in line with the views of industry representatives who indicate that the European market is fragmented, with significant barriers for operation in more than one country CXXIII CXXIV .

Individuals cannot benefit from innovative treatments and policy-makers cannot react effectively to health crises, due to barriers impeding researchers, innovators, policy-makers and regulators to access health data. The evaluation of the digital aspects of the CBHC Directive shows a very low effectiveness of the eHealth Network in dealing with secondary use of health data, while new entities (such as Health Data Access Bodies) have started to emerge in several Member States. Divergent rules and frameworks, prevent data holders from facilitating reuse of health data CXXV . The over-reliance on consent (which can be difficult CXXVI and costly to obtain) and a lack of specific Member State law has increased the costs for research. The wide variety of GDPR legal bases applied by different data holders in different Member States has made cross-country studies very difficult, as data re-users must comply with different requirements in each jurisdiction CXXVII CXXVIII .

As indicated by experts consulted on pharmaceutical regulatory frameworks, currently, studies which inform regulatory decisions are often performed in a small set of databases clustered in a few EU Member States, limiting geographical and demographic representability. To overcome this fragmentation and the reliance on consent, some Member States started to adopt national law for processing health data for public interest, scientific research and policy making. For instance, 13 Member States have started to put forward more centralised national systems to provide access to data, but there is no link between them at EU level, the system remains fragmented and there ae differeencies between their tasks, even though they share many commonalities. Some Member States support access to data held by the original controller, others act as a Health Data Access Body. The best-known Health Data Access Bodies are Findata, French Data Hub, German Forschungsdatenzentren, Danish and Norwegian Health Data Access Bodies CXXIX (details about the state of play are available in Annex 9).

During the public consultation, several barriers were identified by both the Member States and stakeholders, which include the divergencies in national legal frameworks and practices, which have repercussions on standards adopted and interoperability, as well the different national healthcare systems across Member States. Some Member States mentioned that one of the main issues was the sensitivity of the data which may make it difficult to transfer across countries on an individual level. This is aggravated by different data anonymization procedures across institutes and countries, as well as varying interpretations of GDPR. Other Memebr States stated that the different legal grounds for data sharing across Member States may require the researchers to travel across borders if the data must stay within a country. Furthermore, it was noted that data is currently not organized in one data centre base as various data sources are not linked in a structured way. Some decentralised countries underlined that most data collections for secondary use happen at the local level. Therefore, considerable collaboration between the public and private spheres would be needed. Several Member States underlined the need to ensure adequate financial resources. Moreover, interoperability issues could arise as some countries do not have plans to even introduce patient summaries. Some Member States also admit having difficulties with the legislation allowing for data sharing within the country, which would only be exacerbated at international level.

Table 1. Key characteristics of data governance bodies (‘centralised’ governance bodies) CXXX (for some Member States information is missing, either as the country correspondent did not consider the body as a centralised body or the information was missing).

Exists at national level		13	BG, DK, DE, IE, GR, FR, CY, MT, NL, PT, SI, SK, FI, [UK]
Public sector entity		13	BG, DK, DE, IE, GR, FR, CY, MT, NL, PT, SI, SK, FI
Hosts data		8	FR, BG, DK, DE, GR, NL, FI, SK, [UK]
Provides access to data stored with the original data controller		2	RO, FI, [UK]
Type of data to which access is provided	Primary care electronic health records	5	DE, MT, NL, PT, SI
	Hospital electronic health records	7	DK, DE, FR, MT, NL, PT, SI
	Social or long-term care	4	DK, DE, NL, SI
	Health insurance claims data	5	DK, DE, GR FR, NL
	Prescribing and dispensation records	7	DK, DE, GR, FR, NL, PT, SI
	Disease registries	7	BG, DK, GR, MT, NL, PT, SI
	Bio banks	1	DK
	Genomic data bases	1	DK
	Linked health, social and environmental data	6	BG, DK, DE, MT, NL, SI
	Other	3	IE, CY, FI
Available for research for health system monitoring, manage-ment and evaluation by a public sector entity (Function 2)		12	BG, DK, DE, IE, GR, FR, CY, MT, NL, PT, SI, FI, [UK]
Available for research for medi- cines and device monitoring and evaluation (including pharmaco-vigilance) by public sector organisations (including regulators) (Function 2)		10	BG, DK, DE, IE, FR, CY, MT, NL, SI, FI, [UK]
Available for scientific research by not-for-profit and academic organisations (Function 3)		12	BG, DK, DE, IE, GR, FR, CY, MT, NL, PT, SI, FI, [UK]
Available for scientific research by commercial scientific organisations (including pharmaceutical and medical technology industry) (Function 3)		10	BG, DK, DE, FR, CY, MT, NL, PT, SI, FI, [UK]
	Possible under the same conditions as for public entities	5	BG, FR, MT, NL, FI
	Possible under different conditions	3	DK, DE, SI
Available for scientific research by any commercial organisation (Function 3)		4	BG, DE, SI, FI
Available for data requests from researchers in other EU MSM		5	DK, DE, FR, NL, FI, [UK]
Charges access fees	No	5	GR, FR, CY, MT, PT
	Yes	6	BG, DK, DE, NL, SI, FI
	Same fee for all	4	BG, DK, NL, FI
	Differentiated fees	2	DE, SI

According to a report by Deloitte CXXXI , productivity of research and development in the biopharmaceutical sector has steadily decreased over the last decade, while the cost of bringing of a new product to market has significantly increased CXXXII . If this trend persists, the industry will see less and less incentives to invest in the risky and costly search for health innovations, limiting their future ability to provide innovative health products to tackle current and emerging health needs.

Similarly, the health data reuse ecosystem is characterised by fragmented infrastructures CXXXIII , structured around health-specific subdomains and limited interoperability. The lack of re-use of health data also poses problems for the work of regulators, which rely on Real World Evidence to check for the effectiveness of medicines. This can also stifle innovation and the development of new medicine, which in turn affects patients. Data quality issues play an important role as the data collected must fulfil certain uniform standards to be fit for purpose. The various degrees of data quality and availability across Member States and health subdomains also impacts on the ability to develop and evaluate AI algorithms, as health data that is comparable and representative of the EU’s population becomes difficult to obtain.

2.32.3 What are the problem drivers?

There are fragmented and limited tools for timely access to health data in electronic format and their digital transmission causing cumbersome problems for individuals to access and control their own health data, including in the cross-border setting. Not all the Member States have set up EHR systems and not all of them are interoperable between healthcare providers or with different data sources (e.g. mHealth, telehealth) CXXXIV CXXXV . In a third of EU countries, digital health policy is not integrated into general healthcare policy CXXXVI . Divergent regulations at Member State level CXXXVII do not enable sustainable data-sharing amongst stakeholders and exercising portability of health data, both nationally and in the cross-border context. While the 'right to access one's health data in electronic format, including those stored by healthcare providers (public or private)' was deemed by 88% of the respondents in the public consulation as the most important right, evidence CXXXVIII shows that, while legislation in almost all (93%) Member States enables the electronic storage of health data, support for the access to and sharing of health related data is missing from legislation in almost one third of Member States. In 43% of Member States, legislation and national rules do not allow citizens to choose whom to provide access with to their health data. In 57% of Member States, less than half of Patient Summaries are consulted by a health professional in another medical institution. Imaging reports are predominantly exchanged non-electronically CXXXIX . At cross-border level, half of the EU population has a European Health Insurance Card and could potentially benefit from healthcare abroad, only 7 Member States (less than 10% of EU population) are able to share or consult patient summaries from another Member State through MyHealth@EU, and medical images are not exchanged yet. Preliminary results in the context of the evaluation of the CBHC Directive indicate that almost 8 million cross-border prescriptions are presented for dispensation per year in EU, with a non-dispensation rate CXL of 46% CXLI , which could generate up to EUR 240 million in unnecessary costs yearly CXLII .Verification and language issues and missing information are the key problem drivers for non-dispensation. These could be solved by the full rollout of cross-border services in MyHealth@EU CXLIII .

Limited legal and technical interoperability, including in relation to cybersecurity and data protection aspects, across Member States are barriers for providers of digital health services and products when entering the markets of other Member States. As shown above and in Annex 10, there is low and fragmented implementation of common standards and specifications at national and especially EU level. Many healthcare providers implement un-interoperable/locked in IT systems, which would require significant investment to be upgraded and contribute to perpetuate the lack of interoperability. Over the past 10 years, European cooperation has focused on data domains and interoperability of EHRs. However, with the deployment of other digital health technologies (such as wearable and mobile), Member States have started to develop separate national schemes to support uptake according to national needs, but without a common EU framework for assessing interoperability and cybersecurity, which are fundamental for the secure flow of health data in the single market. This is caused, at least partly, by the fact that by a lack of specific mandate of the EU and the eHealth Network in this area CXLIV . EIT Health analysed several use cases in digital health and concluded that a consolidated European assessment framework for digital health solutions could easy the route to market for small companies CXLV . The Data Act proposal will provide a general obligation to make data accesible and portable for the user of product or related services. But it is limited to tangible item and may not cover purely software or service-based health systems, such as electronic health records. Moreover, it will not impose specific standards and specifications that EHDS would come forward for the health sector.

Fragmented and divergent legal and administrative rules, frameworks, processes, standards and infrastructures for health data reuse restrict the access of researchers and innovators to health data, limiting the availability for individuals of innovative health products and services based on health data use and reuse, and reduce the access of policy-makers and regulators to health data for their tasks and to react to health crises, hampering optimal decision-making and particularly effective crisis management. 89% of respondents to the public consultation from all stakeholder groups completely agree that the European framework on access and exchange of personal health data should support and accelerate health research. Annex 10 shows the current fragmentation, at Member State level, of the legal basis available to researchers for the reuse of health data initially collected for healthcare purposes. Almost half of the Member States do not have any specific legislation for such reuse and rely on the provisions of the GDPR. Other Member States provide a legal basis based on public interest outside the traditional requirement of consent and rely on an independent public body for this (i.e. a Health Data Access Body CXLVI ). Not all the Member States have a Data Access Body, but where such a body exists, the demand is very high (the Finnish Health Data Access Body, Findata, has an average queueing time for data permits of around 7-9 months CXLVII , while the Danish counterpart has an average processing time of over 100 working days). There is also a need for cross-country cooperation between existing data access bodies. Data quality issues, such as lack of accurate metadata, divergent data collection procedures or unstructured data, pose a key challenge for extensive data-sharing, use and reuse in health. Most health data is unstructured CXLVIII , often fragmented, which becomes a barrier for the use and reuse of health data due to low technical and semantic interoperability CXLIX CL CLI . These challenges have become even more apparent during the COVID-19 pandemic, as researchers, innovators and policy-makers have struggled to gain access to comparable health datasets in a timely manner CLII .

2.42.4 How will the problem evolve?

Several problems will persist if no EU action is taken. The cross-border exchange of health data will remain limited, the expansion of MyHealth@EU will progress at a slow pace on a voluntary basis only and the barriers to a single digital health market will equally persist. With a slower uptake of digital health, patients will continue to experience disruption to continuity of care and healthcare providers will continue to struggle with accessing medical information timely in the provision of care, causing inefficiencies and ineffective healthcare and avoidable medical errors. Health software providers and researchers too will struggle to provide services that serve the interests of people and healthcare providers. Health software solutions will not sufficiently take into account the needs and preferences of end users, which will impede uptake from and value for the latter. Given the lack of adequate incentives for interoperability and health data exchanges, the digital health market will continue to cope with vendor lock-in situations, as there will be no common interoperability requirements facilitating provider changes and market entry. Such a situation will favour incumbents and prevent a level playing field. If the single digital health market is insufficiently supported, the uptake of digital health innovations will be slower and more expensive. Producers of digital health services will not market their products in other Member States or will incur additional costs stemming from the adaptation to the national standards. Policy makers will have insufficient access to evidence to support their regulatory activities. Citizens will continue to have limited digital access to and control over their health data in digital format, which will limit their empowerment and may weaken their trust in health technology. The limited reuse of health data for research, innovation, policy-making and regulatory purposes would hamper the introduction of more efficient and effective healthcare and public health policy.

With insufficient action taken, there will be untapped potential of digital health services and products for people and healthcare systems. Potential benefits for patients, through greater availability of health innovations, would not materialise. For example, telemonitoring can facilitate access to healthcare in medical deserts CLIII , and AI-based medical decision support systems can facilitate diagnosis and treatment, but both require extensive research and development based on health data and proper interoperability with healthcare IT systems. Lack of trust of the public in health technology tools would frustrate the potential benefits for health. In the case of a new pandemic, Europe will continue to struggle to provide data for policy making, regulatory purposes and support scientific research, statistics and innovation for the general interest.

33 Why should the EU act?

3.13.1 Legal basis

The possible legal bases for the proposed initiative are Articles 16 (personal data protection) and 114 (internal market) of the Treaty on the Functioning of the European Union (TFEU).

The initiative will build on the possibilities offered by articles 9(2)(h), 9(2)(i) and 9(2)(j) of GDPR to use the data for healthcare and re-use it for public interest and for scientific research. Therefore, the initiative has two purposes: to further strengthen the rights of individuals in relation to control of their personal health data, building upon the rights already provided by the GDPR; to promote the exchange of health data for healthcare provision, to facilitating access to health and relevant social data for further processing for research, innovation, policy-making and regulatory decision. Health data are particularly sensitive data and their treatment is already strictly regulated by GDPR, which stipulated that national or EU law making use of e.g. Articles 9(2)(i) and 9(2)(j) must lay down suitable and specific safeguards The GDPR provides important safeguards in relation to rights of individuals over their health data (even though some additional requirements are needed for health sector CLIV ). However, as outlined in section 1, in practice, in the field of health data, limited harmonisation of requirements and technical standards implemented at national and EU level do not allow to implement these provisions in practice for every individual. Therefore, there is a need to introduce additional legally binding provisions and safeguards, as well as design specific requirements and standards in order to fully implement the rights provided in the GDPR in the field of the processing of health data and take advantage of the value of health data for the public interest. Hence, to the extent that Article 16 TFEU prescribes the purposes of both the protection of personal data and the free movement of such data, it is deduced that Article 16 TFEU is a relevant legal basis for the proposed initiative.

Digitalisation and data are transforming the way of healthcare is provided, in many cases offering an alternative to traditional physical interactions, which has a particularly beneficial impact for remote and rural areas. However, the growing diversity of national laws, regulations and administrative actions lead to obstacles to the free movement of data, which has a substantial impact on the free movement of digital technologies in healthcare that contact such data (including AI systems), the free movement of persons, as well as creating distortions to competition. Some Member States, for example, have already developed often different national or regional rules for the standards related to development and recognition of new digital health services and products, but others have not. This will likely lead to a further fragmentation of the internal market, as providers of these digital health products and services will need to adapt to these different rules when marketing and competing on digital health products and services.

The obstacles to free movement and distortions of competition have a detrimental impact on the functioning of the internal market. EU action on the basis of Article 114 of the TFEU can be taken for the purposes of the approximation of the provisions laid down by law, regulations or administrative actions in the Member States when it has as its object the establishment and functioning of the internal market. The measures assessed in this impact assessment for creation of an EHDS aim to improve the conditions for the establishment and functioning of the internal market for digital health and data and actually contribute to eliminating the obstacles to the free movement of healthcare goods and services.While a smoother flow of health data could eventually contribute to the protection of human health (through better, more efficient and targeted healthcare, more powered research and better tailored public health policies), the main drivers of this initiative are the free movement and protection of (non-)personal data and the internal market, which will reflect the selection of legal basis for the legal proposal. The EHDS is a tool aimed to improve access to quality health data for both primary and secondary use. It will be the task of data users to implement uses that could improve the health outcome of data subjects. Thus, Article 168 was not selected as a potential legal basis since the effect of such a tool on health outcomes is a secondary effect of the main aims of the initiative. Moreover, Article 168 of the TFEU provides for a more limited scope for Union intervention, which would not allow to tackle the problems that have been identified in the problem definition, such as supporting control of patients over their health data by improving interoperability, allowing the digital health products and services to circulate freely within the EU and re-using health data.

3.23.2 Subsidiarity and Proportionality

Even though the GDPR provides some extensive rights concerning individuals’ access to and transmission of their health data, their practical implementation is limited by low interoperability, which has been addressed so far mainly through soft law instruments. Such difference in national standards and specifications can also prevent producers of digital health services and products to enter new markets, where they need to adapt to new standards. Evidence from the public consultation shows, there is support for being able to transmit data from mHealth into the EHR systems (77%) and for the introduction of a certification scheme to assess interoperability of digital health products and services (52%). As the evaluation of Article 14 of the CBHC Directive shows, the approaches taken so far, consisting of low intensity/soft instruments, such as guidelines and recommendations aimed to support interoperability, have not produced the desired results. Moreover, national approaches in addressing the problems have only limited scope and do not fully address the EU-wide issue.

A true internal market of digital health products and services is promoted when people can take their health data with them and when health data can be accessed cross-border, while respecting data protection rules and a high level of security. The COVID-19 pandemic and EU Digital COVID Certificates shows that a strong legal basis and a common EU approach to use of health data for specific purposes, as well as EU efforts to ensure legal, semantic and technical interoperability, can significantly support the free movement of people and can transform the EU into a global standard setter. Therefore, EU-wide action in the content and form indicated is required to promote cross-border flow of health data and such action does not exceed what is necessary to achieve the Treaty objectives.

The extensive use of facultative specification clauses under the GDPR at national level CLV created fragmentation and difficulties for accessing data, both at national level and between Member States, impacting on the possibility of researchers, policy makers and regulators to carry out their tasks or to do research or innovation, with negative effects on the European economy. Moreover, Member States’ health datasets often lack the diversity or size required to detect weak health pattern or to being suitable for machine learning. Accessing EU-wide health datasets is a necessity, for actors in this domain can develop more accurate and inclusive AI-based devices solutions and AI algorithms.

The current situation of fragmentation, differences and barriers to access and use health data, shows that action by Member States alone is not sufficient and may hamper the rapid development and deployment of digital health products and services and of AI. Moreover, GDPR foresees the possibility of an EU law as the legal basis for processing health data for research, innovation, policy making, regulatory purposes and statistics. As analysed in section 6, concerted actions by all Member States will reduce the economic and administrative burden to access health data, supporting single market. The detailed analysis on the proposal’s financial impacts indicates that action at EU level complies with both the principle of subsidiarity and proportionality. Furthermore, the analysis on the impacts of different policy options, including economic, social and environmental, international impacts as well as impacts on fundamental rights, single market, competitiveness and SMEs show in both qualitative and quantitative terms that the Union objectives in question can be better achieved at Union level. Additionally, the detailed analysis of the different possible options in pursuing the Union objectives indicate the content and form of Union action that does not exceed what is necessary to achieve the objectives of the Treaties.

44 Objectives: What is to be achieved?

4.14.1 General objective

The general objective of the intervention is to establish a genuine single market for digital health and to ensure that individuals have access to and control over their own health data, can benefit from a wealth of innovative health products and services based on health data use and reuse, and that researchers, innovators, policy-makers and regulators can make the most of the available health data for their work, while preserving trust and security.

4.24.2 Specific objectives

4.2.14.2.1 Empower citizens through increased control of their personal health data and support their free movement by ensuring that health data follows them (SO1)

The EHDS would aim at empowering citizens through increased digital control of their personal health data and support their free movement by ensuring that health data follows them. The Public Consultation findings show that there is wide support for EHDS to promote citizens’ control over their own health data, with 85% of EU citizens, 83% of public authorities and 94% of industry supporting this objective. With measures strengthening the control of individuals over their own health data, the EHDS would allow health data to be used when and where individuals need it, regardless of the data source (e.g. EHR systems, medical devices, or wellness applications) or type of data controller (public or private), promoting continuity of care and patient safety. This empowerment of individuals will also help build confidence of society in the use and reuse of health data. The availability of the necessary health data when receiving health services, combined with a faster digitalisation in healthcare, would contribute to mitigate some of the inefficiencies in the health sector.

4.2.24.2.2 Unleash the data economy by fostering a genuine single market for digital health services and products (SO2)

The EHDS would aim at unleashing the data economy by fostering a genuine single market for digital health services and products. It will tackle issues related to interoperability, security and other related aspects in the exchange, use and reuse of health data for the provision of healthcare, research and innovation, policy-making and regulatory activities. The Public Consultation findings show that there is wide support for the EU to establish interoperability standards for secondary use of health data, with 88% support from public authorities and 91% support from industry. By addressing interoperability discrepancies within the single market, the EHDS would reduce obstacles to the free movement of goods and services, as well as distortions of competition within internal market, thus increasing efficiencies, the societal and economic welfare of individuals, manufacturers and healthcare providers.

4.2.34.2.3 Ensure a consistent and efficient framework for the reuse of individuals’ health data for research, innovation, policy-making and regulatory activities (SO3)

The EHDS would aim at ensuring a consistent and efficient framework for the reuse of health data in the EU, particularly regarding the handling of health data requests, access procedures and secure infrastructures, and common governance mechanisms. The Public Consultation findings show that there is great support for EU coordination to bring together national bodies on secondary use of health data on a range of issues, with 59% support from public authorities, 73% from EU citizens and 75% from industry. Reuse, or cases for secondary uses of health (including electronic health records, registries and networks of registries, genetic data etc.) and social data (including claims registries and other relevant information), on the basis of public/general interest are defined broadly as falling under four five categories, both for public or private entities: covering research, innovation, policy-making and regulatory activities and personalised medicine. This should enable trustful reuse of health and relevant social data for the public good, producing value for society, under strict control and safeguards to ensure respect for high standards of data protection and security and privacy, regardless the nature of the reuser (public or private entity). It would also impact on the data quality, as well as on the capacity of producing more effective policies and more research and innovation, by making data cheaper. Such a change would be possible by progressively shifting from a situation where data is obtained almost exclusively based on consent, which is very costly or not feasible in case of big cohorts to a situation where access to data can be done against a fee, which may often be cheaper (for more details, see the economic analysis of options 2 and 3 on secondary use of data and Annex 5 on methodological approach). The high demand towards the existing data access bodies reveals this situation.

4.34.3 Objectives tree/intervention logic

Figure 6. Intervention Logic.

Figure 6 shows the intervention logic based on the presented general and specific objectives, problem drivers and problems.

55 What are the available policy options?

Three policy options, with increasing degrees of intensity, are presented in Table 2 and 3. The policy options build upon horizontal and sectorial existing and planned legislative frameworks, particularly on the Data Governance Act (DGA), Data Act and the GDPR, as explained in the Introduction and Annex 6. All three options benefit from a horizontal set of safety and security measures to ensure individuals trustworthiness on the European Health Data Space. These measures include:

Primary use of health data: health data is collected, stored, and in many cases also exchanged already now. The exchange is done through point-to-point encrypted connections, or in some Member States through national systems. The goal is to enable more Europeans to benefit from the availability of their data for a seamless diagnostic and treatment, also building on the Data Act. Under options 2 and 3, information blocking by healthcare providers and digital health services would be prohibited. Minimum requirements for data security will be defined and digital health products would show compliance with these requirements. Cross-border exchange of health data in MyHealth@EU is performed through National Contact Points for eHealth that have undergone audits/compliance checks. The audits include criteria related to information security, but also data protection, including Data Protection Impact Assessment. Similar mechanisms are envisaged for the infrastructure on secondary use of health data. With regards to data being shared with third country healthcare professionals, this may be done by the patient on a smart device. Online sharing/access of health data between systems is politically very sensitive and requires careful assessment from data protection and security perspective, as third countries need to meet the EU criteria.

Table 2. Overview for primary uses of health data (covering mainly SO1 and SO2).

Measure/ dimension	Baseline: Voluntary cooperation	Policy Option 1: Strengthened EU coordination & soft regulatory measures	Policy Option 2: Regulatory intervention with medium intensity	Policy Option 3: Regulatory intervention with high intensity
Individuals’ and health professionals’ access and control over health data (SO1)	General provisions in the GDPR and Data Act, no specificities for health	Guidelines for control over health data	Right of patients’ control over health data in electronic format established at EU level	Same as Option 2
Scope of data domains (SO1, SO2)	Guidelines on interoperability of data domains in the European electronic health record exchange format (EEHRxF) CLVI	Guidelines on EEHRxF and other data domains (e.g. mobile heath)	Implementing/delegated acts on interoperability, security, data protection for data domains covered in the EEHRxF; adding other data domains in digital health through tertiary legislation	Same as in Option 2
Quality and interoperability requirements	-Requirements established nationally - Guidelines/recommedations focusing on interoperability of data domains for EEHRxF, and on identity management	-Same as in Baseline -Guidelines on interoperability of data domains for EEHRxF and other digital health domains, and identity management -Voluntary quality label for interoperability of EHR systems, digital health products and mobile wellness applications	-Minimum EU mandatory requirements for EHR systems and medical devices that can input data in EHRs; Mandatory self-declared quality label scheme. -EU recommended specifications for wellness applications; Voluntary self-declared quality label Option 2+: Minimum EU mandatory requirements for EHR systems and medical devices that can input data in EHRs. - Mandatory third-party certification for EHR systems and medical devices entailing EHR data domains; progressive adding new devices, as standardisation advances. - Recommended EU specifications for wellness applications. Voluntary self-declared quality label - Enrollment of the certified and labelled products in an EU database.	- Minimum EU mandatory requirements for EHR systems, digital health products that are medical devices and certain wellness applications - Mandatory third-party certification scheme for EHR systems, digital health products that are medical devices and wellness applications
Cross-border health data sharing (SO1, SO2)	Voluntary deployment of MyHealth@EU; Guidelines	Same as in Baseline	Mandatory deployment of MyHealth@EU with a timeline for different existing services and possibility of new services	Same as in Option 2, stricter timeline for existing services
Governance and EU cooperation (SO1, SO2)	Voluntary cooperation of national digital health authorities (eHealth Network)	Mandatory network of national digital health authorities (strengthened eHealth Network)	Designation of national digital health authorities for the implementation/ enforcement of rights and requirements EU coordination: expert group on primary use; cooperation with other groups (cybersecurity, eID, data protection etc); binding decision-making through implementing/delegated acts	As for option 2 (national authorities&tertiary legislation) EU coordination : existing EU body (European Digital Health Body) Option 3+: A new EU body

Table 3. Overview for secondary use of health data (covering mainly SO2 and SO3).

Measure/ dimension	Baseline: No EU cooperation framework	Policy Option 1: Strengthened EU coordination & soft regulatory measures	Policy Option 2: Regulatory intervention with medium intensity	Policy Option 3: Regulatory intervention with high intensity
Reusers’ access to health data (researchers, innovators, policy-makers and regulators) (SO3)	Multitute of regimes: national legislation or consent; EDPB guidelines on research	Same as in Baseline Guidelines on reuse of health data	Common European legal basis for reuse (public and private reusers and data holders) with safeguards (health data access bodies/DAB, secure environments)	Same as Option 2
Types of data in scope for reuse (SO3)	Defined in separate national legal bases; GDPR and Data Act	Same as in Baseline Guidelines on types of data for reuse and on voluntary sharing	Specific categories of data defined in the European legal basis (clinical, administrative, social, enriched data); Data Act obligations for commercial data	Same as Option 2
Data altruism (SO3)	Data Governance Act (DGA) applies	Same as in Baseline	Supervision of data altruism by Health Data Access Bodies (cooperating with DGAbodies)	Same as Option 2
Digital infrastructure for secondary uses (SO3)	- Possible disease-specific infrastructures; - No common EU infrastructure	Extend (MyHealth@EU) to secondary uses of health data; Guidelines for voluntary participation in infrastructure	Mandatory participation in a new decentralised EU- infrastructure for secondary use (data access bodies, research infrastructures, EMA, ECDC, HERA); -Access to EU held data may be provided by respective institutions, including through EHDS infrastructure -Implementing/delegated acts	Mandatory participation in a new centralised EU- infrastructure. The European Health Data Access Body (EHDAB) intermediates communication in infrastrucrure, provides access to cross-country registries and EU level data
Data quality (SO3)	No common data quality standards and labels	Voluntary label Codes of conduct	Mandatory self-declared data quality label, describing the location and attributes of datasets provided by data access bodies; no minimum quality requirements	Certification, setting minimum mandatory requirements to be listed by Data Access Bodies and enter EHDS for data reuse
Support for AI development and verification (SO3)	Access to health data for development of AI technology based on separate national legal bases	Codes of conduct, in line with Article 69 of AIA	Health Data Access Bodies supporting providers on developing AI technologies and regulators on verification of AI technologies DABs collaborate with AIA bodies on data standardisation for AI in healthcare	Same as in Option 2, with an additional obligation to structure all health data on the EHDS according to semantics interoperability requirements
Governance and EU cooperation (SO2, SO3)	-Separate governance frameworks focused on specific initiatives -Health Data Access Bodies in some Member States as national governance bodies for health data reuse	Voluntary cooperation network of national Health Data Access Bodies (Health Data Access Network)	Designation of national digital health authorities for access to data at national level; access to cross country data: by the DAB where controller is located - Access to EU held data may be provided by respective institutions -EU coordination: expert group on health data access and reuse, data altruism, AI and data quality (Expert Group on Health Data Reuse)	Same as option 2, but an existing EU body/agency coordinates all national bodies and provides access to cross country and EU data (European Health Data Access Body) Option 3+: A new EU body tasked with the coordination of all national bodies and providing access to cross-country and EU data

Secondary use of health data: Jointly with the DGA, the EHDS would establish requirements and supervision duties, to ensure the secure and privacy preserving re-use of health data through a combination of measures. The legislative proposal will:

·Establish legal safeguards as specific data categories, suitable purposes and general conditions for the reuse of health data;

·Establish rules concerning data minimisation, pseudonymisation, ethical requirements;

·Require the use of secure processing environments when processing (reuse) sensitive personal health data, with security gates at entry (e.g. reliable identification, authentication and authorisation of users, belonging organisation and background); and security gates at exit (e.g. data export, to ensure that no re-identifiable data is exported. The pseudonymised data should be processed in the secure environment);

All three policy options are also framed according to the limitations of health data transfers and access to/from third countries as in the DGA. Third country stakeholders may access data via data access bodies, although a mechanism for identifying the requesters is needed. However, given the sensitivity of health data, the Commission could be empowered to adopt delegated acts in order to set specific conditions applicable for transfers to third-countries for certain non-personal health data categories, as per the DGA. For personal health data, the controller would need to take all reasonable technical, legal and organisational measures in order to prevent transfers or access to personal data held in the EU where appropriate safeguards for the use of data are not provided, and such transfer or access would create a conflict with EU law or the law of the relevant Member State. Specific standards and specifications could be set out for the security of the clouds/infrastructures where health data is being stored. Member States could use article 9(4) of GDPR for imposing more stringent conditions/restrictions.

The policy options build upon horizontal and sectorial existing and planned legislative frameworks, particularly on the Data Governance Act (DGA), Data Act and the GDPR, as explained in the Introduction and Annex 6.

All three options benefit from a horizontal set of safety and security measures to ensure individuals trustworthiness on the European Health Data Space. These measures include:

5.15.1 What is the baseline from which options are assessed?

The baseline is a “no policy change” scenario. Member States would continue implementing Article 14 of the CBHC Directive, supported by the eHealth Network. The baseline also takes into account the creation of common European data spaces, through the horizontal legislative framework DGA, without specific health provisions. It would also include the impact of the Data Act upon its approval which provides for limited requirements (mostly for emergency health threat) of the access/sharing of health data generated by use of smart, connected products and related services.

For the exchange of patient data for health care (primary use) this would mean that the data exchange would continue between healthcare professionals pursuant to CBHC Directive, for specific use cases and on a voluntary basis (via MyHealth@EU infrastructure). The work of the eHealth Network would continue to focus mainly EHR-relevant data domains. Individuals would continue to exercise their rights in relation to their health data granted in the GDPR, meaning the right to access their own data under Article 15 GDPR and data portability under Article 20 GDPR, where it applies. However, due to the limitations due to the fragmented implementation of Article 20 of the GDPR, they would not be able to obtain all health data related to them (including medical examination results), from all data sources (as some of them may process the data on legal bases regarding which the GDPR portability right does not apply), in a digital interoperable format. The lack of a requirement of a digital interoperable format would continue to make it difficult for citizens and healthcare providers to share data digitally with another organisation, perpetuating healthcare system inefficiencies. The COVID pandemic showed even stronger the problems related to lack of interoperability and access to health data. For instance, in order to deal with the COVID-19 patients moved between healthcare providers, the Commission modified the Clinical Patient Management System (CPMS) to allow for upload and download of the data. Meanwhile, the COVID-19 crisis also accelerated the progress in digitalisation at national level and common work at EU level (e.g. EU-Digital COVID Certificates, contact tracing apps, etc.).

Under the baseline scenario, the rules for the provision of digital health services and products, including telemedicine, would remain fragmented. Whilst important investments in digital health are foreseen under the Recovery and Resilience Facility (RRF) and European Regional Development Fund (ERDF) (around 13 billion), the standards and specifications will remain fragmented and the interoperability between countries and at national level will remain limited. The lack of interoperability would hamper the free flow of health data across the EU.

For the access to and exchange of health data for research, innovation, public health, policy-making, statistics, regulatory activities and other uses like personalised medicine (secondary use), access to data would be based on consent of the data subject, which remains expensive or Member States would continue to develop their own national policies and legislation; however, they would do so in an uncoordinated manner, as this is an area that is not properly covered by the CBHC Directive. Member States actions would be guided and framed to a certain extent by the proposal for Data Governance Act. Thematic or disease specific infrastructures would continue to be developed in an uncoordinated and non-interoperable manner undermining the possibility of big data analytics. The COVID-19 pandemic also showed the difficulties to obtain quickly reliable and comparable data on healthcare for public health and healthcare. However, COVID-19 pandemic accelerated scientific research efforts in the fight against the SARS-CoV-2 in order to produce research results as fast as possible.

The economic benefit of the baseline includes potential savings for patients due to higher uptake of telemedicine (EUR 2,478 billion), potential savings for healthcare providers due to more efficient and effective health care services and contributions to the digital health single market, and the contribution of health data sharing to R&D and data-driven innovation in health research (EUR 1.5 billion in 10 years).

5.25.2 Description of the policy options

Policy Option 1 consists of soft-law measures, supporting coordination and voluntary mechanisms (e.g. guidance) among Member States, and expands the work on interoperability of data domains in the Commission Recommendation on a European Electronic Health Record exchange format (EEHRxF) CLVII from the baseline to cover other relevant data domains in digital health (e.g. mobile health) and extends the scope to secondary uses of health data.

Policy Option 2 (and 2+) is a medium intensity legislative intervention, moving from the purely voluntary scheme of Option 1 to a regulatory framework that establishes a system of joint decision-making at European level on requirements on interoperability, security and other related aspects on Member States and market operators in the Single Market, supported by national implementation. It strengthens the rights of citizens to access and control their health data and an EU framework for re-use of health data. The governance relies on national bodies brought at EU level in expert groups that would implement and enforce nationally EU-level mandatory requirements.

Policy Option 3 (and 3+) consists of a high intensity legislative intervention, whereby an EU body, together with competent national authorities, is tasked with the implementation and enforcement of requirements on interoperability and cybersecurity. It also goes beyond Option 2 by designating a body at EU level as a European Health Data Access Body (EHDAB) for the reuse of health data held by EU bodies and for the coordination of multi-country data access requests. Here, option 3 foresees the re-use of an existing body or setting up of a new one (option 3+).

5.2.15.2.1 Primary use

5.2.1.15.2.1.1 Individuals’ and health professionals’ access and control over health data

Under Policy Option 1, the strengthened eHealth Network would issue guidance on implementing the right of citizens to access and transmit their health data and enable access to it. This will include standards and specifications.

Under Policy Option 2, the right of citizens to control their health data in electronic format, irrespective of data holder (public or private), type of data concerned, and data source (e.g. EHR systems, mHealth, telehealth, personal health data spaces or other health software solutions), will be strengthened. This would mean the rights under GDPR, such as access to data, CLVIII and portability of data CLIX between different data sources under the GDPR. The right of access would entail immediate electronic access and the portability would entail also inferred data (images, test, diagnosis), irrespective of the GDPR legal basis for processing. In order to minimise the impact on people with low digital skills, access to health data should also be provided on smart phones CLX and individuals could also request access to data in paper format. Healthcare providers and manufacturers of digital health products would be obliged to share health data with user-selected third parties from the health/social sector or with other authorities, upon user’s request and could be fined if they would not comply. This would be based on the ground of EU law as provided by Article 9(2)(h) of the GDPR (processing is necessary for purposes such as medical diagnosis, provision of health, treatment or social care services). Applicable mandatory interoperability standards and specifications necessary to implement individuals’ rights (especially access and portability) would be defined through implementing/delegated acts, with the support of the Expert Group on Digital Health. The Public Consultation findings show large support for this Policy Option, with 85% support from EU citizens, 94% support from industry and 83% support from public authorities.

Under Policy Option 3, the same rights would be established. As in Policy Option 2, there would no distinction between public and private actors when sharing of data between healthcare providers. Neither private healthcare providers nor manufacturers would be allowed to block or restrict the individuals’ rights to access and control their health-related data.

5.2.1.25.2.1.2 Scope of data

Under Policy Option 1, the scope of data covered by the European framework for primary use of health data would continue to cover interoperability of data domains in the European electronic health record exchange format (EEHRxF) (that is, patient summaries, ePrescriptions/eDispensations, laboratory reports, medical images and reports and hospital discharge reports), as in the baseline, but it would be extended to cover other data domains in the area of digital health, such as the domain of data streams generated by wearable health devices, mobile health applications or personal health data storages/data intermediation services.

Under Policy Option 2 and Policy Option 3, the scope of data domains would also be extended to other digital health areas beyond the data domains under the EEHRxF, but aspects related to security and other quality aspects would also be covered, beyond interoperability, in relation to the flows generated by these data domains. These policy options would foresee the introduction of additional data domains through delegated acts once the standardisation work has advanced. Such data domains could include rare disease data for which work has been carried out concerning minimum datasets (for example, in the context of the European Reference Networks), genomic data and data streams from medical devices and mobile health applications or other types of data, to be defined in delegated acts.

5.2.1.35.2.1.3 Quality and interoperability requirements

Under Policy Option 1, non-compulsory guidelines by the eHealth Network and soft-law mechanisms are the main policy tool to advance in the removal of barriers hampering the free movement of digital health services and products. These guidelines would codify a common EU assessment framework under the strengthened eHealth Network. The scope of Commission Recommendation on a European Electronic Health Record exchange format (EEHRxF) CLXI would be broadened to cover interoperability between EHRs, providers of data intermediation services providing electronic health records (as defined in the DGA) and other software in health, such as medical devices feeding data into electronic health records. The developments should use, as much as possible, international standards. A voluntary quality label would aim at assisting procurers of software and digital infrastructure in health with their purchase decisions through clear information on the level of interoperability, cybersecurity and other key quality aspects, taking into account and building upon the existing framework (MDR, AIA, cybersecurity). For mobile health products that are not medical devices or are not covered by the AI Act, such as wellness applications, a common EU assessment framework would be developed by the eHealth Network, building on existing international standards CLXII and another voluntary label would be developed to provide transparency to the users.

Under Policy Option 2, the guidelines would be replaced by common EU minimum mandatory requirements for the digital products mentioned above (e.g. EHR systems, data intermediation services providing electronic health records, and medical devices that can provide data into the electronic health records) that would become binding through implementing acts by the Commission, and would be prepared with the support of the Expert Group on Digital Health in consultation with relevant bodies (Expert Group on Health Data Reuse, competent bodies dealing with cybersecurity, etc.), building on existing international standards and taking into account and building upon existing tasks and legislation (MDR, AIA, etc.). When the requirements touch upon medical devices, cooperation with Medical Device Coordination Group may be envisaged. Mandatory requirements through a certification scheme granted by third parties was supported by 52% of respondents to the Public Consultation, with most support coming from EU citizens (61%) and less support from public authorities (47%) and industry (39%). For wellness apps not classified as medical devices, the standards and specifications would be recommended. Such minimum requirements could include an obligation for market operators of such products to implement interoperability requirements and specific standards and specifications (e.g. specific Application Programming Interfaces (APIs)), building upon the domains of the EEHRxF for interoperability with the digital health ecosystem, but also covering other data domains. The requirements, adopted through implementing/delegated acts, may cover additional quality aspects, including (cyber) security, technical criteria for processing sensitive personal data or data protection. The mandatory requirements may be complemented by guidance and/or codes of conduct.

Compliance with these requirements would be monitored and enforced by national digital health authorities or notified bodies (in the case of medical devices) through a mandatory label, and would be complemented by an obligation of technology providers to share health data with user-selected third parties from the health sector upon user request. Under this option, although they would remain self-declared andvoluntary for wellness apps, the quality labels would become mandatory for digital products services and products such as EHR systems, data intermediation services providing electronic health records or medical devices feeding health information domains in the electronic health records, to ensure comparability of digital health products and services across the European digital single market.

For post-market surveillance, the enforcement would be done by national digital health authorities /market surveillance authorities through ex post measures, such as fines.

Rules on conditionality of public funding on the respect of EU level standards and specifications would be introduced whenever possible, as well as conditions for using the standards in procurements. Cross-border provision and reimbursement of such services would be done in accordance with rules on social security coordination and cross-border healthcare directive. These labels would be supported by a European database of certified/labelled products that would allow for verification by consumers, procurers and other stakeholders.

Under Policy Option 2+, most elements would remain like in option 2 (including mandatory requirements for EHRs, data intermediation services providing electronic health records and medical devices that feed health information domains into EHRs and medical devices and voluntary recommended standads for wellness apps), but the mandatory label for EHR systems based on a self-declaration would be replaced by a third-party certification. For medical devices having information feeding into EHR and where the manufacturers claim interoperability with EHR systems, this would in principle be part of the performance assessment carried out by notified bodies under MDR. It may entail the cooperation with national digital health authorities to support notified bodies to check the compliance with these requirements before the device is put on the market. This is relevant to medical devices, whose components store/transfer/process data in EHR systems (images, laboratory results, structured patient data, for instance related to patient summaries, ePrescriptions, discharge reports). Other devices including other types of datasets may be added later, once the technical requirements are finalised. For wellness applications, no changes would be introduced. An EU database to record the certified and labelled products and ensure transparency would be set up. Under Policy Option 3, the measures to strengthen the digital single market in health would become more stringent. The quality labels would be replaced by third party certification schemes and would also cover certain wellness applications besides EHR systems and digital health products that are medical devices and feed information in electronic health records. The criteria for wellness applications within the scope of third-party certification would be further clarified in implementing/delegated acts (e.g. applications that, even though not pursuing a medical use, process personal data that is relevant for disease prevention or monitoring).

Overall, respondents in the public consultation believed either an authorisation scheme managed by national bodies (a mandatory prior approval by a national authority) or a certification scheme granted by third parties (a mandatory independent assessment of the interoperability level) would be appropriate (respectively 39% and 37%). The option of using a voluntary labelling scheme was the least popular (10%). There were some differences across stakeholder types. For instance, business associations were the most likely type of stakeholders to believe standards and technical requirements should be made applicable through a labelling scheme (34%, compared with only 1% of NGOs for instance), and the least likely to believe they should be made applicable by authorisation scheme (14% only, compared with 42% of NGOs and 47% of public authorities for instance).

5.2.1.45.2.1.4 Cross-border health data sharing

Under Policy Option 1, MyHealth@EU would remain a voluntary infrastructure, which is expanded to new services (laboratory results, medical images, discharge letters) and provides services enabling citizens to access their translated patient data. The identification of patients and health professionals would be based on the European Digital Identity Framework. In order to provide more specific instructions on its application in healthcare, the strengthened eHealth Network will develop voluntary guidelines for the use of eID by patients at points of care or in pharmacies, and for the identification of health professionals. In addition, it would provide guidelines on the interoperability of healthcare professionals’ registries.

Under Policy Option 2, MyHealth@EU becomes a mandatory infrastructure to cover all Member States, which would need to implement basic cross-border digital health services, covering the data sets as per above. It would also be expanded to provide access for citizens to data in the language of the country of destination and other services in relation to telehealth, mHealth, vaccination card etc. The target would be that MyHealth@EU could cover all accredited healthcare providers. The Public Consultation shows varying support for an EU infrastructure, with 71% support from EU citizens, 67% from industry and 43% from public authorities. The architecture for the implementation of specific services would be set out in implementing acts. Additional services, including advanced cross-border digital health services, or ways of implementing data access and sharing at national and cross-border level may be developed through implementing and delegated acts.

The identification of patients and health professionals would also be based on the European Digital Identity Framework. The Expert Group for Digital Health would contribute to the development of additional requirements and a minimum level of security for the electronic identification of health professionals. Additional compulsory requirements to accept eID for patient identification in points of care would be developed, building on the European Digital Identity Framework. There could also be voluntary cross-border digital services enabling the interoperability and mutual recognition of health professionals’ registries.

Under Policy Option 3, the same applies as under Policy Option 2, but would be complemented with a mandatory cross-border digital service ensuring the interoperability and mutual recognition of health professionals’ registries.

5.2.1.55.2.1.5 National governance and EU cooperation

Under Policy Option 1, Member States would be required to designate national digital health authorities. These bodies would convene at EU level in a compulsory eHealth Network, to which membership would be mandatory for all Member States. The Network will continue to issue guidelines and decision-making processes remain at national level. Collaboration with stakeholders, particularly health care professionals, would be sought as relevant, to strengthen co-creation of solutions.

Under Policy Option 2, at national level, Member States would be required to designate a national digital health authorities, supporting the implementation of the tasks below (individuals’ access to health data and sharing/providing access to the data to healthcare providers of their choice; implementation of standards, specifications and labels). Currently, such authorities exist in all the Member States and have tasks related to digitalisation, legislation on interoperability and standards etc. CLXIII Collaboration with Data Protection Authorities should be sought, to ensure treatment of non implementation of rights of individuals. Also, collaboration with notified bodies, cybersecurity authorities is necessary, especially for labels/certification. At EU level, these bodies would be brought into an expert group - the Expert Group on Digital Health, consisting of experts from national digital health authorities, which could be part of a wider governance body that would include secondary use of health data. The expert group (and its subgroups) would contribute to preparing the technical standards and specifications that would be adopted as implementing and delegated acts through comitology procedures. These standards and specifications would be implemented nationally by the digital health authorities, including through labels/certification. Additional services and ways of implementing data access and sharing at national and cross-border level (including through infrastructures, apps etc.) may be developed through implementing and delegated acts. The Expert Group on Digital Health would collaborate with the Expert Group on Health Data Reuse (5.2.1.3). Similar involvement of stakeholders as for Policy Option 1.

Under Policy Option 3, an EU body (European Digital Health Body) would be tasked with the implementation/enforcement of EU-wide requirements. Such body could be an existing one or a new one. The representatives of national digital health authorities would be brought at EU level for the supervision of such EU body. The European Digital Health Body would be in charge of the implementation of measures to ensure the fulfilment of requirements on interoperability and cybersecurity.

In all options, governance mechanisms for primary and secondary uses would collaborate closely on issues relating to data use.

5.2.25.2.2 Secondary use

5.2.2.15.2.2.1 Reusers’ access to health data (including researchers, innovators, policy-makers, regulators, but also healthcare providers for treating similar patients)

Under Policy Option 1, the European governance framework would provide guidelines on the reuse of health data, with Member States being free to implement separate laws for processing of health data or continue to process it based on consent.

Under Policy Option 2 and Policy Option 3, EHDS framework would provide a common European legal basis establishing the purposes of processing for health data reuse by third parties, with no distinction between public or private reusers or data holders, based on public interest, statistics or scientific research, alongside with the provision of the GDPR on the processing of health data based on consent. The secure provision of health data by Health Data Access Bodies, or other similarly empowered bodies CLXIV , would take place on the basis of such common EU legal basis, as possible in the GDPR on grounds of:

a)processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 9(2)(g) of the GDPR);

b)processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 (Article 9(2)(h) of the GDPR);

c)public interest in the area of public health such as the protecting against serious cross-border threats to health, ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Article 9(2)(i) of the GDPR);

d)archiving purposes in the public interest, or scientific or historical research purposes (Article 9(2)(j) of the GDPR).

Such legal basis would include specific purposes such as scientific research, development and innovation activities, national and European policy making and regulatory activities, safety of medicinal products and medical devices, combating health threats, knowledge management, steering and supervision of healthcare by authorities, planning and reporting activities, national and European statistics, education, information to healthcare professionals concerning the condition of similar patients, in order to treat another patient (e.g. for personalised medicine, identify genomic mutations that provoke certain diseases, rare diseases symptoms and treatments etc.). It would ensure that the same conditions apply throughout the EU, including common minimum requirements and safeguards (e.g. the lawful purposes of reuse, ethical and data protection safeguards, security measures, contractual commitments). It would not allow the use of data for purposes, such as marketing towards healthcare providers/professionals or change of insurance premiums for a person or group of persons.

As safeguards for processing, the conditions would mention the approval of requests for accessing the data by data access body, as well as processing in secure environments. In exceptional cases (e.g. data from one data holder), the access can be granted by the data holder respecting the conditions set out in the EHDS legislation and provided that the data is processed in a secure environment.

Policy Option 2 and Option 3 would enforce the compulsory access to and possibility of sharing of health data via Health Data Access Bodies. The provisions of the Data Governance Act on this domain would provide the technical support for the implementation of this requirement. However, the data access bodies would decide on each request, upon criteria established in EHDS law. While the processing of data would not be based on the consent of the data subjects, the policy option 2 and 3 would establish the safeguards that allow a high level of trust and security for the secondary use of data. For instance: data can only be processed for the purpose set in the law and it would be illegal to use the information against the data subject – for insurance, publicity etc; the data can be processed under EHDS framework only if the data access body provides a permit, taking into account the application submitted by the user and provided that the request meets the criteria set out in EHDS legislation; the data can only be processed in a secure environment, where the applicant has at its disposal the necessary IT tools; the data is pseudonymised by the data access body and the applicant does not have the decryption key. A compensation mechanism could also be implemented in order to determine a reasonable fee for the work of data access bodies and for the data holders in order to compensate them for the costs of access to the datasets held by them.

5.2.2.25.2.2.2 Data altruism

Under Policy Option 1, only the mechanisms for data altruism set up under the proposal for a DGA would apply and there would be no sector specific measures.

Under Policy Option 2, as lex specialis to the proposal for a Data Governance Act (DGA) and in compliance with GDPR requirements, data altruism is an opt-in system where individuals need to formally express their consent, being an active system, which requires the participation of the individual. Where data altruism is managed in the health sector by non-for profit/non-public entities, these would be supervised by the Health Data Access Bodies, in cooperation with bodies established under the DGA. Moreover, given the sensitivity of health data, specific additional requirements may be added through implementing/delegated acts under EHDS, to avoid fragmentation (e.g. processing in secure environments that need to comply with the standards and specifications set out at EU level). Where some categories of data have been processed based on consent according to national law, their further processing can be done using the EHDS mechanisms, without an additional consent being necessary. Given the absence of explicit consent of individual in such case, the data access body would monitor the implementation of such mechanism and ensure a strong protection of the rights and freedoms of the affected individual by implementing strong organisational and security safeguards.

Policy Option 3 would be the same as Option 2.

5.2.2.35.2.2.3 Types of data in scope for reuse

Under Policy Option 1, there would be guidelines on types of health-related data that could be made available for secondary use and on common modalities to facilitate access to health data for secondary use would be adopted by the EU network on secondary use of health data. This option also foresees guidelines concerning the provision for reuse (for free or against a nominal fee, covering the costs) of data that has been obtained in the framework of EHDS and has subsequently been enriched (e.g. annotated).

Under Policy option 2, the legislative framework would define the categories of health data that would be made accessible for secondary use in the EHDS and by Health Data Access Bodies. Available data could cover electronic health records, genomic data, administrative data, health research data, statistical data, claims/insurance data, relevant social data and other health-related data (from both public and private data holders/healthcare providers), data from disease registries and networks of registries. The data, including raw data or statistical data, obtained through public funding (national or EU), such as data from registries or research projects should be made available for reuse for free or against a nominal fee covering costs to make this data available. This option also foresees an obligation that data that has been obtained in the framework of EHDS and has been enriched by the user (e.g. annotated) is to be provided for reuse for free or against a nominal fee, covering the costs. Other data covered and managed by Data Access Bodies also include the data obtained from entreprises under the Data Act.

Policy Option 3 is the same as Policy Option 2.

5.2.2.45.2.2.4 Digital infrastructure for secondary uses

Under Policy Option 1, the EHDS infrastructure ecosystem would extend the current service for cross-border sharing of patients’ data (MyHealth@EU) to secondary uses of health data. The participation in the infrastructure would be voluntary. Each Member State may designate a national Health Data Access Body that would be connected to the infrastructure. Other EU bodies may also be connected to this infrastructure (such as the EMA, ECDC, HERA, etc.). Guidelines will set out the criteria for voluntary participation Also research infrastructures may connect to the EHDS infrastructure for secondary use of health data. The infrastructure, built as a peer-to-peer network, would offer the necessary means to know what institutions are connected, what data are available, and to allow the communication between the nodes of the infrastructure. The data consumer would need to submit a data access/permit application to each country’s access body and the different parties of the infrastructure will support access based on voluntary guidelines.

Under Policy Option 2, the participation in a Union-wide infrastructure for reuse of health data would be mandatory. The EHDS infrastructure ecosystem would be enhanced with new capabilities for secondary use of health data, based on a decentralised architecture (i.e. peer to peer network topology). Each Member State will need to designate a National Health Data Access Body that would be connected to the infrastructure. Criteria would be set out in the legislation for authorising the participation in the infrastructure by other stakeholders (e.g. research infrastructures, EMA, ECDC, European Health Emergency Preparedness and Response Authority (HERA)). The data consumer would have information about datasources through an EU catalogue of data and would submit only one application that is delivered to all nodes identified in the application. The approval of a data request remains an autonomous decision from each Health Data Access Body. EU institutions and agencies would provide access to relevant data they are holding, including through the infrastructure for secondary use of health data. Due to the highly technical nature of this infrastructure, Implementing and Delegated Acts would be envisaged to detail information about the infrastructure and its architecture, what and how data will be searched/accessed/exchanged, how interoperability and security will be achieved, as well as for additional services. In addition to services mentioned under Option 1, Option 2 could also support, as part of the central services, some secure environment services for pulling and analysis of data (e.g. by the Commission or by an IT provider for the Commission). Additional services and ways of accessing data may be set out in implementing/delegated acts.

Under Policy Option 3, as in Option 2, participation would be mandatory. However, the infrastructure would be based on a centralised architecture (i.e. star network topology). Under this infrastructure, a European Health Data Access Body (EHDAB) would act and work as an orchestrator, intermediating the communications between all participants in the infrastructure. Multi-country application requests would be submitted through the EHDAB. The data consumer will only need to submit one application. EHDAB would articulate with the necessary Health Data Access Bodies and the EHDAB’s access would include all underlying approvals and rejections from each Health Data Access Body. One option is that all multi-country data analysis would need to be performed in the EHDAB’s secure environment services. In addition, the EHDAB would host and provide access to transnational registries. Only certified partners would be able to join the infrastructure and EDHAB would orchestrate the implementation of the certification mechanism.

For all options, the request from data consumer must reach the relevant Health Data Access Body and, therefore, there is the need for an agreement on how an application process should look like. Without it, a data consumer may face a different process in each access body. For all options, there would be the need for central IT services to support the infrastructure. The type and range of IT services being provided at central level varies according to the policy option.

5.2.2.55.2.2.5 Data quality

Under Policy Option 1, voluntary data quality label would help to evaluate, according to a common data quality assessment framework, the quality of data (data source). The common assessment framework would be jointly prepared by the network dealing with primary and secondary use of health data, considering the interrelation between primary and secondary uses of health data regarding data quality, in collaboration with relevant stakeholders.

Under Policy Option 2, self-declared mandatory data quality label would ensure the evaluation, according to a common data quality assessment framework, of the quality of data (data source). The data quality assessment framework would provide transparency for data consumers and data access bodies about the quality of the data at source, without setting minimum data quality requirements for the data to be accessed by Data Access Bodies and would support reaching certain data-related requirements from AIA such as annotation, labelling, prevention of bias and avoidance of error. The framework would be jointly prepared by the Expert Group on Health Data Reuse and the Expert Group on Digital Health in collaboration with other relevant bodies, such as the ones in the AIA, and implemented through Implementing/Delegated acts and labels, to facilitate the reuse of health data. Pre-prepared data packages, provided by data access bodies, could support reserachers and innovators. The Public Consultation findings show there is varied support for a data quality label, with 41% support from industry and 30% support from public authorities.

Under Policy Option 3, mandatory data quality certification to ensure that only datasets that fulfil minimum mandatory data quality requirements are made available in the EHDS. These data quality certification would be prepared by an existing institution or agency would act as a European Health Data Access Body, in collaboration with the European Body for Digital Health, supporting the Commission adopting rules (through implementing/delegated acts) to facilitate the reuse of health data. EDHAB can orchestrate the implementation of the certification mechanism.Under option 3+, a new institution would fulfil these functions.

5.2.2.65.2.2.6 Support for artificial intelligence development and verification

An appropriate use of data plays a fundamental role in ensuring the trustworthiness and creating trust in AI systems. The representativeness and quality of data used for training, validation and testing of AI applications that rely on machine learning could have an important impact on the resulting algorithm’s performance including, with regard to reducing bias and ensuring that the datasets are representative for Europe. The EHDS should be coherent with the Regulation on AIA.

Under Policy Option 1, codes of conduct, in line with Article 69 of AIA would be drawn up by individual manufacturers or by organisations representing them (or by both) on quality criteria for data used in development of AI in healthcare. The quality and representativeness of a data set always needs to be assessed in view of the purpose that it will be used for and each developer of AI systems needs to ensure that training, validation and testing data sets meet the appropriate quality criteria referred to in the AIA.

Under Policy Option 2, standards and/or common specifications would be adopted under the AIA to indicate how the essential requirements under the AI Act for health data could be fulfilled. In this regard, the Health Data Access Bodies, in addition to bodies under the AI Act, would aid in developing such standards/common specifications. Additionally, Health Data Access Bodies, along with Testing and Experimentation Facilities and regulatory sandboxes as foreseen under the AIA, would aid in the implementation of the AIA. The EHDS, including through the infrastructure for secondary uses, will provide high quality data for training, validation and testing of AI systems. Moreover, it would aid regulators in terms of data to scrutinise AI algorithms (e.g. control datasets, labelling, annotation, synthetic data etc.). Following the adoption of such data standards/common specifications, suitable information would be provided on data used in the EHDS infrastructure to support developers and other interested parties (e.g. regulators) in assessing the appropriateness of those data for the development/compliance checks of AI systems. One way to facilitate this is the development of common data catalogues and/or labelling of data in a uniform manner and/or other systems to provide this information in a clear, concise and comprehensive manner to researchers, developers, start-ups etc., but also control datasets.

Policy Option 3 strengthens Policy Option 2 with an obligation to structure all health data on the EHDS according to semantic interoperability requirements. Health Data Access Bodies would ensure that data on the EHDS fulfil these requirements.

5.2.2.75.2.2.7 Governance and EU cooperation

Under Policy Option 1, there would be no specific sectoral governance mechanism established at national level other than what is indicated in the DGA (i.e. a single point of information and a support function for public bodies). Member States would be encouraged to task national bodies to have a role in facilitating access to health data for secondary use. In parallel to the eHealth Network established on primary use of health data, a voluntary network on secondary use of health data would be established with relevant representatives from Member States to promote cooperation and guidance on this distinct topic.

Under Policy Option 2, all Member States would be required to ensure that there is a national body entrusted with decision-making powers and tasks in relation to health data access by third parties for secondary use. These Health Data Access Bodies would have as primary functions to: (a) handle requests for access to health data from different sources and act as a data controller (as specified in national law); (b) to grant a licence/permit for access when conditions set out in the basic act are met and to provide the secure physical infrastructure to enable access to health data for secondary purposes, including for the training and testing of AI algorithms. The tasks of these bodies and modalities for granting access would be harmonised. Access to cross-country registries will be provided by the Health Data Access Body of the country where the controller is located. The Health Data Access Bodies designated in all Member States would support manufacturers to datasets to train AI algorithms. It would support public institutions, including EMA, ECDC and HERA, as well as private entities, to have access to health data in a secure and trusted way. They could also support the notified bodies, Testing and Experimentation Facilities under the Digital Europe Programme and medicine agencies with controlled datasets for testing the AI algorithms. These bodies would also be involved in defining the quality framework for labels on data quality. An EU expert group to the Commission (Expert Group on Health Data Reuse), which could be part of a bigger body, entailing also the primary use of health data, would support the Commission in adopting further rules (through Implementing/ Delegated legislation) to facilitate the secondary use of health data, would be created. It would also be involved in defining the rules for the infrastructure on secondary use of health data, including with regards to security rules for the secure processing environments. It would also contribute to defining the rules on data quality, in collaboration with relevant stakeholders from respective fields. Various stakeholders participating in EHDS, such as researchers or industry would also collaborate with the EU expert group, as well as civil society and patients’ organisations. Collaboration and/or representation in European Data Innovation Board (under DGA) would be ensured. Health Data Access Bodies could serve both EU and international data users (under the condition that the data is being processed on the secure data space of the DAB). The Public Consultation findings show there is great support for EU coordination of national bodies dealing with secondary use of health data, with 73% support from EU citizens, 75% from industry and 59% from public authorities.

Under Policy Option 3, going further than Option 2, an existing EU regulatory body or agency could be tasked to act as a European Data Access Body (EHDAB) to grant access to health data held in transnational databases and registries (under the same conditions than those applying for Health Data Access Bodies). This would also coordinate the work of the national Health Data Access Bodies. In the context of cross-border research, it would facilitate cross-border access to health data held by national Health Data Access Bodies or by other infrastructures participating in the EHDS infrastructure (e.g. by centralising requests for cross-border research and coordinating the approval process with national authorities, issuing guidance on data access forms and data access agreement templates, etc.). Under option 3+, a new institution would fulfil these functions and would support the work on secondary use of health data.

In all options, governance mechanisms for primary and secondary uses would collaborate closely on issues relating to data use.

5.2.35.2.3 Stakeholders’ views on different Policy Options

There is overall widespread support for the different policy options (particularly policy Options 2 and 3), perceived from the outcomes of the Public Consultation on stakeholder views.

On primary use, there is large support for the strengthening of patients’ rights to control their health data in an electronic format. 88% of respondents think EHDS should promote citizens’ control over their own health data, including access to health data and transmission of their health data in electronic format. 83% of respondents say that EHDS whould facilitate delivery of healthcare for citizens across borders. 84% of respondents say that citizens should have the right to transmit one’s health data in electronic format to another professional or entity of their choice and 82% feel that they should have the right to request public healthcare providers to share electronically one's health data with other healthcare providers/entities of one's choice. 72% of the respondents support accessing one’s health data that is exchanged between health professionals or with other entities via a digital infrastructure and 69% support this exchange to take place via an EU electronic infrastructure. 77% of respondents said it would be useful if citizens were able to transmit the data from mHealth and telehealth into their electronic health records. Respondents believed a certification scheme granted by third parties (a mandatory independent assessment of the interoperability level) would be most appropriate to foster the uptake of digital health producrs and services (52% support).On secondary use, 89% of respondents said that EHDS should support and accelerate research in health. There is support from 55% of respondents for the mandatory appointment of a national body that authorises access to health data by third parties to facilitate access to health data for research, innovation, policy-making and regulatory decisions.

The two options that respondents said were most appropriate in facilitating access to health data held by private stakeholders was to have access to health data granted by a national body (rather than by the data holder), either subject to the agreement of data subjects (most support from industry (57%), least support from public authorities (24%), or in accordance with national law (most support from public authorities (65%), least support from industry (21%)). Only a small proportion of respondents said a fee would facilitate the sharing of health data held by private stakeholders (20%), while many highlighted the limitations of using this incentive (e.g. difficult to manage, not stimulating enough to share data etc.) and a few said it would have a negative impact (e.g. potentially endangering patient interest by commercialising health data). Many respondents said that other types of incentives would facilitate the sharing of health data held by private stakeholders, such as: legal/mandatory obligations, and greater interoperability between systems, databases and registries or a more transparent system for sharing data.

A large majority of respondents said an EU body could facilitate access to health data for research, innovation, policy making and regulatory decisions if it had a number of functions, the most important ones being: setting standards on interoperability together with national bodies dealing with secondary use of health data (87% support); bringing together the national bodies dealing with secondary use of health data, for decisions in this area (79% support); and facilitating cross-border queries to locate relevant datasets in collaboration with national bodies dealing with secondary use of health data (78% support).

Overall, 67% of respondents believed the mandatory use of specific technical requirements and standards would be most useful to address interoperability and data quality issues for facilitating cross-border access to health data for research, innovation, policy-making and regulatory decision, which is in line with the policy options.

Also in line with the policy options, 65% of respondents recommended allowing access to health data by AI manufacturers for the development and testing of AI systems in a secure way (including compliance with GDPR rules), by bodies established within the EHDS, to facilitate the sharing and use of data sets for the development and testing of AI in healthcare. For more information on stakeholders’ views and different positions, please consult Annex 2.

66 What are the impacts of the policy options?

6.16.1 Economic impact CLXV

6.1.16.1.1 Baseline scenario

With regard to the costs of governance for primary use of health data, the baseline would see a continuation of current efforts in the eHealth Network. These efforts are supported and funded partially through Joint Actions, with an approximate cost of EUR 16 million over ten years. The total cost over 10 years for this governance framework, including potentially two joint actions, is expected to be approximately EUR 20 million, for the Commission and the Member States CLXVI .

With the current voluntary framework, there is no clear prospect for the completion of MyHealth@EU in terms of full geographical coverage of the EU/EEA, full deployment of data exchange services and use of common electronic identification CLXVII . Although the deployment of the National Contact Points for eHealth (NCPeHs) could be completed across 27 EU Member States, Norway and Iceland by 2027, based on the estimates from Member States, less than two thirds are expected to deploy the full portfolio of data exchange services. The costs for the partial completion of MyHealth@EU, including investments and maintenance costs over 10 years, range between EUR 165-414 million CLXVIII (assuming a costs per service between EUR 0.3-2.5 million).

At national level, depending on the existing degree of digitalisation and willingness to invest in this area, the effort to support national digitalisation and introduce nationally the digital services for the exchange of data domains in the EEHRxF could vary between EUR 3-9 billion. However, around half of Member States already have systems allowing to share patients’ data between healthcare providers, whilst several others are in the process of strengthening the level of digitalisation supported by national and EU funds. For instance, under the Multi-annual Financial Framework 2014-2020, around EUR 1 billion were allocated for digital health from the European Regional Development Fund (ERDF) and almost EUR 12 billion have been negotiated by the Commission and Member States under Recovery and Resilience Facility (RRF) in this area. Therefore, the EU funding is expected to cover most (if not fully) the national effort for digitalisation that would be needed to support patients’ control over their own health data. However, without clear efforts on standardisation and interoperability at EU level, these digitalisation efforts risk perpetuating the fragmented landscape that currently exists.

The benefits of automatic data sharing could lead to a direct financial impact is as high as 15% of hospital expenditure CLXIX , stemming from avoidance of costs associated with paper data capture, and minimisation of errors that occur from transcription of information. It can also have overall positive effects on healthcare expenditure. For instance, during the financial crisis years, digitalisation was one of the main actions taken for the countries in crisis (although the positive effect is difficult to demonstrate systematically, as the digitalisation of health and social care was part of the policy mix applied during the financial crisis in countries like Greece, Portugal, Romania that contributed to important savings and positive effects, but was not monitored separately).

For instance, according to experts knowledgeable of the digital transformation of healthcare in Portugal, the project of ePrescriptions is estimated to have cost about EUR 8 mil (EUR 2 million investment in 2013-2015, and an annual maintenance cost of about EUR 1 mil/year during 2016-2020. The cost recovery for the project was in 2 years after roll-out, the following years entailing benefits (billing costs, changes in prescription patterns etc). If Portugal had not done this project, it would have lost EUR 20 mil euros (EUR 5 mil/year for 2017-2020) (cost of not doing the project) and many other intangible savings (e.g. fraud prevention, but also winning fraud cases in court, inducement of better prescription paterns with associated healthcare gains etc). Overall, it was estimated that an annual investment/maintenance of about EUR 30-45 mil/year, Portugal created savings (on top of costs) for the NHS of over EUR 20 mil/year just in IT costs, billing and efficiencies in management (recovery of debts, better vaccination management, better procurement of medicinal products etc.). One could estimate that, between 2012-2020, the benefits may have reached EUR 160 mil (EUR 20 mil x8years (2013-2020) as direct financial benefits, for instance via nationwide available allergy records, interoperable with nationwide ePrescription and not counting harmonising practices, better control, error avoidance.

Overall, regarding the benefits for primary use of data, it is expected that the economic impact stemming from potential savings for patients due to higher use of telemedicine, more efficient and effective healthcare systems and contribution to the digital health single market would amount to EUR 2.5 billion. To this, one could add the cost of not duplicating tests. Ensuring interoperability at national level could contribute to reduce duplicated medical imaging, which is estimated at EUR 14 billion CLXX in the EU over ten years (calculated as 10% average of duplicated tests for a total of EUR 14 billion per year for examinations requiring Computed Tomography, Magnetic Resonance Imaging and PET scans). It is estimated that MyHealth@EU, in the cross-border context, could result in EUR 1.9-2.8 billion in savings through the services of electronic cross-border prescriptions (corresponding to EUR 37-52 million additional dispensations over 10 years) CLXXI and could save additional EUR 19-75 million through the exchange of medical images alone. For ePrescriptions, the estimate is based on the evaluation of the CBHC Directive, indicating that around 7.8 million cross-border prescriptions are presented for dispensation per year in EU, with an approximate non-dispensation rate of 46%, down from 55% in 2012. The lower bound assumes a 10% yearly growth in cross-border prescriptions, while the upper bound assumes a 20% yearly growth. This is expected to be a conservative estimate, given that the growth between 2012-2021 was estimated at 400%. Such benefits would recoup to a large extent the investments that would be made to set up MyHealth@EU.

Regarding secondary uses of health data, some Member States would establish national Health Data Access Bodies CLXXII to address the specific needs of health data access without a common European framework in health (the baseline assumes 16 data access bodies to be operational within 10 years, buidling upon the existing ones). The costs could vary greatly depending on national choices, e.g. whether to designate an existing body with the functions of health access bodies or whether to create an independent body such as the French Health Data Hub or Findata, but it is estimated that the establishment and functioning costs (for personnel) range between EUR 33 and 117 million over 10 years (assuming a 4 FTE team per Member State as a lower bound, and a combination of organisational arrangements across the EU -ranging between 4-FTE and 50-FTE entities, for the upper bound). In addition, there would be costs estimated at EUR 445 million for the set-up and maintenance of secure environments for data processing as infrastructure, which are included already in the framework of Article 7 bodies of the Data Governance Act (considers, as per the Data Governance Act, a set up cost of EUR 10.6 million and a maintenance cost of EUR 0.6 million yearly). The costs of data altruism authorisation framework would be aligned with Data Governance Act CLXXIII . Should access to health data continue to be organised under the current fragmented framework, the overall costs incurred by data re-users in health for cross-country researches could reach at least EUR 2.7 billion over 10 years, steming mainly from costs related to getting the consent as opposed to paying a fee to data access body (this estimate is calculated based on the monetary costs incurred by researchers or research institutions to gather the consent of data subjects (assuming 30 min required for contacting and getting the consent of the data subjects. The cost depends on the size of the cohort).

For secondary use of health data, the benefits, registerd in the value of health data could increase from the estimated EUR 25 billion to EUR 43 billion in 2028 (based on the baseline of the impact assessment of the Data Governance Act - EUR 306 billion as overall value of data in 2020, its growth by 2028 - EUR 533 billion- and the share of health in the overall value of data as proportional to the EU’s health expenditure share of the GDP- 8.3%). The investments in data access bodies could be recuperated, at least partially, through the fees charged by these bodies. Assuming a yearly growth of 5% in requests, it is estimated that these fees could amount to EUR 92-166 million (based on Findata prices, for more details, see Annex 5). The reuse of health data in the existing framework could yield additional EUR 0.8 billion in savings through information transparency for policy-makers and regulators, with initiatives such as the Data Analysis and Real World Interrogation Network (DARWIN) led by the EMA supporting regulators’ to health data CLXXIV CLXXV and contributing to more efficient regulatory and policy-making processes and improved negotiation power.

The economic contribution of the framework under Article 14 of the CBHC Directive, to the growth of the single market for digital health, as shown by the evaluation of this Article, is expected to be limited beyond MyHealth@EU, given that it does not include specific actions targeting the single market for digital health products and services. On secondary use of health data, as shown by the evaluation of the directive, the actions taken under the eHealth Network are expected to be limited, even though the Joint Action TEHDaS is expected to provide a form of cooperation. The DGA foresees a support to data holders through Article 7 bodies of DGA, which can also provide a secure processing environment. However, it is difficult to separate the impact of DGA from the impact of national law in countries that set up a data access body and it is not clear what the impact of DGA would be in the absence of a mandate to provide access to health data.

6.1.26.1.2 Policy Option 1

6.1.2.16.1.2.1 Impact of actions on primary uses of health data

This policy option is expected to have a limited economic impact, modestly above the baseline, given the voluntary nature of the considered actions. At the same time, this policy option does not provide a strong incentive to overcome the fragmentation of the internal market for digital health products and services, nor the competitiveness of the EU digital health sector. However, there is potential for savings from using telehealth services (more cost-effective) CLXXVI , as well as for a reduction of duplications and errors, direct time savings across healthcare systems, reduced hospitalisation or deterioration of health stemming from continuous monitoring of some patients, as well as a more efficient functioning of the single market for digital health services and products in the EU. The efficiency gains in healthcare are expected to result in savings for partients and healthcare providers with a net present value of EUR 0.4 billion within the first 10 years (this amount is expected to be relatively small, only 1% above the baseline, given that Option 1 continues with a voluntary framework, as in the baseline).

In Policy Option 1, the governance framework will continue to be based on a network of Member States’ authorities, including digital health authorities, which would make decisions to build and strengthen current systems for accessing and sharing health data for healthcare delivery purposes. Given the new areas of cooperation, more meetings would be necessary (as it was the case during COVID-19 crisis), generating potential additional costs (participation in meetings, mostly online, but also travel, accommodation for some physical meetings during the year, etc.). These costs, estimated at EUR 8 million above the baseline, are expected to be borne by the Commission and Member States (for the Commission and Member States, taking as a reference the current costs for the eHealth Network and the potential physical and virtual meeting needs for the upcoming 10 years).

Member States will be able to develop and deploy their national and cross-border digital infrastructures on a voluntary basis, including those linked to electronic identification in health, in a similar way to the baseline, and the services under MyHealth@EU would be extended to provide services to citizens. The strengthened mandate of the eHealth Network on the cross-border exchange of health falling within the scope of the EEHRxF is expected to promote the gradual completion of MyHealth@EU, but requiring at least 10 additional years. The investment requirements and maintenance costs for Member States and the Commission for MyHealth@EU are estimated at EUR 38-106 million above the baseline over 10 years. A faster deployment of MyHealth@EU would also yield additional savings for patients and healthcare systems, estimated at EUR 89-115 million, thanks to a reduction on the non-dispensation rate of cross-border prescriptions.

The costs for the implementation (already included in the costs of governance) and adoption of voluntary quality labels for digital health products (e.g. EHR systems, personal health data storages, mHealth products falling under MDR), and mHealth products not falling under MDR (e.g. wellness apps), based on a self-declaration, are expected to be relatively limited, between EUR 42 and 227 million. This includes the cost for internal preparations by manufacturers for the self-declaration, but not the costs of adaptation of existing products. The costs for labels are between EUR 9,000-32,000. The volume of EHRs labelled, about 1,840-3,000 over 10 years, for digital health products labelled, 1,400-2,800 and for wellness apps labelled, 1,200-2,200 over 10 years. It is assumed that labels will have to be renewed after 5 years. Moreover, given the low costs of self-declaration in combination with measures on reimbursement and compensation, it is expected that the volume of labelled applications will increase steadily across the EU and will provide further incentives for digital health developers and market operators to adopt interoperable formats and to support control of patients over their data. This is expected to contribute to a faster growth of the digital health market (5% to 10% per year), both at the EU and Member State level.

6.1.2.26.1.2.2 Impact of actions on secondary uses of health data

A voluntary basis intervention on secondary use of health data matters is expected to result in an economic impact of EUR 2.8 billion in total, over 10 years and above the baseline. Such benefits for reusers, including researchers, innovators, regulators and policy-makers, would stem from a more efficient and less costly access to health data for reusers (EUR 1.7 billion) and an increased value of health data thanks to sharing (EUR 1.1 billion) (for more details on methodology, see annex 5).

The actions on governance through the voluntary network of Health Data Access Bodies are expected to cost EUR 8-9 million for the Commission and Member States. The actions on data quality CLXXVII and interoperability are estimated to have a cost of approximately EUR 144-313 million over 10 years for the Commission and Member States (extrapolating from the current situation, the total number of data sets made available by Health Data Access Bodies that adhere to a voluntary label along for the 10 years period in all MS is expected to be 2 900-3 800 datasets). The establishment of a voluntary self-assessment data quality label will make some contribution to the consistency of a common framework. The costs of the voluntary mechanism for manufacturers are expected to be overall low, especially in the case of self-assessment (around EUR 7,000-17,500 in internal preparation costs). The creation of a European network of national Health Data Access Bodies could promote the establishment of new Health Data Access Bodies above the baseline scenario, so the costs related to such bodies for the Member States and the Commission should be expected to increase slightly, between EUR 7 and 28 million above the baseline (assumes 3 additional health data access bodies could be established in the first 10 years).

The extension of the current infrastructure MyHealth@EU to secondary uses could simplify processes to access and share health data only to a certain extent, particularly for multi-country requests. Given that the national institutions dealing with primary and secondary use of data are different, such an infrastructure would require substantial change to ensure that both primary and secondary use can be served through the same infrastructure without compromising interoperability, security and reliability CLXXVIII . The deployment and operation of the European network of Health Data Access Bodies, and corresponding infrastructure for national and cross-country data access requests, is estimated to have implementation and maintenance costs of EUR 136-183 million for the Commission and Member States (including costs for the extension of central services as part of MyHealth@EU, implementation of new central and generic services across Member States, deployment of connections for EU bodies and overall maintenance), but it is expected to only lead to a partial coverage, given the voluntary participation. However, it is not expected to lead to the achievement of a full standardisation of practices, given that the establishment of a consistent framework across Member States will largely depend on the rate of adoption of common guidelines. As in the baseline, part of these costs could be covered by revenues through fees charged by Health Data Access Bodies. The deployment of new Health Data Access Bodies could increase such revenues with additional EUR 40 million.

6.1.2.36.1.2.3 Overview of overall costs and benefits

Table 4. Summary of economic incremental costs and benefits for Policy Option 1 (above the baseline).

	Costs		Benefits
Primary uses of health data	-EUR 8 m, shared between the Commission and Member States, for the European network of digital health authorities, including actions related to the development of guidelines, requirements and assessment frameworks. -EUR 38-106 m for public authorities for the full deployment and operation of MyHealth@EU. -EUR 42-227 m for developers and market operators for the implementation of the voluntary labels.	-EUR 0.4 bn in savings, for healthcare providers and patients, thanks to an increased uptake of telemedicine. -EUR 89-115 m in savings, for healthcare providers and patients, through faster deployment of cross-border ePrescription services through MyHealth@EU. -Faster growth of the digital health and wellness applications markets, expected at 5% to 10% per year, benefiting developers and consumers.
	Costs (C): EUR 0.1-0.3 bn	Benefits (B): EUR 0.4-0.5 bn
Secondary uses of health data	-EUR 8-9 m, shared between the Commission and Member States, for the European governance network of Health Data Access Bodies. -EUR 7-28 m for Member States for the establishment and functioning of additional Health Data Access Bodies. -EUR 136-183 m for the Commission and Member States for the deployment and operation of the infrastructure for the European network of Health Data Access Bodies. -EUR 127-258 m for data reusers to make available and access health data in the EHDS, including cross-border access to health data, data altruism and AI support actions. -EUR 17-55 m for data owners for the data quality label.	-EUR 1.7 bn in efficiency savings in the reuse of health data for researchers and innovators (including EUR additional 20-48 m in revenues for Health Data Access Bodies). -EUR 1.1 bn in increased value for patients, healthcare providers and industry thanks to further uses of health data.
	Costs (C): EUR 0.3-0.6 bn	Benefits (B): EUR 2.8 bn

6.1.36.1.3 Policy Option 2

6.1.3.16.1.3.1 Impact of actions on primary uses of health data

This policy option is expected to have a stronger economic impact than Policy Option 1, and it is estimated to result in EUR 5.4 billion savings for patients and healthcare providers over the course of 10 years, including those stemming from a greater uptake of telemedicine and cross-border interoperability of ePrescriptions and medical images.

In this option, an expert group will be established consisting of national digital health authorities. The costs for the Commission and Member States to support the work of such expert group, and the corresponding subgroups, are estimated at EUR 12 million, over 10 years, above the baseline (same calculation methodology as in Policy Option 1, but assuming greater workload due to stringent governance structure (e.g. assumed for the Commission one additional FTE). The costs for the Commission and Member States for the implementation of the labels for interoperability, cybersecurity and quality of digital health products and services are included in these governance costs.

Under this option, Member States will be required to implement the services of MyHealth@EU, including those linked to electronic identification in health, and the services under MyHealth@EU would be extended to provide services to citizens and possibly additional services. The investment and maintenance costs for MyHealth@EU are estimated to require in the range of EUR 39-109 million in 10 years, above the baseline, depending on the cost and speed of implementation. The faster rollout of MyHealth@EU would also yield additional EUR 173-232 million in cost savings in the area of ePrescriptions and medical imaging alone.

The mandatory labelling for digital health products and EHR systems (personal health data storages, mHealth products falling under MDR), and voluntary labelling of wellness applications would be more costly than in Policy Option 1, EUR 0.1-1.1 billion above the baseline, given the need for market operators and developers to obtain the mandatory label for their products and services (a transitional rollout is assumed for this label (faster than in Policy Option 1), with an annual growth rate of 15%-20%. These costs include the cost for internal preparations by manufacturers for the self-declaration, but do not include any cost of adaptation of the product to the requirements of the label). The Commission would be required to develop and maintain a database for certified/labelled products to support the rollout of mandatory labelling, which is estimated to cost approximately EUR 32 million (based on costs of Eudamed for development and maintenance). In Policy Option 2+, the higher cost of third-party certifications, affects only the medical devices that process data that feed into electronic health records, is expected to increase costs for developers and market operators to EUR 0.3-1.7 billion (for an overview of the market size, please see the Annex 5 on methodological approach the purpose of calculating the market sizes, the assumptions are derived from industry analyses and information retrieved from product databases in Finland and Italy: 3,800-5,000 products in the EHR systems market; 5,000-20,000 products in the digital health products market (medical devices with EHR data); 20,000 products in the wellness applications market). The costs for mandatory certification for EHRs: EUR 20,000-50,000, of which half (EUR 10,000-25,000) of internal costs for manufacturers, and half certification fees. Re-certification is assumed after 5 years, with costs 80% of the initial certification costs. The costs for labelling are between EUR 9,000-32,000).

Member States are expected to incur costs similar to those under Policy Option 1 to adapt their requirements, guidelines and frameworks to those defined at EU level, and/or to design them in compliance with the EU standards and frameworks in absence of a national framework. The synergies between the labelling systems and other measures are expected to generate a rapid increase in the presence of such products on the European single market, with an annual growth of 20%-30%. There is also an estimated growth of such products on the market of 15%-20% per year.

6.1.3.26.1.3.2 Impact of actions on secondary uses of health data

A mandatory but flexible intervention on secondary use of health data is likely to result in a significant positive economic impact of at least EUR 5.4 billion over the next 10 years, stemming from efficiency gains in data access as a results of a less costly access to health data by reusers, be it researchers, innovators, regulators and policy-makers EUR 3.4 billion), greater information transparency for policy-makers and regulators (EUR 0.8 billion), and increased value for patients, healthcare providers and innovators thanks to further reuse of health data, through the development of innovative products and services in health thanks to data-intensive technologies, such a AI-based systems (EUR 1.2 billion).

The more intensive use of real-world evidence (RWE) in health policy-making could yield substantial additional savings, estimated at EUR 0.8 billion, thanks to greater transparency of the effectiveness of medicinal products, resulting in a reduction of costs in the regulatory processes, including in public procurement in health CLXXIX . Under this option, IT infrastructures, such as the EMA’s DARWIN, could be fully integrated in the network of Health Data Access Bodies, supporting the EMA, national medicines agencies and HTA bodies in better decision-making and renegotiating the prices of different medicinal products based on the observed real-world effects, post-authorisation. According to experts consulted, in a medium-sized EU country, a 5% saving from re-negotiating the prices in drug cost in oncology, diabetes, cardiovascular, respiratory/neurology could result in an annual saving of EUR 50 million, which can lead to sizeable effects at EU level. With increasing prices of new medicines, this saving is expected to increase in the future.

This policy option requires the establishment of an expert group consisting of Health Data Access Bodies to govern the area of secondary uses and to ensure a consistent framework. Such a group is expected to incur costs of EUR 13 million. The increase in governance costs originates from the need for additional FTEs for managing the governance framework. While including an obligation to designate Health Data Access Bodies, Policy Option 2 provides sufficient flexibility to Member States to decide on the organisation of the function to be fulfilled by a Health Data Access Body, which could be established as a unit in a larger organisation (e.g. Article 7 body under Data Governance Act) or as an independent entity (e.g. like Findata or French Health Data Hub). The cost of establishment and operation over 10 years can vary significantly depending on national choices, ranging between EUR 3.3-12.4 million for a 4-Fulltime Equivalent (FTE) or 15-FTE unit, respectively, and EUR 20.6-41.3 million for a 25-FTE or 50-FTE independent entity, respectively. The expectation is that total costs for 27 Member States and EEA countries will comprise a variety of organisational arrangements for Health Data Access Bodies. The overall costs for this option could range between EUR 39-157 million for all countries, partially recovered through the fees charged to re-users (EUR 36-58 million).

The requirements for infrastructure and security will increase harmonisation for secure data spaces, promote interoperability and standardisation of practices between Health Data Access Bodies to enable multi-country data access requests. Such infrastructure is expected to cost EUR 176-287 million, including the central services to operate the network and the services to be deployed at the level of Health Data Access Bodies. EMA, ECDC (and HERA) would also be connected to this infrastructure, but their financing is already foreseen under other legislative initiatives.

The establishment of a mandatory data quality label granted by a third party will increase the consistency of a common framework. The total number of data sets made available by Health Data Access Bodies that adhere to a voluntary label along for the 10 years period in all MS is expected to be 4,300-5,600 datasets, with a cost estimated to EUR 25-81 million. This action, combined with costs for data reusers to access the data made available through the EHDS (EUR 97-204 million), is expected to carry costs of approximately EUR 122-285 million. The costs are higher in Policy Option 1 than in Policy Option 2, due to multi-country data access requests being more expensive in the formern as the latter provides for common data request and reuse procedures. Not having such common data request and reuse arrangement increases the cost for data reusers in Policy Option 1. The governance and interoperability and data quality requirements also translate into simpler procedures/lower burden for stakeholders to request data and process the requests, which are reported as part of the benefits (as ‘efficiency gains’). The one-off cost of a labelling scheme on data quality could amount to EUR 20,000 and EUR 50,000 for obtaining the label and EUR 20,000 to EUR 35,000 per year for renewing the label for data holders (the figures are derived from the costs of the DiGA system and from the impact assessment on Data Governance Act, and consistent with those for primary use of health data). The costs of the label are expected to be not so high, especially in the case of self-assessment (around EUR 7,000-17,500 in internal preparation costs). In case of the third-partly labelling mechanism, it is expected that the costs will be somewhat higher, including at least the third-party labelling fee. The costs for AI would entail trainings, but also development of standards together with bodies of AI Act and would be between EUR 8-11 million.

6.1.3.36.1.3.3 Overview of overall costs and benefits

Table 5. Summary of economic incremental costs and benefits for Policy Option 2 (above the baseline).

	Costs		Benefits
Primary uses of health data	-EUR 12 m, shared between the Commission and Member States, for the European expert group of digital health authorities, including actions related to the development of guidelines, requirements, labels and assessment frameworks. -EUR 39-109 m for public authorities for the full deployment and operation of MyHealth@EU. -EUR 0.1-1.1 bn for developers and market operators to implement and obtain the labels. -EUR 32 m for the Commission to develop and maintain a database for certified/labelled products. Policy Option 2+: -EUR 0.3-1.7 bn for developers and market operators to implement and obtain the third-party certifications for and voluntary labels.	-EUR 5.4 bn in savings, for healthcare providers and patients, in health costs thanks to an increased uptake of telemedicine and more efficient exchanges of health data. -EUR 173-232 m in savings, for healthcare providers and patients, through faster deployment of cross-border ePrescription and medical imaging services through MyHealth@EU. -Faster growth of the digital health and wellness applications markets, expected at 20-30% and 15-20% per year, respectively.
	Costs (C): EUR 0.2-1.2 bn (Option 2+: EUR 0.3-1.8 bn)	Benefits (B): EUR 5.5-5.6 bn
Secondary uses of health data	-EUR 13 m, shared between the Commission and Member States, for the European governance network of Health Data Access Bodies. -EUR 39-157 m for Member States for the establishment and functioning of additional Health Data Access Bodies. -EUR 176-287 m for the Commission and Member States for the deployment and operation of the infrastructure for the European network of Health Data Access Bodies. -EUR 97-204 m for data reusers to make available and access health data in the EHDS, including actions to support interoperability and data quality, data altruism and AI support actions. -EUR 25-81 m for the data quality label for data owners.	-EUR 3.4 bn in efficiency savings in the reuse of health data for researchers and innovators. -EUR 0.8 bn in savings thanks to information transparency for policy-makers and regulators (including additional EUR 36-58 m in revenues for Health Data Access Bodies). -EUR 1.2 bn in increased value for patients and healthcare providers thanks to further reuse of health data.
	Costs (C): EUR 0.4-0.7 bn	Benefits (B): EUR 5.4 bn

6.1.46.1.4 Policy Option 3

6.1.4.16.1.4.1 Impact of actions on primary uses of health data

This policy option is expected to produce an economic benefit that is lower than Policy Option 2, given the stringency of the framework, which could function as a disincentive for market operators when entering the European market and the additional costs for the EU body. This policy option is expected to provide similar mechanisms (mandatory labels replaced by certification) for the adoption of interoperable systems across the EU, reducing fragmentation of the digital health market and increasing competitiveness of the EU IT sector. Therefore, similarly to Policy Option 2, this option is estimated that EUR 5.4 billion could be saved, by patients and healthcare providers, over the course of 10 years.

Binding decisions at EU level through a European Digital Health Body will help overcome gaps in regulation of digital health systems. If such function would be established as new task of an existing body, the Comission is expected to incur costs of approximately EUR 9 million, over the baseline (assuming a requirement of 12 FTE). If such function would be established based on a new agency (Option 3+), the Comission is expected to incur costs of approximately EUR 321 million, including set-up and yearly operation (using the costs of the European Labour Authority as a proxy). Under this option, in a similar fashion to Policy Option 2, Member States will be required to implement the services of MyHealth@EU, including those linked to electronic identification in health, and the services under MyHealth@EU would be extended to provide services to citizens and possibly additional services. Assuming that a full rollout of MyHealth@EU within the first three years since entry into force of the EHDS, the investment and maintenance costs for MyHealth@EU would be marginally higher than for Policy Option 2 (EUR 42-117 million above the baseline, assuming mandatory adoption of digital health services for the exchange all of data domains under the EEHRxF by Year 3). The full rollout of MyHealth@EU within a set timeframe would contribute to additional savings of EUR 173-232 million from cross-border prescriptions and medical imaging alone.

The actions to support common European interoperability in Policy Option 3 are similar to those in Policy Option 2, but include a third-party certification scheme for ensuring interoperability and quality of data flows for digital health products (including EHR systems, personal health data storages, mHealth products falling under MDR, already certified by the MDR notified bodies) and for wellness applications. This mandatory certification is expected to generate compliance costs of approximately EUR 0.6-2.9 billion for market operators, including developers and suppliers of EHR systems, digital health products and wellness applications. While the European market for wellness applications is estimated to comprise approximately 100,000 products, for the purpose of the calculations, an assumption was made that 20% (20,000) could fall under the scope for certification. If one considers that all the wellness apps were certified, the costs could reach over EUR 8 billion, which would be very unproportionate and cost ineffective. The potential benefits of easier cross-border market access could off-set such costs, at least to some extent. Synergies between the certification schemes and other measures (such as reimbursement and compensation policies) are expected to generate a rapid increase in the presence of such products on the market, with annual growth of 10%-20%. A lower increase compared to Policy Option 2 is due to the higher costs for certification, which can represent a barrier for technology developers and vendors. Under such circumstances, wellness applications are estimated to grow at a lower pace (5%-10% per year).

6.1.4.26.1.4.2 Impact of actions on secondary uses of health data

A high-intensity legislative intervention aiming at harmonisation on secondary use of health data matters is likely to result in a positive impact of EUR 6.1 billion during the next 10 years, stemming from efficiency gains, increased value of health data and greater information transparency for policy-makers and regulators in health.

The creation of a centralised function at EU level, the European Health Data Access Body (EHDAB) that could regulate and govern the functioning of the space for secondary uses could contribute to reduce fragmentation. Such function could be established within an existing body, with an estimated additional of EUR 106 million, or be assigned to a new European Digital Health Body as an additional task (Option 3+). The establishment and associated costs of Health Data Access Bodies would remain unchanged from Policy Option 2 (EUR 39-157 million), as that option already includes several obligations regarding the designation of these entities. However, Policy Option 3 would entail implementing a centralised architecture with increased costs at European level for the infrastructure of the European Health Data Access Body (EHDAB). The total costs for the infrastructure, including implementation and maintenance, could range between EUR 202 and 313 million. These costs would be partially recovered through the fees charged to re-users (EUR 36-58 million, as in Policy Option 2).

A compulsory certification framework for data quality would cost between EUR 20,000 and EUR 50,000 to obtain the certification (the total number of data sets for the 10 years period in all MS is expected to be 3,400-4,400 datasets). The total amount for the compulsory certification scheme for data owners and the costs for reusers to access health data across borders is estimated to be between EUR 191-457 million (EUR 57-143 million for dataquality and EUR 134-314 million for data reusers). Costs for carrying out the certification system are considered to be in line with those incurred in national contexts (i.e. EUR 10,000 to EUR 25,000), while costs for processing and redistributing multi-country data access requests are expected to be limited. High costs of the certification scheme for data quality are likely to reduce the availability of niche datasets, lower the offer in the EHDS, and possibly have a disproportionally adverse impact on smaller dataset owners.

6.1.4.36.1.4.3 Overview of overall costs and benefits

Table 6. Summary of economic incremental costs and benefits for Policy Option 3 (above the baseline).

	Costs		Benefits
Primary uses of health data	-EUR 29 m, shared between the Commission and Member States, for the governance of the EHDS on primary uses of health data based on an existing EU body. -EUR 42-117 m for public authorities for the full deployment and operation of MyHealth@EU. -EUR 0.6-2.9 bn for developers and market operators to implement and obtain the certifications (for EHRs, digital health products and wellness apps). Policy Option 3+: -EUR 321 m for the Commission for the governance of the EHDS on primary uses of health data through a newly-established European Digital Health Body.	-EUR 5.4 bn in savings, for healthcare providers and patients, in health costs thanks to an increased uptake of telemedicine. -EUR 173-232 m in savings, for healthcare providers and patients, through faster deployment of cross-border ePrescription and medical imaging services through MyHealth@EU. -Faster growth of the digital health and wellness applications markets, expected at 10-20% and 5-10% per year, respectively.
	Costs (C): EUR 0.7-3.1 bn (Option 3+: EUR 0.9-3.4 m)	Benefits (B): EUR 5.5-5.6 bn
Secondary uses of health data	-EUR 106 m for the Commission for the governance of the EHDS on secondary uses of health data based on an existing EU body, but with completely new functions (access to data etc). -EUR 39-157 m for Member States for the establishment and functioning of additional health Data Access Bodies. -EUR 202-313 m for the Commission and Member States for the deployment and operation of the infrastructure for the European network of Health Data Access Bodies. -EUR 134-314 m and data reusers to make available and access health data in the EHDS, including actions to support interoperability, data quality data altruism and AI support actions -EUR 57-143 m for data owners for the data quality certification. Policy Option 3+: -Same costs (EUR 106 million) for the Commission for the establishment and operation of an independent European Health Data Access Body (EHDAB) within the newly set up European Digital Health Body.	-EUR 4.1 bn in efficiency savings in the reuse of health data for researchers and innovators. -EUR 0.8 bn in savings thanks to information transparency for policy-makers and regulators (including additional EUR 36-58 m in revenues for Health Data Access Bodies). -EUR 1.2 bn in increased value for patients, healthcare providers and industry thanks to further uses of health data.
	Costs (C): 0.5-1.0 bn (Option 3+: no cost increase)	Benefits (B): EUR 6.1 bn

6.26.2 Single Market, competitiveness, innovation, SMEs and international aspects

6.2.16.2.1 Baseline scenario

In the Baseline scenario, the cooperation framework is limited to primary uses of health data and mostly to the exchange of health data across national health systems, with no or limited intervention in the single market. It provides no incentives at EU level for manufacturers to improve the interoperability and connectivity across national borders. The reliance on consent as the legal basis for data processing is expected to continue with prohibitive costs for researchers and SMEs to reuse health data, constraining the capacity of the latter to innovate in the area of data-driven technologies in health. The position of the EU in the international arena and as a standard setter would not be coherent, as many of the initiatives would remain voluntary.

6.2.26.2.2 Policy Option 1

Policy Option 1 relies on a decision-making system based on consensus and voluntary participation does not provide a strong incentive to overcome the fragmentation of the EU’s digital health market, nor does it create forces that will increase the competitiveness of the EU IT sector. The heterogeneity of standards and specifications and limited interoperability raise barriers and additional costs for manufacturers, especially SMEs, to enter new markets. With regard to the secondary use of health data, Option 1, like the baseline, in terms of governance, voluntary participation will not provide strong instruments to overcome the fragmentation of initiatives and frameworks for the reuse of health data.

6.2.36.2.3 Policy Option 2

Policy Option 2 is expected to have a relatively strong positive impact on competitiveness and the single market. The main aspects of the national and EU governance structures are expected to provide strong incentives for the adoption of systems that allow individuals to control their health data, with interoperable systems within and between Member States, which, in turn, will help reduce the fragmentation of the eHealth market and increase the competitiveness of the EU’s IT sector. National reimbursement and compensation policies for digital health services and products will be based on EU frameworks and guidelines, better aligned with international standards. Legal frameworks will therefore become more similar, and this is expected to reduce cross-border market entry barriers, including for SMEs. This could create new competitiveness opportunities for European SMEs on the global market. This measure will impact the development of a whole new scenario for scalable innovation, competitiveness, and overall operationalisation of digital products and services. Overall, respondents in the public consultation believed a certification scheme granted by third parties (a mandatory independent assessment of the interoperability level) would be most appropriate to foster the uptake of digital health products and services at national and EU level (52%). A smaller proportion of respondents said an authorisation scheme managed by national bodies would be appropriate (43%). The option of using a voluntary labelling scheme was the least popular (19%). With regards to the secondary use of health data, a system where access to data is simplified, but the trust and security are enhanced can fuel research and innovation. A system where access to data becomes cheaper (compared to getting the individual consent of data subjects) and volume of available data increases, would support different players, including SMEs, to bring forward innovation. Over time, this is expected to contribute to the development of a common EU system for secondary use of health data which, in turn, is expected to support research, development of new products and services, delivery of personalised medicine and more evidence-based policy-making. This could boost the global competitiveness of the EU. This holds the potential for new medical discoveries, better predictive capabilities, better preventative measures and improved ability to adapt, optimise and react to largescale health risks. An EU wide infrastructure would allow access to data from several Member States. SMEs would be able to have easier access to diverse data which would allow them to compete with large players within the EU and globally. Respondents in the Public Consultation also said that measures supporting secondary use of health data would have benefits in terms of providing access to cutting-edge, efficient and safe care (e.g. thanks to faster innovation in health – 77% of respondents said the impact would be high – and increased safety of healthcare and of medicinal products or medical devices – 75%), as well as benefits on healthcare systems efficiencies (e.g. better informed decision-making – 77% – and technological progress – 76%).

At global level, the EU can become a standards setter, as it happened with the EU Digital COVID certificate (which was only possible under of a strong legal basis and a harmonised approach CLXXX . A more systematic implementation of international standards can open new international markets to European companies. Translation of patients’ data in English or other languages can support European citizens travelling or leaving to third countries. International cooperation in research and innovation area could be facilitated by the new framework on secondary use of health data.

6.2.46.2.4 Policy Option 3

Policy Option 3 is expected to have a relatively strong positive impact on competitiveness and the single market. The harmonisation efforts concerning standards and specifications can support manufacturers to enter new markets. On secondary use of health data, the situation would be similar to Policy Option 2 and the European Data Access Body would further facilitate the cross-border access to health data, creating more research and innovation. The EU’s international position could be stronger and defended by an EU body. However, the costs for certification of standards could impact negatively on companies, especially SMEs.

6.36.3 Impacts on fundamental rights

6.3.16.3.1 Baseline scenario

The expected impact on fundamental rights of the baseline is rather limited. Although GDPR provides a common framework, the different national level legislations linked to its implementation will remain, perpetuating the current landscape of divergent rules, processes, standards and infrastructures as described in section 2.2.

6.3.26.3.2 Policy Option 1

The impact on fundamental rights is expected to be moderate. The voluntary network of Member States authorities will allow for the exchange of experiences, including in relation to the implementation of procedures and frameworks that protect privacy of individuals. The voluntary adoption of guidelines and voluntary participation in infrastructure will not guarantee patients effective data portability rights cross-borders and the impact will be minimal at national level if there is variation in standards across Member States.

6.3.36.3.3 Policy Option 2

This policy option is expected to have a significant positive impact on fundamental rights related to data protection and free movement, as through MyHealth@EU, citizens will be able to effectively share their health data when travelling abroad in the language of the country of destination or take the data with them when moving to another country. Citizens will be given additional possibilities to access and transmit digitally their health data, building upon the provisions of GDPR and market operators in health (either healthcare providers or providers of digital services and products) will be obliged to share health data with user-selected third parties from the health sector. The proposal will provide the technical and practical means to enforce these rights (common standards, specifications, labels) without compromising on the required safety measures to protect data subject’s rights under the GDPR. It would contribute to the increased protection of health personal data and the promotion of the free movement of such data as enshrined in Article 16 of the TFEU.

This option defines an EU framework for accessing the health data for public interest and scientific, historical research and statistical purposes, building upon the possibilities offered by the GDPR in this respect. It will include suitable and specific measures required to safeguard the fundamental rights and the interests of data subjects. Setting up Health Data Access Bodies will ensure a predictable and simplified access to health data, a higher level of transparency, accountability and security in the data processing. Coordinating these bodies at EU level and enshrining their common decision in implementing and delegated acts will ensure a level playing field, which will support cross-border analysis of health data for research, innovation, statistics, policy making and regulatory purposes. The promotion of interoperability of health data and its reuse will contribute to promoting a common internal market for health data in line with Article 114 of TFEU.

6.3.46.3.4 Policy Option 3

In Policy Option 3, the impact on fundamental rights is expected to be very similar to that of Policy Option 2, given that the right of citizens to access and transmit digitally their health data is the same under this option. However, a comparatively greater positive impact on freedom of movement and patients’ control over their health data can be expected through stronger requirements of certification for digital health services and products (that could also cover security and confidentiality of data).

Establishing a regulatory agency would have a strong positive effect on the protection of personal data and privacy, as it would ensure the implementation of a consistent framework for reuse of health data in compliance with the GDPR and in collaboration with National and European personal data supervisory authority. The agency could also ensure a simplified access to cross-country types of data.

6.46.4 Social and environmental impact

6.4.16.4.1 Baseline scenario

Regarding the cross-border digital infrastructure for primary uses of health data, there is no clear prospect, in the baseline scenario, for MyHealth@EU to achieve full EU coverage and complete the rollout of its services portfolio. This has direct negative consequences where EU citizens and residents seek healthcare services in a Member State that is different from their country of affiliation, as healthcare professionals will not be able to access crucial medical information. The gap between digitally skilled and digitally unskilled citizens and end-users will persist in the baseline. The baseline scenario will see a slower realisation of the potential benefits of the reuse of health data. In the absence of coordinated EU action for the reuse of health data subject to rights of others and data altruism mechanisms, the societal and environmental benefits would be limited.

6.4.26.4.2 Policy Option 1

This option is expected to have a moderate social impact. The guidance and label for the assessment and use of digital tools is expected to lead to an increased uptake and wider implementation of these solutions by healthcare providers, with positive effects in areas such as chronic disease management. However, while the cross-border digital infrastructure in health would be strengthened, and likely completed within 10 years, the progress is expected to be slow, leaving in the meantime a large share of the European population with no access to MyHealth@EU. Citizens and end-users will require guidance on digital skills in order to prevent the digital divide from widening. The exchange of experiences in a voluntary network of national authorities responsible for secondary use of health data will aid those Member States that have not yet implemented legislation in place on public and private use of data for research purposes. However, given its voluntary nature, the impacts on unlocking the health value from data in the EU would be limited.

This option is expected to have a small environmental impact overall. Interoperability, reuse of health data and the portability of patients’ data and quality criteria for telehealth are likely to improve the efficiency of use of resources, for instance by reducing unnecessary tests and visits of patients to hospitals, and the need for paper documentation and health records. This effect should reduce the overall carbon footprint of healthcare. However, greater digitalisation of health data and data portability will require larger scale IT infrastructure. This may increase the use of energy and other resources, and increase the carbon footprint of the healthcare sector, and partially offset the resource-efficiency gains stemming from interoperability.

6.4.36.4.3 Policy Option 2

This option is expected to have a significant social impact. This will put the patient at the centre with regards to management of his/her data in relation to healthcare professionals. If digital solutions are interoperable and supported by reimbursement, it will encourage their growth and uptake. With more data flowing in the system, new innovations can be put forward out, to the benefits of the patients. This option should lead to enhanced equal accessibility and availability of innovative products for diagnosis, and treatments, contributing to a reduction in health inequalities, including facilitating better access to healthcare in remote or rural areas a more consistent monitoring and early intervention of some patients with chronic diseases, preventing hospitalisations and more aggressive and expensive treatments and reducing costs. As explained in problem description, it can contribute to better adherence to medication, reduction of unnecessary tests, prevention of misdiagnosis and treatment, positively impacting individuals and healthcare systems. The mandatory requirement for Member States to deploy MyHealth@EU services within a certain timeframe will reduce disparities within the EU when accessing healthcare services in the cross-border context.

Access to data that represent different geographical, behavioural or functional settings and depicting the health of different population sub-groups improve research into targeted prevention and treatment methods. This policy option would also facilitate access to larger volumes of health data, enhancing the capacity of research, policy making and regulatory initiatives, increasing representativeness of datasets and fostering innovation, including in the area of AI. This holds the potential for new medical discoveries, more accurate predictive capabilities, more effective preventive measures and improved ability to adapt, optimise and react to largescale health risks, as well as low occurrence but high impact pathologies.

Abundance and diversity of data would support better decision making, including of regulatory authorities. It would increase transparency, negotiation capacity, bringing down the prices for some drugs, supporting the repurposing of medicinal products, to the benefit of patients. For example, rare diseases include small population sizes were clinical trials may not be feasible. A mix of randomised trials and access to high quality health data would be required to study populations with unmet medical needs and contextualisation of treatment benefits for single-arm studies. Reliable and timely evidence is required for the regulatory decisions after a serious adverse drug reactions that impacts the benefit-risk balance. As an illustrative example, a 1-year time saving in regulatory action for a medicine with 1,000,000 users in the EU and an uncommon adverse drug reaction frequency (0.001) at 20% case fatality proportion could potentially prevent 1,000 cases, including 200 deaths.

With regard to environmental impacts, similarly to Option 1, the establishment of extensive digital infrastructure, high volume of data traffic and storage, and manufacturing of digital devices to support research and innovation may lead to digital pollution including some negative environmental impacts. On the other hand, it will also reduce resources required for different processes related to healthcare or policy-making (e.g. travel-related pollution, energy and paper used in refinement of policy measures) and research (e.g. digital pollution from having to replicate processes as additional data becomes available).

6.4.46.4.4 Policy Option 3

This option is expected to have a significant social impact. The action in this option for assessment and use of digital tools should accelerate further organisational change, at a greater speed than in Policy Option 2. The mandatory connection of all healthcare providers would ensure frictionless movement of health data across the EU. The development of digital tools would encourage the advancement of digital healthcare services. As explained, there are substantial societal benefits with the advancement of digital healthcare solutions.

As in Policy Option 2, access to more coherent and granular data on the health of different sub-groups of population will benefit research into targeted prevention and treatment methods. This would in turn broader availability of innovative health products that could improve health outcomes and foster inclusion of neglected groups of citizens through increased knowledge. A higher intensity intervention to a greater extent than in option 2, as explained above can optimise capacity to conduct research and innovate, and improve policy making.

With regard to environmental impacts, this option is expected to have a similar impact to Policy Option 2.

77 How do the options compare?

Annex 11 provides the comparison of expected impacts for each measure or dimension characterising the assessed options. This dimension-by-dimension comparison is the basis for the overall comparison in this section and the choice in chapter 8 of the best-performing combination of measures for the Preferred Option. Table 7 presents an overview of the ratings of the impacts of each policy option against a series of assessment criteria, covering effectiveness, efficiency, coherence, feasibility, EU added value and proportionality.

Table 7. Overall comparison of policy options.

Criteria	Policy Option 1	Policy Option 2	Policy Option 3
Effectiveness: contributing to achieving the policy objectives
Empower citizens through digital control of their personal health data and support their free movement of people by ensuring that health data follows them	+	+ +	+ +
Unleash the data economy by fostering a genuine single market for digital health services and products	+	+ + (Option 2+: + + +)	+ + +
Ensure a consistent framework for the reuse of health data for research, innovation, policy-making and regulatory activities	+	+ +	+ +
Effectiveness: other impacts
Social impacts	+	+ + (Option 2+: + + +)	+ + +
Impacts on fundamental rights and freedom	+	+ +	+ +
Environmental impacts	+	+	+
Competitiveness, SMEs and Single Market	+	+ +	+ +
Efficiency: comparison of benefits and costs
Investment and compliance costs	–	– –	– – (Option 3+: – – –)
Savings and benefits	+	+ +	+ +
Coherence
Internal coherence	–	+	+
External coherence	+	+	+
Legal and Political Feasibility	+	+	–
EU added-value	–/+	+	+ +
Proportionality	+	+ +	+

For efficiency, effectiveness and EU added value, the scores are given on the expected magnitude of impact as explained above: + + + being strongly positive, + + positive, + moderately positive, –/+ neutral, – moderately negative, – – negative and – – strongly negative. For legal/political feasibility and coherence, + means that the assessment is positive, and – means that it is negative.

In terms of the effectiveness in achieving the policy objectives, Option 2 and 3 are the highest-scoring options in comparison with Option 1, mostly as a consequence of their stronger governance system, the establishment of new citizens’ rights and appropriate measures to address health data sharing issues related to interoperability and other aspects and a common legal basis for processing health data for reuse. Option 3 scores higher than Option 2 when it comes fostering a genuine single market for digital health as it includes a more effective mechanism (third party certification for EHR systems and digital health products that are medical devices) to regulate the market of electronic health records and digital health products. The need under Option 3 for third party certification for wellness applications, which do not pursue a medical use, risks erecting too high barriers for SMEs to enter the market, with a subsequent negative effect on the promotion of the uptake of such products across the EU. Therefore, Option 2+ provides a better balance by ensuring trustworthiness on the fulfilment of the mandatory requirements through third party certification for EHR systems and digital health products that are medical devices transmitting data to EHRs, while keeping market entry requirements to the minimum in the wellness applications market with a self-declared quality label. With regards to central governance under option 3, existing EU health-related bodies, such as the ECDC or the EMA have specific mandates in subdomains in health that do not match the transversal nature of the European Health Data Access Body function. Moreover, EMA and ECDC do not have the necessary skills and capacity to deal with primary use of health data and interoperability, which makes the re-use of an existing agency for primary and secondary use of health data an unfeasible option. At the same time, creating a new EU body would require a large investment (over EUR 300 million over 10 years) making this option cost-inefficient. In addition, such an approach and the setting up of a new EU body is unlikely to get the needed political support with the co-legislators. Therefore, option 2 with reinforced cooperation through expert groups remains the best performing option.

Option 1 would generally have a very limited impact on achieving the objectives on primary and secondary uses of health data, particularly when it comes to completing the deployment of the necessary digital infrastructures. The combination of the infrastructures for primary and secondary uses does not seem to be a feasible option, given its technical complexity and the fact that actors involved and purposes are different CLXXXI . While voluntary participation and guidelines could help improve the practical implementation initiative among the Member States participating, measures under Option 1 remain non-binding and their outcomes are highly dependent on the willingness of Member States to follow guidelines and adapt national (and regional) legal, technological and organisational frameworks. Given the poor results demonstrated by such an approach in the Evaluation of Article 14 of the CBHC Directive, expectations of achieving the objectives through Policy Option 1 are low.

As regards social impacts, Policy Option 2+ and 3 provide the greatest impacts on the provision of digital health services in general and of cross-border health services in particular, as it strengthens the legal, organisational, semantic and technical interoperability of (digital) health services in the EU. This, in turn, is expected to contribute to the financial sustainability of health systems, in a context of an ageing population, shrinking resources and a likely lack of medical personnel in the next decades. This option has the highest potential to provide access to more coherent and disaggregated health data, reduce research silos and help research and policymaking in providing targeted prevention and treatment methods (also using AI), fostering research and new medical discoveries. The mandatory certification of medical devices that feed data in electronic health records (option 2+), albeit more expensive than a voluntary approach, is the most effective way of ensuring that data which represents essential information of patients can be shared. Other voluntary approaches would allow the manufacturers to opt for proprietary standards, limiting the sharing of data between their devices and own platorms in hospitals, whithout sharing data between different healthcare providers. Policy Option 2 has a positive impact on these aspects as well, albeit to a lower degree due to the less structured governance and lower harmonisation of standards recognition. Policy Option 1, based on voluntary participation and guidelines, will provide a reduced contribution, limited to the number of Member States participating and their willingness to follow common guidelines. Policy Option 1, based on voluntary participation and guidelines, will provide a reduced contribution, limited to the number of Member States participating and their willingness to follow common guidelines.

With the introduction of AI for healthcare, which is dependent on access to health data, the health sector would see great benefits flowing from the increased opportunities for innovation. Through the better functioning of the internal market, this societal value will be further unleashed, while allowing for the necessary measures to protect against discrimination and bias and to promote quality predictions on the basis of high-quality data.

Concerning the impacts on fundamental rights and freedoms, the analysis focussed on the (indirect) effects of the options on the right to freedom of movement and on the protection of privacy and personal data. All the policy options will have positive impacts on these elements because of their support to interoperability and (cross-border) provision of health services, and because they include security features to protect sensitive personal data. Overall, Policy Option 2 and 3 scores higher on fundamental rights and freedoms due to the integration of electronic identification in the system, which is expected to provide further security and rights to individuals in the protection of their personal data (as the option guarantees better harmonised EU standards), with option 3 having a more stringent governance. For secondary uses of health data, both Option 2 and Option 3 are considered to have similar positive impacts, as they both guarantee increased harmonisation and coordination of efforts on the protection of personal data and privacy, with designated national Health Data Access Bodies responsible for supporting such protections.

All policy options are likely to have (limited) environmental impacts, resulting from the improved efficiency of resources and data use, which will translate into a reduction in unnecessary tests and patient hospital visits, and reduce the need for paper documentation (with higher positive impacts for the policy options 3 and 2). On the other hand, digital infrastructures and data centres are energy-intensive, and this aspect may (partially) offset the benefits listed above. Policy Options 2 and 3 are expected to have similar environmental impacts.

On international aspects, option 3, followed by option 2 has the highest chances to impose the EU as a global standard setter. Option 3 would support best the international collaboration. All the options would support EU citizens to access their data in English, facilitating their travel to third countries, but options 2 and 3 would have the highest coverage. Also, options 2 and 3 would support a more uniform approach to third country stakeholders to access to data through data access bodies (but solid authentication of researchers is needed). In general, options 2 and 3 have the highest impact on single market, while option 1 would continue the current fragmentation. In terms of impact on SMEs, option 2 ensures harmonisation and opens new markets for European companies and SMEs, while impacting less on SMEs compared to option 3. Option 1 would fail to address the current fragmentation, with the associated costs for companies and SMEs.

For the efficiency criterion, the analysis focussed on investments, savings and benefits, and impacts on competitiveness and the functioning of the Single Market. All policy options require investments from the Commission and Member States to support the governance systems and the digital infrastructure, and from manufacturers to support the measures on interoperability, data and software quality standards and artificial intelligence. Similarly, the policy options generate compliance costs for the different stakeholders to maintain the governance and digital infrastructure once in place, and to ensure adherence to the standards and requirements for interoperability and quality of digital health products and services (e.g. for setting-up and carrying out labelling and certification schemes, as well as to implement standards compliant with the requirements, which are likely to increase the production costs for manufacturers). The costs are highest in option 3, followed by option 2+/2 and 1.

Investments and compliance costs will generate benefits in terms of cost savings for patients (e.g. moving from traditional medicine to telehealth services that are well connected with the rest of the health digital ecosystem) and patients’ time saved (reducing visits to doctors and hospitals, duplication of tests, etc.). It would support manufacturers enter new markets and would support researchers, innovators, policy makers and regulators have access to more health data easier and at lower prices. The deployment of the measures on the use of health data will impact on EU’s competitiveness and the functioning of the Single Market by reducing the fragmentation of the digital health markets across the EU and the competitiveness of the EU IT sector, and by increasing the volume and quality of health data available for reuse purposes, with positive implications for healthcare provision (including in an emerging domain such as the use of Artificial Intelligence).

In this regard, Option 2 scores highest in terms of efficiency, providing the better balance among investments and costs required to sustain the system, savings and economic benefits for society at large, and competitiveness and the functioning of the EU market. Option 3 is the one requiring the most investments, being the most ambitious in terms of governance, digital infrastructure and interoperability and quality standards. However, Option 3 risks stifling innovation with too resource-intensive requirements for market operators, reducing the availability of niche data sources, lowering their presence on the EHDS, and having a disproportionally adverse impact on smaller dataset owners. Option 1, based on voluntary participation, risks producing benefits only for the participating Member States, widening the existing gaps among Member States in terms of research and technological development competitiveness and ultimately economic growth.

As regards competiveness of the single market, this refers to the actual and potential barriers to entry and exit, the number of companies in the sector, the relative share of the market across companies and the level of profitability. The competitiveness of the single market depends on the degree the EU business sector is able to offer better quality products and services at the same or lower costs compared with business from other geographic areas CLXXXII . Hence, most of the effect on competitiveness depends on the effect of measures on costs structure, productivity and innovation. Option 2 and Option 3 are more coherent with the existing legal framework and policies for data governance, support and supervision of Artificial Intelligence and the protection of personal data. There may be some feasibility issues with these two options, but Option 1, while having fewer feasibility issues, risks hindering the implementation of the EU frameworks on data governance and AI in the domain of digital health.

Finally, concerning coherence, Option 2 and Option 3 are more coherent with the existing legal framework and policies for data governance, support and supervision of Artificial Intelligence and the protection of personal data. Option 3’s stronger governance systems (EU bodies for primary and secondary uses) may generate feasibility concerns, as not all Member States may be likely to agree on proposals, making the decision-making difficult to achieve and slowing EU action in the domain. On the other hand, Option 1, while having fewer feasibility issues, risks hindering the implementation of the EU frameworks on data governance and artificial intelligence in the domain of digital health. Option 2 offers the best balance.

With regards to proportionality and subsidiarity, a number of options were considered in pursuing the Treaty objectives. These options looked at the impacts of both primary and secondary use of data based on a number of indicators including economic, social, environmental, fundamental, rights, SMEs, single market, competitiveness and international. The analysis concluded that the preferred option is Option 2. Option 2 pursues the Treaty objectives aimed to be achieved by this proposal. At the same time, the content and form option 2 shows that in both qualitative and quantitative terms, it better promotes the Union objectives at Union level and does not exceed what is necessary to achieve these objectives. Option 1 provides only marginal improvements the Baseline, which has been shown as highly ineffective by the evaluation of the digital aspects of the CBHC Directive.

88 Preferred option

After the assessment of the effectiveness, efficiency and coherence of the Policy Options for primary and secondary uses of health data, the preferred option for the EHDS is Option 2+. Option 2+ builds upon Option 2 and ensures a strong governance system for primary uses of health data, a mandatory digital infrastructure CLXXXIII encompassing basic cross-border digital health services (the five current health domains of the European Electronic Health Record Exchange Format), with possible additions to provide other cross-border services to citizens and interoperability of healthcare professionals’ registries, and the integration of electronic identification (eID) for healthcare professionals and patients. This option also implement sat a practical level the rights of citizens to control their health data, and enable access to it, irrespective of healthcare provider (public or private) and data source, supported by an obligation of healthcare and technology providers to share the user’s health data with user-selected third parties belonging to the health sector subject to fines charged by data protection authorities. This option provides for mandatory requirements and enforced through third-party certification for EHR systems and digital health products that are medical devices transmitting data to EHRs and voluntary labels for wellness applications. Third-party certification for digital health products and services at EU level is expected to enhance the interoperability of data and thus the availability of quality data for secondary use, contributing to that objective as well.

Table 8. Estimated distribution per stakeholder of total direct costs and benefits in the Preferred Option (Policy Option 2+) (all costs and benefits are above the baseline and in EUR million).

Stakeholder		Bound	Primary uses of health data	Secondary uses of health data	Total
Public authorities (regulators and policy-makers, including Member States' authorities, the Commission and EU bodies)	Costs	Lower	51	351	402
		Upper	121	743	864
	Benefits	Lower		1,413	1,413
		Upper		1,413	1,413
Manufacturers, suppliers of EHR systems, digital health products/services and wellness applications	Costs	Lower	271		271
		Upper	1,683		1,683
Innovators (in digital health, medical devices and pharmaceutical domains)	Benefits	Lower		1,688	1,688
		Upper		1,688	1,688
Researchers	Benefits	Lower		1,701	1,701
		Upper		1,701	1,701
Healthcare service providers	Benefits	Lower	4,436		4,436
		Upper	4,482		4,482
Patients/citizens	Benefits	Lower	1,109	615	1,724
		Upper	1,121	615	1,735
Overall	Costs	Lower	322	351	673
		Upper	1,804	743	2,547
	Benefits	Lower	5,545	5,416	10,961
		Upper	5,602	5,416	11,019

The preferred option for the EHDS in the area of primary use of health data is visualised in Annex 4. The impact assessment shows that Option 2+ is expected to be highly effective in achieving the policy objectives of the intervention regarding the digital single market in health. Option 2+ is preferred over Option 2 and Option 3, as Option 2+ is slightly less cost-efficient, but highly effective at achieving the objectives (for more details, see overall table on cost-effectiveness in Annex 3), while it promotes the use of health data and of digital health services and products without imposing excessively stringent requirements on market operators for wellness applications. Additionally, Option 2+ is preferred over Option 1, as Option 1 would only provide marginal improvements over the baseline and would fall short of achieving the objectives. Option 2+ is also efficient, requiring a balanced mix of investments from the Member States, the Commission and other stakeholders, while remaining ambitious in terms of governance, digital infrastructure and interoperability and quality standards, and it is also highly promising in terms of impacts on competitiveness and Single Market. Finally, Option 2+ is coherent with the existing legal framework and policies for data governance, support and supervision of AI and protection of personal data.

Regarding secondary uses of health data, the federated governance structure of Option 2 and its measures for promoting interoperability are the most cost-effective. Figure 7 depicts the interplay between the governance frameworks for primary and secondary uses in the context of the EHDS, whereby the expert groups for each subspace prepare the necessary guidelines, requirements and assessments frameworks, liaising where necessary, and delegated or implementing acts are used for binding decision making. The operational implementation is then performed by digital health authorities and Health Data Access Bodies for primary and secondary uses, respectively.

The preferred option for the EHDS in the area of secondary use of health data is visualised in Annex 4.

Figure 7. EHDS Overall governance.

Concerning effectiveness, Option 2+ will ensure a full deployment of the European network of Health Data Access Bodies and a common framework for data discovery, access and processing in health across the EU. Option 2+ provides the best balance between investments and costs required to sustain the system, savings and economic benefits for society at large, unleashing the potential of the health data economy and competitiveness and the functioning of the EU market. Finally, regarding coherence, Option 2+ will grant a high level of coherence with the existing legal framework and policies for data governance, support and supervision of AI and the protection of personal data, as well as with the increasing interest on setting-up systems for supporting access to health data for secondary use across Member States, guaranteeing stronger coordination at EU level. Option 3 is less preferred, for it would introduce a governance mechanism at EU level for which no existing EU body seems to fit. Option 1 is unlikely to achieve the objectives of the EHDS in the area of secondary uses of health data.

The preferred Option 2/2+, for both primary and secondary uses, will yield the best outcomes given that the required investments can be covered largely through EU funds, including EU4Health for specific investments in digital health infrastructure, governance and actions supporting interoperability, Digital Europe Programme for additional actions supporting interoperability and cross-sectorial investments in the European common data spaces (e.g. secure clouds), Horizon Europe for digital health research, as well as the Recovery and Resilience Facility and cohesion funds for national implementation. As a point of reference, investments supported by the EU funds under the 2014-2020 financial cycle included EUR 1 billion for digital health, and the national plans include investments linked to digitisation and modernisation of the health sector of over EUR 12 billion under the Recovery and Resilience Facility.

99 How will actual impacts be monitored and evaluated?

The evolution and performance of the EHDS wouldneed to be closely monitored to assess how this initiative contributes to the better functioning of the single market in the area of digital health and to more effective and efficient health research, innovation, policy-making and other regulatory activities. The indicators for the monitoring and evaluation framework for the preferred option are described in section 9. The indicators selected for Specific Objective 1 build upon the existing monitoring framework for MyHealth@EU. The Commission will review the indicators periodically and evaluate the impacts of the legislative act after 7 years.

In light of the current challenges to monitor the progress in Member States on digitisation in healthcare, the monitoring and evaluation framework below foresees a series of yearly indicators collected at national level and monitored at EU level. The preferred option foresees a federated approach for governance and for the infrastructure rollout, which would allow for monitoring progress while the system is gradually being implemented.

The bodies responsible for governing the EHDS would compile evidence about the progress and main achievements of this initiative at EU and Member State level. This will help improve the existing services and the uptake and experience of citizens, healthcare providers and professionals, researchers and businesses with digital health. To this end, the responsible authorities at Member State level would be asked to regularly report on the efficiency and impact of the services to be provided through the EHDS. The table below presents the indicators and data sources proposed for the specific objectives of the EHDS.

Table 9. Monitoring and evaluation framework for the preferred option.

Specific objective	Indicators (relevant for evaluation after 7 years)	Sources	Data collection frequency	Targets
Empower citizens through increased digital control of their personal health data and support their free movement by ensuring that health data follows them (SO1)	Percentage of people having access to their electronic health records	Reporting in the context of Digital Decade	Every 5 years	100% by 2030
	Number of Member States in routine operations with MyHealth@EU services	Coverage of MyHealth@EU reported by governance structure responsible for the infrastructure	Yearly	All Member States by 2027
	Total percentage of Pharmacies enabled with MyHealth@EU services (as Country B)	Reported by governance structure responsible for the infrastructure	Yearly	75% by 2030
	Total percentage of Hospitals enabled with MyHealth@EU services (as Country B)	Reported by governance structure responsible for the infrastructure	Yearly	75% by 2030
	Level of citizens satisfaction of MyHealth@EU services	Reported by governance structure responsible for the infrastructure	Every 5 years	70% satisfied or very satisfied by 2030
Unleash the data economy by fostering a genuine single market for digital health services and products (SO2)	Number of digital health products and services certificed (EHRs and medical devices)	Data on certification/labelling framework reported by the dedicated national authorities and notified bodies	Yearly	1000 by 2030
	Number of non-compliance cases with the mandatory requirements	Statistics reported by digital health authorities	Yearly	Less than 10 by 2030
	Number of mobile wellness applications with a quality label in the central EU database	Data on labelling framework reported by the dedicated national authorities	Yearly	100 by 2030
Ensure a consistent framework for the reuse of health data for research, innovation, policy-making and regulatory activities (SO3)	Number of peer-reviewed research publications, policy documents, regulatory procedures using data accessed via the EHDS	Surveys/enquiries on reusers Data from bibliometric analysis and reports	Every 5 years	100 by 2030
	Number of Member States in routine operations with the infrastructure for secondary uses of health data	Reporting by national Health Data Access Bodies	Yearly	All Member States by 2030
	Number of digital health products and services, including AI applications, developed using data accessed via EHDS	Surveys/enquiries on reusers Report/data on label of digital health product and services	Every 5 years	100 by 2030
	Number of accepted and rejected applications requesting data for reuse	Reporting by national Health Data Access Bodies	Yearly	1000 by 2030
	Volume of revenue from data requests per Member State	Reporting by national Health Data Access Bodies	Yearly	10 million by 2030
	Satisfaction from applicants requesting access to data (broken down by type of applicant)	Dedicated survey applicants of data access requests	Every 5 years	70% happy or very happy by 2030
	Average number of days between application and access to data	Reporting by national Health Data Access Bodies	Yearly	60 by 2030
	Number of data quality labels issued, disaggregated per quality category	Reporting by national Health Data Access Bodies	Yearly	1000 by 2030

End-notes

(I)

As mentioned in the mission-letter-stella-kyriakides_en.pdf (europa.eu)

(II)

The European Commission is building a strong European Health Union, in which all EU countries prepare and respond together to health crises, medical supplies are available, affordable and innovative, and countries work together to improve prevention, treatment and aftercare for diseases such as cancer. In addition to the European Health Data Space, the other pillars are: crisis preparedness and response, Europe’s beating cancer plan and the pharmaceutical strategy for Europe. The new EU4Health financial programme, with a budget of more than EUR 5.3 billion, will go beyond crisis response and provide investments to build stronger and more resilient national healthcare systems.

(III)

Including the following proposals: Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 851/2004 establishing a European Centre for disease prevention and control, Proposal for a Regulation of the European Parliament and of the Council on serious cross-border threats to health and repealing Decision No 1082/2013/EU, Proposal for a Regulation of the European Parliament and of the Council on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and medical devices.

(IV)

https://data.consilium.europa.eu/doc/document/ST-13-2020-INIT/en/pdf

(V)

https://ec.europa.eu/health/ern/covid-19_en

(VI)

Council of the European Union Conclusions (18 December 2020), https://data.consilium.europa.eu/doc/document/ST-14196-2020-INIT/en/pdf

(VII)

https://www.europarl.europa.eu/doceo/document/TA-8-2019-0083_EN.html

(VIII)

COM(2020) 66 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020DC0066

(IX)

COM/2020/767 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0767

(X)

https://digital-strategy.ec.europa.eu/en/library/data-act-proposal-regulation-harmonised-rules-fair-access-and-use-data

(XI)

https://ec.europa.eu/info/sites/default/files/state_of_the_union_2020_letter_of_intent_en.pdf

(XII)

state_of_the_union_2020_letter_of_intent_en.pdf (europa.eu)

(XIII)

soteu_2021_address_en_0.pdf (Europa.eu)

(XIV)

2021 Commission work programme – key documents | European Commission (europa.eu)

(XV)

C(2008) 3282, available at: EUR-Lex - 32008H0594 - EN - EUR-Lex (europa.eu)

(XVI)

EUR-Lex - 32011L0024 - EN - EUR-Lex (europa.eu)

(XVII)

https://ec.europa.eu/commission/presscorner/detail/en/MEMO_12_959

(XVIII)

COM(2018) 233 final

(XIX)

Electronic cross-border health services | Public Health (europa.eu) ; EUR-Lex - 32019D1765 - EN - EUR-Lex (europa.eu)

(XX)

Commission Recommendation on European Electronic Health Record Exchange Format Recommendation on a European Electronic Health Record exchange format | Shaping Europe’s digital future (europa.eu)

(XXI)

EUR-Lex - 32020D1023 - EN - EUR-Lex (europa.eu)

(XXII)

eHealth and COVID-19 | Public Health (europa.eu)

(XXIII)

Recommendation CM/Rec(2019)2 of the Committee of Ministers to member States on the protection of health-related data, available at: https://search.coe.int/cm/pages/result_details.aspx?objectid=090000168093b26e

(XXIV)

Recommendation of the OECD Council on Health Data Governance adopted on 13 December 2016, available at: https://www.oecd.org/health/health-systems/Recommendation-of-OECD-Council-on-Health-Data-Governance-Booklet.pdf

(XXV)

gs4dhdaa2a9f352b0445bafbc79ca799dce4d.pdf (who.int)

(XXVI)

https://www.digitalhealthindex.org/stateofdigitalhealth19

(XXVII)

https://www.oecd.org/health/health-systems/Recommendation-of-OECD-Council-on-Health-Data-Governance-Booklet.pdf

(XXVIII)

In the United States, legislation has been introduced that gives citizens the right to access their health data in an electronic format if it is already stored in such a fashion.

(XXIX)

In this impact assessment, “health data” is used as a term to refer to both personal and non-personal electronic data concerning health and social care.

(XXX)

There are exceptions to this definition. For example, the purpose of personal health data processed in the context of clinical trials is generally research and development, i.e. its primary use is not healthcare. Disease registries have been collected with the primary purpose of research, innovation and policy making.

(XXXI)

Electronic health record, or EHR, refers to collections of longitudinal medical records or similar documentation of an individual, in digital form (source: Commission Recommendation on European Electronic Health Record Exhange Format). An electronic health record system refers to a system for recording, retrieving and manipulating information in electronic health records.

(XXXII)

https://digital-strategy.ec.europa.eu/en/library/recommendation-european-electronic-health-record-exchange-format

(XXXIII)

Notable examples such as the Biobanking and Biomolecular Resources Research Infrastructure (BBMRI-ERIC) or the ELIXIR Data Platform https://elixir-europe.org/platforms/data#:~:text=The%20goal%20of%20the%20ELIXIR%20Data%20Platform%20is,within%20a%20coordinated%2C%20scalable%20and%20connected%20data%20ecosystem .

(XXXIV)

As laid down in Regulation 2017/745, a medical device means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more specific medical purposes that may include, for example, the diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.

(XXXV)

Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S., Febrer, N., Folkvord, F., Chabanier, L., Filali, N., Hamonic, R., Achard, E., Couret, H., Arredondo, M. T., Cabrera, M. F., García, R., López, L., Merino, B., Fico, G. (2022). Study on Health Data, Digital Health and Artificial Intelligence in Healthcare, Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/179e7382-b564-11ec-b6f4-01aa75ed71a1/language-en

(XXXVI)

The technological enablers for digital health include mobile, connected medical devices, edge and cloud computing technologies, artificial intelligence, nano and wearable sensors and actuators, the internet of things, distributed ledger technologies, high-performance computing and high capacity (wireless) internet networks, and are leading to ever-more pervasive software and the growing amount of data collected in health.

(XXXVII)

Literature on health data specifically highlights the relevance of multiple types of health data, including: (i) EHR, which can contain information on symptoms, medical exams, tests, referral patterns, prescriptions and death records as well as pharmacy records, diagnostic procedures, hospitalisations and other healthcare services; (ii) claims data giving indications of the nature of service usage, insurance and other administrative hospital data; (iii) omics data: genomics, transcriptomics, proteomics, epigenomics, metagenomics, metabolomics, nutriomics; (iv) clinical trials data; (v) pharmaceutical data such as pharmacovigilance (medicines safety) data; (vi) social media including web data pertaining to health such as data from patients forums on health topics; (vii) mobile apps, telemedicine and sensor data; (viii) geospatial health data (health data disaggregated by location); (ix) ambient data from ‘smart’ environments (e.g. electricity and gates data on the way people walk which can be used to estimate the occurrence of falling); (x) information on wellbeing, socio-economic, behavioural data; and (xi) other records of relevance to health such as occupational records, sociodemographic profiles or environmental monitoring data such as on pollution.

(XXXVIII)

Mobile health application refers to a software-based medical device that processes health data on a mobile device and is intended by the manufacturer to be used, alone or in combination, for human beings for one or more specific medical purposes that may include, for example, the diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease. A mobile wellness application distinguishes for not being intended by the manufacturer for a medical purpose and, therefore, not being a medical device itself. A 2019 study published by the Dutch National Institute for Public Health and the Environment analysed the market of mobile health applications in the Netherlands and found that 21% of sampled applications were a medical device (i.e. a mobile health application according to the definition above), while the rest 79% were not (i.e. a wellness mobile application). Study available here: https://www.rivm.nl/publicaties/apps-under-medical-devices-legislation-apps-onder-medische-hulpmiddelen-wetgeving

(XXXIX)

Marjanovic, S., Ghiga, I., Yang, M., & Knack, A. (2017). Understanding value in health data ecosystems: A review of current evidence and ways forward. https://www.rand.org/pubs/research_reports/RR1972.html .

(XL)

Article 9 of the GDPR

(XLI)

Thiel, R., Lupiáñez-Villanueva, F., Deimel, L., Gunderson, L. and Sokolyanskaya A. (2021). eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU. https://ec.europa.eu/newsroom/dae/redirection/document/79897

(XLII)

ev_20151123_co03_en.pdf (europa.eu)

(XLIII)

European Commission, European Interoperability Framework .

(XLIV)

Eurostat, 2018.

(XLV)

Health Spending Projections to 2030: New results based on a revised OECD methodology, Lorenzoni, L., et al., 2019; OECD Health Working Papers, No. 110, OECD Publishing. https://doi.org/10.1787/5667f23d-en

(XLVI)

McKinsey (2020). Shaping the digital transformation in Europe .

(XLVII)

OECD/EU (2018), Health at a Glance: Europe 2018: State of Health in the EU Cycle, OECD Publishing, Paris. https://doi.org/10.1787/health_glance_eur-2018-en

(XLVIII)

(XLIX)

https://www.oecd.org/health/health-systems/Empowering-Health-Workforce-Digital-Revolution.pdf

(L)

Grand View Research, Electronic Health Records (EHR), Market analysis 2016-2028, base year 2020. Opportunities beyond COVID-19 crisis, Electronic Health Records Market Size Report, 2021-2028 (grandviewresearch.com) .

(LI)

Electronic Health Records Market Worth $35.1 Billion By 2028 (grandviewresearch.com)

(LII)

Idem

(LIII)

(LIV)

Webb, E., Hernández-Quevedo, C., Williams, G., Scarpetti, G., Reed, S., & Panteli, D. (2021). Providing health services effectively during the first wave of COVID-19: A cross-country comparison on planning services, managing cases, and maintaining essential services. Health Policy (Amsterdam, Netherlands). https://doi.org/10.1016/j.healthpol.2021.04.016

(LV)

For example, according to the 2021 Country Health Profile for Belgium, the number of teleconsultations in Belgium peaked during the two waves of COVID-19 in 2020, but fell when restrictions were lifted.

(LVI)

European Commission (2018). Market study on telemedicine. Available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/2018_provision_marketstudy_telemedicine_en.pdf

(LVII)

Ibid.

(LVIII)

https://www.oecd.org/health/tackling-wasteful-spending-on-health-9789264266414-en.htm

(LIX)

Telemedicine Market Size, Share, Growth & Trends [2020-2027] (fortunebusinessinsights.com)

(LX)

European Commission (2018). Market study on telemedicine. Available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/2018_provision_marketstudy_telemedicine_en.pdf

(LXI)

Ibid.

(LXII)

Socio-economic impact of mHealth: An assessment report for the European Union (pwc.in)

(LXIII)

Online data code: HLTH_SHA11_HC

(LXIV)

No data available for Malta.

(LXV)

MedTech Europe (2021). The European Medical Technology Industry in figures 2021. Available at: https://www.medtecheurope.org/wp-content/uploads/2021/06/medtech-europe-facts-and-figures-2021.pdf

(LXVI)

Devices - EUDAMED (europa.eu)

(LXVII)

REGULATION (EU) 2017/ 745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - of 5 April 2017 - on medical devices, amending Directive 2001/ 83/ EC, Regulation (EC) No 178/ 2002 and Regulation (EC) No 1223/ 2009 and repealing Council Directives 90/ 385/ EEC and 93/ 42/ EEC (europa.eu)

(LXVIII)

https://www.rivm.nl/publicaties/apps-under-medical-devices-legislation-apps-onder-medische-hulpmiddelen-wetgeving

(LXIX)

71,000 new health and fitness apps launched in 2020, estimates App Annie report (leisureopportunities.co.uk)

(LXX)

Digital Health Trends 2021 - IQVIA

(LXXI)

Mobile Health & Fitness App Spending Jumped 70% Last Year in Europe to a Record $544 Million (sensortower.com)

(LXXII)

Ibid.

(LXXIII)

Flynn, R., Plueschke, K., Quinten, C., Strassmann, V., Duijnhoven, R. G., Gordillo-Marañon, M., Rueckbeil, M., Cohet, C., & Kurz, X. (2021). Marketing Authorization Applications Made to the European Medicines Agency in 2018–2019: What was the Contribution of Real-World Evidence? Clinical Pharmacology & Therapeutics. https://doi.org/10.1002/cpt.2461

(LXXIV)

Calculated as a share of the estimated value of data sharing in the EU. For more details, see Annex 5.

(LXXV)

Flynn et al. (2021).

(LXXVI)

Eskola, S. M., Leufkens, H. G. M., Bate, A., De Bruin, M. L., & Gardarsdottir, H. (2021). Use of Real-World Data and Evidence in Drug Development of Medicinal Products Centrally Authorized in Europe in 2018–2019. Clinical Pharmacology & Therapeutics. https://doi.org/10.1002/cpt.2462

(LXXVII)

Half of them included RWE for the full development phase (48.6%) and for supporting regulatory decisions at the registration (46.8%), whereas over a third (35.1%) included RWE for the early development.

(LXXVIII)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(LXXIX)

Regulation (EU) 2018/1725

(LXXX)

Such processing also requires a basis under Article 6 GDPR, like any other processing of personal data, but the specificity of health data is in article 9.

(LXXXI)

(LXXXII)

These conditions apply on top of the requirements for lawfulness of processing in Article 6 GDPR.

(LXXXIII)

The Finnish Act on secondary use of health data covers both public and private data holders; in France, the beneficiaries of data obtained through French Data Hub can be public or private entities that carry out research projects of public interest – e.g. that contributes to information concerning health, definition and evaluation of health policies, innovation in the area of health and healthcare etc; FR law forbids to use the health data for marketing towards healthcare providers or patients or to exclude or modify the insurance premia of data subject based on the data obtained from FR Data Hub; the DE law goes further and punishes under criminal law the de-identification of data subjects

(LXXXIV)

Findata, French Data Hub, German Data Lab, Danish and Norwegian data access bodies.

(LXXXV)

E.g. CNIL, in France

(LXXXVI)

For details, see Page d'accueil | Health Data Hub (health-data-hub.fr) ; Réaliser sa demande d’autorisation auprès de la CNIL | Health Data Hub (health-data-hub.fr) ; Findata ; Data requests - Findata ; Data permits - Findata

(LXXXVII)

EUR-Lex - 52020PC0767 - EN - EUR-Lex (europa.eu)

(LXXXVIII)

https://digital-strategy.ec.europa.eu/en/library/data-act-proposal-regulation-harmonised-rules-fair-access-and-use-data

(LXXXIX)

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0206

(XC)

Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, COM(2020) 823 final

(XCI)

Evaluation in Annex 12.

(XCII)

Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic (Text with EEA relevance)

(XCIII)

https://ec.europa.eu/health/medicinal-products/clinical-trials_en

(XCIV)

Medicinal products for rare diseases (‘Orphan medicines’) ( Regulation (EC) No 141/2000 , Medicinal products for children ( Regulation (EC) No 1901/2006 , Advanced therapy medicinal products ( Regulation (EC) No 1394/2007 .

(XCV)

Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 851/2004 establishing a European Centre for disease prevention and control, Proposal for a Regulation of the European Parliament and of the Council on serious cross-border threats to health and repealing Decision No 1082/2013/EU, Proposal for a Regulation of the European Parliament and of the Council on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and medical devices.

(XCVI)

https://ec.europa.eu/health/sites/default/files/preparedness_response/docs/hera_2021_propcouncreg_medical-countermeasures_en.pdf

(XCVII)

https://ec.europa.eu/health/sites/default/files/non_communicable_diseases/docs/eu_cancer-plan_en.pdf

(XCVIII)

EU Mission: Cancer | European Commission (europa.eu)

(XCIX)

Deetjen, U (2016). European E-Prescriptions: Benefits and Success Factors. https://www.politics.ox.ac.uk/materials/publications/15224/workingpaperno5ulrikedeetjen.pdf

(C)

OECD (2019), “Health in the 21st Century: Putting Data to Work for Stronger Health Systems”, OECD Health Policy Studies, Éditions, Paris, https://doi.org/10.1787/e3b23f8e-en (Accessed 06/12/2021).

(CI)

(CII)

2.2 Working abroad (europa.eu)

(CIII)

(CIV)

Electronic cross-border health services | Public Health (europa.eu)

(CV)

https://ec.europa.eu/health/sites/default/files/cross_border_care/docs/impl_directive_presciptions_2012_ia_en.pdf

https://ec.europa.eu/health/sites/default/files/cross_border_care/docs/impl_directive_presciptions_2012_ia_summary_en.pdf

(CVI)

Hansen, J., Wilson, P., Verhoeven, E., Kroneman, M., Kirwan, M., Verheij, R., van Veen, E.-B. (2021). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/system/files/2021-02/ms_rules_health-data_en_0.pdf (Annexes available at: https://ec.europa.eu/health/system/files/2021-02/ms_rules_health-data_annex_en_0.pdf ).

(CVII)

Recommendation on a European Electronic Health Record exchange format | Shaping Europe’s digital future (europa.eu)

(CVIII)

eHealth Network guidelines to EU Member States and the European Commission on an interoperable eco-system for digital health and investment programmes for a new/updated generation of digital infrastructure in Europe ev_20190611_co922_en.pdf (europa.eu)

(CIX)

(CX)

Evaluation in Annex 12.

(CXI)

https://www.hiqa.ie/sites/default/files/2018-05/ePrescribing-An-Intl-Review.pdf

(CXII)

Deetjen European E-Prescriptions: Benefits and Success Factors [Online]. Available from https://www.politics.ox.ac.uk/materials/publications/15224/workingpaperno5ulrikedeetjen.pdf

(CXIII)

(CXIV)

Ibid.

(CXV)

Ibid.

(CXVI)

BfArM - Digital Health Applications (DiGA)

(CXVII)

Validation pyramid - mHealthBELGIUM

(CXVIII)

(CXIX)

Validation pyramid - mHealthBELGIUM

(CXX)

2013-19020.pdf (govinfo.gov) , Medical-Device-Fact-Sheet-09FEB11.pdf (nist.gov)

(CXXI)

mHealth label published | Shaping Europe’s digital future (europa.eu)

(CXXII)

https://www.bfarm.de/EN/Medical-devices/Tasks/Digital-Health-Applications/_node.html (acccessed on 01/12/2021).

(CXXIII)

https://www.medtecheurope.org/wp-content/uploads/2021/11/2111_v4.8_mte_dht_reimbursement16.11.2021-2.pdf

(CXXIV)

It is difficult to estimate the size of the European market for mobile health applications, but according to the IQVIA Institute ( Digital Health Trends 2021 - IQVIA ) the volume of health-related mobile applications would have surpassed 350,000 globally in 2021. Assuming a European share that is proportional to the share in the global medical devices market (27.5%), there could be almost 100,000 mobile health applications in the European mobile health applications market.

(CXXV)

(CXXVI)

https://tehdas.eu/app/uploads/2021/11/tehdas-citizens-perception-of-and-engagement-with-health-data-secondary-use-and-sharing-in-europe.pdf

(CXXVII)

Ibid.

(CXXVIII)

https://tehdas.eu/app/uploads/2021/09/tehdas-summary-of-results-case-studies-on-barriers-to-sharing-health-data-2021-09-28.pdf

(CXXIX)

13 Member States as using some form of centralised data governance organisation (BG, DK, DE, IE, EL, FR, CY, MT, NL, PT, SI, SK and FI). More details, in chapter 7 of the study carried out by Verhoeven, et al. (2021) for the Commission.

(CXXX)

(CXXXI)

Deloitte (2018), Unlocking R&D productivity, Measuring the return from pharmaceutical innovation 2018, Αvailable at: www2.deloitte.com/content/dam/Deloitte/global/Documents/Life-Sciences-Health

(CXXXII)

Wouters OJ et al, (2020), Estimated R&D investment needed to bring a new medicine to market, 2009-2018. JAMA. 323(9) 844-853.

(CXXXIII)

https://tehdas.eu/app/uploads/2021/09/tehdas-technical-and-operational-analysis-report-of-existing-data-sharing-initiatives-2021-09-30.pdf

(CXXXIV)

(CXXXV)

Kruse, C. S., Goswamy, R., Raval, Y., & Marawi, S. (2016). Challenges and Opportunities of Big Data in Health Care: A Systematic Review. JMIR medical informatics, 4(4), e38. Available from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5138448/

(CXXXVI)

(CXXXVII)

European Commission (2020). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/sites/health/files/ehealth/docs/ms_rules_health-data_en.pdf (Annexes available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_annex_en.pdf ).

(CXXXVIII)

(CXXXIX)

(CXL)

I.e. the probability for a foreign prescription not to be dispensed.

(CXLI)

While there is an indication that issues remain in the provision of cross-border prescriptions, it should be noted that this figure relies on a low response rate of 158 pharmacists across 5 countries

(CXLII)

The cost for visiting a local GP is estimated at EUR 65.77, based on a population-weighted extrapolation of the outpatient/ambulatory activity (2.6 billion consultations in 2019, according to Eurostat) and the total general outpatient curative and specialised outpatient curative care cost (EUR 132.5 billion in 2019, according to Eurostat).

(CXLIII)

The cross-border services for the exchange of ePrescriptions through MyHealth@EU relies on common structured formats and coded data fields, allowing pharmacists to access the necessary information in their own language, through a verified system.

(CXLIV)

Evaluation in Annex 12.

(CXLV)

https://eithealth.eu/wp-content/uploads/2021/11/EHDS_report.pdf

(CXLVI)

eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU. Lot 1 - Interoperability of Electronic Health Rec

(CXLVII)

https://findata.fi/en

(CXLVIII)

i.e. stored in free text or not coded according to an standardised terminology.

(CXLIX)

DG Health and Food Safety (2019), Assessment of the EU Member States’ rules on health data in the light of GDPR.

(CL)

Arlett, Peter (2020) Workshop, DARWIN EU (Data Analytics and Real World Interrogation Network), European Medicines Agency. Available from: https://www.ema.europa.eu/en/documents/presentation/presentation-proposal-darwin-eu-data-analytics-real-world-interrogation-network-parlett-ema_en.pdf

(CLI)

Data protection issues in cross-border interoperability of Electronic Health Record systems within the European Union, Giorgia Bincoletta, March 2020, published by Cambridge University Press

(CLII)

IACOB, N., & SIMONELLI, F. (2020). Towards a European Health Data Ecosystem. European Journal of Risk Regulation, 11(4), 884-893. doi:10.1017/err.2020.88

(CLIII)

Medical deserts are areas (e.g. certain rural and remote areas) with inadequate or limited access to healthcare services, and many times citizens living in such areas need to travel long distances to receive such services.

(CLIV)

For instance, immediate access to health data in electronic form or portability of inferred data, such as tests

(CLV)

(CLVI)

The EEHRxF includes five data domains: patient summaries, ePrescriptions/eDispensations, laboratory reports, medical images and reports, and hospital discharge letters.

(CLVII)

Commission Recommendation on a European Electronic Health Record exchange format C(2019)800 of 6 February 2019 available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.039.01.0018.01.ENG

(CLVIII)

The right to access one’s health data in electronic format, including those stored by healthcare providers (public or private) is supported completely by 100% of the consumer organisations, completely or to a great extent by 100% on non-EU citizens, 91% of EU citizens, 94% of NGOs, 84% of companies 81% of public authorities and 74% of business associations responding to the public consultation

(CLIX)

The right to transmit one’s heath data in electronic format to another professional/entity of one’s choice is considered as important by 100% of consumer organisations, 100% of non-EU citizesn 89% of NGOs, 86% of companies, 85% of EU citizens, 80% of research institutions, 80% of trade unions, 75% of public authorities and 73% of business associations responding to the public consultation. https://ec.europa.eu/info/sites/default/files/state_of_the_union_2020_letter_of_intent_en.pdf

(CLX)

The penetration of smart phones at EU level is high and increasing (over 86% of population subscribed to mobile services in 2020),

(CLXI)

(CLXII)

mHealth label published | Shaping Europe’s digital future (europa.eu)

(CLXIII)

(CLXIV)

For example, the Health Data Hub acts as a single point of contact in France for health data discovery and access request handling and for submission to the French Data Protection Authority (CNIL). However, other entities, such as research hospitals, are also empowered to handle such requests and for submission to the CNIL.

(CLXV)

The detailed overview for the calculations is shown in Annex 5, including the general methodological approach used in the study supporting this impact assessment.

(CLXVI)

This figure relies on the estimated yearly costs for the Commission and Member States for the current cooperation framework in the eHealth Network.

(CLXVII)

See the conclusions of the evaluation of Article 14 in CBHC Directive in Annex 12.

(CLXVIII)

This estimate is calculated on the basis of costs for services (between EUR 0.3-2.5 million per service) under the Connecting Europe Facility Programme and based on input from Member States authorities. More details in Annex 5.

(CLXIX)

https://www.oecd.org/health/health-systems/Empowering-Health-Workforce-Digital-Revolution.pdf

(CLXX)

Calculated as 10% average of duplicated tests for a total of EUR 14 billion per year for examinations requiring Computed Tomography, Magnetic Resonance Imaging and PET scans (Eurostat).

(CLXXI)

Assuming a 4 FTE team per Member State as a lower bound, and a combination of organisational arrangements across the EU (ranging between 4-FTE and 50-FTE entities) for the upper bound.

(CLXXII)

(CLXXIII)

Considers, as per the Data Governance Act, a set up cost of EUR 10.6 million and a maintenance costs of EUR 0.6 million yearly.

(CLXXIV)

Arlett, P., Kjær, J., Broich, K., & Cooke, E. (2021). Real-World Evidence in EU Medicines Regulation: Enabling Use and Establishing Value. Clinical Pharmacology & Therapeutics. https://doi.org/10.1002/cpt.2479

(CLXXV)

Data Analysis and Real World Interrogation Network (DARWIN EU) | European Medicines Agency (europa.eu)

(CLXXVI)

European Commission (2018). Market study on telemedicine. Available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/2018_provision_marketstudy_telemedicine_en.pdf

(CLXXVII)

It assumes that 17 Member States will participate in the network for secondary uses, as cooperation will be on voluntary basis

(CLXXVIII)

Trasys for the European Commission (forthcoming study). A study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space.

(CLXXIX)

Monitoring of estimates of effectiveness and whether these are in line with initial authorisation and estimates used for defining value for reimbursement may allow renegotiating prices with considerable savings. Borge FC et al. Monitoring real-life utilization of pembrolizumab in advanced melanoma using the Portuguese National Cancer Registry. Pharmacoepidemiol Drug Saf. 2021;30:342–349. DOI: 10.1002/pds.5163

(CLXXX)

See further and a thorough analysis on these points by Anu Bradford, The Brussels Effect, OUP 2020

(CLXXXI)

Trasys for the European Commission (forthcoming study). A study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space.

(CLXXXII)

Voinescu, R. and Moisoiu, C., 2015. Competitiveness, theoretical and policy approaches. Towards a more competitive EU. Procedia Economics and Finance, 22, pp.512-521.

(CLXXXIII)

The digital infrastructure ecosystem architecture for Policy Option 2 is shown in Annex 4.

EUROPEAN COMMISSION

Strasbourg, 3.5.2022

SWD(2022) 131 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Health Data Space

{COM(2022) 197 final} - {SEC(2022) 196 final} - {SWD(2022) 130 final} - {SWD(2022) 132 final}

Table of contents

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

2.Organisation and timing

3.Consultation of the RSB

4.Evidence, sources and quality

Annex 2: Stakeholder consultation

Annex 3: Who is affected and how?

1.Practical implications of the initiative

2.Summary of costs and benefits

Annex 4: Graphical representation of different elements in the Impact assessment

Annex 5: Methodological approach

1.Sources

2.Discount rate

3.Timeline

4.Baseline scenario

5.Estimation of costs of measures proposed

6.General take-up/participation scenarios

7.Specific assumptions used for measures on primary use of health data

7.1.Governance

7.2.Digital infrastructure

7.3.Data interoperability

7.4.Economic benefits

8.Specific assumptions used for measures on secondary use of health data

8.1.Governance

8.2.Digital infrastructure

8.3.Data interoperability and data quality

8.4.Economic benefits

9.Methodology and assumptions used for the evaluation of the Article 14 of the CBHC Directive (Annex 12)

Annex 6: Coherence with other legislative instruments

Annex 7: List of m-health and telehealth initiatives (legislation, frameworks and certification/labels)

Annex 8: Overview of the GDPR legal basis for processing health data for different purposes

Annex 9: Overview of national bodies dealing with secondary uses of health data

Annex 1: Procedural information

11. Lead DG, Decide Planning/CWP references

The legislative proposal on the European Health Data Space (EHDS) was prepared under the lead of the Directorate-General for Health and Food Safety. In the DECIDE Planning of the European Commission, the process is referred to under item PLAN/2020/870. The Commission Work Programme for 2021 includes a legislative action for a European Health Data Space.

22. Organisation and timing

An Inter-Service Steering Group (ISSG) assisted DG Health and Food Safety in the preparation of the Impact Assessment and legal proposal. It included Commission services of Directorate-Generals CNECT, JUST, GROW, JRC, TRADE, EMPL, MOVE, RTD, ECFIN, COMP, REGIO and REFORM, together with the Commission’s Legal Service and Secretariat General.

The ISSG met two times in March 2021 and October 2021. Moreover, the ISSG members have already been consulted regularly via formal written consultations and bilateral discussions. An Inception Impact Assessment was published on 23 December 2020 and was open to feedback from all stakeholders on the Better Regulation Portal for a period of 6 weeks. The public online consultation was launched on 3 May 2021 and closed on 26 July 2021.

The draft Impact Assessment report and all supporting documents were submitted to the Regulatory Scrutiny Board (RSB) on 26 October 2021, in view of a meeting on 24 November 2021. The RSB issued a negative opinion on 26 November 2021. After a re-submission of the Impact Assessment report on 21 December 2021, the RSB issued a positive opinion on 26 January 2022.

33. Consultation of the RSB

The Impact Assessment report was reviewed by the Regulatory Scrutiny Board. After the first submission, the RSB issued the following findings:

(1)The report is not clear on the coherence with other related initiatives.

(2)The justification of the legal basis is not sufficient and does not reflect the core objectives targeted by the initiative.

(3)The objectives regarding secondary use are not sufficiently specified in their scope. They are not sufficiently clear on the coherence and consistency with the legal principles on the extent of personal data use, set out in related initiatives.

(4)The report is not clear on the issue of data control and consent in the proposed options.

(5)The report does not sufficiently justify the combination of measures in the different options. It does not sufficiently explain the choice of the preferred option.

(6)The report is not clear on how the different groups of stakeholders will be affected by the proposal. Their views are not well reflected throughout the report.

The table below lists the changes in response to the recommendations of the RSB in its first opinion (negative opinion). Besides these modifications, targeted corrections and amendments have been included to address the technical comments provided by the RSB to DG SANTE.

Recommendations of the RSB	Modifications in the impact assessment report in response to the Board’s recommendations
(1) The report should clearly identify the gaps and overlaps with existing and planned initiatives, in particular the General Data Protection Regulation (GDPR), the Data Governance Act and the upcoming Data Act. Coherence with those initiatives should be ensured, in particular on the issues of the use of data for public purposes as well as data altruism, consent, portability and ownership. This is especially in relation to secondary uses and the creation of a single personal data driven market for digital health products and services.	The subsection on the Legal Context (1.3) has been amended and expanded on the provisions from the GDPR, Data Governance Act and Data Act that are relevant for the EHDS. Regarding the GDPR, the implications of portability and consent in health and the functioning of national Health Data Access Bodies have been further elaborated. Regarding the Data Governance Act, the way in which the EHDS would build upon and further specify the horizontal framework has been clarified. Regarding the Data Act, further discussions were held with DG CNECT on the interplay of the Data Act with the EHDS, and subsequently the main limitations of the Data Act (scope of portability and access conditions to data by public bodies) in relation to the use cases covered by the EHDS have been described. Additionally, the Description of the Policy Options (5.2) has been amended to take into account the adjustments concerning coherence with other legislative frameworks.
(2) The legal basis for this proposal should be better justified and linked to its main objectives. The report should clarify why Article 168(1) of the TFEU is not the main legal basis given that the proposal’s core objective is better healthcare for citizens, while Article 114 relates to establishment of a single market for digital health data that is more focused on the potential commercial exploitation of this data.	The justification for the choice of Articles 16 and 114 of the TFEU as the legal basis for the EHDS has been elaborated further in subsection 3.1, particularly in relation to Article 168(1) of the TFEU. The references to public health have been removed for consistency from the Objectives (Chapter 4) and to keep the focus on data protection and single market aspects. Targeted clarifications have been added throughout the text to explain that common legal basis for the reuse of health data in the EHDS is foreseen on grounds of public interest, scientific research and statistics, and regardless of the nature of the reuser (be this public or private). This approach is similar to that of existing Health Data Access Bodies such as Findata in Finland.
(3) The report should clarify the main objectives of the proposal, in particular related to the secondary use of health data. It should be explicit on the possible secondary uses of health data and which private and public markets would be affected. It should clarify how these uses would comply with the principles and objectives on data access, control and use, as outlined in related initiatives. In this respect, it should differentiate between use of health data for commercial purposes and use of health data for improving health care.	The subsection on the specific objective on secondary uses of health data (4.2.3) has been amended to include the specific main use cases that are foreseen under the EHDS (research, innovation, policy-making, regulatory activities) and key markets that would be most affected (healthcare services, digital health products, medical devices and medicinal products). Specific descriptions of the affected markets have been added to the subsection on the Socio-Economic Context (1.2), and the product markets targeted by measures on interoperability and other aspects have been specified in subsection 5.2. The size of the problems and the demand for interoperability has also been included in subsections 2.2 and 2.3, including figures where possible. As when addressing recommendation (2), targeted clarifications have been added throughout the text to explain that common legal basis for the reuse of health data in the EHDS is foreseen on grounds of public interest, scientific research and statistics, and regardless of the nature of the re-user (be this public or private). A detailed description of the existing national legislation on secondary use of health data has been included in the legal context 1.3.
(4) The proposed options should be clearer on the issue of consent on data use and data portability, as distinct from interoperability rules, especially with reference to the property and liability rules regimes that would apply.	The section 1.3 on legal context defines the control in the sense of GDPR, as well as the use of consent and law as a legal basis under GDPR. It also explains the right of access and portability, as well as the technical aspects that could support the sharing of data and enforcement of the interoperability. The section 1.1 on technological context provides an overview of interoperability needs. A new Annex (10) on interoperability has been added. The descriptions on the types of data describes the property regime (5.2.2.2).
(5) The report should assess whether it is possible that a different combination of measures would lead to a better result. It should justify each measure that appears in the preferred option and demonstrate that it contains the best performing combination.	A dimension-by-dimension analysis on the assessed options has been included (Annex 11) to support the comparison of options and justify the best performing combination of measures (Chapter 7). Two new options have been added in Chapter 5 containing variations of existing options (Option 2+ and Option 3+). Option 2+ is a variation of Option 2 with a mix of measures from Option 2 and 3 depending on the product category (EHR systems, digital health products that are medical devices and wellness applications) for ensuring minimum mandatory requirements for interoperability and other related aspects. Option 3 has been modified so that the tasks at EU level are assigned to an existing EU body, whereas Option 3+ considers the establishment of a new body. The economic assessment of the impacts has been amended accordingly (6.1), as well as the comparison of options (Chapter 7) and the description of the Preferred Option (Chapter 8).
(6) The report should provide justification for all assumptions used when estimating the costs and benefits and should acknowledge limitations and uncertainties in these estimates when proposing a best performing option. The report should be clearer on the costs and benefits for different groups of stakeholders.	The Methodological Approach (Annex 5) has been strengthened by adding justifications for the assumptions and references to the limitations and uncertainties of the estimates used in the assessment of the options. Footnotes have been included in the subsection on the Economic Impact (6.1) to clarify major assumptions, limitations and uncertainties. The distribution per stakeholder of total direct costs and benefits has been included in tabular format in the description of the Preferred Option (Chapter 8). The part on socio-economic context describes the size of the market that is being taken into account into the cost/benefit analysis of the policy options.
(7) The report should introduce the views of different stakeholder groups in the main report and explain how they affect the choice of the combination of measures in the preferred option. It should clarify and discuss the possible divergent views of stakeholders.	New references to the views of stakeholders have been introduced throughout the report, particularly in subsections 2.2 and. 2.3. A new subsection with the views of stakeholders has been added (subsection 5.2.3). Annex 2 and Annex 3 have been enriched.

After the second submission, noting that its previous recommendations have been addressed to a large extent, the RSB issued the following finding:

(1)The rationale for having a specific sectoral initiative on health data is not sufficiently explained.

(2)The difference between secondary use and data altruism is not clear and this leads to confusion in the different consent mechanisms.

(3)The report does not sufficiently reflect different stakeholder views.

The table below lists the changes in response to the recommendations of the RSB in its second opinion (positive opinion).

Recommendations of the RSB	Modifications in the impact assessment report in response to the Board’s recommendations
(1) The report should better explain the rationale behind having a sectoral initiative on health data, in particular whether this is due to its peculiarity and related security issues, and the reason why other horizontal initiatives like the Data Act may increase the risks of inappropriate use of health data.	Subsection 1.3.1 on the horizontal framework context for this initiative was amended in order to provide additional context and examples in relation to the limitations of horizontal legislations in addressing the specific challenges for the processing of health data. In particular, the added elements illustrate that the operational needs for the processing of health data are not properly met by horizontal initiatives and are fully addressed by this tailored sectoral legislation.
(2) The report should clarify what data altruism could add to secondary use of data. It should clarify the application of different consent mechanisms regarding data altruism and secondary use. It should explain better why another consent mechanism (opt-in) would be applied compared to opting-out for secondary use when no explicit individual consent is required.	The part on the opt-in opt-out mechanism as been removed from the document since consent was found not to be relevant to the proposal.
(3) The report should clarify if the benefits from data governance by Health Data Access Bodies are related to obtaining individual consent or rather originate from the need to safeguard the rights and freedoms of the data subjects when no explicit consent is required.	The role of Health Data Access Bodies in the data governance as providers of safeguards to the rights and freedoms of the data subjects has been further explained in Subsection 5.2.2.2.
(4) The report should better differentiate the stakeholder views throughout instead of providing majority views.	The views of the stakeholders, as they were expressed in the public consultation, have been more broadly been included in the different chapters of the impact assessment report to connect stakeholder views to the different policy options.

44. Evidence, sources and quality

This proposal is supported by a number of studies and background documents, in particular:

·A study on the assessment of the EU Member States’ rules on health data in the light of the General Data Protection Regulation 1 ,

·A study on the regulatory gaps to cross-border provision of digital health services and products, including artificial intelligence, and the evaluation of the existing framework for cross-border exchange of health data 2 ;

·A study supporting the impact assessment of policy options for an EU initiative on a European Health Data Space;

·A study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space (forthcoming);

·A study on the electronic health record interoperability in the European Union (MonitorEHR) 3 ;

·A study on the use of real-world data (RWD) for research, clinical care, regulatory decision making, health technology assessment, and policy making 4 ;

·A market study on telemedicine 5 ;

·The EDPS preliminary opinion on the EHDS 6 .

Annex 2: Stakeholder consultation

Different stakeholders have been consulted in different phases of the legislative process.

The consultation activities aimed at collecting the views of national public health, digital health and data protection authorities, healthcare providers, healthcare professionals, academic and research institutions, patient associations, economic actors and their professional associations (e.g. health technology industry, digital industry), consumer organisations, NGOs, trade unions and citizens. These stakeholder groups were expected to have important information and insights on:

·the achievements of the provisions on eHealth of the CBHC Directive, any implementation and application problems and their underlying causes and on possible ways forward and their impacts;

·how health data governance mechanisms and structures can best maximise the social and economic benefits of health data usage in the EU, as well as how digital health services and products and AI can deliver greater levels of accessibility, availability, sustainability and affordability of healthcare.

This section provides an overview of the consultation activities carried out as part of the Public Consultation, the Assessment of the EU Member States Rules on health data in light of GDPR, the Study on Health Data, Digital Health and Artificial Intelligence in Healthcare and the Study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space.

1.Public Consultation

The European Commission conducted a Public Consultation (PC) to gather the views of the public on an EU initiative for a EHDS. The purpose of the consultation was to inform the Commission’s work to support the impact assessment on the problems to be tackled, the policy options to be considered and their likely impacts. The consultation was open from 3 May 2021 to 26 July 2021 7 .

382 valid responses to the PC were received and of these respondents, 64 provided additional documentation. EU citizens were the most common type of stakeholders among respondents (26%), followed by non-governmental organisations (NGOs) (21%), academic/research institutions (14%), companies/business organisations (11%), business associations (8%), public authorities (5%), non-EU citizens (2%), trade unions (1%) and consumer organisations (1%). Respondents came from 23 EU Member States and 8 non-EU countries. The most represented country was Belgium 8 (19%), followed by Spain (11%), France (11%), Germany (11%) and Italy (8%).

On the question of fundamental rights, Member States’ positions are rather fragmented, also based on national practices, the status of national debate on the right to privacy and re-use of personal data. Some highlighted the importance of ethics in the re-use of secondary health data and noted that it was too early to determine whether the EHDS would improve privacy. If EHDS would simply be a tool linking already existing datasets, the security of personal data would not be affected. However, if it allowed researchers to access and analyse datasets, personal data security and privacy would be affected, and mechanisms preventing privacy breaches would need to be built into the EHDS’ infrastructure. They further noted that since EHDS2 concerns policy, which can impact the freedom of movement, it is indirectly related to the right of freedom of movement. Other Member States emphasized the need to stick to some key objectives first, with the focus primarily being on delivering trust to European citizens, which implies legislation ensuring data security, as well as a robust infrastructure. Member States expressed specific points with regard to the opt-in vs. opt-out approach to the secondary use of health data, and on the role of National Agencies/Authorities in authorising access. Some Member States advocated for a system where the patient could easily stop the sharing of their data at any time. Although an opt-out system would likely make more data available due to the effort it takes to opt out, it could generate criticism. To avoid unnecessary bureaucracy, no additional ethical clearance should be required when a researcher was already cleared by an ethics committee at his/her institution. A regionalised Member States considered that legislation regarding the authorization to access data should be done at Member State level, as the competences in those matters are currently national. The governance body may therefore have to apply different criteria depending on the Member State where the data come from.

The opinions of Member States on the possible characteristics of the EHDS were different as well. In the view of a federal Member State, it is important that the Member States keep in place their own legislation regarding the privacy of their citizens and that it is respected; legislation should be based on cultural ways of thinking as considers how citizens handle their data. However, EU guidelines or a general framework could be established. In this way, the national and EU legislations could complement each other and address cross-border issues particularly in times of crisis. Other Member States preferred a pluri-disciplinary approach on the main topics, as a wide range of competences will be needed. This involves discussing a clear strategy with all Member States, focusing both on a broad plan of action and technical operations. In Spain’s view, the current model for the governance of the eHealth Network is reasonable since consensus between the Member States is needed in the decision-making process.

Access and use of personal health data for healthcare

The most important objectives that respondents said a European framework on the access and exchange of personal health data should aim included:

·supporting and accelerating research in health (89%), with most support coming from industry (97%), academia (94%) and public authorities (88%)

·promoting citizens’ control over their own health data, including access to health data and transmission of their health data in electronic format (88%), with most support coming from consumer organisations (100%), industry (94%) and EU citizens (85%) and public authorities (93%). The lowest support for this objective is among trade unions (80%) and academic/research institutions (78%).

·facilitating the delivery of healthcare for citizens across borders (83%), with most support coming from consumer organisations (100%), industry (93%) and public authorities (77%)

The most contentious was the objective to promote private initiative. This is supported by industry (88%) and public authorities (63%) but there is less support amongst consumer organisations (67% said not at all) and NGO’s (31% support this objective).

Several rights were deemed important by respondents, including:

·the right to access one's health data in electronic format, including those stored by healthcare providers (public or private) (88%), with most support coming from consumer organisations (100%), NGO’s (94%), EU citizens (91%), companies (86%) trade unions (80%) and public authorities (81%) Lower support was recorded among business associations (74%)

·the right to transmit one's health data in electronic format to another professional/entity of one's choice (84%), with most support coming from consumer organisations (100%), NGO’s (89%) and industry (86%). 85% of EU citizens, 86% of companies and 75% of business associations, 75% of public authorities, 80% of research institutions and trade unions that participated in the public consultation also supported this right.

·the right to request healthcare providers to transmit one's health data in one's electronic health record (83%), with most support coming from consumer organisations (100%), NGO’s (90%) and EU citizens (82%)

·the right to request public healthcare providers to share electronically one's health data with other healthcare providers/entities of one's choice (82%), with most support coming from consumer organisations (100%), NGO’s (87%) and EU citizens (86%)

·60% of trade unions, 73% of companies, 75% of business associations, 71% of public authorities, 54% of EU citizens, 54% of non-EU citizens 61% of NGOs 64% of research institutions and only 25% of consumer organisations participating in the public consultation consider that healthcare professionals should have the right to access to patients’ digital health records and to data pertaining to the patient’s use of digital health products or services.

A more contentious question was regarding whether healthcare providers that fail to provide access to health data in an electronic format and to transmit it to a healthcare provider/entity of their choice are sanctioned or receive a specific fine. There is support for this question from consumer organisations (100%) and EU citizens (69%) but there is less support amongst companies (66%), business associations (46%), and public authorities (31%).

By far, the element that respondents considered the most appropriate for controlling access and sharing one’s health data with healthcare professionals was ensuring the infrastructure or personal digital storage for accessing the data are secure and prevent cyberattacks (90%). The options of accessing one's health data that is exchanged between health professionals or with other entities either:

·via a digital infrastructure (72% support), with most support coming from NGO’s (81%), public authorities (75) and industry (70%), with less support from consumer organisations (25%)

·or via an EU electronic infrastructure (69% support), with most support coming from NGO’s (77%), EU citizens (71%) and industry (70%), with less support from public authorities (43%)

The support for facilitating the cross-border delivery of healthcare should be one of the objectives of a European framework on the access and exchange of personal health data, according to 100% of consumer organisations, 93% of the companies, 84% of business associations, 77% of public authorities, 85% of NGOs, 84% of EU citizens, 82% of research institutions and 40% of trade unions. Most stakeholders found that the EHDS would bring benefits in terms of cross-border access to healthcare, with business associations, companies/business organisations and NGO’s being the most likely to say the impact would be high (76%, 79% and 77% respectively), compared with only 42% of public authorities, and academic/research institutions and EU citizens being the least likely. However, the communication concerning the infrastructure MyHealth@EU should be improved, as only 23% of EU citizens and 43% of non-EU citizens participating in the public consultation were aware about changes concerning data sharing cross border in order to ensure the continuity and access to safe and high-quality healthcare; this was the case for 53% of public authorities, 47% of companies and 50% of consumer organisations.

Regarding mandatory participation in an EU-level infrastructure MyHealth@EU, Member States have different views. Two Member States consider that waiting for perfect coordination of healthcare systems across the EU may take too long, as the differences are too great. Instead, the number of services delivered could be gradually increased over time as more countries connect and the services improve. The EU should therefore incentivise countries to improve their infrastructure, while making participation in the EHDS mandatory, since the directive’s objectives will otherwise never be met. According to the representative of these two Member States, a continuum of healthcare in the EU is necessary to achieve real mobility, and a clear link can be drawn between the EHDS and the EU Resilience and Recovery plans.

Respondents were also asked how standards and technical requirements (e.g. to support the exchange of data in healthcare or to ensure the interoperability of health data exchanges) should be made applicable at national level and across the EU. Overall, respondents believed appropriate measures would be either an access scheme managed by national bodies (a mandatory prior approval by a national authority; 39%) or a certification scheme granted by third parties (a mandatory independent assessment of the interoperability level; 37%) would be appropriate most.

Digital health services and products

Respondents were asked about how to ensure access to, and sharing of, health data nationally and across borders through digital health services and devices.

85% of the business associations participating in the public consultation and 89% of companies consider that EHDS should promote the use of digital health products and services by healthcare professional and citizens, while this opinion is shared by 74% of EU citizens, 76% of public authorities and only 33% of consumer organisations.

Support for minimum standards for tele-health equipments established at EU level reaches 100% among consumer organizations, 75% for trade unions 72% for NGO, 66% for EU citizen, 65% for public authorities, 64% for companies and 36% for business associations participating in the public consultation. Such support for protocols/rules for tele-health established at EU level reaches 75% among consumer organisations, 50% for trade unions, 70% for EU citizens, 65% for public authorities, 60% for research institutions, 59% among companies and business organisations and only 26% for the business associations participating in the public consultation.

Overall, a majority of respondents said that it would be useful if citizens were able to transmit the data from mHealth and telehealth into their electronic health records (77% overall, with most support coming from industry (97%), NGO’s (82%) and EU citizens (76%), public authorities (70%)), or, to a smaller extent, into the EU health data exchange infrastructure (67% overall, with most support coming from industry (88%), trade unions (80%) and NGO’s (71%)). A majority of respondents also said that it would be useful if healthcare professionals could request transmission of the data from prescribed apps and other digital health services into the electronic health records of the patient (68% overall, with most support coming from industry (81%), academia (72%) and NGO’s (71%), public authorities (70%)), or, to a lesser extent, if healthcare professionals had the right to access patients’ digital health records and data pertaining to the patient’s use of digital health products or services (62% overall, with most support coming from industry (75%), public authorities (71%) and academia (64%)).

Overall, respondents believed a certification scheme granted by third parties (a mandatory independent assessment of the interoperability level) (52% overall, with most support from EU citizens (61%) and trade unions (60%) and less support from public authorities (47%) and industry (39%)) would be most appropriate to foster the uptake of digital health products and services at national and EU level. A smaller proportion of respondents said an authorisation scheme managed by national bodies would be appropriate (43% overall, with most support from trade unions (80%), consumer organisations (75%) and less support from NGO’s (40%) and industry (12%)). The option of using a voluntary labelling scheme was the least popular, with least support from NGO’s (9%) and public authorities (18%).

Respondents believed that the most appropriate measure to support reimbursement decisions by national bodies would be a framework where EU funds support/top up cross-border digital health services that comply with interoperability standards and ensure patient control over their health data (71% overall, with most support coming from industry (80%), consumer organisations (75%) and NGO’s (75%)). EU guidelines for reimbursement of digital health products get a 100% support among consumer organisations, 54% among companies, 46% for EU citizens and only 18% for public authorities. Respondents said that other measures would also be appropriate, such as the use of an EU repository of digital health products and services assessed according to EU guidelines to aid national bodies to make reimbursement decisions, or a framework which facilitates reimbursement of all telehealth services (64% overall, with most support coming from consumer organisations (100%), trade unions (80%) and NGO’s (72%), and a more limited 49% support from public authorities).

Mutual recognition across EU for reimbursement purposes is supported by 100% of consumer organisations, 69% of NGOs63% of EU citizens, 75% of companies, 46% of business assoeciations, 36% of public authorities (a similar percentage of authorities opposing it) participating in the public consultation.

When inquired who would be the best suited to develop these standards and technical requirements at EU level to support exchange of data in healthcare, responses were mixed. 40% of respondents in the public consultation believed 'national digital health bodies cooperating at EU level' are best suited to develop standards and technical requirements at EU level to support the exchange of data in healthcare. More than a third of respondents (125 out of 363, 34%) said that 'an EU body' might instead be best suited to do this. There were some differences across stakeholder types, in particular between public authorities (71% in favour of national digital health bodies, and only 12% in favour of an EU body) and companies/business organisations (only 24% in favour of national digital health bodies, but 59% in favour of an EU body).

A relatively large proportion of respondents thought another type of body would be best suited to develop standards and technical requirements at EU level to support the exchange of data in healthcare (93 out of 363, 26%). Among these, some suggested that there should be a combination of both national digital health bodies and an EU body. Several mentioned they believed 'an EU body' might be best suited to develop standards and technical requirements at EU level to support the exchange of data in healthcare, but that this EU body should meet some requirements. For example, it should involve scientific experts with thorough knowledge of diseases, as well as representatives from patient organisations, Member States' national institutions, private sector consortia and academic institutes.

With regards to the costs of complying with standards, across the stakeholder groups, 62% of academic/research institutions and 53% of public authorities expected this cost impact to be high, compared with only 21% of business associations and 23% of companies/business organisations.

A large majority of respondents said they believed access to EU funds for digitalisation in healthcare by Member States should be conditional upon ensuring interoperability with electronic health records and national healthcare systems (81%). Only 8% disagreed, and the rest said they did not know.

Access and use of personal health data for research and innovation, policy-making and regulatory decision-making

Among Member States that participated in the public consultation, some upheld that legislation on data authorization should remain at country level, although it recognized a need for a European body to coordinate authorization with Member States, such that only one procedure would have to be taken by any research institution looking to access a dataset. Others would welcome the creation of a portal for accessing data at EU level, which would not host any data, but would hold the keys to all the datasets stored elsewhere. With the development of a common health data space, more Member States are also planning to set up a national data permit authority. A big Member State in the process of setting up a data access body agreed that having a clear mandate of EU data access rules would be very beneficial, and the EHDS should contain legislation compelling Member States to grant data to researchers in other EU countries. Moreover, algorithms should be trained across countries to ensure sufficient quantity and diversity of data.

Concerning the participation in the EU infrastructure on secondary use of data, the views of Member States were more heterogenous. Some Member States were in favour of mandatory participation in EHDS infrastructure for secondary use, but pointed out that it could also be optional in use, with a seal of quality reassuring citizens about their data’s use. Others underlined that, while some have made progress regarding the establishment of a health data authority, the situation in other Member States may be different as they may not have the same capacity to join. Therefore, making participation mandatory will not necessarily increase progress, and investments should be made into capacity building to bring all countries’ infrastructure to the same level. A federal Member State mentioned that a discussion should also take place on how to ensure that the right technical and organizational measures to ensure maximum data protection are being used while allowing maximum research.

Support decisions by policy-makers and regulators in health as an objective of a European framework on the access and exchange of personal health data should is supported completed or to a great extent by 82% of academic and research organisations, 80% of trade unions, 81% of companies and business associations, 83% of NGOs, 69% of EU citizens, 57% of non-EU citizens, 65% of public authorities and 50% of consumer organisations participation in the public consultation.

The objective of supporting and accelerating research in health is supported by 100% of consumer organisations and non-EU citizens, 83% of EU citizens, 97% of business associations, 95% of companies, 94% of research institutions, 88% of public authorities, 80% of trade unions and 90% of NGOs.

Promoting private initiatives (e.g. for innovation and commercial use) in digital health has received a more mixed support: 88% from business associations that participated in the open publc consultation, 79% of companies, 60% of trade unions, 29% of non EU citizens and 38% of EU citizens, 63% of public authorities, 47% of research institutions, 31% of NGO that participated in the public consultation. 67% of the consumer organisations that participated in the public consultation are against a European framework on the access and exchange of personal health data that would promote private initiatives (e.g. for innovation and commercial use).

Only a small proportion of respondents said a fee would facilitate the sharing of health data held by private stakeholders (20%), while many highlighted the limitations of using this incentive (e.g. difficult to manage, not stimulating enough to share data etc.) and a few said it would have a negative impact (e.g. potentially endangering patient interest by commercialising health data). A federal Member State also highlighted that no profit should be made from the data, however a fee system should control the amount of permissions to be granted to limit the burden on the system and support the sustainability of the system. Moreover, it would support the establishment of a transparency registry where all granted permissions would be published, and of a website showing how the data was used, to enhance public trust. Many respondents said that other types of incentives would facilitate the sharing of health data held by private stakeholders, such as: legal/mandatory obligations, and greater interoperability between systems, databases and registries or a more transparent system for sharing data.

The mechanism that respondents thought most appropriate to facilitate the access to health data for research, innovation, policy-making and regulatory decision was the mandatory appointment of a national body that authorises access to health data by third parties (55%) (deemed more appropriate than the voluntary appointment of such a body), followed by the use of a public body which collects the consent of individuals to share their health data for specified societal uses (“data altruism”) and manages their health data (47%).

Overall, respondents thought additional rules on conditions for access to health data for research, innovation, policy-making and regulatory decision would be needed at EU level, mainly for research purposes, and for policy and regulatory purposes (when asked about health data categories, format, eligibility and security).

The two options that respondents said were most appropriate in facilitating access to health data held by private stakeholders was to have access to health data granted by a national body (rather than by the data holder), either subject to the agreement of data subjects (most support from industry (57%), least support from public authorities (24%)), or in accordance with national law (most support from public authorities (65%), least support from industry (21%)). Only a small proportion of respondents said a fee would facilitate the sharing of health data held by private stakeholders (20%), while many highlighted the limitations of using this incentive (e.g. difficult to manage, not stimulating enough to share data etc.) and a few said it would have a negative impact (e.g. potentially endangering patient interest by commercialising health data). Many respondents said that other types of incentives would facilitate the sharing of health data held by private stakeholders, such as: legal/mandatory obligations, and greater interoperability between systems, databases and registries or a more transparent system for sharing data.

A large majority of respondents said an EU body could facilitate access to health data for research, innovation, policy making and regulatory decisions if it had a number of functions, the most important ones being: setting standards on interoperability together with national bodies dealing with secondary use of health data (87% overall, most support from consumer organisations (100%), NGO’s (92%) and industry (91%)); bringing together the national bodies dealing with secondary use of health data, for decisions in this area (79% overall, most support coming from consumer organisations (100%), NGO’s (89%) and trade unions (80%)); and facilitating cross-border queries to locate relevant datasets in collaboration with national bodies dealing with secondary use of health data (78% overall, most support coming from consumer organisations (100%), NGO’s (87%) and academia (84%)).

Overall, respondents believed the mandatory use of specific technical requirements and standards would be most useful to address interoperability and data quality issues for facilitating cross-border access to health data for research, innovation, policy-making and regulatory decision (67% overall, with most support coming from consumer organisations (100%), academia (82%) and least support from industry (48%)). A smaller proportion of respondents said using an audit, certification or access before participating in EHDS cross-border infrastructure would be appropriate (59% overall, most support coming from EU citizens (75%), consumer organisations (75%) and least support from industry (33%)).

Artificial Intelligence (AI) in healthcare

To facilitate the sharing and use of data sets for the development and testing of AI in healthcare, respondents recommended allowing access to health data by AI manufacturers for the development and testing of AI systems in a secure way (including compliance with GDPR rules), by bodies established within the EHDS (65% overall, with most support coming from industry (82%), trade unions (80%) and public authorities (70%) with least support from consumer organisations (25%)).

A majority of respondents believed the introduction of AI in healthcare is creating a new relationship between the AI system, the healthcare professional and the patient (69%). While some thought this relationship was positive (bringing positive changes such as acceleration and optimisation of care as well as the fostering of research and discoveries), others said this would have downsides (e.g. worsening the level of trust between physicians and patients, or decreasing patient confidence in the solutions proposed).

To ensure collaboration and education between AI developers and healthcare professionals, a large majority of respondents agreed that healthcare professionals and/or providers should demonstrate understanding of the potentials and limitations in using AI systems, including 66% of business associations, 89% of NGOs and 82% of public authorities

2.Assessment of the EU Member States Rules on health data in light of GDPR

The study 9 examined the rules governing the processing of health data, highlighting differences, identifying elements that might affect the cross border exchange of health data and examining potential for EU action to support health data use and reuse. The study was carried out between the end of 2019 and the beginning of 2021.

During the study, 5 workshops took place with Ministries of Health representatives, experts, stakeholder representatives and experts from national data protection offices 10 . A stakeholder survey was also carried out to cross validate and supplement the topics addressed and identified. In total, 543 persons responded to the online survey19% respondents were health professionals, 1% health insurers, 11% healthcare providers, 11% citizens, 15% patient organisations, 15% public administration, 20% scientific research and 1% others.

A number of legal and operational issues need to be addressed to ensure that European healthcare systems can make best possible use of health data. Variations in interpretation of GDPR has led to a fragmented approach which makes cross-border cooperation difficult. Only 52% of respondents consider that it is easy for a patient to access his/her medical records and 42% to obtain a portable copy of their medical record to take to another healthcare provider in the same country (even less, 28% when it comes to sharing with a healthcare provider in another country). 73% of consulted stakeholders believe that having health data in a personal data space or patient portal facilitates the transfer between healthcare providers. There is a high consensus (87%) that lack of data portability drives up costs through repeating testing and examination, slows down time to diagnosis and treatment (84%) and can limit the rights of Europeans to seek care in another EU country (79%). Low interoperability is considered the main cause for preventing data sharing for healthcare provision at national level by 70% of respondents and by 83% between EU countries. 81% of respondents considers that additional measures should be taken at EU level to enforce patients’ control over their own health data and portability of this data, including though legislation (84%).

81% of stakeholders consider that the use of different GDPR legal basis (consent, provision of care, public interest) make it difficult for health related data to be shared for public health purposes between EU countries, 76% agree that such sharing is hampered by differences in datasets and 70% believe that this is also made difficult by datasets scattered over many healthcare providers. 79% believe that epidemiological institutions should have easier and direct access to health data (and 71% for medicine agencies, medical devices and HTA bodies) and 85% consider that EU should support this (80% for medicine agencies, medical devices and HTA bodies). 75% of respondents are convinced that one should facilitate direct reporting of national and regional public health authorities to public health institutions dealing with epidemiological aspects, without going through a reporting cascade. 71% believe that one should set up an EU level system allowing patients to make data available for research without reference to a particular research project (data altruism) and the same percentage believe that such a data altruism system should be also used for pandemics. 71% of respondents believe that the time and interaction costs of gaining access to health data for research are high and 86% plea that EU should support the processing of health data for scientific or historical research or statistical purposes by legislation; 81% suggest that EU should promote the use of the same legal base of sharing health data for research purposes and provide EU level guidance on obtaining the consent from patients for sharing data (86%).

82% of respondents believe that EU should support Member States to put in place structures allowing for secondary use of health data for policy making and research, including by legislation. 79% support a single point of contact for the use of health data for research in all Member States and 80% believe that all single points should be linked at EU level, to support pan-European research. 70% consider that one single point of contact should also be set up at EU level, in addition to national ones. The support for data altruism (make patients data available without reference to a particular research project) is high (72%), for both national and EU level and 78% consider that EU should support Member States to set up structures for managing such systems (78%) or such governance should be set up at EU level (76%). With regards to infrastructure for secondary use of health data, 69% of respondents support a structure linking the one entry points/Health Data Access Bodies of different countries, other research infrastructures and data sources at EU level, slightly ahead of a structure intermediating access to health data (a body where a request for access to existing health data can be put forward and managed) (68%). 58% of respondents consider that such an infrastructure should be set up at the level of an EU agency, followed by an EU committee (43%). Only 4% consider that a common model for health data sharing has no added value.

Action at EU level is supported in several areas: anonymizing/pseudonymising health data (90%); use of open exchange formats (86%), data quality and reliability through the use of standards (90%), health related cybersecurity standards (89%), minimum datasets for data exchange (81%). When it comes to EU action, legislation (67%) is support more than Codes of Conduct put together by representatives of all relevant national authorities (59%) of by a board of stakeholders (59%).

The stakeholder consultations contributed to the identification of future EU level actions in the area of governance, legislation, support for digitalisation, interoperability and digital infrastructures.

3.Study on Health Data, Digital Health and Artificial Intelligence in Healthcare

The study, which was carried out between September 2020 and August 2021, provides evidence needed to enable informed policy making in the areas of digital health products and services, AI, the governance on the use of health data and the evaluation of Article 14 of the CBHC Directive.

The consultation activities included 28 interviews, 9 focus groups and 2 online surveys. Relevant stakeholders identified and contacted were eHealth Network members and coordinators of Joint Actions supporting the eHealth Network and the European Health Data Space; national bodies (Ministries of Health, eHealth agencies, National Medicines Agencies); EU institutions (European Commission, European Medicines Agency, ECDC); patients organisations; healthcare professionals organisations; organisations representing the industry (e.g. medical devices industry) and individual companies (digital industry, pharmaceutical industry, medical devices industry) as well as individual experts (scholars, researcher, etc.).

The stakeholders support measures in a number of areas, ranging from guidance on digital health services and products quality, interoperability, reimbursement, identification and authentication, digital literacy and skills. On primary use, stakeholders support mandating national digital health authorities with tasks to support cross-border provision of digital health and access to health data. In addition, they also support expansion of the services of MyHealth@EU. There is also support for giving patients the right to portability of their electronic health records in an interoperable format.

On secondary use, there is support for the introduction of a legal and governance framework, building on the establishment of Health Data Access Bodies in a number of Member States, with cooperation at EU level through a network or an advisory group. To reduce barriers, there would be support for specifications and standards.

4.Study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space 11

The study, which was carried out between April 2021 and December 2021, aims to present evidence-based insights that will support the impact assessment of options for a European digital health infrastructure. The study identifies, characterises and assesses options for a digital infrastructure, outlines cost-effectiveness, provides data on the expected impacts, both for the primary and the secondary use of health data.

A total of 18 interactive workshops were conducted covering 65 stakeholders who actively engage with health data usage. Their background varies from Ministries of Health, digital health authorities, National Contact Points for eHealth, health data research infrastructures, regulatory agencies, Health Data Access Bodies, healthcare providers, patients and advocacy groups.

In addition, a survey focusing on costs was developed, including questions related to the value, benefits, impact and cost of different options. The objective was to refine the principles and options that were identified during the study. The survey was targeting four stakeholder groups: National Contact Points for eHealth, Digital Health Authorities or Ministries of Health, Health Data Research Infrastructures and EU Health regulatory, surveillance or policy making agencies, and finally national Health Data Access Bodies or access bodies.

The stakeholder consultations were focused on gathered input regarding three key infrastructure options for the infrastructure for primary uses of health data, for secondary uses of health data and for a potential European Health Data Access Body (EHDAB). These options are depicted in the figure below.

Figure 1. Over of infrastructure options.

Option 1 considers extending the current infrastructure for primary uses of health data (MyHealth@EU) with capabilities to support secondary uses of health data. In the figure, the lower plane shows the network of NCPeHs in MyHealth@EU which would also connect Health Data Access Bodies 12 . While this option could facilitate the sustainability of MyHealth@EU, several stakeholders suggested against mixing given the complexity of mixing both networks (primary and secondary), as their functions are inherently different at national level (while NCPeHs act as gateways to synchronously transmit health data across Member States, Health Data Access Bodies have specific functions related to providing access to health data to third parties). Participants indicated that Option 1 is highly complex and possibly unrealistic due to different governance rules, technical requirements/solutions and use cases, and modes of access, privacy and data quality issues and lack of collaboration between NCPeHs and Health Data Access Bodies.

Option 2 considers directly connecting Health Data Access Bodies through a federated (distributed) network at EU level, which would facilitate communication and limit disruption in the existing infrastructure (MyHealth@EU) and would be the preferred option. A total of 45% participants in the consultations stated that Option 2 is the less complex of the three presented options. Specifically, it was considered ‘the most appropriate for public health’, ‘more desirable/preferrable’ and ‘the simpler,’ as it can be established with low deployment costs.

Option 3 would rely on the EHDAB as the central gateway to process multi-country requests and connect national Health Data Access Bodies at EU level. This third option would come at a substantial cost for the EU as it would require the deployment of heavyweight infrastructure centrally. Option 3 was recognised by 29% of participants as the most complex option, although 17% recognised that a European unified framework would reduce local heterogeneity and lead to a more 'harmonised' European digital health data environment with ‘the highest impact for the competitiveness of Europe in the data economy’. In order for this option to function, more regulation, structure and EU governance would be required.

This study also investigated the future development of MyHealth@EU. Regarding this, healthcare professionals attach high importance to services such as patient summaries, ePrescription and critical analysis. For patients, they attach high importance to all services allowing access and sharing of health data. For researchers and policy makers, they attach high importance to services facilitating access to health data for reuse.

Across all participants that took part in the workshops and survey, a total of 24 were asked about the potential implementation challenges they expect in relation to the three presented health infrastructure options. Out of these participants, 16 responded to this question. Overall, the data indicate that the implementation challenges depend on the exact functions and roles associated with each infrastructure option. The biggest challenges identified when attempting to specify a technological infrastructure ecosystem relate to:

·Interoperability: technical, data, and semantic barrier in the use of different classifications, code lists, terminologies and languages.

·Measures and information about quality in the data: data quality and validation are necessary.

·Leveraging existing projects and initiatives: the challenge would be to reuse existing infrastructures, services and structures.

·Legal barriers: variability between EU Member States in the implementation of GDPR, standards on health data sharing, data processing ethical use of data, data transfers.

A number of participants expressed the opinion that anonymised or pseudonymised data could be sufficient to enable health data reuse. However, there are cases where research may need access to identifiable and personal medical data, e.g. where linkages across databases is needed.

Interoperability and the use of common data models and standards are necessary for the reuse of data across datasets. On common data models, users were split between the development of a common data model with refined granularity, lightweight formats and models with clear semantics for data integration or a combined approach.

In relation to when data mapping should occur in the infrastructure, although ‘an upfront exercise would be useful if it is reliably implemented’, it is more realistic to trigger the mapping upon project authorisation or on demand. Mapping all data to the chosen common data model upfront might be complex and time-consuming due to the depth of the mapping and the evolving nature of study needs. Other participants explained that they foresee multiple complementary approaches, such as mapping to a common data model upfront and on-demand mapping as part of the project authorisation. In any case, the common model would need to be agreed upon.

Some participants explained that they expect the data alignment and mapping to be necessary for the research infrastructures working with different national datasets, while others foresee a mixed model with a small, core set of variables being aligned and mapped across Member States and data providers. Other stakeholders see an added value on the data alignment and mapping across Member States for comparability. A few participants expected the EHDS infrastructure to support analytics on identified data to validate/demonstrate the AI model quality. However, ‘ensuring quality would be a major effort’.

In terms of data storage provisions, participants showed preference for a mixed model as ‘the complexity of the data is pushing more towards a federated model where data can stay in place and the code tools can be deployed on co-located infrastructure’. Participants foresee data refreshes, where relevant, and at cases there is a need for both mechanisms but perhaps, as explained, there is no need for active tracking or monitoring for science use-cases.

Actors working on registries or national data access bodies mentioned interoperability as the main challenges, while stakeholders working in the research field and national data access bodies also flagged issues with the measurement and information about data quality. Advocacy groups also mentioned the importance of leveraging existing projects and initiatives, while health data research infrastructures, regulatory, surveillance and policy agencies mentioned legal barriers, such as variations in the implementation of GDPR.

5. Impact Assessment Study

The study, which was carried out between June 2021 and December 2021, aims to present evidence-based insights that will support the impact assessment of options for the EHDS. The study defines and assesses the overall policy options for the EHDS, building upon the evidence gathered in the previous studies.

The study analyses the results of the public consultation (see above), which was open between May and July 2021, and relies on desk research, targeted consultations and qualitative and quantitative analyses of collected data.

Annex 3: Who is affected and how?

51. Practical implications of the initiative

The planned legislative framework will have a range of practical implications for different stakeholders. In this section, the practical implications for patients, healthcare providers, digital health authorities, researchers and digital health industry are briefly addressed.

There is a wide variety of uses and reuses of health data by different stakeholders that the EHDS could support. Table 1 shows some examples of use cases by different stakeholders.

Table 1. Examples of use cases of use and reuse of health data by different stakeholders.

Stakeholders	Primary use of health data	Secondary use of health data
Patients/ citizens	Access to their health data online, including through mobile apps. Control over the use of their data, such as authorisation to access data or the transmission of health data to healthcare providers of their choice. Use of telehealth services and online pharmacies. Recording Patient Reported Outcomes to measure health and wellness outcomes of treatment.	Participation to research projects and clinical trials. Participation to patient communities and data cooperatives producing data in specific contexts, such as in connection with disease groups. Data altruism.
Healthcare professionals	Review of patient’s medical history from one or multiple sources, for planning healthcare delivery, ensuring continuity of care, patient safety and monitoring healthcare outcomes. Entry of relevant data for documenting healthcare encounters. Use of decision support systems. Dispensation of electronic prescriptions.	Individual healthcare delivery using data concerning other patients with comparable conditions.
Health researchers	n/a	Use of health data for the purposes of their research projects. Confirmation or reproduction of research outcomes. Reuse of data from previously conducted research projects.
Industry	n/a	Use of (aggregated) health data for research and development purposes (e.g. medicinal products, medical devices, AI algorithms).
Policy-makers	n/a	Analysis and improvement of quality and efficiency of healthcare processes. Planning of improvements in the organisation of the healthcare system, preparation of legislative reform.
Regulators	n/a	Carrying out regulatory activities based on real-world evidence (e.g. monitoring the long-term effects of medicinal products, beyond the data submitted by manufacturers in the context of authorisation).

The initiative will benefit patients, healthcare providers and researchers in a number of ways. Patients will have greater control over their health data, whenever and wherever they want, giving them greater autonomy and freedom to receive care wherever they are. They will be able to grant access to healthcare providers of their choice, giving greater control to patients. Healthcare providers will enjoy enhanced access to health data in an electronic, interoperable format. Healthcare providers will find that they spend less time copying data from different data sources in different formats, saving them a lot of time, thus improving healthcare systems efficiency. Researchers, innovators and policy makers will enjoy enhanced access to health data in a standardised format, with transparency on data quality and with an infrastructure supporting their needs.

Digital health authorities will work towards making their infrastructure and their solutions interoperable across borders. This has practical implications for the design and configuration of their work, which will be impacted by EU-level decision making (binding decision-making through delegated and implementing acts). The digital health authorities will work to expand the services of MyHealth@EU to cover a larger group of end-users. eID requirements will become mandatory and will require digital health authorities to introduce the necessary measures, making it possible to support an ecosystem of trust, where users of digital health solutions can safely grant access to health data.

Member States will be mandated to appoint a national health Data Access Body (DAB), working on the basis of the EHDS mandate and binding decision-making (delegated / implementing acts). Certain categories of health data will be made available through the EHDS legal base, which will make more health data available for re-use for researchers, policy makers, regulators and innovators. The NHDAB will become part of a mandatory federated European infrastructure. Data sources will be required to fulfil a mandatory data quality label and should support algorithm training and validation for certain user groups.

Through the services provided by the NHDABs, user groups such as researchers, policy-makers, regulators and innovators will have services at their disposal that will facilitate the development of innovative digital health solutions to better serve the needs of the healthcare systems and patients.

With more health data available for reuse, researchers will be able to better develop improved prevention, diagnosis and treatment services together with healthcare providers and industry. Regulators and policy-makers will have more health data available to build on real-world evidence to improve the functioning of the healthcare system. This will improve the health outcomes for patients and the public at large.

Digital health industry will find that the initiative creates a level playing field through standardisation and the promotion of interoperability across borders, which will promote the uptake of digital health software solutions across borders. The practical implications for industry are that they are able to prove their solutions are interoperable and meet common requirements, which will help make the solutions easier to use for end-users across borders.

62. Summary of costs and benefits

The figures cited in the tables below illustrate the costs under the preferred option in relation to its specific elements for different types of stakeholders. They are based on the assessment of costs and benefits as part of the study supporting this impact assessment, conducted by a consortium led by ICF. The overall methodology used in the study to estimate the baseline scenario, as well as the impacts of the policy options, are provided in Annex 5.

Table 2. Overview of Benefits for the Preferred Option (above the baseline and over 10 years).

I. Overview of Benefits (total for all provisions) – Preferred Option
Description	Amount	Comments
Direct benefits
Cost savings and efficiency gains in the healthcare sector	EUR 5.4 billion (EUR 58.9 saved per patient per year)	Savings stemming from higher uptake of telemedicine assuming traditional medicine costs EUR 68.9 per patient per year while only EUR 10 if using telemedicine
Cost savings in the cross-border provision of health services	EUR 173-232 million	Savings originating from faster deployment of cross-border ePrescription and medical imaging services through MyHealth@EU
Efficiency gains in accessing health data by researchers and innovators	EUR 0.8 billion	The use of real-world evidence in policy-making in health can yield substantial savings thanks to greater transparency of the effectiveness of medicinal products resulting in more efficient regulatory processes
Cost savings in the reuse of health data access	EUR 3.4 billion	Savings for researchers, innovators, regulators and policy-makers, originating from not having to reach directly the data subjects to further process their health data and from instead relying on access granted by national health data access bodies
Increased value of health data	EUR 1.2 billion	Value generated thanks to more intensive and extensive health data sharing supporting data-driven innovation and regulatory and policy-making processes in health
Indirect benefits
Contribution to the growth of the digital health and wellness applications markets	Faster growth expected at 20%-30% and 15%-20% per year, respectively
Reduction of non-dispensation rate for cross-border prescriptions	26%	Based on the estimate of the current non-dispensation rate (46%)
Availability of innovative medical products based on health data use and reuse	Non-quantifiable due to lack of data	Citizens, healthcare professionals and providers would be able to benefit from innovative medical products based on health data use and reuse

Table 3. Overview of costs for the Preferred Option (above the baseline).

II. Overview of costs – Preferred option
		One-off	Recurrent	One-off	Recurrent	One-off	Recurrent
Governance of the EHDS (including preparation of requirements, assessment frameworks and guidelines, both for primary and secondary uses of health data)	Concerned parties	National digital health authorities and the Commission (primary uses)		Health Data Access Bodies and the Commission (secondary uses)
	Direct costs	-	EUR 1.3-2.0 million/year	-	EUR 1.3-2.0 million/year EUR 1.0-3.0 million/year invested for actions promoting interoperability, data altruism and the development of AI in health
	Indirect costs	-	-	-	-
Establishment and operation of health data access bodies	Concerned parties	Member States’ authorities
	Direct costs	EUR 1-3 million for each health data access body (not considering secure clouds and infrastructure, which may be shared with other bodies under Article 7 of the DGA)	EUR 0.5-1.5 million/year for each health data access body
	Indirect costs	-	-
Expansion of the EU infrastructure for primary uses of health data (MyHealth@EU)	Concerned parties	National digital health authorities and European Commission
	Direct costs	EUR 0.8-2.5 million for the deployment of each new NCPeH (for new Member States only; shared) EUR 0.3-1.0 million for the implementation of each new service for at a NCPeH (shared)	EUR 0.5-1 million for the maintenance of each MyHealth@EU generic service EUR 7 million for the central services of MyHealth@EU (Commission only)
	Indirect costs	-	-	-	-
Mandatory third-party certification for EHR systems	Concerned parties	Citizens, healthcare professionals/providers		Digital health products manufacturers obtaining the label		Digital health authorities
	Direct costs	-	-	EUR 20,000-50,000	(Recertification estimated at 80% of certification cost every 5 years)	-	Monitoring of market and guidance on label (included in governance costs)
	Indirect costs	-	-	-	-	-	-
Mandatory third-party certification for digital health products (medical devices feeding into EHRs)	Concerned parties	Citizens, healthcare professionals/providers		Digital health products manufacturers obtaining the label		Digital health authorities
	Direct costs	-	-	EUR 20,000-50,000	(Recertification estimated at 80% of certification cost every 5 years)	-	Monitoring of market and guidance on label (included in governance costs)
	Indirect costs	-	-	-	-	-	-
Voluntary self-declared quality label for wellness applications	Concerned parties	Citizens, healthcare professionals/providers		Mobile wellness applications developers obtaining the label		Digital health authorities
	Direct costs	-	-	EUR 1,500-3,000	Non-quantifiablecosts due to lack of data	-	Monitoring of market (non-quantifiable) Guidance on label (included in governance costs)
	Indirect costs	-	-	-	-	-	-
Development and deployment of the EU infrastructure for secondary uses of health data	Concerned parties	Health Data Access Bodies		European Commission
	Direct costs	EUR 0.8-2.8 million for the deployment of infrastructure required per data access body to connect to the EHDS infrastructure	EUR 0.2-0.8 million for yearly maintenance	EUR 3 million for the deployment of a node for an EU body EUR 25 million for the deployment of central services	EUR 6-7 million for the maintenance for central services and nodes of EU bodies
	Indirect costs	-	-	-	-
Data quality label	Concerned parties	Data holders		Health data access bodies		Data reusers
	Direct costs	EUR 7,000-17,000 for obtaining the data quality label	-	-	Monitoring and enforcement costs (non-quantifiable due to lack of information)	-	Increased costs in data access due to increased data quality (non-quantifiable due to lack of information)
	Indirect costs	-	-	-	-	-	-

Table 4. Costs, benefits and benefit-cost ratio for the considered policy options (costs and benefits are shown in EUR billion, except for the ratio; costs and benefits for the policy options shown as above the baseline; in order to maximise the possible range of costs-benefit ration, this was calculated by dividing the lower bound benefit by upper bound costs and of higher bound benefit by lower bound costs).

		Costs	Benefits	Benefit-Cost ratio
Policy Option 1	Primary uses	(+) 0.1-0.3	(+) 0.4-0.5	1.4-5.1
	Secondary uses	(+) 0.3-0.5	(+) 2.8	5.3-9.5
	Total	(+) 0.4-0.9	(+) 3.3	3.8-8.5
Policy Option 2	Primary uses	(+) 0.2-1.2	(+) 5.5-5.6	4.7-30.2
	Secondary uses	(+) 0.4-0.7	(+) 5.4	7.3-15.4
	Total	(+) 0.5-1.9	(+) 11.0	5.7-20.5
Policy Option 2+ (certification for EHRs and digital health products/ services; voluntary labelling for mobile wellness applications)	Primary uses	(+) 0.3-1.8	(+) 5.5-5.6	3.1-17.0
	Secondary uses	(+) 0.4-0.7	(+) 5.4	7.3-15.4
	Total	(+) 0.7-2.6	(+) 11.0	4.3-16.2
Policy Option 3 (EU governance by existing EU body)	Primary uses	(+) 0.7-3.1	(+) 5.5-5.6	1.8-8.5
	Secondary uses	(+) 0.5-1.0	(+) 6.1	5.9-11.3
	Total	(+) 1.2-4.1	(+) 11.6-11.7	2.9-9.8
Policy Option 3+ (EU governance by new EU body)	Primary uses	(+) 0.9-3.4	(+) 5.5-5.6	1.7-5.9
	Secondary uses	(+) 0.5-1.0	(+) 6.1	5.9-11.3
	Total	(+) 1.5-4.4	(+) 11.6-11.7	2.7-7.9

Annex 4: Graphical representation of different elements in the Impact assessment 13

Figure 2. User perspectives on the use and reuse of health data.

Figure 3. Overview of problems.

Figure 4. Preferred option for primary use of health data.

Figure 5. Preferred option for secondary use.

Figure 6. Federated infrastructure architecture for the EHDS for primary uses of health data (MyHealth@EU) (same architecture for all policy options).

Figure 7. Federated infrastructure architecture for the EHDS for secondary uses of health data (Policy Option 2).

Figure 8. Centralised infrastructure architecture for the EHDS for secondary uses of health data (Policy Option 3).

Annex 5: Methodological approach

This section presents the methodological approach used in this impact assessment, including the general approach used in the study supporting this impact assessment. The body of the text of this impact assessment provides complementary information, where necessary, particularly in the footnotes.

71. Sources

The assessment of the costs was carried out using multiple sources and triangulating data when possible. The main sources used have been:

Ÿdesk research;

Ÿinterviews with stakeholders from national authorities in four Member States (Belgium, France, Germany, Slovakia);

Ÿinformation from stakeholders’ workshops organised as part of related European Commission activities and initiatives;

Ÿdata from other relevant and still ongoing studies commissioned by DG SANTE; and

Ÿresults of the Public Consultation as relevant.

82. Discount rate

A 3% social discount rate was applied. Monetary results are expressed in current prices.

93. Timeline

All figures are provided over 10 years from entry into force, as net present value, unless specified otherwise.

104. Baseline scenario

The baseline scenario defines the expected evolution of the primary and secondary uses of health data in the EU (and the problems of concern within it) in the absence of additional EU intervention.

For both primary and secondary data, a baseline scenario was established to understand which Member States already implement measures in line with what is proposed under each measure for primary and secondary data. This analysis allows for the identification of those countries for which the EU proposals will require larger adjustments (e.g. creating structures and policies ex-novo), and of those countries for which the EU proposals will require adjustments of measures already in place.

The following information was mapped for all Member States, as these are considered relevant predictors of the preparedness of Member States to implement the EU proposals:

Ÿparticipation in the eHDSI by 2025;

Ÿdeployment of EHRs and data personal spaces;

Ÿexistence of labelling/certification mechanisms for digital healthcare services and products and the costs for this; and

Ÿexistence of governance and digital infrastructure for regulating secondary access to health data.

This mapping exercise was also used to collect available data on the costs of such national measures, to be used in the estimation of the likely costs of the measures proposed for the different categories of stakeholders concerned.

The baseline scenario also considers that the estimated governance framework, including potentially two joint actions, would cover for the staff costs (for Member States and the Commission) of twice-a-year 1-day general meetings and operational meetings of 1.5 hours, on top of the joint actions. This estimate for the governance framework in the baseline relies on the experience of the eHealth Network. Normally, two physical meetings of the eHealth Network and semantic and technical subgroups would be organised yearly. These are complemented with online meetings (which reached 300 meetings during March 2020 and September 2021, to deal with COVID-19, although the normal activity is expected to be less intensive). Here, the participation was counted involving 30 Member States and online meetings of 1-1.5 hours. The work of the eHealth Network is complemented with joint actions to support specific cooperation activities, and this would be expected to continue in the future.

Based on the information provided by Member States (e.g. regarding their deployment roadmap for cross-border services), the expectation is that, within baseline, by the end of 10 years period, all Member States will have a National Contact Point for eHealth and digital services for the exchange of patient summaries and ePrescriptions. However, based on the same information, the expectation is that only around 20 Member States would allow their patients and healthcare professionals to share or have access to laboratory results, images and image reports, discharge reports within the same 10 year period.

The benefits originating from cross-border ePrescriptions are calculated on the basis of the methodology used for the 2012 impact assessment for the Commission Implementing Directive on the recognition of medical prescriptions issued in another Member State 14 . This methodology allows for capturing the cost of non-dispensation of a cross-border prescription (in the form of a visit to a local General Practitioner), as well as to identify the potential benefit of rolling out cross-border digital health services.

Results from the study supporting the evaluation of the CBHC Directive, which includes a repeat study of the cross-border prescriptions use case, suggest that 7.8 million cross-border prescriptions are presented for dispensation per year in EU, with a non-dispensation rate of 46%, which is down from the estimated 55% non-dispensation rate in 2012. The key problem drivers for non-dispensation include veryfying prescription, veryfying prescribing doctor, language, insufficient information, correct drug/device and alternative drug/device. One important limitation of the calculation of the non-dispensation rate in 2021 (46%) and the reasons for non-prescription is that it originates from a survey with a low response rate of 158 pharmacists across 5 countries, which was extrapolated to the whole of the EU.

The cross-border exchange service of ePrescriptions through MyHealth@EU would solve authentication and language barrier issues. To calculate the cost of non-dispensation, it is assumed that an individual would need to visit a local GP to obtain a local prescription. The cost for visiting a local GP is estimated at EUR 65.77, based on a population-weighted extrapolation of the outpatient/ambulatory activity (2.6 billion consultations per year) and the total general outpatient curative and specialised outpatient curative care cost (EUR 132.5 billion, from Eurostat). The adoption timeline is based on input collected from Member States.

The benefits originating from cross-border interoperability of medical images are calculated as potential savings in the use of medical imaging machinery (Computed Tomography Scanners, Magnetic Resonance Imaging Units, PET scanners). For that purpose, the number of examinations using medical imaging techniques in the EU (97.7 million examinations, based on a population-weighted extrapolation from the total reported in Eurostat) was multiplied by the estimated cost for the UK (GBP 94, GBP 173 and GBP 270, respectively 15 ), and corrected for the proportion of examinations of non-residents across the EU using the proportion of non-residents among all hospital discharges as a proxy (population-weighted average: 0.63%; based on Eurostat data). There is very limited data available on the estimated costs of examinations involving imaging technology in the EU. While the UK is no longer an EU member, the costs available for the UK are considered a useful proxy for the EU.

The amount of duplications/waste is considered between 4% and 16% based on data reported for The Netherlands and Germany, respectively 16 , which was used to calculate the lower and upper bounds. The absence of precise and up-to-date data on waste in health and the potential contribution of interoperability to solving this problem is a source of uncertainty. However, the duplication/waste rates (4% and 16%), although estimated originally in 2007, are thought to be conservative given that several studies published in the last 5 years have estimated overall wasteful spending as 20% of total spending 17 . Moreover, OECD estimates that around a fifth of health care expenditure across the OECD countries (around USD 1.3 trillion annually) is wasteful (such as the unnecessary duplication of diagnostic tests or services, avoidable hospitalisations, inappropriate care, and other inefficiencies within clinical, operational, and administrative activities), i.e. it is not used to generate better health, and sometimes even harms health 18 .

For estimating the investments needed at national level for interoperability of the data domains included in the European Electronic Health Record exchange format (ePrescriptions, patient summaries, medical images, laboratory results and discharge letters), of original clinical documents and for the access of patients to their health data, the digital health service availability at national level was used as gathered by Thiel et al. The estimated average cost to introduce nationally a digital health service for a data domain that is in scope of MyHealth@EU is between EUR 50 and 150 million. This is based on estimates reported by Member States (e.g. a large-sized Member State reported the need for EUR 100-200 million for national deployment of digital health services in the scope of MyHealth@EU), and a mapping of the deployment roadmap by Member States of the MyHealth@EU services. There is little visibility currently of the national investment requirements for the deployment of MyHealth@EU services nationally, and this uncertainty is reflected in the wide range between the estimated lower (EUR 3 billion) and upper bounds (EUR 9 billion).

115. Estimation of costs of measures proposed

The mapping exercise of Member State preparedness revealed a low availability of detailed information to be used for the estimation of the costs of the measures considered in this impact assessment. Specifics on costs and structures applicable to the estimation exercise were available only for a very limited number of Member States (the most advanced ones).

It was thus decided to use the mapping exercise to build clusters of countries which had similar developments in digital healthcare which could then be used to estimate the likely extent of the costs associated with implementing the different measures proposed. In detail, the following dimensions were used to define the clusters:

ŸHealth expenditure as a share of GDP (dataset from Eurostat 19 ), as a proxy for the size of the heath sector in the country and the existing development of digital health products and services (as it is considered that part of the health expenditure would be for the EHRs, telehealth and m-health).

ŸIndex of development of cross-border public services (from the annual eGovernment benchmark 20 ), as a proxy of the development of the digital infrastructure necessary to implement the measures considered by the impact assessment. It was not possible to use more specific indices, as those measuring the IT infrastructure are not up-to-date (e.g. the ITU index has been under revision since 2018 21 ), and the Digital Health Index recently created by the WHO 22 only covers 22 countries (only one in the EU).

ŸExistence (already operational or under development) of a Health Data Access Body 23 , as a proxy for how advanced countries are in relation to the secondary use of data.

The combination of these indicators allowed for the identification of three clusters. The first cluster (Cluster A) includes countries above the EU average in both indices, and with an existing or soon-to-be created Health Data Access Body. The second cluster (Cluster B) includes countries above the EU average in only one of the indices, and with no (or a soon-to-be created) Health Data Access Body. Finally, the third cluster (Cluster C) includes countries below the EU average in both indices, and with no Health Data Access Body.

The clusters were thus used to provide some granularity to the estimation of costs for national authorities, manufacturers, dataset owners and researchers in the Member States. The clusters were considered to be predictors of the effort and costs necessary for Member States to implement the measures considered by the impact assessment. Countries in Cluster A are more advanced and likely to require less effort, while countries in Cluster B are likely to require more effort (and incur higher costs), and countries in Cluster C even higher effort and costs.

Available information on costs concerned Member States in Cluster A. Such data was then use as a proxy for the basic estimation, to be adjusted for each cluster to account for the level of effort required.

The table below provides an overview of the composition of the clusters and the basis assumptions used to estimate the efforts and costs.

Table 5. Clusters of Member States used for cost estimation

Cluster	Cluster A	Cluster B	Cluster C
Number of MSs	8	10	9
MSs	AT, BE, DK, FI, FR, DE, NL, SW	CY, EE, IE, IT, LV, LU, MT, PT, SL, ES	BG, HR, CZ, GR, HU, LT, PL, RO, SK
Assumption of costs	80%-90% of basic estimation	110%-120% of basic estimation	130%-150% of basic estimation

126. General take-up/participation scenarios

It was also considered that the implementation of the measures analysed in this impact assessment would follow different ‘paths’, depending on their nature (i.e. voluntary vs. mandatory), the interest towards the domain (especially in the case of voluntary measures), the level of investment and time needed to be ready for implementation (the implementation of eHDSI, with the progressive participation of Member States over time, provided an example), the existing level of governance and infrastructure necessary to support the implementation.

Where insufficient information exists for the estimation of adoption and participation, Member States were clustered into 3 groups (Clusters A, B, and C) 24 . While Member States in Cluster A and, to a lesser extent, Cluster B were considered likely to participate in voluntary measures from the beginning or early-on following their introduction, this was considered more difficult for countries in Cluster C.

As a result, the study generated take-up/participation scenarios to account for the number of Member States likely to implement voluntary measures, and the rate at which Member States from different clusters are likely to be ready to deploy the measures (either voluntary or mandatory).

The first scenario (low participation) considers that only up to 20 Member States are likely to implement some voluntary measures proposed over the 10-year period considered, either because the investments necessary are deemed too expensive in relation to the likely benefits, and/or because the measures are considered to interfere with national prerogatives.

The second scenario (medium participation) considers that up to 25 Member States are likely to implement some voluntary measures proposed over the 10-year period considered.

Finally, the third scenario (high participation) considers that all 27 Member States are likely to implement some voluntary measures proposed over the 10-year period considered.

The table below provides an overview of the estimated take-up/participation rate over the 10-year period considered under the three scenarios.

Table 6 – Take-up/participation scenarios used for cost estimation

N. MSs	Year 1	Year 2	Year 3	Year 4	Year 5	Year 6	Year 7	Year 8	Year 9	Year 10
Scenario 1 – low participation
Cluster A	8	8	8	8	8	8	8	8	8	8
Cluster B	2	3	4	5	7	8	9	10	10	10
Custer C									1	2
Scenario 2 – medium participation
Cluster A	8	8	8	8	8	8	8	8	8	8
Cluster B	4	6	7	8	9	10	10	10	10	10
Custer C						1	2	3	5	7
Scenario 3 – high participation
Cluster A	8	8	8	8	8	8	8	8	8	8
Cluster B	4	6	7	8	9	10	10	10	10	10
Cluster C					1	2	4	6	8	9

137. Specific assumptions used for measures on primary use of health data

147.1. Governance

Governance costs are to be incurred by the Commission and Member States.

Costs for the Commission are estimated using the available information on existing related to similar initiatives as a proxy. In more details:

·In the case of measure Policy Option 1 (strengthened eHealth Network), cost estimations are based on the current EU funding of the eHealth Network, increased to reflect the mandatory participation of all Member States and the broadened scope of their work.

·In case of measure Policy Option 2 (Expert Group on Digital Health), costs estimations are based on costs information available on other expert groups organised and coordinated by DG SANTE, and used by ICF in other recent impact assessments for DG SANTE. On this basis, up to 4 FTE were considered to be needed for the participation in the Expert Group on Digital Health.

·In case of measure Policy Option 3 (new task given to an existing EU Body), costs estimations are based on the size of the team working on digital health at DG SANTE (10-12 FTE). On this basis, the costs are assumed to be equal to 12 FTE over 10 years.

·In case of measure Policy Option 3+ (new EU Body), cost estimations are based on information available on the budget for European Labour Authority, a recently created agency assisting national authorities to help ensure that EU rules on labour mobility and social security coordination are enforced consistently, which is used as a proxy 25 .

Costs for Member States are estimated using the same approach, i.e. using available information on the governance costs for similar initiatives as a proxy. In more details:

·In the case of measure Policy Option 1 (strengthened eHealth Network), cost estimations are based on the current EU funding of the eHealth network, increased to reflect the mandatory participation of all Member States and the broadened scope of their work.

·In case of measure Policy Option 2 (Expert Group on Digital Health) and Policy Option 3 (new task given to an existing EU Body), costs estimations are based on costs information available on other expert groups organised and coordinated by DG SANTE, and the related activities and costs of participating Member States (e.g. preparatory work for meetings, participation to technical groups, etc.);

·In case of measure Policy Option 3+ (new EU Body), costs estimations are based on information available on the costs for Member States in the case of supporting the work of an EU body such as the EDPB, used as a proxy.

157.2. Digital infrastructure

The costs for MyHealth@EU are estimated taking in consideration the experience of the deployment of National Contact Points for eHealth (NCPeH) and additional cross-border digital health services (for patient summaries and ePrescriptions) for the first 6 years (2016-2021) of deployment and operation of this infrastructure. The services portfolio for MyHealth@EU includes the exchange of patient summaries ajd ePrescriptions currently and, in the future, medical images, discharge letters and reports and laboratory results, and original clinical documents (plus patients’ access to health data in Policy Options 1, 2 and 3).

The total costs include the initial investment phase (set-up) and maintenance phase (operation). These estimates are based on expected timelines for the deployment of new NCPeHs in Member States, as reported by the relevant experts, and new digital health services in MyHealth@EU, according to each policy option, e.g. while in Policy Option 1 the assumptions is that all Member States would have a NCPeH established but not all services deployed within 10 years, Policy Option 3 imposes a requirement for all Member States to have all MyHealth@EU services in operation by Year 3. Policy Option 2 sets out a faster adoption scenario than in Policy Option 1, with patient summaries and ePrescriptions becoming mandatory in Year 3, and the rest of data domains by Year 6. While these adoption scenarios are based on the best available information, one key limitation is that these adoption scenarios are dependent on future political decisions and, therefore, there is limited certainty.

The cost estimation per service is an extrapolation of costs incurred by Member States in the deployment and maintenance of existing services gathered through a survey with Member State experts and validated internally. These costs entail: the expenditure for central services, calculated based on the incurred costs by the Commission (between EUR 4-7 million/year); costs for Member States, based on previous financing from Connecting Europe Facility (CEF) and inputs of Member States. On average, the costs are: EUR 1 million for the implementation of each service (Patient Summary, ePrescription, images, laboratory results, discharge reports and access of patients to their health data in a foreign language) and between EUR 0.3-1 million/NCPeH/year for maintaining the services and to upgrade the existing services to the new requirements. In absence of detailed information on associated costs, costs related to audits of new NCPeHs, project management, etc. are added as 10% of maintenance and implementation costs.

The detailed implementation costs for each service are estimated as follows:

-Implementation of initial services (including the deployment of the NCPeH and Patient Summaries and ePrescriptions): EUR 0.8 million to EUR 2.5 million;

-Implementation of Original Clinical Documents: EUR 0.8 million to EUR 2.5 million;

-Implementation of Structured Laboratory reports: EUR 0.3 million to EUR 1.0 million;

-Implementation of the Structured Hospital Discharge Letters: EUR 0.5 million to EUR 1.5 million;

-Implementation of the Structured Medical Images and Reports: EUR 0.3 million to EUR 1.0 million;

The above described reference values were used as assumptions to estimate the necessary investment in digital infrastructures and adjusted according to the intensity of the different policy options.

The total cost over 10 years for MyHealth@EU varies according to the intensity of the policy options. For Option 1, costs are distributed along the 10 year period, with Member States gradually adopting more services. For Options 2 and 3, due to the mandatory nature of the interventions, costs tend to accumulate in the first 5 years of these intervention. In particular in Option 3 where all the services become available in all countries by the Year 3. Hence, the costs peak in the first years of the initiative while the remaining years are dedicated to maintenance.

For estimating the total cost of rolling out the necessary digital infrastructure, the digital health service availability nationally gathered by Thiel et al. (2021) was used as a reference.

167.3. Data interoperability

Measures for data interoperability in the case of primary use of health data include provisions on cross-border exchanges falling within EEHRxF, quality labels for digital health products and services and framework for assessment of wellness mobile applications.

The costs for the Commission and Member States are estimated to account for their role in the design and definition of implementation of policies and implementing measures for the provisions listed above. Measures for data interoperability are expected to generate costs for manufacturers of digital health products and services. Some key assumptions include:

-The estimated costs for self-declared labels for EHR sytems, digital health products (Policy Option 1 and 2) are EUR 9,000-32,000 (EUR 1,500-3,000 for wellness applications). The overall amount is derived from the costs of the German DiGA system. One important limitation is that these costs do not include any cost of adaptation of the product to the requirements of the label, but rather the preparatory work by the manufacturer for the self-declaration.

-The estimated costs for third-party certification for EHR sytems, digital health products and wellness applications (Policy Option 3) are EUR 20,000-50,000. Similarly, the same limitation applies: these costs do not include any cost of adaptation of the product to the requirements of the certification.

The table below shows the modelling assumptions for the calculation of costs for labelling and certification for each option. In the cases where labelling/certification is voluntary, a base year (Year 1) volume is estimated on the number of products labelled/certified within the French and German systems (DiGA). In the cases where labelling/certification is mandatory, a linear growth is assumed until full market coverage is reached in Year 5, which could mark the end of a possible transition period.

Table 7. Modelling assumptions for the calculation of costs for labelling and certification for each option.

	Option 1	Option 2	Option 2+	Option 3 (same for Option 3+)
EHR systems	Voluntary self-declared label	Mandatory self-declared label	Mandatory third-party certification	Mandatory third-party certification
	Base year 1: 8-12 products for Cluster 1 MSs, 5-9 for Cluster 2 MSs, 3-5 for Cluster 3 MSs, i.e. about 86 to 140 in year 1	Estimated market size: 4,000-5,000 products	Estimated market size: 4,000-5,000 products	Estimated market size: 4,000-5,000 products
	Gradual market coverage with 10-15% yearly market growth	Full market coverage by Year 5	Full market coverage by Year 5	Full market coverage by Year 5
	Cost per label: EUR 9,000-32,000	Cost per label: EUR 9,000-32,000	Cost per certification: EUR 20,000- 50,000	Cost per certification: EUR 20,000- 50,000
Digital health products (medical devices)	Voluntary self-declared label	Mandatory self-declared label	Mandatory third-party certification	Mandatory third-party certification
	Base year 1: 8-12 products for Cluster 1 MSs, 5-9 for Cluster 2 MSs, 3-5 for Cluster 3 MSs, i.e. about 86 to 140 in year 1	Estimated market size: 5,000-20,000 products	Estimated market size: 5,000-20,000 products	Estimated market size: 5,000-20,000 products
	Gradual market coverage with 10-15% yearly coverage growth	Full market coverage by Year 5	Full market coverage by Year 5	Full market coverage by Year 5
	Cost per label: EUR 9,000-32,000	Cost per label: EUR 9,000-32,000	Cost per certification: EUR 20,000- 50,000	Cost per certification: EUR 20,000- 50,000
Wellness applications (not medical devices)	Voluntary self-declared label	Voluntary self-declared label	Voluntary self-declared label	Mandatory third-party certification
	Base year 1: 60% of volume of digital health products	Base year 1: 8-12 products for Cluster 1 MSs, 5-9 for Cluster 2 MSs, 3-5 for Cluster 3 MSs, i.e. about 86 to 140 in year 1	Base year 1: 8-12 products for Cluster 1 MSs, 5-9 for Cluster 2 MSs, 3-5 for Cluster 3 MSs, i.e. about 86 to 140 in year 1	Estimated market size: 20,000 products
	Gradual market coverage with 5-10% yearly market growth	Gradual market coverage with 5-10% yearly market growth	Gradual market coverage with 5-10% yearly market growth	Full market coverage by Year 5
	Cost per label: EUR 9,000-32,000	Cost per label: EUR 9,000-32,000	Cost per label: EUR 9,000-32,000	Cost per certification: EUR 20,000- 50,000

The implementation costs for the label and assessment schemes are estimated using the information available on the fees charged by national authorities in the application of the DiGA system in Germany 26 . In particular, the fees charged by authorities are used as a proxy for the costs necessary for the labelling/certification body to process the documentation submitted. Manufacturers are estimated to incur into similar internal costs to prepare for the labelling/certification scheme, which is confirmed by the quantification of labelling/certification costs used recently in the Impact Assessment for the Digital Governance Act 27 .

For estimating the cost of developing and maintaining a product database at EU level, the yearly costs of EUDAMED were taken as a reference, as it is a similar product database under the MDR. On this basis, the development costs where estimated at EUR 15-20 million for development and EUR 2 million for maintenance when in regular operations.

A key limitation of these calculations is the lack of reliable data on the market sizes and growth rates for different product categories. Therefore, proxies and ranges are used to overcome this uncertainty. Although the high uncertainty around the sizes of the targeted markets, the assumptions rely on the best available information, and are expected to capture the differences between mandatory and voluntary and self-declared and third-party schemes across the considered options.

In the case of EHR systems, the volume of digital systems certified under the Finnish system was used as basis for extrapolation to the whole of the EU. Finland has enlisted around 400 electronic health record systems and other digital health products processing electronic health data in its current database of certifiable products. The system has been operated for more than 10 years. Out of these products, around 80 are connected to the national system (Kanta). By extrapolation, and considering that some of the products are either provided by manufacturers supplying several national markets concurrently, the estimate is that the market of EHR systems could have a size of 4,000-5,000 products within the scope of certification/labelling. Assuming that re-certification would be required every 5 years, the number of certifications during the period of 10 years could be estimated as 8,000-10,000.

In the case of digital health products that are medical devices, the volume of software products on medical devices databases were used as a reference. The volume of products falling within the scope of certification/labelling was estimated to be 5,000-20,000.

In the case of wellness applications, according to the IQVIA Institute, the volume of health-related mobile applications would have surpassed 350,000 globally in 2021 28 . According to industry analysts, sales in health and fitness apps in Europe accounted for 30% of global spending in the category, up from a 27% share in 2019. Therefore, the European market for wellness applications is estimated to comprise approximately 100,000 products. It is uncertain how many of these wellness applications could eventually fall within the scope of mandatory third-party certification, and the eventual costs will vary dependent on this scope. However, for the purpose of the calculations, an assumption was made that 20% (20,000) could fall under the scope for certification. This volume is sufficiently large to illustrate the effect that mandatory third-party certification would have on market operators.

177.4. Economic benefits

The estimation of the economic benefit for primary use of health data is based mostly on the potential saving for European citizens from access and use of telemedicine in place of traditional medicine services, as the former is cheaper.

Telemedicine is not only less expensive to EU patients compared to traditional medicine, but it also requires less time taken for patients at health care. Both effects bring about potential savings in terms of the monetary cost of health care for patients and time taken which is monetised by taking the EU gross average salary as a measure of the value of time.

Formulas applied:

The estimation is based on the following evidence and assumptions:

Ÿ[Evidence] The annual cost of traditional medicine per EU citizen/patient is EUR 68.9 compared to EUR 10 of telemedicine according to a market study on telemedicine 29 .

Ÿ[Evidence] Traditional medicine demands more consultation time per year (0.014 days) compared to telemedicine (0.03 days) according to the same market study on telemedicine. This means more time taken for patients at their health care centre.

Ÿ[Evidence] EU-27 population is assumed to grow at an 0.19% according to Eurostat population projections (TPS00002).

Ÿ[Evidence-based assumption] The percentage of the population demanding heavily health care is about 30% based on Eurostat self-perceived health statistics (HS1 variable in the European Health interview survey) 30

Ÿ[Evidence-based assumption] The proportion of potential savings is adjusted by a rate of digital readiness of users and is assumed at an average of 44% based on Eurostat (eGovernment use) 31 .

Ÿ[Evidence-based assumption] The daily wage of EU-27 population on average is EUR 172 based on Eurostat (LC_LCI_LEV 32 ).

ŸA total demand for healthcare is assumed fixed and patients are able to substitute traditional medicine by telemedicine which is cheaper for patients in terms of monetary costs and time taken by the service.

ŸThe total EU population demands healthcare according to their needs. Based on EU survey on self-reported health, the coefficient adjusting the total population is 35%.

The uptake of telemedicine is given by the digital readiness of the EU population, hence, the effective demand for health is further adjusted by 44%, based on the index of digital readiness in Europe. The baseline uptake of telemedicine equals 5%, corresponding to the share telemedicine would substitute traditional medicine. The benefits by options are assumed as 6%, 20% and 20% for Policy Option 1, 2 and 3, respectively. This means 1%, 15% and 15% above the baseline, respectively.

One key limitation of this approach is the absence of a data-driven approach to attribute the potential for increasing efficiency (i.e. producing savings in the health sector) of each of the options. However, it is understood that voluntary measures are close to the baseline, and therefore their potential for producing benefits above the baseline is limited (hence, only a small improvement of 1% is attributed to Option 1), while options establishing obligations on manufacturers and Member States to ensure interoperability are expected to produce higher benefits (15% above the baseline).

The benefits (explained above for baseline), stemming from the use of ePrescriptions and avoiding repeated costs, are maintained in subsequent policy options.

188. Specific assumptions used for measures on secondary use of health data

198.1. Governance

The assessment of the governance costs for secondary use of health data followed the same approach as for governance in the context of primary use of data. Measures in Policy Option 2 and 3 require Member States to designate a Health Data Access Body, which would require either the creation of such authority (if it does not exist already), or to assign such role to an existing national authority/body.

Based on the available information on the annual costs of existing national Health Data Access Bodies (e.g. in France and Finland), it is estimated that their staff includes at least 10 FTEs, and their costs varies between EUR 2 million and EUR 5 million per year.

Under both measures, it is assumed that only a very limited number of Member States will create such authorities (larger Member States, from Cluster B – two in Policy Option 2 and four in Policy Option 3), while all the remaining ones will attribute this role to existing bodies. The new role will require an extra budget and staff for those national authorities, which is estimated in 3 to 5 FTEs (as most of the remaining Member States are smaller ones and/or from Cluster C), with annual running costs of approximately EUR 200,000- 250,000 per year.

208.2. Digital infrastructure

Costs and revenues for the infrastructure for secondary use of health data are estimated taking as reference 2 of the existing Health Data Access Bodies (Findata and French Health Data Hub).

The baseline considered the costs under Data Governance Act for setting up (EUR 10.6 mil) and maintenance (EUR 0.6 mil/year) of the secure processing environments 33 .

Costs are organised by initial investment phase (set-up) and maintenance phase (operation). While, in average a set-up phase from a Health Data Access Body can range from EUR 0.5 million to EUR 8.5 million (depending on the size and complexity of a Member State) the maintenance costs range from EUR 0.2 million to EUR 4.0 million per year, per country.

To connect the National Health Data Access Body to the EU-wide infrastructures, the initial investment costs vary between EUR 0.8 million to EUR 2.5 million per year, per country, while maintenance costs of this connection are estimated to be between EUR 0.2 million to EUR 0.8 million. The cost for central services is estimated EUR 7 million yearly.

Besides the digital infrastructure deployed in the Member States, it is also important to consider the costs associated with supporting services (also known as central or core services) provided by the Commission. These central services would require an initial overall investment of EUR 25 million across a period of 4 years and yearly maintenance costs of around EUR 4-7 million.

For the calculation of costs of national health data access bodies, EUR 75,000 is used as a reference for each FTE, for comparability, as this is used as a reference in the impact assessment for the DGA. The average overall costs over 10 years for individual Health Data Access Bodies (HDABs) are expected to range between EUR 3.3 million (4 FTE) and 41.3 million (50 FTE), depending on the size of the organisational arrangement. The lower bound (4 FTE) is meant to reflect the choice of a Member State to establish the HDAB within an existing body, while the upper bound (50 FTE) is meant to reflect the choice of a Member State to establish a separate independent body for the HDAB (as done in France with the French Health Data Hub).

The upper bound is calculated on the basis of a balanced mix of sizes: 11 4-FTE HDABs; 10 15-FTE HDABs; 6 25-FTE HDABs; and 1 50-FTE HDAB. Given that many countries have not adopted yet HDABs, it should be noted that the calculation of the upper bound is highly uncertain, but it is aligned with the various approach taken so far by Member States.

Total costs vary according to the intensity of the policy options. For Policy Option 1, costs are distributed along the 10-year period and the costs related with EU connection are calculated as an additional cost in the infrastructure for primary use of health data (MyHealth@EU). For Options 2 and 3, costs increase in particular in the first 5 years of the intervention, as this is the period when Member States would most likely make investments to meet their obligaions. Regarding Option 3, costs increase for the central services due to the centralised architecture that requires that a bigger number of digital services by the central entity, namely to EUR 32 million across a period of 3 years and yearly maintenance costs of around EUR 4 million. It should be noted thath the estimated costs for the central infrastructure are highly uncertain, as the actual system requirements will not be defined until the implementation phase begins, but they build upon the information that is currently available from similar initiatives (e.g. EU DARWIN).

The above-described reference values were used as assumptions to estimate the necessary investment in digital infrastructures and adjusted according to the intensity of the different policy options.

218.3. Data interoperability and data quality

Measures for data interoperability for secondary use of health data include requirements for Member States to ensure secure, reliable and interoperable discovery, access, sharing and processing of health data (up to certification in Policy Option 3) and procedures for handling multi-country data requests.

Measures for data quality include quality labels (and certification in measure Policy Option 3) datasets to evaluate, according to a common assessment scheme, their quality.

The cost of label/certification for data quality (carried out by public authorities) was estimated using the same costs calculated by the Impact Assessment for the Data Governance Act (EUR 20,000-50,000, of which half represent internal costs for manufacturers and half certification fees, which are considered as a proxy of the costs for authority to process the application) as a basis. The following additional assumptions were used:

·Policy Option 1: costs for self-assessment estimated to represent about half of the certification costs, to be borne by datasets owners only;

·Policy Option 2: costs for self-assessed label estimated to represent about 70% of the certification costs, to be borne by datasets owners only;

·Policy Option 3: costs for public certification scheme estimated in line with the IA for the Data Governance Act, to be borne by public authorities managing the certification process and by datasets owners (in equals share);

·Number of datasets likely to be labelled/certified: extrapolated from the number of datasets currently available in national systems (15, of average), and used as a proxy for Cluster A countries. Member States in Clusters B and C are estimated to have fewer datasets (8 and 6 respectively). Availability of datasets is expected to grow between 5% and 10% per year over the 10-year period considered.

228.4. Economic benefits

The total benefit of secondary use of health data is the sum of the economic value of health data, the savings of more efficient access to data and cost savings thanks to information transparency.

The economic value of health data is measured using the economic value of data in general estimated by the IDC study and used by the study supporting the Data Governance Act IA. Then, the value of data sharing is adjusted by the R&D expenditure in health as proportion of GDP in Europe. This adjustment allows to obtain an approximate magnitude of the corresponding value attributable to health. The estimation is based on the following evidence and key assumptions:

Ÿ[Evidence] According to the WHO, Europe allocates about 0.03% to R&D in health as proportion of the EU GDP 34 .

ŸTo measure how much of the overall value corresponds to health, it was used the 8.3% as adjusting factor, which is the average expenditure on health across EU-27 countries.

[Evidence] The value of data sharing is obtained from the IDC market study on data economy that was used in the study to support the Data Governance Act 35 . A conservative estimate increase of 0.5%, 1.0% and 1.2%, respectively for each policy option, is applied to the economic value of health data based on the econometric analysis performed as part of the impact assessment of the Data Governance Act.

For the benefits from information transparency for policy-makers and regulators thanks to direct access to health data through EHDS infrastructure, input gathered from experts in the pharmaceutical regulatory process was that if a 10% reduction in drug development cost of phase III trials can be delivered through use of real-world evidence (in situations where this is appropriate, e.g. repurposing medicines), it is estimated that, for 100 medicines annually, this could produce a possible saving of EUR 184 million. The cost of a single phase I clinical trial was estimated as 2.9 million EUR, 7.4 million EUR for phase II and 18.4 million EUR for a phase III trial 36 . Additionally, in a medium-sized EU country, a 5% saving in drug cost in oncology, diabetes, cardiovascular, respiratory/neurology thanks to information transparency regarding their effectiveness could result in an annual saving of EUR 50 million. With increasing prices of new medicines, this saving is expected to increase in the future. Over 10 years and extrapolating to the whole of the EU, these savings could yield a benefit of EUR 1.6 billion. Given that existing initiatives will contribute to capturing this benefit, EUR 0.8 billion (half) were attributed to the baseline, while other EUR 0.8 billion were attributed to Policy Options 2 and 3 for providing enhanced access to health data for policy-makers and regulators.

There will also be saving stemming from efficiency gains (replacing the collection of consent by fees paid to data access bodies). The internal costs for national health data access bodies are estimated around EUR 2,100-2,600 per request. The costs for data owners are not possible to estimate, as this depends on standards established. The costs for data reusers include assembly of data requested and costs for obtaining individuals’ consent in most Member States (used parameters: 100 requests per country, 30 min for obtaining each consent). However, the usual cohorts are much bigger (they can vary between 10 persons for rare disease to 500,000 data subjects for countries like Finland. There are also cases where the cohort could include the whole population of a country, in which case obtaining consent is very difficult and biased, as one cannot have random samples). The costs for the fees of data access bodies comprise for an average request including a EUR 1,000 data request, 115 EUR/data processing hour (an average of 10-20 processing hours/request) and between 3 and 12 months of remote access. However, it should be noted that pricing models differ across existing health data access bodies and national policy choices. For example, the Danish body charges approximately EUR 300 per data processing hour and estimates self-sustainability in the medium run, with the current evolution of the number of requests. French Data Hub does not charge the public sector and the overall fees may be lower. The average of requests per year took into account Finnish and Danish experience (400-500 requests per year), but French Data Hub recorded so far over 1600 projects, which indicates that the number also depends on the size of the country.

The provisions for handling multi-country data requests were estimated using the following key data points:

·Number of requests: extrapolated from the (expected) number of requests (600) from the Finnish system for secondary use of health data (Findata), using the R&D expenditure of EU Member States from Eurostat 37 as an indicator for the volume of request. This value was used as proxy for Cluster A countries. Member States in Clusters B and C are estimated to have fewer requests per year (245 and 241 respectively). The number of requests is expected to grow between 5% and 10% per year over the 10-year period considered, as an effect of increased availability of datasets and of increasing interest in health-related fields of research.

·Costs for authorities to process the requests: estimated using the information on the data request fee in the Finnish case as a proxy (corresponding to about 3 person-days), and considered to decrease as an effect of the coordination mechanisms implemented (to 2.5 person-days under measure Policy Option 2 and to 2 person-days under measure Policy Option 3). Variable costs for the extraction and treatment of data requested were not included, as there was not sufficient information to build a robust example. Costs for the EC to process the request were estimated for measure Policy Option 3, and assessed at 0.5 person-days per request.

·Costs for data users (researchers) to prepare the data request: assumed to be of approximately 15 person-days (not including waiting times in between steps of the process) for multi-country requests to be filed separately to each national data access body, up to 20 days.

An illustrative example was elaborated to describe the procedures and costs under the different measures, considering a 3-country data request.

239. Methodology and assumptions used for the evaluation of the Article 14 of the CBHC Directive (Annex 12)

A consortium led Open Evidence carried out a specific study for the Commission to inform and support the evaluation of Article 14 of Directive 2011/24/EU. Lot 4 of that study examines the effectiveness, efficiency, coherence, relevance, and EU added value of Article 14 of the Directive 2011/24/EU and other related articles. The study was launched in September 2020 and the final report was provided in August 2021 38 .

An extensive desk review was conducted between September and October 2020 to get the most updated and comprehensive literature and policy documents to answer the research questions guiding this study. This was complemented by targeted consultations activities (eHealth Network members and coordinators of Joint Actions; national bodies (Ministries of Health, eHealth agencies, National Medicines Agencies); EU institutions (European Commission, European Medicines Agency, ECDC); patients organisations; healthcare Professionals organisations; organisations representing the industry (medical devices industry); individual companies (digital industry, pharmaceutical industry, medical devices industry). Stakeholders were consulted via in-depth interviews 39 , focus groups 40 and online surveys 41 .

The study supporting the evaluation is based on the available evidence drawn from the triangulation of a diverse and appropriate range of methods and sources. Where secondary sources were not available to answer the research questions guiding this study, primary data and evidence was collected. A complementary desk research exercise was conducted to ensure the completeness and validity of the results obtained.

The principal limitation that this type of methodology is an intrinsic limitation coming from literature that may not cover all the information available. Another limitation was accurately quantifying costs and benefits of the access and exchange of health data by stakeholders. The nature of quantifying this process is complex due to the uniqueness per case and hard-to-measure realisation of outputs. For instance, in the case of MyHealth@EU, since the exchanges on the platform for the early adopters only started in 2019 (and 7 Member States were live at the end of 2020 and 9 mid-2021), the full potential of the platform has not been observed yet. Furthermore, the results suggest that most exchanges happen across neighbouring countries. Of the early adopters, only Finland and Estonia are neighbouring countries, limiting even more the exchanges on the platform. As more Member States and more neighbours will join the platform, one can expect that over time there will be more information to assess the results and impacts in this area.

Furthermore, quantitative data on the costs of implementing the infrastructure were limited as the Member States that did implement the infrastructure were not able to quantify the costs in terms of man-days and budget allocated to it. Often, eHealth Network members did not keep appropriate accounting of the effort invested in carrying out eHealth Network activities and did not split this work from the one conducted for their national institutions. As a result, in the area of efficiency, the information is mostly qualitative and resulting from expert’s opinions.

Annex 6: Coherence with other legislative instruments

Figure 9. Interplay of the proposal for a regulation on the EHDS with other horizontal and health-specific legislative frameworks.

1.Relevant fundamental rights legislation

The Union is founded on the values of human dignity and respect of human rights that are further specified in the EU Charter of Fundamental Rights (the Charter). Articles 7 and 8 of the Charter guarantee the fundamental rights of individuals to privacy and to data protection, while Article 35 ensures that a high level of human health protection shall be integrated in the definition and implementation of all the Union's policies and activities. Some fundamental rights obligations are further provided for in EU secondary legislation, in particular in the field of data protection.

In particular, the General Data Protection Regulation 42 and the EU Data Protection Regulation 43 aim to protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data including personal health data, whenever their personal data are processed. The sharing by data controllers of personal data with third parties and their further processing are subject to a number of data processing principles such as lawfulness, transparency, fairness, accuracy, data minimisation, purpose and storage limitation, confidentiality and accountability. Additionally, natural persons, whose personal data are processed, have a number of rights, for instance, the right to access, correct, or port their personal data under certain conditions. Stricter conditions also apply for the processing of sensitive data, including health data, genetic data and biometric data used for identification purposes, while processing that poses high risk to natural persons’ rights and freedoms requires a data protection impact assessment. The legislative framework for the EHDS would ensure compliance with the rules of the existing legislation on the protection of personal data and would provide further harmonised specifications on the processing of health data in line with Articles 6(1)(3) and 9(2)(h), (i) and (j) of the GDPR. The legislative initiative also aims at strengthening the application of individuals’ rights granted under EU data protection legislation as regards the processing of their health data and provides more control over their access and use. It would also provide the EU legal basis for the re-use of health data, based on public interest, scientific, historical research and statistical purposes (as per Article 9(2), (i) and (j)).

2.Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare and other legislation relevant for digital health services and products

The current relevant applicable EU legal framework for the cross-border exchange of health data is laid down in Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare 44 . The Directive provides rules for facilitating the access to safe and high-quality cross-border healthcare, ensures patient mobility in accordance with the principles established by the Court of Justice, and promotes cooperation on healthcare between Member States, in full respect of national competencies in organising and delivering healthcare. The Directive applies to individual patients who decide to seek healthcare in a Member State other than the Member State of affiliation.

However that legislation does not address access to health data for reuse. Furthermore, the proposal for a Data Governance Act, currently being examined by the co-legislators, lays down a horizontal framework across sectors with common governance mechanisms and rules to enhance access to data for reuse, which will apply also in the health sector. The initiative aims at further complementing these EU legislative frameworks with the necessary rules to further enhance health data sharing and reuse in full respect of individuals’ fundamental rights.

In addition, the current legislative initiative would strengthen Article 14 of Directive 2011/24/EU by facilitating a better uptake of digital health products and services for the provision of health care (including telemedicine, telehealth, and mHealth) across the EU.

Article 14 of Directive 2011/24/EU requires the Union to support and facilitate cooperation and the exchange of information among Member States working within a voluntary network connecting national authorities responsible for eHealth in the Member States (the ‘eHealth Network’). The objective of the eHealth Network is to “work towards delivering sustainable economic and social benefits of European eHealth systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of care and ensuring access to safe and high-quality healthcare.” (Art. 14(2)(a)). The eHealth Network – and the eHealth Digital Service Infrastructure (eHDSI), later renamed “MyHealth@EU” – has improved the cross-border exchange of health data for healthcare (primary use of data), such as patient summaries and e-prescriptions. So far 7 Member States exchange health data via this infrastructure. The current legislative initiative aims at expanding and strengthening the cross-border exchange of health data to support continuity of care for citizens travelling within the EU, by amending relevant provisions of Directive 2011/24/EU, in particular its Article 14.

3.Cybersecurity regulatory framework

The Directive on Security of Network and Information Systems ('NIS Directive' / 2016/1148/EU) represents the first EU-wide rules on cybersecurity. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU and covers operators working in the healthcare sector. The Cybersecurity regulatory framework also includes the cybersecurity Regulation (2019/881/EU) and the Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) which help business, citizens and public authorities carry out secure and seamless electronic interactions using electronic identification schemes (eIDs) to access public services available online in other EU countries.

By promoting the use of compulsory common security standards and of the integration of electronic identification (eID) for healthcare professionals and patients, the EHDS initiative reinforce and complement the principles and security measures set out in the aforementioned cybersecurity regulatory framework. It is designed to enhance the security and trust in the technical framework designed to facilitate the exchange of health data both for primary and secondary use.

The NIS Directive is being revised (the ‘NIS2 proposal 45 ) and is currently undergoing negotiations with the co-legislators. It aims to raise the EU common level of ambition of the cybersecurity regulatory framework, through a wider scope, clearer rules and stronger supervision tools. The Commission proposal addresses these issues across three pillars: (1) Member State capabilities; (2) risk management; (3) cooperation and information exchange. Operators in the healthcare system remain under the scope.

A proposal for a Cyber Resilience Act is also planned for adoption by the Commission in 2022, with the aim to set out horizontal cybersecurity requirements for digital products and ancillary services. The envisaged set of essential cybersecurity requirements to be laid down by the Cyber Resilience Act will be applied to all sectors and categories of digital products whose producers and vendors shall comply with, before placing the products on the market or, as applicable, when putting them into service and also through the entire product lifecycle. These requirements will be of general nature and technology neutral. The security requirements set out in the EHDS, notably as regards EHR systems, will provide more specific requirements in certain areas, such as access control.

4.eID framework

The initiative would build on the new framework for eID, including the Digital eID Wallet. This would allow the online identification of patients. A pilot project has been launched in 2021 and aims to support the access of patients to their data, including in the context of MyHealth@EU.

5.Medical device and pharmaceutical regulatory framework

The EU legal framework for human medicines sets standards to ensure a high level of public health protection and the quality, safety and efficacy of authorised medicines. The requirements and procedures for marketing authorisation, as well as the rules for monitoring authorised products, are primarily laid down in Directive 2001/83/EC and in Regulation (EC) No 726/2004 . They also include harmonised provisions for the manufacture, wholesale or advertising of medicinal products for human use.

Additionally, EU legislation provides for common rules for the conduct of clinical trials in the EU. Various rules have also been adopted to address the particularities of certain types of medicinal products and promote research in specific areas 46 .

The EHDS initiative complements the aims and scopes of the aforementioned Regulations and Directives by providing access to a wide range of health data that could be useful for regulatory purposes and enhance and streamline the collection of the necessary health data required to assess and supervise the introduction and surveillance of pharmaceutical products and devices in the Union.

6.Relationship with other initiatives

On 25 November 2020, the Commission adopted a proposal for a Regulation on European Data Governance (“Data Governance Act”). The proposal sets out an overarching framework encompassing horizontal measures for all common European data spaces, and leaves room for sector-specific rules, governance mechanisms and standards where relevant. The proposal complements the Directive on open data and the reuse of public sector information (Open Data Directive) 47 . EHDS would use the DGA framework for data altruism and competent bodies supporting access to data (Article 7 DGA) through a secure processing environment. For data altruism, such activities could be carried out by Data Access Bodies or DABs, in collaboration with DGA bodies, which could request specific aspects from other entities caring out data altruism activities. With regards to competent bodies to support access to health data, the National Health Data Access bodies could be built around Article 7 DGA bodies and their secure environment, with additional tasks related to providing authorisations to data.

Figure 10. Comparison between the Data Governance Act and the European Health Data Space.

Further EU legislative action on issues that affect relations between actors in the data-agile economy in order to provide incentives for horizontal data sharing across sectors (complementing data sharing within sectors) could be taken forward in the Data Act.

The EHDS initiative will build upon the horizontal framework on data to complement it and provide more specific rules for the health sector. For instance, it is important for the trustworthiness of the system that decisions concerning access to and further processing of health data, applicable rules and policies are taken by health (data) authorities and health policy makers within the appropriate framework. Similarly, the relevant health authorities should be involved in the selection of standards in the health area and in the notification of data intermediaries in the health sector to take into account the specific requirements, standards and specifications for the processing of health data. As the sensitivity of health data demands a high level of trust for citizens to voluntarily provide their health data for altruistic purposes; competent sectoral bodies should be in involved in such data altruism schemes when they relate to health data.

It would also build on upcoming Data Act, especially on its provisions of portability and access of data from private sector.

In April 2021, the Commission published a proposal for a regulation laying down harmonised rules on artificial intelligence (artificial intelligence act). This proposal constitutes a central part of the EU digital single market strategy. The primary objective of this proposal is to ensure the proper functioning of the internal market. The proposal sets out common mandatory rules concerning the placing on the market, putting into service and use of AI systems. Additionally, it contains certain specific rules on the protection of individuals with regard to the processing of personal data. It follows a risk-based approach, differentiating between (i) unacceptable risks (ii) high risks and (iii) low or minimal risks. The proposal identifies two main categories of high-risk AI systems: (i) AI systems intended to be used as safety components of products that are subject to third party ex-ante conformity assessment and (ii) other stand-alone AI with mainly fundamental rights implications expressly listed in Annex III. There are legal requirements that are set out for high-risk AI systems concerning data and data governance, documentation and record keeping, transparency and provision of information to users, human oversight, robustness, accuracy and security. The precise technical solutions to achieve compliance with those requirements may be provided by standards or by other technical specifications or otherwise be developed according to general engineering or scientific knowledge at the discretion of the provider of the AI system.

Health data play a key role in the training, validation, testing and post-market monitoring of AI in healthcare. The aim of establishing the EHDS is to also aid providers and users of AI as well as notified bodies and market surveillance authorities to carry out their tasks and effectively and efficiently fulfil their legal obligations under the AIA. The possibility to access diverse and a large amount of organized data within the EHDS infrastructure that provide transparency and information concerning the characteristics of these data would lead to the speedy development, upscale and uptake of trustworthy AI in healthcare. For instance, health data within the EHDS could share common standards and/or follow common rules and guidelines on issues like annotation, labelling, prevention of bias and avoidance of errors. Additionally, information might be provided on the characteristics of data within the EHDS infrastructure that would enable the developer of AI systems to use appropriate data to train, test and validate algorithms that reflect the geographical, behavioural or functional setting within which the AI system is intended to be used. In this regard, Health Data Access Bodies and/or national bodies might be involved to develop and oversee common rules.

The set-up of the EHDS wouldbe an integral part of building a European Health Union, a process launched by the adoption of a first set of proposals to reinforce preparedness and response during health crisis 48 , which pave the way for the participation of the European Medicines Agency (EMA) and the European Centre for Disease Prevention and Control (ECDC) in the future EHDS infrastructure, along with research institutes, public health bodies, and Health Data Access Bodies in the Member States.

European Health Emergency preparedness and Response Authority (HERA) 49 is a central element for strengthening the European Health Union with better EU preparedness and response to serious cross-border health threats, by enabling rapid availability, access and distribution of needed countermeasures. The proposal provides synergies with the Union’s Digital Single Market agenda and EHDS, by encouraging research and innovation, facilitating the access and sharing of data and information and data, and supporting the monitoring medical countermeasures.

On 25 November 2020, the European Commission adopted a Pharmaceutical Strategy 50 for Europe with the stated aim at creating a future proof regulatory framework and at supporting industry in promoting research and technologies. It will ensure that patients have access to innovative and affordable medicines, and will support the competitiveness, innovative capacity and sustainability of the EU’s pharmaceutical industry. One of the EHDS aims is to establish interoperable data access infrastructure, which will improve exchange, federated access and cross-border analysis of health data in the EU, while ensuring the necessary safeguards and citizens’ control over their own health data. The Commission will propose to revise the pharmaceutical legislation to consider how to make best use of digital transformation. This includes new methods of evidence generation and assessment, such as analysis of big and real-world data to support the development, authorisation and use of medicines 51 . EMA will be a node in the EHDS infrastrucrure for secondary use of health data.

The European Commission’s “Europe’s Beating Cancer Plan” 52 and the recently launched Horizon Europe Mission on Cancer 53 also emphasise the need for better collecting and using health data in order to tackle inequalities, survivorship, advance research. The smart combination of health data and new technologies caters for the exponential development of personalised medicine, which becomes a powerful tool to address cancer through tailor-made prevention and treatment strategies so patients receive the therapies that work best for them, and no money is wasted on trial and error treatments. 54 It is important to make the most of the potential of health digitalisation, through EHDS to improve cancer treatment, healthcare delivery and quality of life outcomes.

Annex 7: List of m-health and telehealth initiatives (legislation, frameworks and certification/labels)

Examples of legislative frameworks for the telemedicine in MS

In order to implement digital health products, Member States often have a use case approach, such as chronic diseases or rare diseases. This approach makes it possible to test products and services on a small and often more voluntary population because they are severely affected. Denmark, for example, has implemented telemedicine services for patients with COPD.

Countries can then extend the most successful services to the rest of the population, as in the case of telemedicine in France, Germany and Italy.

Finally, health crisis episodes, such as the Covid crisis, have lifted certain access limitations, such as the obligation to consult the doctor in person before a teleconsultation

In Denmark, telemedicine is specifically targeted at patients with Chronic Obstructive Pulmonary Disease (COPD) who tend to have frequent visits to a clinic.

In Estonia, since March 2013, consultation of the family doctor with a specialist is reimbursed by the Estonian Health Insurance Fund (EHIF). The specialist provides his instructions for treatment (by e-mail or other means) and receives 68% of the normal rate for a face-to-face consultation (Kruus et al., 2015).

Finland has had a telemedicine strategy since 1995. Teleradiology has become regular practice and is the main telemedicine act in Finland. Most district hospitals provide teleradiology and telelaboratory services and offer teleconsultation for primary healthcare centres. These activities are partially covered by the healthcare system and the budget of the healthcare centres. Other telemedicine services provided are telepsychiatry, teleopthalmology, teledermatology and teledentistry. Most telemedicine projects, focusing on teleconsultation and telemonitoring, were funded by public funds and EU projects (Khatri et al., 2011).

In Germany, according to the professional codes, diagnoses and prescriptions have to be provided after a face-to-face meeting between the patient and the physician and after an examination. Teleconsultations are possible for follow-up purposes and have been eligible for financial compensation since 2017, as have tele-expertise services (Hantson, 2019). Since the ban on tele-therapy only applies if the practising physician is a member of the German medical association (Bundesärztekammer), it does not apply to telemedicine provided by health providers outside the territory (Europe Economics 2019).

In France, teleconsultation has been reimbursed since 2018 at the same rate as a normal consultation, as long as there is a prior therapeutic relationship between the health professional and the patient. Tele-expertise has been funded since February 2019. Two levels of tele-expertise are defined, depending on the complexity of the telemedicine services provided (low difficulty and patient with chronic disease).

In Italy, many telemedicine projects have been initiated but only a few were sustainable. Telemonitoring and teleradiology are considered established practices, while telepathology, teledermatology and telepsychiatry, in the form of teleconsultation and tele-expertise, exist as pilot projects or informal practices (World Health Organization, 2016). Telemonitoring pilot projects are being implemented at a regional level by the regional health authorities (AziendaSanitaria Locale, ASL) (Rojahn et al., 2016).

In the Netherlands, since 2019, it has been made easier for health care providers and health insurers to include digital consultations in funding agreements. For GPs it no longer matters how the doctor organizes the consultation with the patient: in the consultation room, by telephone, by e-mail or using other digital means. In specialist medical care it has become easier to fund remote monitoring of patients. Attempts have also been made to implement telemonitoring for heart failure and diabetes in Dutch hospitals (Kroneman et al., 2016; Faber et al., 2017).

In Portugal, a national telehealth strategy and policy was implemented in 2013. One third of hospitals have offered telemedicine services since 2014 (Pina 2015; Dias 2017). Since 2013, the Health System administration has funded several telemonitoring projects. Local authorities have created a certification for teleconsultation. When a teleconsultation is required between a specialist and a patient, primary care units appoint a coordinator or the patient’s own General Practitioner to assist during the consultation (Oliveira et al. 2014). More than half of hospitals use remote screening, particularly in the area of dermatology, and have carried out teleconsultations (The Portugal news 2019).

To be noted: in Norway, most telemedicine services are available through projects. There is however a disparity between implementation by the Norwegian government and the actual use of telemedicine (Alami et al. 2017).

Source: Bensemmane et al. 2019 55

Examples of European cross-border telemedicine projects

Below are some relevant examples of currently running telemedicine initiatives in a cross-border context, used to illustrate the implementation of digital health practices across Europe.

·Pomerania project 56 is mainly funded by the European Commission (up to 84%) and involves 20 German and 15 Polish hospitals. It aims at enlarging the healthcare services offered in a region with a low density of hospitals and covers fields such as radiology, urology, stroke care, cardiology, oncology, ophthalmology, ear, nose and throat illnesses.

·The European Stroke Organisation is a Swiss organisation bringing together European stroke experts and aims at improving the delivery of stroke services. They produce guidelines 57 for the implementation of a tele-stroke network in Europe in a practical way.

·The university hospitals of Aachen (Germany) and Maastricht (the Netherlands) share the services of one neurophysiologist, through the use of telemedicine practices for certain procedures. Surgeons are able to operate on a patient at Aachen Hospital while the neurophysiologist in Maastricht follows the operation on a screen and monitors the patient’s condition.

·In 2006, Denmark and Sweden started a telepsychiatry collaboration for asylum seekers and migrants. Only one Danish hospital had a cross-cultural expertise (Mucic 2008) and the study showed a good acceptance of patients towards telemedicine and an appreciation to exchange with a healthcare professional without an interpreter.

·A shared software platform has been created between France and Swiss in order to establish collaborative diagnosis, to study neuroimaging, as well as to access virtual examination. A virtual network is even used to transfer diagnosis from university hospital Basel to collaborating German district hospitals.

However, it is important to stress the fact that the cross-border initiatives identified above are generally located in small border regions, funded by the European Union, specialised in a specific therapeutic area and often poorly documented.

Source: Author’s elaborations in Lupiáñez-Villanueva, et al. (2022).

Examples of m-health/tele-health assessment frameworks and certification/labels

DiGA 58

MS	Germany
Covered services	CE marked mobile health applications Application for reimbursement
Bodies involved	Public bodies ·National medicines agencies (Federal Institute for Drugs and Medical Devices – BfArM)
Criteria	·Technical requirements oSecurity oFunctionality oQuality (confirmed by CE marking) oImpact on health oData protection, data security oInteroperability ·Positive care effects oMedical benefits oStructural and procedural improvement
Scheme	Certification by the BfArM
Typology	Digital Healthcare Act (Digitale-Versorgung-Gesetz, DVG) on 19 December 2019

mHealth Belgium 59

MS	Belgium
Covered services	CE marked mobile health applications
Bodies involved	Public bodies ·eHealth agencies (eHealth Belgium, mHealth Belgium), ·National medicines agency (AFMPS – Agence Fédérale du Médicament et Produits de Santé), ·National sickness fund and insurers (INAMI - Institut National d’Assurance Maladie Invalidité)
Criteria	1.CE-marking 2.Interoperability 3.Socio-economic value added
Scheme	Three-level certification ·Level 1– basic requirements oCE declaration as a medical device is submitted oVoluntary notification of the mobile app to the Federal Agency for Medicines and Health Products (FAMHP), during which the CE marking and the compliance with the rules and regulations for medical devices are confirmed and can be checked. oThe app and the parent company declare that they comply with the EU General Data Protection Regulation (GDPR). ·Level 2– interoperability criteria oLevel 1 certified ohave been submitted to a risk assessment (developed by an independent organisation and included in mHealthBelgium) after which they have proven to meet all imposed criteria regarding authentication, security and the use of local e-health services by means of standardised tests (if applicable). ·Level 3– reimbursement oProof of socio-economic value added oCertification operated by the national social fund
Typology	Framework

ANS eHealth Label

MS	France
Covered services	Software and health establishment
Bodies involved	Public bodies ·National eHealth authority (ANS – Agence du Numérique en Santé)
Criteria	For healthcare professionals and software developers Garanty the basic functions for medical exercise, coordinated care, monitoring, administration of the establishement
Scheme	Label delivered by the French eHealth agency
Typology	Framework

HAS mHealth

MS	France
Covered services	Mobile applications with no medical specific purpose Specific for the “grey” zone of mHealth applications
Bodies involved	Public bodies ·National health authority (HAS – Haute Autorité de Santé)
Criteria	Four main axes ·delivering reliable and quality health information, ·either technically efficient, ·guaranteeing the confidentiality and security of personal data ·being ergonomic and easy to use
Scheme	Guidances for mobile applications developers
Typology	Guidelines

MAST CIMT

MS	Denmark
Covered services	Telemedicine
Bodies involved	Public bodies ·Centre for Innovative Medical Technology (CIMT). Research center from a university and a university hospital.
Criteria	The model defines the relevant assessment framework for the effect of telemedicine: 1.the patient and the technology, 2.patient safety, 3.clinical effectiveness, 4.patient perspectives, 5.economic aspects, 6.organisational aspects, 7.legal and ethical aspects.
Scheme	Assessment framework for managers in the healthcare sector.
Typology	Framework

Source: Author’s elaborations in Lupiáñez-Villanueva, et al. (2022).

Quality criteria: standards ISO/CEN 82304-2

At the request of DG CNECT, CEN and ISO are working towards standards on eHealth assessment criteria under this standard split into five areas, including quality aspects: (1) Medical safety, (2) Usability, (3) Security of personal data, (4) Technical quality, (5) Quality of the app. This work is guided by other frameworks and studies’ questions about health and safety, health requirements, ethics, health benefits, societal benefits, health risks, accessibility, privacy and security, and interoperability. This work could especially be used to support labelling at an EU level.

The Dutch Ministry of Health has commissioned the National eHealth LIving Lab (NeLL, Leiden University Medical Center) to build a national health app assessment framework based on CEN-ISO 82304-2 and to advise how to execute such a framework. A comparative study has been led on several app assessment frameworks, including those from Haute Autorité de Santé (France), mHealth Belgium, DiGA (Germany), Digital Technology Assessment (United Kingdom) and existing Dutch frameworks. The aim was to establish which requirements overlap with CEN-ISO and which are not yet covered in CEN-ISO and should be considered as additional Dutch requirements, and significant overlaps have been found in subjects covered. It concludes that CEN-ISO standard covers the national requirements well, with a few exceptions.

Source: Author’s elaborations in Lupiáñez-Villanueva, et al. (2022).

Annex 8: Overview of the GDPR legal basis for processing health data for different purposes 60

Please indicate the legal basis under GDPR Articles 6 (1) and derogation basis under Article 9(2) used for processing health data for normal healthcare provision purposes within the context of a patient - healthcare professional relationship. Please note this is for regular data processing, not data processing in an emergency situation, where the vital interest basis may be used.

GDPR Article 15 stipulates that data subjects (including patients) have a right to access data concerning them. Please indicate the way in which this right may be exercised in your Member State. Note: this question does not relate to research data.

Article 17 of the GDPR provides that in certain cases a data subject can ask for data to be erased or have ‘the right to be forgotten’. However, Article 17(3) of the GDPR provides that the right shall not apply to the extent that processing is necessary for reasons of public interest in the area of public health in accordance with Article 9(2)( h) and (i) of the GDPR. If not based on article 17 a limitation to the right to be forgotten in healthcare could also be based on article 23. Please indicate if a patient may have medical records deleted in your Member State.

GDPR Article 20 stipulates that if the data collection was based on consent or on the basis of the creation or execution of a contract, the data subject (patient) has a right to obtain a portable copy of the data. Please indicate which of the following apply in your Member State Note: this question does not relate to research data, see question 34. (Q33).

If you have selected the last option above, please describe why Article 20 does not pertain to patient

data

Please indicate if any specific legislation has been adopted in your Member State that addresses the processing of health data that was originally collected for the purpose of providing care to allow it to be used for planning, management, administration and improvement of the health and care systems entities such as health authorities.

If yes, please indicate which combination of legal bases the legislation relies upon when data are used for planning, management, administration and improvement of the health and care systems: (more than one answer may be applicable as different types of organisation might process data for such purposes).

Please indicate if any specific legislation has been adopted in your Member State that addresses the processing of health data that was originally collected for the purpose of providing care to allow it to be used for market approval of medicines and devices, such as medicines agencies, EMA, HTA and Notified Bodies.

If yes, please indicate which combination of legal bases the legislation relies upon when data are used for market approval of medicines and devices. (More than one answer may be applicable as different types of organisation might process data for such purposes)

Please indicate if any specific legislation has been adopted in your Member State that addresses the processing of health data that was originally collected for the purpose of providing care to allow it to be used for monitoring of medical device safety and/or pharmacovigilance.

If yes, please indicate which combination of legal bases are relied upon when data are used for monitoring of medical device safety and/or pharmacovigilance.

Please indicate if any specific legislation has been adopted in your Member State that addresses the processing of health data that was originally collected for the purpose of providing care to allow it to be used for protecting against serious cross-border threats to health. (Q20).

NOTE: some threats are classified as reportable in WHO’s International Health Regulations, and therefore intentional law may also apply to this issue (see question 22 below).

All EU Member States are required to report diagnosis and outcome of the diseases covered by the WHO International Health Regulation, which now also includes COVID-19. Has your Member State enacted any national level specific legislation about other cross-border health threats, such as food borne diseases, sexually transmitted diseases, which are not covered by the IHR?

If yes, please indicate which combination of legal bases are relied upon when data are used for protecting against such potentially serious cross-border threats to health.

Please state if any specific legislation has been adopted that addresses the processing of health data that was originally collected for the purpose of providing care, by third-party public-sector researchers, i.e. by a different controller than that where the treating healthcare professionals were based. If yes, please indicate which legal base in Article 9(2) is relied upon when data are used for research by third-party public-sector researchers.

Please state if any specific legislation has been adopted that addresses the processing of health data that was originally collected for the purpose of providing care, by third party researchers not in the public sector – i.e. researchers based in not for profit organisations, researchers based in industrial or commercial research organisations and researchers based in other privately funded research organisations. If yes, please indicate which legal base in Article 9(2) is relied upon by such third-party researchers not in the public sector.

Annex 9: Overview of national bodies dealing with secondary uses of health data 61

Data altruism in place or desirable to set up at national or EU level

Is a system for data altruism in place?	Total MS
Yes in place, or in process of being implemented	2		DK, DE, [UK]
No	25		BE, BG, CZ, EE, IE, GR, ES, FR, HR, IT, CY, LV, LT, LU, HU, MT, NL, AT, PL, PT, RO, SI, SK, FI, SE
If no, do you believe that a system of data altruism should be set up at national level?
Yes	14	BG, CZ, EE, IE, GR, ES, HR, CY, LV, MT, NL, RO, SK, FI
No	1	SI
Not sure	10	BE, DK, FR, IT, LT, LU, HU, AT, PL, PT
Do you believe that a system of data altruism should be set up at EU level?
Yes	11	BE, BG, CZ, DE, EE, GR, LV, LT, HU, SK, FI
No	5	ES, IT, CY, NL, SI, [UK]
Not sure	11	DK, IE, FR, HR, LU, MT, AT, PL, PT, RO, SE

* To illustrate the responses, EE answered both yes and no, with the clarification that the answer in the current settings would be ‘no’, and to be changed to ‘yes’ if first clear regulations with responsibilities were set in place.

Findata, Finland

Description

Findata is the brand new Finnish Health Data Access Body, acting as ‘one-stop-shop’ for health and social data access, in operation since January 2020 (www.findata.fi). The services Findata provides are to 1) grant data permits to data from multiple registers; 2) collect the requested data from the controllers and then combining, pseudonymising and anonymising the data or producing statistical data, and 3) deliver the data for use to the requestor for use in a secure remote IT environment, potentially also by converting and combining the permit holder’s own data.

Background

Findata was set up with the goal to enable fast, easy and safe access to health and social personal data. Before, one had to request access to all data controllers separately, which was a very time-consuming and administrative process. On top of that, data was not processed in a secure and controlled way.

Findata started operating in steps. Since January 2020, data requests for statistical data can be made. Since April 2020, data permit applications can be issued. From January 2021, Kanta services, where medical records are stored, will be included. Up to 12 October 2020, a total of 230 data applications were received, of which 143 data permits for personal data and 35 data requests for statistical data.

Legislation

The Act on the Secondary Use of Health and Social Data (552/2019) specifies the purposes for which one can request data access. It applies to register based research, and not to clinical trial data. Genome and biobank legislation are on its way. The Act among others also specifies that personal data can be used for the following purposes, even if the data was not collected for that purpose: 1) statistics, 2) scientific research, 3) development and innovation activities*, 4) education, 5) knowledge management, 6) steering and supervision of social and health care by authorities, and 7) planning and reporting duty of an authority. Further details of the implications of the act on services provided are described below.

* From this list of purposes, the purpose of ‘development and innovation’ only allows for the use of statistical data.

Tasks and activities

Findata is a completely new system but builds on a long history of registries and a digitalised society. The main tasks relate to the three services described above. Findata offers services for those needing data (customers) and for those controlling data (controllers), all relate to the secondary use of health and social data. To make a data request for personal rather than statistical data, it is possible since April 2020 to apply for a data permit to access pseudonymised personal data for all above mentioned purposes, including e.g. function 2 purposes of authorities’ planning and reporting duties. Only exception is the purpose of ‘development and innovation’, which only allows for the use of statistical data.

Findata serves users of data by compiling a dataset and providing access to a secure environment to process the data. Findata cooperates with data controllers to standardize data descriptions. It also provides an anonymisation service and a permit processing service if the controller authorises Findata to do so.

The Act also describes the responsibilities and tasks of both Findata, as Health Data Access Body, plus a predefined set of authorities and organisations, for the secondary use of data in the registers (being eleven different authorities and organisations such as the Ministry of Social Affairs and Health, the National Institute for Health and Welfare (THL), the Finnish Medicines Agency (Fimea) and public service organisers of health and social care) regarding the following elements:

a)Data set descriptions

b)Advisory service

c)Collection, combination and pre-processing service for data

d)Identifier administration service

e)Data request management system

f)Secure hosting service

The Act also demands the IT-systems used for secondary use of social and health data to be audited against Findata’s regulations by a Data Security Assessment Body. Findata is currently preparing to give regulations on the requirements for secure IT-environment for using and managing data for secondary use.

Governance

Findata is an independent central agency which falls under the responsibility of the Finnish Institute of Health and Welfare (THL). A steering group, consisting of representatives from data controllers whose data Findata provides access to, develops and guides Findata’s operations. The Data Protection Ombudsman, Parliamentary Ombudsman and Valvira1 supervise the operations of Findata and compliance with the Secondary Use Act.

1 Valvira is a national agency operating under the Ministry of Social Affairs and Health, charged with, amongst others, the supervision of the social and health care.

Organisation and budget

The budget of Findata is set by the temporary steering group who was preparing the implementation of the Act on the Secondary use of Health and Social Data. After a start-up budget in the beginning years 2019-2021, the annual budget is about 1 million euros per year, with the main expense items being personnel costs and ICT-systems. Since it is a new system, there is no data yet about the real yearly costs and gains of running Findata, but it is anticipated that the set budget will not be sufficient, and may be raised to over 2 million annually.

Staff and functions

There are currently 15 staff working for Findata, and recruitments are going on. It is expected that in a few years 20-25 staff will be employed. Functions of the staff are in the field of ICT, communications, law (DPO), metadata and data services.

Data sources and types of data

Via Findata social and health data can be accessed from various public institutions, private institutions and registries. The sources of data for which Findata can issue permits are specified in the Secondary Use Act.

Findata grants permissions for data collected both in public and private sector services which are part of the relevant data sources. According to Finnish legislation, only an official authority can grant permission to use Finnish citizen’s personal data. Therefore, even if the data is collected at private doctor’s surgery, the private health clinic does not have the power to grant permits for secondary use.

Data granted by Findata can be combined with data from other countries, and this can be done in two directions: it is possible to transfer Finnish data to secure environments in other countries, and it is possible to import data from other countries to Finland, either to Findata remote access system or to a secure audited environment maintained by some other organisation. Both forms have already been applied in several cases. Data can only be taken out of the remote access environment and disclosed to another secure user environment in exceptional cases. However, this is sometimes necessary due to restrictions from other remote access environments when data needs to be combined.

Foreign data users

In Finland currently, the submission of a data permit application is possible for persons who have a personal identity code registered in the Finnish Population Information System. Findata is mapping alternative secure identification applications for its international users. Hence, in the future, it should also be possible for foreign stakeholders to request a data permit, however, there is not yet a standardized way to control the identity of the foreign applicant. When applying is possible, there will be no additional protective restrictions for non-Finnish data users (such as having a Finnish research partner).

Processing data in the remote access environment of Findata when being in a third country (outside the EU/EEA) is possible if there are appropriate safeguards in accordance with Chapter V of the GDPR. Non-EU stakeholders applying require more paperwork and possibly (EU standard) agreements, and the fee is higher.

User fees

The price of Findata services are defined in the Valtion maksuperustelaki ( State Basis of Payment Act ) and detailed in the Decree of the Ministry of Social Affairs and Health Fees for the services of the Social and Health Information Licensing Authority of 30 December 2019.

For its public services, a processing fee is charged that must correspond to the amount of the total cost to the state of producing the performance (cost value). The fee (of 115 EUR per working hour) is determined based on the hours worked to produce the output (by means of data aggregation, pre-processing, pseudonymisation and anonymisation). The fee may be below the cost value of the service or may not be charged at all if there are justified reasons related to health and medical care, other social purposes, the administration of justice, environmental protection, educational activities or general cultural activities.

In the above mentioned decree, a fixed fee based on the average cost value applies for the following services:

·A data permit for a permit applicant established in Finland or another EU or EEA country of 1,000 EUR;

·A data permit for an applicant established in a non-EU or non-EEA country of 3,000 EUR,

·a change of data permit for a permit applicant 350 EUR.

·a decision concerning a data request with a fee of 1,000 EUR.

·A data permit related to a thesis and a decision on the information request for an applicant who is domiciled in Finland or another EU or EEA country of 500 EUR. 62

In addition, Findata provides remote access environment services, which are commercially priced services subject to a fee (VAT +24%). Such packages can range from a Small Package (8 GB) of 2,250 EUR/year to an XL Package (90 GB) of 8,500 EUR/year.

Pseudony-misation/ anonymisation

One can access statistical level data via a data request and individual level data via a data permit. In principle, individual level data is available in a pseudonymised or anonymous format, dependent on what is requested. Access to data with direct identifiers is not excluded, but only granted under strict conditions and fitting with the data applicant’s processing purposes.

* Sources of information: findata.fi, legal technical survey by national country correspondent, and correspondence with relevant experts.

Health Data Hub (HDH), France

Description

The Health Data Hub (HDH) is a unique gateway to health data in France. The HDH’s vision is to ensure a simple, unified, transparent and secure access to health data for public interest research with the goal to improve the quality of care and patient support. The HDH is a platform where pseudonymised health data from different sources is duplicated and made available. It is both an infrastructure and a health database catalogue, and offers related services, allowing project coordinators to access data and/or link different databases. The role of the HDH is to give access to health data, promote the collection and consolidation of data, to accompany data exploitation, to support the research community and to ensure the link with civil society. The aim of the HDH is to federate all health data stakeholders, and to facilitate access to various data sources (public/private) while ensuring high standards of transparency and privacy.

Background

The origin of the HDH stems from a report written in 2018 ‘For a meaningful AI’, where deputy and Fields Medal mathematician Cédric Villani recommended a single point of entry to access health data, as health was defined to be a key strategic sector for the development of AI in France. Following the report, President Macron announced the creation of the HDH. An in-depth study mapped the obstacles in the secondary use of health data in France, which resulted in a roadmap ‘code of conduct’ for the HDH.

The HDH aims to become the single entry point to French health data. This system is being implemented to harmonize health data access in France and to address quality and interoperability issues of the various databases are a key part of the HDH governance model.

Legislation

The Law of July 24th 2019 on the Organisation and Transformation of the Health System is the main legislative text which sets up the HDH as a public interest group (GIP) to be the main gateway to operate public interest research on the National Health Data System (SNDS).

The scope of the latter has been increased by that same law to all health data fully and partially reimbursed by national solidarity. In addition, the HDH hosts an independent Ethical and Scientific Committee for Research, Studies and Evaluations (CESREES).

Tasks and activities

The missions of the HDH can be summarized in four main areas:

-Supporting data controllers in the collection, consolidation and development of their assets;

-Offering all project coordinators simplified and fast access to health data;

-Guaranteeing transparency towards civil society and ensuring respect for citizens’ rights;

-Innovating alongside research and industry players.

Governance

The HDH takes the legal form of a public interest group (GIP) governed by public law. The HDH takes over the missions of its predecessor, the National Institute for Health Data (INDS) as the single entry point for health data access in France. It is also responsible for health data access governance as it hosts the secretariat of the CESREES, the ethical and scientific committee for health research, studies and evaluations, which evaluates requests for access to the data catalogue.

The missions of the HDH are determined through article L. 1462-1 of the Public Health Code. The health data platform, with its governance set up by decree, is composed of 56 entities that represent the State, organisations ensuring representation of patients and users of the health system, producers of health data, public and private users of health data, including health research organisations, among others.

Organisation and budget

The HDH is a single point of entry data governance model, providing access for all researchers to data currently stored in the HDH (and SNDS). The data remains stored with the original data controller. The Health Data Hub is a central body, but does not incorporate all data. For example, biobanks and registries have their own systems.

The project results are made public on the website of the HDH, with due respect for academic and industrial competitiveness.

As for budget, the HDH is currently funded by the public sector. Before the official creation of the public interest group, the Health Data Hub project was conducted under the direction of the Ministry of Solidarity and Health (Directorate of Research, Studies, Evaluation and Statistics (DREES)) and was selected in the Big Data and Artificial Intelligence call for projects of the Fund for the Transformation of Public Action (FTAP). In this context, it was granted initial funding of 36 million euros for four years. A further 40 million euros came from the national health insurance expenditure target (L’Objectif national de dépenses d’assurance maladie, ONDAM).

Staff and functions

As of end of 2020, around 50 people are working for the Health Data Hub. The Hub is planned to grow further.

Data sources and types of data

The HDH can provide access to any pseudonymised health data that is reimbursed partially or fully by national public solidarity in France. This includes the national claims database, as well as in the future numerous other databases to be included in its catalogue, such as cohorts, clinical data, genomics data etc.

Data users

Data access is only allowed for public interest research, with a strictly defined project duration and a limited scope upon approval by the Scientific and Ethics Committee (CESREES) and the national DPA (CNIL). Data is accessible via a customized secure project space, containing only the needed dataset and offering a variety of data analytics tools. The data processor cannot directly retrieve data from the platform.

Any private actor requesting access to the data will have to prove that the project is of public interest, for the benefit of citizens, in the same way as public actors.

Foreign data users

Data access can be granted to data users from other EU countries.

The HDH contributes to the dissemination of international standards and best practices as well as to improve interoperability, in order to enable quality data aggregation and linkage. The HDH is actively looking to encourage cross-border research collaborations on health data, primarily with research structures and data controllers.

User fees

In the future, the HDH could charge fees for access to its services such as the use of the secure project space for for-profit actors. As the Hub is in its start-up phases the exact rates are still under development.

Pseudony-misation/ anonymisation

The HDH only stores pseudonymised data and citizens have a right to opt out of the secondary use of their health data through the HDH. Citizens cannot object to uses made compulsory by law, or necessary to carry out a mission of public interest, for example for health monitoring purposes.

* Sources of information: health-data-hub.fr, legal technical survey by national country correspondent, and correspondence with relevant experts.

Research Data Centre at the BfArM (Federal Institute for Drugs and Medical Devices), Germany

Description

The Centre serves as a research data hub for claims data of all statutory insured people in Germany (currently covering approx. 90% of the German population). It is currently being reorganised, expanding its range of data and services. Within the next few years it will also serve as a research hub for EHR data for which patients have granted access to for research purposes.

Background

The Centre was originally based at the German Institute for Medical Documentation and Information (DIMDI), responsible for medical information classification and management. To strengthen its role, the institute was brought together with the Federal Institute for Drugs and Medical Devices (BfArM) in May, 2020 to form one authority.

Legislation

The main legislation describing the mandate of the Research Data Centre at BfArM are the §§303a-f of the Social Code Book 5 (Sozialgesetzbuch, SGB V, Statutory Health Insurance; https://www.sozialgesetzbuch-sgb.de/sgbv/303a.html ). It has been updated with the Digital Care Act in December 2019 to accommodate the new role, and the Patient Data Protection Act in July 2020 to, as of 2023, also include EHR data on a voluntary basis. Based on the new §§303a-f of the Social Code Book 5 the Data Transparency Ordinance (DaTraV) ( http://www.gesetze-im-internet.de/datrav_2020/ ) was revised in 2020. It describes the tasks of the Research Data Centre at BfArM in more detail.

Tasks and activities

As described in § 303d SGB V the Research Data Centre is tasked to handle data that is transmitted to it by the German Federal Association of Health Insurance Funds (GKV-SV) and to promote the scientific secondary use of the data for specified research and public health purposes. It, among others, includes carrying out quality assurance of the data, examining requests for data use and making it available to authorised users while balancing re-identification risks and intended scientific benefits. As separate entity, the Robert Koch Institute (RKI) performs the duties of a trust agent managing a two-layered pseudonymisation process to ensure that the pseudonymised claims data provided by the GKV-SV are correctly linked to the longitudinal data at the Research Data Centre. The data used for assigning the respective cross-period insured person pseudonyms to the transmission work numbers are deleted; only the algorithms are kept.

Governance

The legal supervision of both the Research Data Centre and the trusted agent has been assigned to the Federal Ministry of Health (BMG), but each maintain an operational independence.

Organisation

The Research Data Centre is based at the Federal Institute for Drugs and Medical Devices (BfArM) with an independent IT infrastructure. A dedicated trust agent unit is based at the Robert Koch Institute (RKI). The statutory health insurance companies reimburse the Federal Institute for Drugs and Medical Devices and the Robert Koch Institute for the costs of performing the task of data transparency.

Staff and functions

The staff of the Data Research Centre is currently being extended to accommodate the new duties. Within the next few years it is expected that the staff will expand to about 15 full time staff members comprised mostly of IT specialists, data engineers and data scientists.

Data sources and types of data

As defined in the DaTraV, the research centre receives pseudonymised claims data from the statutory health insurance companies for each calendar year (reporting year) per statutory insured person (covering approx. 90% of the German population). It will include among others diagnoses, prescriptions and treatment data from medical care, including in- and outpatient care, dentistry, aids and remedies.

Data users

As defined in § 303e SGB V a pre-defined list of authorised institutions can request permission to access data, and no further distinction is made between applicants. These for example include health reporting institutions at the federal and state levels, health insurance providers, relevant umbrella organisations of service providers or patients at federal level, and universities as well as university hospitals recognized under state law. This also includes publicly funded non-university research institutions and other independent research institutions, provided the data serves independent scientific projects. Commercial research institutes and industrial companies can thus not request permission for data access. Authorized users may work together with third parties and transfer query results, i.e. anonymised and aggregated data received from the Research Data Centre, to further project partners only with prior permission of the Research Data Centre. This will facilitate research collaboration undertaken between the public and the private sector.

Foreign data users

§ 303e SGB V does not explicitly list researchers or institutions from other Member States as authorised users, but also does not restrict research institutes to domestic institutions. In principle these can also be based in other Member States, as long as the data are used for scientific research, and applicable law is respected.

User fees

User fees are defined in the Data Transparency Fee Ordinance ( DaTraGebV ; http://www.gesetze-im-internet.de/datragebv/ ). Underlying principle is that the fees are determined based on the amount and complexity of the data rather than the time spent on the applications.

The fee for standardized data queries amounts to 300 euros. To provide data by means of a query pre-formulated by the authorized user, the fee amounts to an additional 300 euros per evaluated year. In addition, a fee of 50 to 1,600 euros will be charged for each consultation, each preparation of preliminary evaluations and for interim results depending on the scope and complexity of the request and the associated use of personnel and material benefits. For the provision of pseudonymised individual data records in future secure, physical or virtual surroundings of the centre, an additional fee of 100 to 3,000 euros is charged, again depending on the scope and complexity of the request and the associated use of personnel and material services calculated.

Data altruism

Currently, data include claims data of all statutory insured citizens without requiring their permission. As part of the "Patient Data Protection Act" (Patientendaten-Schutz-Gesetz, PDSG) in 2020, patients can voluntarily make use of an electronic patient record (elektronische Patientenakte, ePA). From 2023 onwards, insured persons will have the option of voluntarily making the data stored in the ePA available to research via the Research Data Centre (source: BMG 2020 ) 63 . This has also been adjusted in § 363 IV SGB V: Insured persons can voluntarily release the data in their ePA for the research purposes listed in § 303e II Nos. 2, 4, 5 and 7 SGB V to the Research Data Centre. Insured persons may also make the data in their ePA available for a specific research project or for specific areas of scientific research on the sole basis of informed consent.

Pseudony-misation/

anonymisation

The Research Data Centre shall provide authorised users with data that is anonymised and aggregated to the extent required for the specific research question.

* Sources of information: legal technical survey by national country consultant, legal texts as mentioned in the box and correspondence with relevant experts.

Statistics Netherlands (CBS)

Description

Statistics Netherlands (CBS) is the independent national statistics agency, providing statistical information on social issues, including health. Within CBS, the microdata services department was set up to allow researchers to obtain health and other data for research purposes.

Background

CBS is the central agency to access data for research and other types of secondary use of health and administrative data. However, access to health data is very fragmented in the Netherlands and there are also many other access points (e.g. regional biobanks). CBS was established in 1899 in response to the need for reliable and independent statistical information on social issues. The CBS statistics should support the public debate and policy-making and reduce social inequality by collecting, processing and publishing statistical data. CBS microdata services provides access to (linked) data for third parties for research purposes.

Legislation

The Statistics Netherlands Act forms the legal basis for CBS and precludes that any data recorded and collected in the Netherlands with public funding, may be used by CBS for their statistical tasks. Permission is needed from some of the data sources for secondary use by other parties.

Organisation and budget

CBS is an autonomous administrative authority which is financed by the state. Standard fees apply for anyone using the data. Fees are based on the number of datasets to be linked, a monthly access fee for each user, and the size of the dataset.

Data sources

The Healthcare Market Regulation Act requires health care providers to submit pseudonymised data about treatment codes to the Healthcare Authority (HCA). The HCA further processes the data and sends statistics to the Department of Health and CBS. Only treatment codes which are based on a fee for service (instead of a lump sum based on the number of enrolled patients) are sent regularly to the HCA. Health care providers are also obliged to submit pseudonymised data about treatments etc. to CBS. However, this obligation is balanced against the administrative burden of submitting data. If CBS can derive sufficient information from a representative sample of health care providers, it will not require all similar health care providers to provide data.

Types of data that can be accessed through CBS are: electronic health records, both from primary care and hospitals, social care data, long-term care data, health insurance claims data, prescribing and dispensation records, disease registries, health data linked with social and environmental data. Such data can be from private or public sources.

For some sources of data, separate permission has to be obtained from data sources (e.g. extracts from hospital and primary care electronic health records, claims data from health insurers). For other data sources permission from CBS suffices (e.g. socioeconomic data).

Data users

Authorised institutes can use microdata sets of CBS for research purposes, which consist of linkable data sets at individual level. Authorised organisations are Dutch universities, scientific research institutes, policy advice and analysis organisations, statistical authorities from European Member States, and other institutions that have been granted access through an application form.

In order to work with the data, the following conditions must be met: a) The primary mission of the institution (or the relevant part thereof) is to conduct statistical or scientific research, b) results of the research will be published, and c) the institution has a good name and reputation.

Foreign processors

Foreign institutions can apply for access and should preferably have working relations with a Dutch authorised institution.

Data fees

The fees which apply to microdata research depend on the number of participating researchers, the number of dataset subjects and the duration of the project, among others.

Services during the project start-up consist of a basis starting up cost of 1,800 EUR and an additional fee of 180 EUR per dataset topic. Importing one’s own data will depend on the level of encryption, from simple (250 EUR) to complicated (1,300 EUR).

Services during an ongoing research project are in part variable, depending on the data set topics (18 EUR support costs per topic) and output checking (220 EUR per output).

Pseudony-misation/ anonymisation

Pseudonymised data is accessible in a secure remote environment with a personal token. The researcher can link CBS data with other datasets upon request. Only statistical output can be exported, and CBS checks whether results imply a risk of re-identification.

* Sources of information: cbs.nl, legal technical survey, knowledge of the authors

BIGAN Health Research Infrastructure, Aragón, Spain

Description

BIGAN integrates a technological infrastructure and a data lake gathering individual population and patient data from the regional health service and health related information systems from Aragón. Specifically, for research, BIGAN has put together healthcare data from 1.3 million lives – Aragón population, more than 800 million records in a data lake of pseudonymised patient data and renders it accessible to the scientific community as a one-stop shop service.

The holistic approach gathering not only health data but also health related data (social, environmental, geographical) provides cross-fertilisation from various research areas which in turn might provide insight to future research policies.

Background

First mention of the ideas supporting the project BIGAN was introduced within the policy agenda through the Plan “Aragón Health-2030”. This plan included a regional strategy for the common exploitation of all the health and health related information systems in Aragón with big data and AI tools; thus, harnessing the potential of the reuse of real-world (big) data (RWD) in Aragón for population health research.

Legislation

BIGAN was created as a new subsystem within the existing health information system in Aragón. Executive order (SAN/1355/2018) established the Aragón Regional Health Authority BIGAN platform. BIGAN platform is a data infrastructure implemented to reuse any kind of existing data for planning, quality management and health research. As an element of the health information system in Aragón, BIGAN platform is governed by the Health Law of Aragón (Law 6/2002), the Decree on social and healthcare information system (Decree 164/2000) and the Law on Research and Innovation in Aragón (Law 17/2018). Furthermore, BIGAN research complies with Law 41/2002 Governing Patient Autonomy and Law 14/2007, on biomedical research, and with national and European data protection legislation.

Tasks and activities

BIGAN overcomes research fragmentation and duplication by integrating health and health related data from the Aragón region into a single centrally managed infrastructure based on the modular design of the BIGAN platform that allows for increasing numbers of data sources to be integrated.

BIGAN offers different portals according to its goals and required functionalities: Planning and Quality Management, Research, and Training. They are being deployed at different timespans. BIGAN Planning and Quality Management services started off in 2019, while BIGAN research and BIGAN training services are scheduled to be fully operational in 2021. From inception (2017) to full operation and evaluation (expected 2022), the deployment project has a forecasted duration of 5 years.

Governance

BIGAN is led by the Health Sciences Institute in Aragón (IACS). IACS was created by the Regional Health Law (6/2002), and is a public independent entity within the Health System in Aragón responsible for overseeing, promoting and managing biomedical research and innovation and producing evidence-based guidance on health technology, health policy assessment, and medical practice guidelines.

BIGAN Oversight Committee controls and follows up BIGAN development according to its goals while IACS is in charge of the day-to-day operations. The Ethics Committee for Research in Aragón (CEICA) is responsible for ensuring the correct application of the methodological, ethical and legal principles in BIGAN activities including the assessment of the implications for individual and civil rights, distributive justice, health and safety and quality of life.

In BIGAN, patients are able to view and change their data opt-out choice at any time (and without any justification needed).

Organisation and budget

BIGAN data controllers are the Aragón Regional Health Authority (Department of Health) and the Aragón Health Service (SALUD). Contracts between controllers and processors are in place, the last of them signed in February 2020.

BIGAN infrastructure has an available budget of 1.06 million EUR for the period 2018-2020 divided in 3 categories (HHRR, IT and Subcontracting), HHRR being around 90% of the overall budget.

Staff and functions

The IACS Biocomputing unit (four members) is responsible for the design, operational management, development and maintenance of BIGAN infrastructure with the support of IACS staff on the IT, Legal, Ethical, and HHRR departments and with the assistance of researchers from the Health Services and Policy Research group.

Data sources and types of data

BIGAN research infrastructure data lake gathers individual level data from all the population registered as beneficiaries of the Aragón Health System (virtually 100% of the population) and the regional health service information systems, including primary care, specialised care, hospitalisations, ER episodes, drug prescription, drug reimbursement, image diagnosis, laboratory analytical determinations, diagnostics, vaccination, anamnesis and demographics. Data from these sources are updated according to their specific generation dynamics, in most cases daily.

Data users

According to the Protocol approved by the BIGAN Oversight Committee (December 2019), within the context of a research project, the pseudonymised data is accessible, directly to researchers within the “R&D Aragonese system” (as defined by regional law 17/2018); and indirectly accessible by other researchers (either public or private), when an agent of the R&D Aragonese system actively participates.

Accessing BIGAN health research infrastructure includes a transparent approval process for health research projects which favours trust and accountability and fosters public-private partnerships and collaboration between public and private researchers, always under the assumption of the societal benefit of this collaboration.

Foreign data users

Favouring a seamless health data exchange in the European Research Area is an important objective of BIGAN research infrastructure and multi-country projects funded by national or European institutions are able to access to BIGAN research platform.

Within the context of cross-border research projects, pseudonymised data is accessible by researchers (either public or private), when an agent of the R&D Aragonese system actively participates in the project. Non-R&D Aragonese agents can have granted direct access to the data although it requires a specific access by the BIGAN Oversight Committee in the light of the criteria of relevance, security and social interest.

User fees

Basically the fees are composed of four categories, namely data extraction and data processing; computing; basic storage; advance storage, as follows:

1. Data extraction and data processing: 37.72 / 31.43* / 13.16** EUR/hour

2. Computing: 0.12 / 0.10* / 0.08** EUR/ hour /CPU

3. Basic storage: 0.93 EUR/year/GB

4. Advance storage: 2.67 EUR/year/GB

* Reduced fee 1: applied to research projects managed by public research bodies or other public organisations.

** Reduced fee 2: applied to research projects managed by IACS, University of Zaragoza or the IIS Aragon Foundation

Please notice that BIGAN research and training services are scheduled to be fully operational in 2021.

Pseudony-misation /anony-misation

The BIGAN data lake contains already externally pseudonymised data only. Re-identification of data at origin may take place only when, in the course of a research using pseudonymised data, it becomes apparent that there is a real and specific danger to the safety or health of a person or a specific group of people, or a serious threat to their rights, or that it is necessary to ensure proper health care.

* Sources of information: correspondence with relevant experts.

Danish health data governance landscape

Introduction

Denmark is a digitalised and data-intensive country and promotes actively data based research. As Denmark has a very rich and diverse health data governance landscape, this box outlines the main national infrastructural access points.

In Denmark there is a difference between clinical access points and research access points. Sundhed.dk is the access point to EHRs for patients and also for health professionals for clinical purposes. A stakeholder needing data for research has several access points, and can go to the Danish Clinical Quality Program (RKKP) for quality databases, the Serum Institute for health data, and to Statistics Denmark for registry data combined across sectors.

Clinical care data

Primary care data must be accessed through the municipalities (for homecare and nursing homes) and DAK-E/KIAP from the Danish Quality Unit for General Practice for GP-data.

Sundhed.dk is an independent agency governed by the Regions and the Government and contains the national EHR. At the sundhed.dk platform patients can access personal health information from EHR, laboratories, personal choices (e.g. organ donor), and the national patient registry. The patients can access their record, but they cannot report data or control the data. Health professionals also have access to the EHR.

Registry data

The two main national data governance bodies that host health data are: Statistics Denmark, storing data about the wider Danish population, and the Danish Health Data Authority (Sundhedsdatastyrelsen), hosting disease registers and data bases with health related information.

Statistics Denmark is a public independent agency and holds copies of register data and can extract health data and combine it with social conditions when the researcher requests it. Researchers can apply for access to data locally with data custodians, or for the whole country through the Researcher Service (Forsker-service) at Serum Institute (when it is health data only) and through Statistics Denmark, if the researcher wants to combine health data with other data types.

The Danish Health Data Authority holds all health registers, and provides research support service (Forskerservice) for researchers who wish to access health data. It is also responsible for national coordination of data exchange systems and infrastructures for the provision of healthcare.

The Danish Clinical Quality Program (RKKP) is the cross-regional network organisation of the five Danish regions that constitutes the infrastructure of clinical quality registries and coordinates access to the data for researchers. The decision regarding access is made by the steering group of the individual data base.

There is a fee for accessing data for research that must be paid to Statistics Denmark, the Serum Institute, or DAK-E but that only covers the hours spent on setting up the specific data set, and for DAK-E also the commercial vendor fee. It is not the cost of the infrastructure.

Registry data are available for research with no informed consent (“solidarity by law”).

Biobank data

The National Biobank, hosted by the Staten Serum Institute, and the Regional Biobank Program provide access to tissue samples. The National Genome Centre provides access to genomic data. The Health Act specifies that all genomic data from comprehensive genetic analyses is stored in a national genomic database and that patients have the right to opt-out of further use of the data.

Data exchange

All data is exchanged via the platform Sundheddatanettet. Data are not stored there but it is a secure space where you need authentication and approval to be linked up through VPN-access so that you can exchange data. MedCom is responsible for developing and setting standards for data exchange and testing supplier products before they are released to ensure data compatibility.

Data altruism

In Denmark Sundhed.dk mentions in their strategy for the coming two years that they wish to open up safe spaces for storage of citizen generated data, and potentially they can be marked as available for research too, but this is not operating yet.

Access by foreign researchers

Statistics Denmark has been involved in several working groups to facilitate data exchange between different countries.

Data from Statistics Denmark is as a main rule only available for Danish researchers, but foreign researchers can get access to micro data through an affiliation to a Danish authorised environment. The Danish Health Data Authority applies the same rules.

User fees

There is a fee for accessing data for research that one has to pay to Statistics Denmark, the Danish Health Data Authority, the Serum Institute, or DAK-E (for GP data) but that only covers the hours spent on setting up the specific data set, and for DAK-E also the commercial vendor fee. It is not the cost of the infrastructure.

While the exact situation is difficult to assess, a direct consultation with Statistics Denmark about calculation of prices does not suggest differentiated prices. However, public entities rarely pay for data access; they use the data they already have in-house, and do not order data sets through research service portals.

Pseudony-misation /anony-misation

All public agencies store data of citizens using the patient’s ID number (PIN) and they can be linked at Statistics Denmark. They also link data from different sectors. Data held in the data access infrastructures are marked with a pseudonym of the patient’s ID number (PIN).

* Sources of information: legal technical survey by national country correspondent, correspondence with relevant experts, van der Wel et al. (2019), respective organisation websites. More details on centralized bodies, in chapter 7 of the study: European Commission (2020). Assessment of the EU Member States rules on health data in the light of GDPR. (Annexes available at: ).

(1) Hansen, J., Wilson, P., Verhoeven, E., Kroneman, M., Kirwan, M., Verheij, R., van Veen, E.-B. (2021). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/system/files/2021-02/ms_rules_health-data_en_0.pdf (Annexes available at: https://ec.europa.eu/health/system/files/2021-02/ms_rules_health-data_annex_en_0.pdf ).

(2) Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S., Febrer, N., Folkvord, F., Chabanier, L., Filali, N., Hamonic, R., Achard, E., Couret, H., Arredondo, M. T., Cabrera, M. F., García, R., López, L., Merino, B., Fico, G. (2022). Study on Health Data, Digital Health and Artificial Intelligence in Healthcare, Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/179e7382-b564-11ec-b6f4-01aa75ed71a1/language-en

(3) The study covered all 27 Member States, the United Kingdom and Norway. https://ec.europa.eu/newsroom/dae/redirection/document/79897

(4) https://op.europa.eu/en/publication-detail/-/publication/6f758166-2198-11ec-bd8e-01aa75ed71a1/language-en/format-PDF/source-232403056

(5) https://ec.europa.eu/health/sites/default/files/ehealth/docs/2018_provision_marketstudy_telemedicine_en.pdf

(6) https://edps.europa.eu/sites/default/files/publication/20-11-17_preliminary_opinion_european_health_data_space_en.pdf

(7) https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12663-Digital-health-data-and-services-the-European-health-data-space_en

(8) Some of the respondents were international and pan-European organisations based in Belgium.

(9) Hansen, J., Wilson, P., Verhoeven, E., Kroneman, M., Kirwan, M., Verheij, R., van Veen, E.-B. (2021). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/system/files/2021-02/ms_rules_health-data_en_0.pdf (Annexes available at: https://ec.europa.eu/health/system/files/2021-02/ms_rules_health-data_annex_en_0.pdf ).

(10) More details in Hansen et al. (2021).

(11) European Commission (forthcoming study). A study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space, Trasys.

(12) In the figure, Health Data Access Bodies are indicated as “DPerA”s for “Data Permit Authority” instead of “Data Access Body”.

(13) European Commission (forthcoming study). A study on an infrastructure and data ecosystem supporting the impact assessment of the European Health Data Space, Trasys.

(14) https://ec.europa.eu/health/sites/default/files/cross_border_care/docs/impl_directive_presciptions_2012_ia_en.pdf

(15) https://digital.nhs.uk/services/national-casemix-office/downloads-groupers-and-tools/local-payment-grouper-2019-20

(16) Addressing Overutilization in Medical Imaging | Radiology (rsna.org)

(17) OECD/EU (2018), Health at a Glance: Europe 2018: State of Health in the EU Cycle, OECD Publishing, Paris. https://doi.org/10.1787/health_glance_eur-2018-en

(18) https://www.oecd.org/health/health-systems/Empowering-Health-Workforce-Digital-Revolution.pdf

(19) See: https://ec.europa.eu/eurostat/web/products-eurostat-news/-/ddn-20201202-1

(20) See: https://www.capgemini.com/wp-content/uploads/2020/09/eGovernment-Benchmark-2020-Insight-Report.pdf

(21) See: https://www.itu.int/en/ITU-D/Statistics/Documents/events/egti2020/IDI2020_BackgroundDocument_20200903.pdf

(22) See: https://www.who.int/health-topics/digital-health#tab=tab_1

(23) European Commission (2020). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/sites/health/files/ehealth/docs/ms_rules_health-data_en.pdf (Annexes available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_annex_en.pdf ).

(24) For example, for the adoption of MyHealth@EU over time more detailed information was collected by DG SANTE and other supporting studies, which was used to model specific adoption timelines for the baseline and each policy option.

(25) See: https://www.ela.europa.eu/sites/default/files/2021-01/Draft-SPD-2022-2024_0.pdf

(26) See: https://www.bfarm.de/EN/Medical-devices/Tasks/Digital-Health-Applications/_node.html

(27) See: https://digital-strategy.ec.europa.eu/en/library/impact-assessment-report-and-support-study-accompanying-proposal-regulation-data-governance

(28) Digital Health Trends 2021 - IQVIA

(29) European Commission (2018). Market study on telemedicine. Available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/2018_provision_marketstudy_telemedicine_en.pdf

(30) See: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Self-perceived_health_statistics&oldid=509628

(31) See: https://ec.europa.eu/eurostat/web/products-eurostat-news/-/EDN-20200307-1

(32) Eurostat - Data Explorer (europa.eu)

(33) https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=71225

(34) https://www.who.int/observatories/global-observatory-on-health-research-and-development/indicators/gross-domestic-r-d-expenditure-on-health-as-a-percent-of-gross-domestic-product

(35) https://digital-strategy.ec.europa.eu/en/library/impact-assessment-report-and-support-study-accompanying-proposal-regulation-data-governance

(36) Martin L et al. How much do clinical trials cost? Nat Rev Drug Discov. 2017 Jun;16(6):381-382. doi: 10.1038/nrd.2017.70. Epub 2017 May 19.

(37) See: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=R_%26_D_expenditure&oldid=503835

(38) Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S., Febrer, N., Folkvord, F., Chabanier, L., Filali, N., Hamonic, R., Achard, E., Couret, H., Arredondo, M. T., Cabrera, M. F., García, R., López, L., Merino, B., Fico, G. (2022). Study on Health Data, Digital Health and Artificial Intelligence in Healthcare, Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/179e7382-b564-11ec-b6f4-01aa75ed71a1/language-en

(39) Interviews with targeted representatives of the industry and of patients, as well as co-coordinators of current and past Joint Actions supporting the eHealth Network and the European Health Data Space (TEHDaS).

(40)

Three focus groups/workshops were carried out in. The first workshop was organised with the eHealth Network and focused on the evaluation of the activities carried out. The second workshop was organised with a broad range of experts and focused on future needs. A third workshop was carried out on the secondary use of health data with the participation of members of the Joint Action TEHDaS.

(41) A survey was sent out to all eHealth Network members to gather information on the evaluation of the activities carried out by the eHealth Network covering both the cross-border provision of digital healthcare across the EU and access to health data for secondary use. A total of 19 Member States and Norway responded to this survey.

(42) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(43) Regulation (EU) 2018/1725

(44) EUR-Lex - 32011L0024 - EN - EUR-Lex (europa.eu)

(45) Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, COM(2020) 823 final

(46) Medicinal products for rare diseases (‘Orphan medicines’) ( Regulation (EC) No 141/2000 , Medicinal products for children ( Regulation (EC) No 1901/2006 , Advanced therapy medicinal products ( Regulation (EC) No 1394/2007 .

(47) OJ L 172, 26.6.2019, p. 56–83.

(48) Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 851/2004 establishing a European Centre for disease prevention and control, Proposal for a Regulation of the European Parliament and of the Council on serious cross-border threats to health and repealing Decision No 1082/2013/EU, Proposal for a Regulation of the European Parliament and of the Council on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and medical devices.

(49) https://ec.europa.eu/health/sites/default/files/preparedness_response/docs/hera_2021_propcouncreg_medical-countermeasures_en.pdf

(50) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0761&rid=3

(51) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0761&rid=3

(52) https://ec.europa.eu/health/sites/default/files/non_communicable_diseases/docs/eu_cancer-plan_en.pdf

(53) EU Mission: Cancer | European Commission (europa.eu)

(54) https://ec.europa.eu/health/sites/default/files/non_communicable_diseases/docs/eu_cancer-plan_en.pdf

(55)

Bensemmane, S. and Baeten, R. (2019), Cross-border telemedicine: practices and challenges. OSE Working Paper Series, Research Paper No.44 Brussels: European Social Observatory, October, 63p.

(56) https://ec.europa.eu/regional_policy/en/projects/germany/telemedicine-pomerania-improves-healthcare-in-sparsely-populated-regions

(57) https://www.telemedecine-360.com/wp-content/uploads/2019/03/2018-ESO-Recommendations-on-telestroke-in-Europe.pdf

(58) https://www.bfarm.de/EN/MedicalDevices/DiGA/_node.html

(59) https://mhealthbelgium.be/validation-pyramid

(60) European Commission (2020). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/sites/health/files/ehealth/docs/ms_rules_health-data_en.pdf (Annexes available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_annex_en.pdf ).

(61) European Commission (2020). Assessment of the EU Member States rules on health data in the light of GDPR. https://ec.europa.eu/health/sites/health/files/ehealth/docs/ms_rules_health-data_en.pdf (Annexes available at: https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_annex_en.pdf ).

(62) The price related to the thesis is applied if the application concerns a research project that produces one thesis. If the application concerns a project that produces more than one thesis or a project that produces one or more theses and other outputs, a normal data request decision or data permit fee (EUR 1,000.00) will be charged.

(63) https://www.bundesgesundheitsministerium.de/patientendaten-schutz-gesetz.html

EUROPEAN COMMISSION

Strasbourg, 3.5.2022

SWD(2022) 131 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Health Data Space

{COM(2022) 197 final} - {SEC(2022) 196 final} - {SWD(2022) 130 final} - {SWD(2022) 132 final}

Table of contents

Annex 10: Interoperability issues in Member States

Annex 11: Dimension-by-dimension comparison for the options for the EHDS

1Conclusions

End-notes

Annex 10: Interoperability issues in Member States

Source: Refined eEIF (ReEIF) model: showing alignements that are necessary on the different levels of interoperability. Source: eHealth Network: refined eHealth European Interoperability Framework 1

The following information has a selection of information extracted from the study carried out by Empirica and Open Evidence for DG CNECT: Thiel, R., Lupiáñez-Villanueva, F., Deimel, L., Gunderson, L. and Sokolyanskaya A. (2021). eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU. https://ec.europa.eu/newsroom/dae/redirection/document/79897

A1: Legislation and national rules enable access to and sharing of electronic health data through EHRs 2 , requiring high standards for data security and privacy

Indicator A1 surveys legal aspects of EHRs with regard to access and sharing of EHR data. Important components of a legal framework are the opportunity to legally store health data electronically, requirements for data security and data confidentiality, a sufficient level of technical security, logging and audit trailing, up-to-date legislation, and the opportunity to have health data shared among all relevant healthcare providing parties. Almost 4 of 5 of countries passed national legislation on EHRs regulating data safety and technical security measures less than five years ago. Logging of health data processing is not mandatory in nine countries.

A1-1: In your country, does legislation exist that enables the electronic storage of patient data?

A1-2: Does this legislation clearly regulate safety and confidentiality of personal health data?

A1-3: Do legislation and national rules exist that are dedicated only to personal health data and that prescribe technical security measures for EHR systems?

A1-4: Does this legislation prescribe logging of any health data processing to enable audit trailing 3 ?

A1-5: Was the latest relevant legislation passed less than five years ago?

A1-6: Does your current legislation inhibit in any way health data exchange via EHRs?

A2: Legislation and national rules guarantee patients' right to access their own electronic health data

Indicator A2 focuses on legal aspects of EHRs with regard to patients’ access to personal health data. Important components of a legal framework are wide-ranging patient rights to be able to electronically access their personal EHR data and to be allowed to decide to whom to provide access to their health data. While 26 countries do provide their citizens with access to their EHR data by law in general, only 20 states record by law that citizen access must be possible independent of place and technology. Lastly, 43% or 12 countries indicate that their citizens are not entitled to decide which healthcare professional or other party can access their EHR. Often general practitioners act as 'data gatekeepers', allowing additional parties to access a patient's EHR, while in other countries the technical readiness of health data systems is not yet advanced enough to realise this option.

A2.7: Do legislation and national rules in general allow and facilitate individuals to access their health- related data when held in an EHR?

A2.8: Do legislation and national rules allow and facilitate individuals to access their health-related data when held in an EHR, independent of place and technology?

A2.9: Do legislation and national rules allow citizens to choose whom to provide access to?

A4: Cross-border sharing of EHR data is legally facilitated

Indicator A4 surveys whether EHR data sharing across national borders is legally facilitated. 18 study countries indicated that data sharing from EHRs across national borders is permitted by law.

A4-13: Do legislation and national rules facilitate the sharing of EHR data cross-border?

A6: eHealth/digital health policies build on and incorporate the results of relevant EU initiatives on facilitating EHR cross-country interoperability
Indicator A6 focuses on the extent to which national digital health policies and government digitization initiatives on EHR cross-country interoperability build on relevant projects undertaken at EU level. Current examples refer to the eHealth Network guidelines on the Patient Summary, ePrescription / eDispensation, and shared good practices for stakeholders developing or implementing EHR systems. In terms of alignment between national and EU-level eHealth efforts and resources, the indicator shows a mixed picture. From 28 study countries, 9 indicate to not refer to EU-level guidelines and documents on the Patient Summary and ePrescription / eDispensation in national policy documents and 19 do not refer to these resources in legislation documents.
A6-18: Has your country incorporated references to eHealth Network guidelines on the Patient Summary 4 or ePrescription 5 /eDispensation 6 into national policy documents?	A6-19: Has your country incorporated references to eHealth Network guidelines on the Patient Summary or ePrescription/ eDispensation into national legislation?	A6-20: Has your country issued practical implementation guidelines and guidelines for sharing good practice for all stakeholders?


A7: A technical and semantic interoperability 7 framework or strategy (or sub-strategy) is in place
Indicator A7 surveys whether a national technical interoperability strategy for EHRs and a semantic interoperability strategy are in place on the national level. The results show that only 7 countries lack a standalone technical interoperability strategy. 17 countries report that an interoperability strategy focusing on semantics is implemented through a national terminology centre.
A7-21: Does your country have a national strategy for technical interoperability, assuming it is not already part of an eHealth/digital health strategy, or that a sub-strategy exists?	A7-22: Has a clinical terminology 8 and semantic interoperability strategy been formulated and realised through a government terminology centre or equivalent national bodies?

B5: National competent authority with clinical/terminology and technical competence is institutionalised

Indicator B5 examines, in addition to B4, whether a competence authority exists that proposes technical and semantic standards, terminologies, publishes stakeholder guidelines and maintains archives of active and past standards (can be the same authority as in B4). 24 countries report that competent authorities aim to facilitate semantic and technical interoperability, but only slightly more than half of all countries also publish guidelines, maintain terminology archives, or perform mapping activities to international standards.

B5-40: Does a national competent authority propose technical standards with the aim to facilitate organisational interoperability and communication?

B5-41: Does a national competent authority propose clinical terminologies (like SNOMED CT, LOINC, WHO terminologies, etc.) with the aim to facilitate semantic interoperability and data exchange?

B5-42: Does the national competent authority in your country assist medical and clinical stakeholders with terminological guidelines 9 on how to use terminologies, build clinical information models, etc.?

B5-43: Does the terminology centre maintain an archive with all versions and also with legacy
terminologies, guaranteeing to trace back terminologies during the life-cycle of an EHR?

B5-44: Do adjustment measures and mapping activities to international standards exist to enable communication between digital health systems in other countries?

C1: Supervision of trusted electronic service 10 providers is in place

Indicator C1 surveys whether Member States have implemented a framework with technical and cybersecurity-related requirements for health professional identification and authentication in EHR systems. Czechia, Malta, and Portugal report having no such rules in place.

C1-54: Are there specific national rules for the identification and authentication of health professionals, as well as who exactly can create and access EHRs?

C4: Patient data in EHRs is linked to a unique patient identifier

Indicator C4 surveys the use of unique identifiers for patients, physicians and other healthcare professionals to which patient data is linked and unequivocal authentication is guaranteed. The only country without any unique identifiers, a key element for the successful implementation of an EHR infrastructure, is Czechia. While Bulgaria, Cyprus and Poland are lacking unique patient identifiers, Spain and Malta do not have such identifiers for healthcare staff.

C4-62: Does your country employ a citizen/patient electronic identifier 11 for health purposes?

C4-63: Does your country employ a national unique health services professional ID for physicians?

C4-64: Does your country employ a national unique health services professional ID for other healthcare professionals (nurses, specialists, etc.)?

C5: EHR systems are properly protected against cybersecurity risks

Indicator C5 examines the preparedness of EHR systems against cybersecurity risks. Questions include the use of security-by-design approaches, awareness management of cybersecurity risks among healthcare professionals and the application of penetration tests to ensure proper functioning of EHR systems and identification of security risks. More than two-third of countries employ consistent encryption and a security-by-design approach to prevent cyber-attacks. However, only one-third of countries report training healthcare personnel in the area of cybersecurity risks. Penetration test are a common practice among study countries. Poland, Czechia and Bulgaria do not perform well in this indicator.

C5-65: Are consistent encrypting algorithms used to protect patient ID’s in EHR systems?

C5-66: Are EHR systems developed to anticipate malicious cyber-attacks through a security-by-design approach?

C5-67: Are healthcare personnel working with national EHR systems sufficiently trained and aware of the risks of cyber-security?

C5-68: Does your country have tests in place to verify whether the EHR product or service performs as it is expected (like penetration tests)?

D3: National developments regarding semantic interoperability incorporate international standards
and terminologies

Indicator D3 examines which international standards and terminologies are used nationally. Examples include SNOMED CT, LOINC, ATC and ISO IDMP, HL7 and WHO classifications ICD-10 and ICD-11. While only around one-third of countries implemented SNOMED CT or LOINC, Czechia, Ireland, Malta, Poland and Slovenia have not implemented either of those terminologies mentioned, whereas Germany is in the process of implementation. The UK is the only country which does not use WHO classifications.

D3-77: Is SNOMED CT nationally implemented as “backbone” ontology/terminology?

D3-78: Is LOINC nationally implemented as central terminology?

D3-79: Are ATC, EDQM Standard Terms, or ISO IDMP referentials nationally implemented as central terminologies?

D3-80: Are resource driven information models (such as Health Level Seven Fast Healthcare Interoperability Resources (HL7 FHIR)) nationally implemented?

D3-81: Are WHO classifications (ICD-10, ICF, ATC) nationally implemented as central terminologies?

D3-82: Are there plans to nationally implement ICD-11 and ICHI?

National developments, including across the EU, NO and the UK, regarding semantic interoperability incorporate international standards and terminologies (source: Thiel et al.).

	Yes	No
Is SNOMED CT nationally implemented as “backbone” ontology/terminology?	36%	64%
Is LOINC nationally implemented as central terminology?	39%	61%
Are ATC, EDQM Standard Terms, or ISO IDMP referentials nationally implemented as central terminologies?	64%	36%
Are resource driven information models (such as Health Level Seven Fast Healthcare Interoperability Resources (HL7 FHIR)) nationally implemented?	43%	57%
Are there plans to nationally implement ICD-11 and ICHI?	57%	43%

E1: Exchange of Patient Summaries 12 via the eHealth Digital Service Infrastructure 13 is enabled
Indicator E1 surveys whether patient summaries exist on a national level, which modes of access patient have and whether the development of patient summary systems was informed by eHealth Network guidelines on the electronic exchange of health data for patient summaries. The indicator also inquires on the possibility to send and/or receive patient summaries across national borders. Patient summaries exist in two-thirds of all study countries and are most frequently accessed via an online portal, but only Czechia, Lithuania, Latvia, Poland, and Slovakia can send or receive patient summaries across borders.
E1-89: Do Patient Summaries exist on a national level and are respective IHE profiles 14 used?	E1-90: Which modes of access do patients have?

E1-91: Is the Patient Summary structured according to the provisions in the “GUIDELINE on the electronic exchange of health data under Cross-Border Directive 2011/24/EU Release 2 – Patient Summary for unscheduled care” adopted by the eHealth Network on 21 November 2016?		E1-92: Is it possible to receive and/or send a Patient Summary cross-borders transferred via the EHR system only within given regions in both countries?

E2: ePrescription 15 /eDispensation 16

Indicator E2 surveys whether ePrescription and eDispensation systems exist on a national level, which modes of access patient have and whether the development of such systems was informed by eHealth Network guidelines on the electronic exchange of health data for ePrescriptions/eDispensations. The indicator also inquires on the possibility to send and/or receive ePrescription/eDispensation reports across national borders. ePrescription services exist in two-thirds of all study countries and are most frequently accessed via an online portal. However, 11 countries still use paper printouts. Czechia, Poland, and Slovakia are the only Member States which are capable of sending or receiving ePrescriptions across borders.

E2-93: Do ePrescriptions/eDispensations and respective IHE profiles exist on a national level?

E2-94: Which modes of access to patients have?

E2-95: Are ePrescriptions/eDispensations structured according to the provisions in the “GUIDELINE on the electronic exchange of health data under Cross-Border Directive 2011/24/EU Release 2 – ePrescriptions /eDispensations” adopted by the eHealth Network on 21 November 2016?

E2-96: Is it possible to receive and/or send an ePrescription cross-borders transferred via the EHR system only within given regions in both countries?

E4: EHR system offers broad access to a variety of services and organisations

Indicator E4 examines to which healthcare organisations the national EHR system is connected and whether they routinely use EHRs. Organisations include, among others, general practitioners, specialists, hospitals, labs, pharmacies, care homes and insurance companies. The majority of GPs in 20 countries are connected to EHR systems and routinely use the offered services, followed by pharmacies in 19 countries. Labs, hospitals and specialist practices are connected to EHR systems in over 20 countries, but the routine use is recorded in only 15 countries.

E4-100: To which of the following organisations or persons is your national EHR system connected electronically? Are the connections to the organisations used routinely 17 ?

E5: Level of EHR exchange data use, interoperable solutions and services

Indicator E5 surveys the types of patient data that are recorded in national and in (if applicable) regional EHR systems and whether these data types are routinely used, i.e. filled-out in the context of routine care. Additional focus is given on the kind of digital services the national and (if applicable) regional EHR systems offers and whether these are used routinely.

E5-101: Does your national EHR system allow you to record and store the following types of patient data electronically? Are these types of data recorded and stored routinely using the national EHR system?

E5-103: Does your national EHR system allow you to transfer/share/access patient data electronically, permitting you to engage in any of the following? Are these functions used routinely?

E5-104: Does your regional EHR system allow you to transfer/share/enable/access patient data electronically, permitting you to engage in any of the following? Are these functions used routinely?

F1: Actual use of national EHR system by type of institution is high

Indicator F1 surveys the usage of EHR systems in different care sectors, such as primary, secondary, and tertiary care as well as pharmacies and home care. Bulgaria, Czechia, Germany (roll-out from 2021), and Ireland to not currently have a fully functioning EHR system and only few advanced countries have the home care sector connected to a national EHR system. Denmark, Estonia, and Finland have the overall highest level of EHR use in all categories.

F1-105: Please indicate the use of the national EHR system by the following types of institutions:

F2: Actual use of national EHR system by type of data is high
Indicator F2 focuses on the use of different documents within an EHR system such as patient summaries, ePrescriptions, lab results, imaging reports and discharge reports. Cyprus, Germany, Ireland, Luxembourg, Poland, and Romania show an overall low level of use over all data types, while Denmark, Estonia, Finland and Norway have the highest overall level of use. Imaging reports are predominantly exchanged non-electronically.
F2-106: What is the approximate percentage of Patient Summaries that are filled with patient health data (as of the total number of all Patient Summaries existing) and are being consulted by a health professional in another medical institution in your country in the last year (2019 or last year for which data are available; otherwise use your best subjective estimate)?	F2-107: What is the approximate percentage of ePrescriptions (as of the total number of all prescriptions) dispensed in your country in the last year (2019 or last year for which data are available; otherwise use your best subjective estimate)?	F2-108: What is the approximate percentage of electronic laboratory results (as of the total number of all lab results) sent from the lab to the national EHR system in the last year (2019 or last year for which data are available; otherwise use your best subjective estimate)?

F2-109: What is the approximate percentage of Imaging reports (as of the total number of all Imaging reports) sent to the national EHR system in the last year (2019 or last year for which data are available; otherwise use your best subjective estimate)?	F2-110: What is the approximate percentage of Hospital discharge reports (as of the total number of all discharge reports) sent to the national EHR system in the last year in the last year (2019 or last year for which data are available; otherwise use your best subjective estimate)?	F2-111: What is the approximate percentage of Hospital discharge reports (as of the total number of all discharge reports) sent to another healthcare provider organisation in the last year in the last year (2019 or last year for which data are available; otherwise use your best subjective estimate)?

F3: Type and characteristics of exchanged health data: Pharmacies
Indicator F3 surveys the proportion of pharmacies exchanging ePrescriptions/eDispensation service-related information and non-ePrescription data (e.g., vaccination data). The pharmacy sector in Europe is almost completely connected to national EHR systems in over 50% of study countries and exchanging service-related information. Countries like France, Germany (pilots on-going), Austria, Ireland, or Luxembourg do not have such an ePrescription system in place.
F3-112: What proportion of pharmacies is connected to a national health information exchange network (e. g. national EHR system), exchanging ePrescriptions/eDispensation service-related information?			F3-113: What proportion of pharmacies is connected to a national health information exchange network (e. g. national EHR system), exchanging other data than ePrescriptions/eDispensation service-related information (e.g., vaccination data)?


F4: Electronic data sharing among health professionals is high
Indicator F4 surveys the uptake of EHR data exchange among different subsets of healthcare professionals such as GP-to-GP, GP-to-Hospital and GP-to-Specialist. In general, the more advanced countries show a similarly high level of use among health professionals. Countries with a higher level of use in one category typically also show a higher level of use in the remaining two categories. Exceptions are Italy and France whose systems focus on the primary care sector.
F4-114: What proportion of General Practitioners exchange EHR patient data with each other?	F4-115: What proportion of General Practitioners exchange EHR patient data with hospitals?			F4-116: What proportion of General Practitioners exchange EHR patient data with specialists?

F5: Level of structured and coded content of patient data is high
Indicator F5 surveys the level of structured and coded data by querying the proportion of structured data entries in EHR systems, whether healthcare providers perform data usability evaluations and whether data quality audits are being conducted. The amount of clearly structured electronic health data in the EU is low in most countries. Only Slovenia, Latvia, Denmark and Bulgaria show higher level of structured content, but do, with the exception Latvia, not maintain any programmes to train healthcare staff or to audit data quality.
F5-117: What is the approximate proportion of data entries (as of the total number of all data entries) by healthcare professionals on a national level that are structured and coded data based on clinical terminology standards (2019 or last year for which data are available; otherwise use your best subjective estimate)?		F5-118: Does your country maintain programmes such as healthcare provider training to perform data usability evaluations with the aim to improve data quality?			F5-119: Does your country audit the clinical content of Electronic Health Records for quality?

G1: EHR standardisation for public health reporting of infectious diseases

Indicator G1 examines whether public health reporting for standardised diseases is standardised, focusing on national systems to collect epidemiological surveillance data directly from Labs and from clinical reports using HL7 standard messaging and whether a nationwide electronic surveillance software is mandatory. While most countries except for Czechia, Latvia, and Slovenia have created a system to collect epidemiological surveillance data, slightly more than half the countries receive this data in standardised fashion. Advanced countries like Denmark, Sweden and the UK have no standardised messaging service and mandatory electronic surveillance software.

G1-120: Do you have a national system to collect epidemiological surveillance data directly from Labs on diseases classified as under compulsory notification (e.g. tuberculosis, HIV, etc)?

G1-121: Do you have a national system to collect clinical reports of diseases classified as under compulsory notification (e.g. tuberculosis, HIV, etc)?

G1-122: Does your national system exchange/receive clinical reports/clinical data directly using HL7 or other standard messaging?

G1-123: Do you have legislation or national rules mandating nationwide electronic surveillance software usage?

G2: Usage of EHR data during the COVID-19 pandemic

Indicator G2 surveys how EHRs can be used to detect, prevent, respond to, and recover from epidemiological crises such as COVID 19 through generating information from ERH data for real-time surveillance. Automatically generating this information requires a high level of technical advancements, which Belgium, Denmark, Estonia, Spain, Finland, Hungary, Netherlands, Sweden, Slovenia and the UK are capable of.

G2-124: Can you generate information from the national EHR to detect, prevent, respond to, and recover from epidemiological crises such as COVID‑19?

G2-125: Can you extract routine data from your country’s national EHR system for real-time surveillance to detect, prevent, respond to, and recover from epidemiological crises such as COVID‑19?

Rated importance of items addressed in the EHR Recommendation for national EHR development. In your opinion, how would you rate the importance for the development of the national EHR system of the following items as addressed in the European Commission “Recommendation on a European Electronic Health Record exchange format”?

Overview of items addressed in the EHR Recommendation classified by importance to Member States for their national EHR development from 1 (strongly disagree) to 6 (strongly agree). In your opinion, how strong would you agree to the following statements derived from the European Commission “Recommendation on a European Electronic Health Record exchange format” of 6.2.2019 on the importance for the development of the national

Rated importance of barriers to EHR interoperability. In your opinion, how would you rate the importance of the following barriers towards a successful realisation of EHR interoperability in your country?

Annex 11: Dimension-by-dimension comparison for the options for the EHDS

Table 1. Dimension-by-dimension comparison for the options for the EHDS.

Dimension/ measure	Comparison of options and impacts	Preferred option
Primary uses of health data
Scope of data domains (SO1, SO2)	All options broaden the scope of data domains with respect to the baseline to cover other digital health domains beyond the EEHRxF (e.g. genomics, mobile-specific data domains). However, only Options 2 and 3 cover cybersecurity, beyond interoperability. These two are fundamental dimensions for enabling reliable and secure data sharing in healthcare. This makes the scope of Options 2 and 3 the most effective to achieve the goals of the EHDS and most coherent with the expectations of stakeholders.	Option 2
Individuals’ and health professionals’ access and control over health data (SO1)	Option 1 provides only a marginal added-value over the baseline as the legal framework for ensuring citizens’ access and control remains unchanged. Options 2 and 3 provide new health-specific means for citizens’ to execute their rights for control over their health data. Therefore, Option 2 and 3 have the most positive effect on fundamental rights and freedoms.	Option 2
Quality and interoperability requirements (SO2, SO3)	Option 1 expands the scope of EU cooperation on interoperability to other digital health domains, but remains subject to voluntary implementation and provides only a voluntary mechanism transparency with consumers and procurers. Option 2 establishes mandatory requirements and transparency obligations for manufacturers and service providers of EHR systems, digital health products and services through a mandatory self-declared quality label, while keeping the label voluntary for wellness applications. Option 3 establishes minimum mandatory requirements for these products as well as wellness applications to enter the market, implemented through a certification scheme. Option 2 does not effectively ensure that interoperability is achieved in ther markets of the respective products and therefore it is not expected to provide the optimal cost/benefit balance. Option 3 provides a more effective mechanism to regulate the market of EHR systems and digital health products. For mobile wellness applications, which are the majority of applications in mobile applications markets and mostly provided by SMEs, Options 3 is not proportional given their stringency on products that do not pursue a medical use. Therefore, Option 2+, which establishes a third-party certification scheme for EHR systems and digital health products and services while keeping the quality label voluntary for wellness applications, is considered the option that strikes the right balance between proportionality and cost-efficiency.	Option 2+
Cross-border health data sharing (SO1, SO2)	Option 1 does not provide any improvement over the baseline. Options 2 and 3 foresee a mandatory deployment of MyHealth@EU services to support the rights and freedoms of individuals regarding control, but Option 3 includes a more ambitious timeline and the possibility of extending to other data domains. The mandatory requirement for deployment in Options 2 and 3 is more effective in achieving the full rollout of MyHealth@EU and avoid accentuating a digital divide between citizens with and without access. This is also reflected in that Options 2 and 3 provide a better benefit/cost (2.1-4.4 and 2.2-4.4, respectively) than Option 1 (1.1-2.3). The possibility for extending services beyond the EEHRxF in Option 3 is expected to be more future-proof, as it would ensure flexibility to adapt the framework to future needs, and therefore more effective. However, the shorter timeline in Option 3 is understood not be coherent with the maturity of digital healthcare services across Member States.	Option 2
Governance and EU cooperation (SO1, SO2)	The expected potential of Option 1 in fulfilling the goals of the EHDS more effectively than the baseline is marginal, because it relies on a voluntary cooperation framework, as in the baseline, but only covering a broader scope of data domains and including a voluntary labelling framework. Option 2 is expected to be more effective and value-adding as it provides a mechanism for binding decision-making and enforcement in digital health. This would support a unified approach to tackle divergences in interoperability and quality requirements across Member States. Option 3 relies on the designation of national digital health authorities for the implementation/ enforcement of rights and requirements and an EU body tasked with the definition of requirements (European Digital Health Body). Given strong national competences in the area of health, the legal and political feasibility of such an approach are expected to be low. Moreover, there is currently no health-related EU agency that could suitably take such mandate. The creation of a new body for such mandate (Option 3+) would add significant costs (around EUR 300 million over 10 years) and would reduce the cost-effectiveness of the intervention.	Option 2
Secondary uses of health data
Reusers’ access to health data (including researchers, innovators, policy-makers and regulators) (SO3)	Option 1 would only provide marginal improvement over the baseline. It would not be sufficient to tackle divergences across Member State frameworks as it would expand EU cooperation to the areas of secondary uses of health data only with a specific mandate to issue guidelines. Option 2 would be more effective in tackling fragmentation issues as it would set a common legal basis for reuse of health data on grounds of public/general interest, statistics and scientific research and complementing the GDPR.	Option 2
Types of data in scope for reuse (SO3)	Option 1 would not be effective in addressing fragmentation, due to the voluntary nature of guidelines would not ensure uptake. Option 2 and 3 defines an explicit list of health data domains for reuse that should be in scope of the common legal basis (see above). Therefore, they would raise potential for pooling data at EU level and would effectively address the divergence in scope across Member States.	Option 2
Data altruism (SO3)	Option 1 would rely on the provisions set out in the DGA. Therefore, it would not address the specificities of the health sector (e.g. sensitivity of health data, specific data formats and standards). Option 2 and 3 would ensure that data altruism practices are supervised by health-specific entities, such as Health Data Access Bodies in cooperation bodies established under the DGA. Therefore, the latter options provide the most effective grounds to address data altruism in health.	Option 2
Digital infrastructure for secondary uses (SO3)	Option 1 extends the current service for cross-border sharing of patients’ data (MyHealth@EU) to secondary uses of health data. However, the necessary changes in MyHealth@EU to accommodate the use cases and data exchange patterns for secondary use cases would require significant transformations in the existing infrastructure. Additionally, the Digital Health Bodies and Health Data Access Bodies play significant distinct functions at national level and combining them under one single infrastructure would limit the efficiency on how these fucntions are performed. Option 2 builds on the mandatory participation in a new decentralised EU-wide infrastructure (i.e. peer-to-peer network) for secondary uses connecting Health Data Access Bodies. Option 3, proposes a different architecture (i.e. centralised network) where European Health Data Access Body (EHDAB) act as an orchestrator, intermediating the communications between participants. While both Option 2 and 3 propose a feasible technical solution for the specific requiremens forsecondary use of health data, Option 2 presents a federated approach (i.e. peer-to-peer network topology) that is more coherent with the distribution of competences in health and the data protection principles whereby data should stay where it was collected and the queries travel to the data.	Option 2
Data quality (SO3)	Opion 1 builds on voluntary label for data quality, while Option 2 relies on mandatory label and Option 3 proposes mandatory requirements to be checked through certification. The voluntary nature of Option 1 will insufficiently address the need for transparency of data consumers and therefore it could undermine the trust on the data ecosystem. Option 3 could be too stringent due to the associated costs to pass a certification. This burden could lead to fewer data products to be made available for secondary use. Therefore, Option 2 is expected to be the most cost-efficient option.	Option 2
Support for AI development and verification (SO3)	Option 1 is a soft law measure relying on the promotion of codes of conduct in line with Article 69 of AIA. Options 2 and 3 would assign specific tasks to Health Data Access Bodies to support the development and verification of AI and work on data standardisation. The latter measures are considered necessary to effectively support AI in health.	Option 2
Governance and EU cooperation	Option 1 proposes that no specific sectoral governance mechanism established at national level other than what is indicated in the DGA. In Option 2, Member States are required to apoint a national body entrusted with decision-making powers on health data access for secondary use. Option 3, proposes an EU regulatory body tasked to act as a European Data Access Body (EHDAB) granting access to health data held in transnational databases and registries. While Option 1 risks to not address the specificities of health data sensitiveness, Option 3 would require an existing or a new EU body to be tasked with such function. However, existing EU health-related bodies (ECDC and EMA) have specific mandates in subdomains in health that do not match the transversal nature of the EHDAB function, and creating a new body would require a large investment (over EUR 300 million over 10 years) making this option cost-inefficient. Option 2 is aligned with the trend of creating national Health Data Access Bodies, and is proportional with respect to the responsibilities and functions performed by national authorities and cost-efficient, as it provides flexibility for Member States to choose the most appropriate organisational arrangement.	Option 2

(1) https://joinup.ec.europa.eu/collection/nifo-national-interoperability-framework-observatory/european-interoperability-framework-detail

(2) EHR is a comprehensive medical and cross-institutional record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes. EHRs are real-time, patient-centred records that provide immediate and secure information to authorised users. EHRs typically contain a patient’s medical history, diagnoses and treatment, medications, allergies, immunizations, as well as radiology images and laboratory results. A National EHR system is most-often implemented under the responsibility of a national health authority and will typically make a patient’s medical history available to health professionals in healthcare institutions and provide linkages to related services such as pharmacies, laboratories, specialists, and emergency and medical imaging facilities (epSOS definition).

(3) Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures ( EU definition ).

(4) A Patient Summary is an identifiable dataset of essential and understandable health information that is made available “at the point of care to deliver safe patient care during unscheduled care (and planned care) with its maximal impact in the unscheduled care; it can also be defined at a high level as: the minimum set of information needed to assure Health Care Coordination and the continuity of care (eHealth Network GUIDELINE on the electronic exchange of health data under Cross-Border Directive 2011/24/EU).

(5) ePrescription consists of electronic prescribing and electronic dispensing: ePrescribing is defined as the electronic prescribing of medicine with the use of software and the electronic transmission of said prescription data to a pharmacy where the medicine can then be dispensed (epSOS definition).

(6) eDispensing is defined as the electronic retrieval of a prescription and the dispensing of the medicine to the patient as indicated in the corresponding ePrescription. Once the medicine has been dispensed, the dispenser is to report the dispensation information using the ePrescription software (epSOS definition).

(7) Semantic interoperability means the precise meaning of exchanged information which is preserved and understood by all parties ( Refined eHEIF ).

(8) Clinical terminologies are structured vocabularies covering complex concepts such as diseases, operations, treatments and medicines. Clinical terminologies can be used in clinical practice to aid health professionals with more easily accessible and complete information regarding medical history, illnesses, treatments, laboratory results, and similar facts ( https://www.digitalhealth.gov.au/ ).

(9) A set of terminological resources that can be implemented in software applications to represent clinically relevant information in a semantically structured form that can be used by automated applications. These codes represent explicit formal definitions of meaning and are based on a consensus of actual use by clinicians (DigitalHealthEurope definition).

(10) An electronic service normally provided for remuneration which consists of: (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or (b) the creation, verification and validation of certificates for website authentication; or (c) the preservation of electronic signatures, seals or certificates related to those services. ( EU definition )

(11) This commonly refers to a unique number or chip card to electronically identify the patient (epSOS definition). Patient identification is necessary to correctly match a patient to an intended treatment and prevent harm due to potential mistreatment.

(12) A Patient Summary is an identifiable dataset of essential and understandable health information that is made available “at the point of care to deliver safe patient care during unscheduled care (and planned care) with its maximal impact in the unscheduled care; it can also be defined at a high level as: the minimum set of information needed to assure Health Care Coordination and the continuity of care” (eHealth Network GUIDELINE on the electronic exchange of health data under Cross-Border Directive 2011/24/EU).

(13) The eHealth DSI is a health data infrastructure offering services for cross-border health data exchange under the Connecting Europe Facility (CEF). Its core and generic services, as defined in the CEF, are the exchange of Patient Summaries and ePrescriptions. The generic services are the necessary implementation of data exchange at country level, the core services at EU level. These together will enable the provision of Cross Border eHealth Information Services (CBeHIS) (EU definition).

(14) IHE Profiles organise and leverage the integration capabilities that can be achieved by coordinated implementation of communication standards, such as DICOM, HL7 W3C and security standards. They provide precise definitions of how standards can be implemented to meet specific clinical needs (Integrating the Healthcare Enterprises definition).

(15) ePrescription consists of electronic prescribing and electronic dispensing: ePrescribing is defined as the electronic prescribing of medicine with the use of software and the electronic transmission of said prescription data to a pharmacy where the medicine can then be dispensed. (epSOS definition).

(16) eDispensing is defined as the electronic retrieval of a prescription and the dispensing of the medicine to the patient as indicated in the corresponding ePrescription. Once the medicine has been dispensed, the dispenser is to report the dispensation information using the ePrescription software (epSOS definition).

(17) “Routine use” as defined for this study refers to the use of assets or data that are relevant for the day-to-day business of all healthcare workers, therefore used routinely and not occasionally in uncommon situations.

EUROPEAN COMMISSION

Strasbourg, 3.5.2022

SWD(2022) 131 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Health Data Space

{COM(2022) 197 final} - {SEC(2022) 196 final} - {SWD(2022) 130 final} - {SWD(2022) 132 final}

Table of contents

Annex 12: Evaluation of Article 14 of Directive 2011/24/EU (cross-border healthcare directive)

1Introduction

1.1Purpose and scope

2Background to the intervention

2.1The problem

2.2Description of the intervention

2.3Points of comparison

3Implementation / state of Play

3.1Description of the current situation

3.2Overview of the impacts of the Directive’s provisions related to eHealth

3.3The eHealth Network’s contribution to the fight against the COVID-19 pandemic

4Analysis and answers to the evaluation questions

4.1Analysis and evaluation

5Conclusions

End-notes

Annex 12: Evaluation of Article 14 of Directive 2011/24/EU (cross-border healthcare directive)

1Introduction

2Purpose and scope

This evaluation has been launched in January 2021 as part of the Commission’s work on the European Health Data Space (EHDS). It is a back-to-back exercise which informs the Impact Assessment on the EHDS that has been developed in parallel.

The evaluation has been performed in accordance with the European Commission’s Better Guidelines 1 and builds on the Study on Health Data, Digital Health and Artificial Intelligence in Healthcare (hereinafter also “the Study”), carried out by a consortium led by Open Evidence 2 , and other sources as indicated throughout the document.

The Cross Border Healthcare (CBHC) Directive 3 (hereinafter also “the Directive”) seeks to facilitate access to safe and high-quality care across borders as well as to promote the cooperation on healthcare between EU Member States, including cooperation on the use of information and communication technology in health (eHealth). This evaluation focuses on the provisions of the Directive related to eHealth 4 , such as the cross-border cooperation and exchange of information on eHealth among the competent national authorities, the establishment of the eHealth Network (eHN) and patients’ rights in relation to health records.

Article 14 of the Cross Border Healthcare Directive sets up a voluntary network connecting national authorities responsible for eHealth designated by the Member States (eHealth Network). The eHealth Network facilitates cooperation among the Member States authorities on various issues, in particular on interoperability of the national information and communications technology systems and cross-border transferability of electronic health data in cross-border healthcare,
on sharing of health data between Member States and empowering citizens to access and share their own health data. It also facilitates the exchange of good practices concerning the development of different digital health services, such as telemedicine, m-health, or new technologies in the area of big data and artificial intelligence. However, other Articles also influence on the deliverables on digital health: Article 3(d) for the rules on telemedicine; Article 4(2)(f), 5(d) on the access to a written or electronic medical record for patients that have received treatment; Article 11 on the recognition of prescriptions issued in another Member State

The Commission also adopted implementing measures necessary for the establishment, management and transparent functioning of this network, which are taken into account in the present evaluation. 5

The Cross-Border Healthcare Directive was adopted more than ten years ago. This evaluation assesses the effectiveness, efficiency, coherence, relevance and EU added value of the EU digital health system. The time period falling within the scope of this evaluation covers the period from the adoption of the Directive (2011) until the present day in the 27 Member States.

3Background to the intervention

3.1The problem

The rapid uptake of new technologies and digital tools have the potential to offer relevant evolving solutions for health and healthcare services and products, providing the possibility to overcome the current main challenges of the different national healthcare systems. The ability of healthcare providers and patients to communicate effectively with each other is one of these challenges and requires the facilitation of the provision of digital health services in a cross-border setting. EU citizens have the right to access healthcare (including through digital means) in any EU Member State, as well as to be reimbursed for care abroad by their home country, within the limits provided for by the applicable EU legislation.

3.2Description of the intervention

Overview of the intervention logic

For illustrative purposes, the approach through which Article 14 of the Cross Border Healthcare Directive operates has been summarised in the intervention logic provided in Figure 1. It presents an overview of the sequence of the intervention, from its needs and objectives to the inputs, activities, outputs, impacts and other relevant EU policies affecting the intervention.

Figure 1. Intervention logic framework

Objectives of the Cross Border Healthcare Directive

The Cross Border Healthcare Directive sets out the conditions under which a patient may access healthcare in another EU Member State and be reimbursed and clarifies issues concerning the responsibility of the Member States for ensuring quality and safety of cross-border healthcare and provision of information concerning cross-border healthcare. In addition, it aims to foster European cooperation on healthcare in specific areas, including in the area of eHealth under the Article 14.

Objectives of the provisions on eHealth

“The Union shall support and facilitate cooperation and the exchange of information among Member States working within a voluntary network connecting national authorities responsible for eHealth designated by the Member States” (Article 14 of the Cross Border Healthcare Directive). This resulting eHealth Network 6 has the following general objectives :

·facilitate cooperation in the European Union (EU) in the use of information and communication technology (ICT) to provide more efficient healthcare;

·facilitate the exchange of patients’ health data across borders to enable continuity of care and patient safety;

·support the consistent and interoperable use of ICTs in healthcare and achieve the interoperability of ICT between Member States;

·support the innovative use of health data for secondary purposes including across borders 7 .

To achieve these objectives the eHealth Network aimed to (1) specify and implement semantic, legal and technical requirements for the interoperability of eHealth and (2) develop and implement standards for patient summaries, electronic prescriptions and other domains (as part of the interoperability of electronic health records), and (3) to develop other EU-wide interoperable infrastructures and applications in the area of health. To do so, the network had to develop and implement a common identification and authentication system allowing patients and healthcare providers to exchange health data. This was enabled by the eHealth Digital Service Infrastructure (eHDSI) launched in 2017, which has been named MyHealth@EU. Furthermore, the eHealth Network aimed to (4) define and deploy effective methods and requirements to enhance the use of data for secondary purposes.

The mandate of the eHealth Network was defined rather broadly in the Directive. This enabled the eHealth Network to intensify its collaboration on new subjects in the context of the public health COVID-19 crisis and, in this particular context, to achieve increased standardization at Member States level and cross-border interoperability (e.g. for COVID-19 contact tracing and warning applications and EU Digital COVID Certificates). The expected achievements of the collaboration through the eHealth Network was the increased interoperability of the respective national eHealth systems and seamless cross-border exchanges of health data between the Member States participating in the eHealth Network (in particular through the exchanges of electronic Patient Summaries and ePrescriptions via MyHealth@EU) in order to ensure appropriate continuity of care of patients even if this care was provided across borders. In addition, the eHealth Network was expected to contribute to achievement of greater harmonisation of health data among the Member States and consequently for better use of this health data for the purposes of research, innovation and informed decisions of health authorities.

3.3Points of comparison

As the Directive entered into force in 2011, the points of comparison for the evaluation are the situation prior to its implementation. The impact assessment accompanying the proposal 8 did not provide sufficient quantitative data on the situation at the time, nor enough information on the expected outcomes. For these reasons, the baseline has been developed in the Study.

A study from 2008 9 , highlighted that while patient data were stored electronically in many European General Practitioner (GP) practices and that computers were available in most GP consultation rooms, use rates of electronic connections to other healthcare providers were low as were the use rates in the area of electronic transfer of patient data.

Administrative patient data were stored electronically in 80% of the EU27 GP practices. In some countries, usage rates were below the 50% level (Greece, Romania, Lithuania), going down as far as 26% (Latvia). The highest use rates were found in Finland and Hungary (100%), Estonia (98%), Denmark and the Netherlands (97%) and Sweden (96%). While computers were found in the consultation room of 78% of the European GP practices, they were not always used during consultation with a patient: 66% of the practitioners did so, while in 12% of the practices the computer was not used while a patient was present.

About 21% of European GP practices connected to other primary care providers, i.e. other GPs. Between GP and hospitals and specialist practices there was a noticeable gap. While about one fifth of GP practices connected to hospitals, only somewhat more than one tenth (12%) did the same with specialist practices. Connections to pharmacies were considerably less frequent (used by about 7% of the practices). Medical data were transmitted digitally to care providers or other professionals by 10% of the EU27 GP practices, ePrescription was practiced by 6% of the EU27 GP practices.

The implementation of the provisions related to eHealth was initially aimed to improve the interoperability of eHealth across Member States 10 . However, it is very important to note that at the time of the adoption of the Directive, Member States had low use rates of electronic connections and electronic transfer of patient data within their systems. Since this initial exercise, other benchmarks have been conducted 11 showing an increase in the digitalisation of health systems over time, including an increased interoperability within each Member State and to less extent between Member States.

Interoperability of digital health services systems

Prior to the Directive, lack of technical and semantic interoperability of digital health services systems was identified as a major obstacle for realising the social and economic benefits of eHealth in the EU and a source of market fragmentation in eHealth.

ICTs in health and standards used in Member States were often incompatible. Although some digital health registries were already available at national or local level, the different systems were not always interoperable at national level and even less in a cross-border healthcare setting.

Therefore sharing of health data for continuity of care nationally, but also after seeking health services abroad, were often carried out in a manual fashion by requesting hard copies and translations of patient summaries to the respective healthcare providers.

In terms of concrete targets, the eHealth Network has set in the eHDSI Monitoring Framework that:

·By end 2020, 8 Member States should be interoperable with MyHealth@EU

·By end of 2020, 12 operational ePrescription services 12 (A and B) and 20 operational Patient Summary services (A and B) should be available.

Identification and authentication system

A few EU financed projects 13 started testing the possibility to share certain digital health data (patient summary and ePrescription) and started to develop a framework for cross-border electronic identification and authentication (eID). The results of these initiatives constituted a starting point for the development of the eHealth Network activities although they have been revised multiple times since then.

Guidelines and requirements for personal health data

At that time, no network or other cooperation structure was in place to deal with the complex set of framework conditions, organisational structures and implementation procedures required to achieve and maintain national and cross-border interoperability of digital health services. In 2008 the Commission adopted the Commission Recommendation on cross-border interoperability of electronic health record systems (2008/594/EC) 14 , in which it identified technical, semantic, and organisational interoperability as essential to build and ensure interoperable digital health services that could ensure continuity of care. This Recommendation was intended to contribute to data quality, trust and security of personal data.

Guidelines and requirements for public health and research data

Furthermore, quality pan-European health data for secondary purposes (research, innovation and public health) were very limited due to national fragmentation. Some exceptions can be found in few key areas such as rare diseases, where the European Union has supported since 2007 ad-hoc projects under the Seventh Framework Programme 15 .

4Implementation / state of Play

4.1Description of the current situation

Implementation of the relevant provisions of the Directive

There were no significant delays in terms of the formal implementation of the Article 14. The Directive entered into force in March 2011 and the first meeting of the new eHealth Network established on the basis of Article 14 took place already in May 2012, with the participation of all the Member States.

Financial investments

In terms of financial investments, EU financial instruments managed by the European Commission (and its agencies) and co-funded by Member States in some cases have supported the activities carried out by the eHealth Network. These include the financing of Joint Actions and grants from the Connecting Europe Facility (CEF) 16 .

Joint Actions were the main instrument financing the eHealth Network activities, which are co-financed by Member States and the Commission. The financing of the Joint Actions has increased overtime: € 2 503 791 for the first Joint Action (2012-2014), € 4 000 000 in the following Joint Action (2015-2018) and € 4 499 963 in the last Joint Action (2018-2021). In addition, while the Commission contributed to slightly over 50% of the financing of the first Joint Action, the Commission increased its contribution to 60% of the total budget in following two Joint Actions, the rest being paid by Member States. The eHealth Network carried out its activities based on the priorities set out in its Multiannual Work Plan (MWP). Each of the MWPs covered the periods corresponding to the periods of the three Joint Actions.

The European Commission also provided direct financial support to 25 Member States 17 in the area of eHealth through the Connecting Europe Facility (CEF), amounting € 31.5 m in between 2015 and 2020. CEF funds in eHealth are used to support, among others, cross-border services at MyHealth@EU platform (formerly known as eHealth Digital Service Infrastructure).

Priorities and outcomes of the eHealth Network activities

(a)Patient Summary and ePrescriptions

Two electronic cross-border health services are currently progressively introduced in the Member States and exchanged through the MyHealth@EU platform: Patient Summary and ePrescription. Patient Summary enables healthcare providers to access patient’s essential health information (part of the electronic health record) in their own language when the patient comes from another Member State. ePrescription allows EU citizens to retrieve their medication in a pharmacy based on the prescription issued in another Member State.

The eHealth Network aimed at defining guidelines and formats for Patient Summary and ePrescriptions. This was achieved during the first Joint Action (2012-2014), as the eHealth Network produced and adopted the first guidelines:

·on a non-exhaustive list of data to be included in patient's summary;

·for cross-border electronic exchange of patients' summary data set;

·on the interoperability of ePrescriptions.

During this period, the activities of the eHealth Network were also supported by the work of the epSOS project 18 . The epSOS project was a European large-scale pilot testing the cross-border sharing of certain health data: a summary of a patient's most important health data in case of unplanned care (Patient Summary) and the electronic prescription (ePrescription).

These guidelines have been further refined (and updated when applicable) during the two following Joint Actions. An example is the “Guideline on Electronic exchange of health data under the Cross-border Directive” adopted in 2016 19 .

(b)EU infrastructure (eHDSI/MyHealth@EU)

In order to enable services for cross-border health data exchange, the Commission developed a platform “eHealth Digital Service Infrastructure”, which was launched in 2017 and later renamed as “MyHealth@EU”. The platform was based on the conceptual framework previously developed by the epSOS project.

Therefore, the work of the eHealth Network first aimed at defining the prerequisites and key elements necessary to the establishment and deployment of the platform. In total, 15 policy documents of different nature were elaborated by the JAseHN Joint Action. Among them, key outputs developed and adopted by members of the eHealth Network are the guidelines used for the participation in MyHealth@EU:

·The Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth (NCPeHs) on the Criteria required for the participation in Cross-Border eHealth Information Service adopted in 2017 20 . Based to this agreement, Member States can join the NCPeHS and exchange health data cross borders, if it is set out in national law.

·The governance and operating principles of the NCPeHs have been outlined in the Guideline on an Organisational Framework for eHealth National Contact Point adopted in 2015. Based on this guideline, the NCPeH constitutes a Member States’ communication gateway providing the interface between the national infrastructure and the EU network of other Member States’ NCPeH, as well as with the central EU services. When a patient is travelling abroad, NCPeHs can either act as the country of affiliation (i.e. the country holding information about a patient, where the patient can be univocally identified and where the personal data may be accessed; Country A) or as the country of treatment (i.e. the country where cross-border healthcare is provided or a pharmacy is visited; Country B).

This resulted in the deployment of the MyHealth@EU infrastructure, and in the 2017 Council Conclusions on Health in the Digital Society 21 , enabling the exchange of eHealth information services for the Member States participating in the eHealth Network, and approving the role of the NCPeHs.

In addition and during the third Joint Action (2018-2021) the main activities of the eHealth Network aimed at supporting the deployment of MyHealth@EU 22 , as well as other aspects such as interoperability of electronic health records (in line with the Commission Recommendation on Electronic Health Record Exchange Format 23 ), cybersecurity, e-identification, capacity building, empowerment of patients via tele-health.

ØOutcomes of the above-mentioned activities (a) Electronic Health Records, ePrescriptions and (b) MyHealth@EU)

Although the guidelines and common requirements for personal health data (i.e. ePrescription and Patient Summary) and guidelines and formats for Member States' ICTs interoperability with MyHealth@EU were adopted by the eHealth Network members, these have been implemented only partly so far:

·By the Q3 2021, 9 Member States reached interoperability with MyHealth@EU and joined the system of cross-border health data exchanges 24 , which means that they can exchange ePrescriptions and/or Patient Summaries among themselves. Appendix IV summarises the services that are currently supported by the MyHealth@EU platform and the countries that are interoperable.

·In the early Q4 2021 there were 11 unique pairs of Member States, which were able to exchange the ePrescriptions (country with A 25 and country B 26 ) and 21 unique pairs of Member States able to exchange Patient Summary (as country A and country B) services 27 . This means that the eHMSEG decision to start new services exchange was issued after 64 unique tests on Production Environment Testing (each country is obliged to test each service with every available country).

·In terms of hospitals that enabled MyHealth@EU services as Countries of Treatment, 3 Member States already provide a full national coverage (Luxembourg, Czechia, and Croatia). In addition, in Malta, only one of the two hospitals present in the country (Mater Dei Hospital on the island of Malta) enabled the service. Nevertheless, since the other hospital is located on the island of Gozo, where only 8% of inbound tourists spend at least one night, the actual coverage in terms of cross-border healthcare is rather high. In the case of Portugal, only a minority of hospitals (5 out of 247) enabled MyHealth@EU services.

·In terms of pharmacies that enabled MyHealth@EU services as countries of treatment, 3 Member States already provide a full national coverage with 100% of pharmacies enabling the services (Estonia, Croatia and Finland). On the other hand, in the case of Portugal only one pharmacy (of the 2972 present in the country) was reported to have enabled MyHealth@EU services.

This results in a growing level of platform usage between 2019 and 2021, period during which the first data have been recorded (Figure 2).

·21 352 ePrescriptions were dispensed to the patients by the end of Q2 2021. The vast majority of ePrescription exchanges and dispensations happened between Finland and Estonia.

·There are still relatively few exchanges of Patient Summaries, (346 by the end of Q2 2021) and no clear pattern can be identified among participating Member States.

Figure 2. MyHealth@EU usage: number of ePrescriptions dispensed and Patient summaries exchanged

Source: EC 28

(c)Security / electronic identification and authentication (eID)

The eHealth Network also aimed at developing the necessary guidelines and format for the electronic identification and authentication (eID) of citizens and businesses in the EU. The eHealth Network produced and adopted in 2017, among others, guidelines called “Policy paper on eID specific framework for eHealth” 29 and further updated them subsequently.

The activities of the eHealth network in this area built on the STORK 2.0 project 30 and previous STORK framework for cross-border eID of citizens and businesses 31 . The STORK 2.0 project provided solutions allowing citizens to identify themselves across-borders by using identity-related data from authentic and reliable sources (attribute providers) or to represent other natural or legal persons, in the context of different business domains.

ØOutcomes of the activities related to a common eID approach

Although the work on eID in eHealth is far from recent as early projects started in 2008 (epSOS and STORK), it has not yet been fully implemented in the currently operational MyHealth@EU services. At the EU level, there is no mainstream standard used. Identification of patients as part of the MyHealth@EU services is based on paper or plastic ID documents and national authorities can define and use their own identification mechanisms. In addition, 5 Member States do not employ the identification means according to the Regulation on electronic identification and trust services (eIDAS Regulation) 32 , 3 Member States lack unique patient identifiers and 2 Member States lack health care staff identifiers 33 .

(d)Mobile health

During the period of the second Joint Action, the eHealth Network activities aimed at developing a common framework and principles for the safe use of m-health apps. mHealth apps refer to health and wellbeing mobile applications and services which support self-management and measure vital signs such as heart rate, blood glucose level, blood pressure, body temperature and brain activity and are used by citizens. As Member States were setting up schemes and criteria to assess these apps, providing guidance to professionals and consumers, or seeking to integrate these apps into mainstream healthcare provisions, the eHealth Network started working on a coordinated approach at EU level addressing these challenges.

ØOutcomes of the activities related to m-health

A dedicated subgroup of the eHealth Network focused on m-health 34 and produced, for example, a report on national mHealth strategies 35 . The objective of the report was to collect experiences on approaches in dealing with mobile health apps, to identify common challenges and recommend possibilities for future collaboration among Member States. This report is based on the responses received to the survey conducted among the sub-group members provides an overview of the existing strategies, activities and perspectives on mHealth in the Member States.

(e)Use of health data for secondary purposes

Besides the activities of the eHealth Network related to the primary use of health data for the purposes of delivering healthcare to patients described above, one of the aims of the eHealth Network was also to define and deploy effective methods and requirements to enhance the use of health data for secondary purposes. This refers to reuse of health data for purposes other than delivery of healthcare, such as medical research and innovation, informed decisions of health authorities in the area of public health or regulatory activities in the health sector.

ØOutcomes of the activities on secondary use of health data

The activities carried out by the eHealth Network related to the secondary use of health data were very limited and no specific outcomes can be identified. Other EU initiatives (often funded through Horizon 2020 and Horizon Europe) did support projects dealing with the reuse of health data for research and innovation.

Appendix II provides a detailed description of all the activities and outputs of the eHealth Network for the periods covered by the different MWPs.

4.2Overview of the impacts of the Directive’s provisions related to eHealth

The box below summarises the expected impacts associated with the outcomes of the eHealth Network activities and other Directive’s provisions related to eHealth, in particular with regard to healthcare provision and patient mobility but also with regard to research and innovation.

Box 1. Expected impacts

•Patients have access to safe and high-quality cross-border eHealth products and services, improving health outcomes.

•Continuity of care for patients is ensured after treatments and/or services are provided by healthcare providers abroad, improving health outcomes.

•Increased harmonised health data for research, innovation and public health.

When in 2021 eHealth Network members were enquired about the achieved impacts, different opinions emerged (Figure 3). More than half of the respondents believed that they only partially achieved a digital service infrastructure supporting the exchange of health data (MyHealth@EU) as well as guidelines on an interoperable eco-system for digital health and investment programmes for a new/updated generation of digital infrastructure in Europe. While almost half of the respondents believed that they fully developed interoperability of contact tracing and warning apps as well as of EU DCC.

Figure 3. Self-assessment of eHealth Network members of achieved objectives of Article 14 (a)

Survey Question: In your opinion, to what extent did the eHealth Network achieve the above-mentioned objective of Article 14 (a) set out in the legislation "work towards delivering sustainable economic and social benefits of European eHealth systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of care and ensuring access to safe and high-quality healthcare”, by delivering: (n=19)

Access to cross-border healthcare

There are essentially two cross-border healthcare situations: (1) cross-border healthcare that becomes necessary during a temporary stay outside of the patient’s home Member State (hereinafter “unplanned healthcare”) 36[1]; (2) planned cross-border healthcare received in a Member State other than the patient’s home Member State where the patient purposely seeks healthcare abroad. 37[2]

In the case of unplanned healthcare, the European Health Insurance Card (EHIC) proves the entitlement of the insured person to necessary healthcare treatment during a temporary stay in a Member State other than the competent Member State. Furthermore, there is an overall constant increase in patient mobility across Europe in the case of unplanned healthcare. In 2019, a total of 2,679,756 forms/claims were issued across Europe, for a total amount paid by the competent countries to the countries of treatment of € 1,280,450,122 38 .

In addition, requests for information on cross-border care received by National and Regional Contact Points in 2019 accounted to 115,459 across the EU28, Norway and Iceland. More than half of the Member States received less than 1,000 requests. Estonia, Lithuania, Poland and Sweden stand out in receiving over 10,000 requests for information each. The 2019 data also show an increase in requests for information since 2018. However, this is due to the fact that Sweden reported data for 2019, which in previous years was not possible. If the data from Sweden is excluded from the analysis, the total number of requests for information remains relatively stable between 2018 and 2019 (95,565 in 2018 and 95,689 in 2019). However, some countries did see significant variation between the years 39 .

Furthermore, the 2019 data demonstrated the number of requests for reimbursement of cross-border healthcare costs under Directive 2011/24/EU. 23 Member States reported having received a total of 283,719 requests for reimbursement. Of these, 85% were granted, with 11% being refused and less than 1% withdrawn.

Access to cross-border eHealth products and services

Available evidence 40 show that when available, electronic health records are often only accessible locally, or at the regional level. In terms of patients’ access to safe and high-quality cross-border eHealth products and services, the use of MyHealth@EU is still very limited in absolute terms. Although EHRs exist in two-thirds of Member States, by the end of 2020 only 7 Member States offered services (Patient Summary and/or ePrescriptions) on the MyHealth@EU platform. 41 All together, these 7 countries account for 32 997 906 people which represents only 7.38% of the overall EU population 42 that can access at least some of MyHealth@EU services.

In addition, two thirds of countries detail measures for technical interoperability and exchange measures in their legislative framework. 18 study countries indicate that data sharing of EHRs across national borders is permitted by law.

However, the level of alignment between national and EU-level initiatives on eHealth is limited. 9 Member States indicate to not refer to EU-level guidelines and documents on the Patient Summary and ePrescription/eDispensation in national policy documents and 19 do not refer to these resources in legislation documents. Seven countries do not have a standalone technical interoperability strategy. 17 countries have implemented an interoperability strategy focusing on semantics through a national terminology centre.

Medical prescriptions in electronic format are currently used in almost two-thirds of the Member States.

Improved continuity of care across borders

The low use of the MyHealth@EU so far and the limited cross-border patient mobility overall also affect any potential impact on the improved of continuity of care for patients after treatments and/or services provided by healthcare providers abroad. Given the relatively low level of platform usage and cross-border mobility, no major impacts on national healthcare systems could be observed. In general, according to Azzopardi-Muscat (2018), the Cross-border healthcare directive did not have so far a major transformative effect on national health systems.

Patients’ empowerment and enhanced digitalisation of Member States’ healthcare systems

It is also important to consider to whether the relevant provisions of the Directive contributed to patients’ empowerment and to what extent changes in the digitalisation of Member States’ healthcare systems and the level of interoperability can be attributed to the activities of the eHealth Network. A detailed analysis of the digitalisation at national level has been carried out in the study conducted for the European Commission by Empirica and Open Evidence 43 and the main findings are summarised below.

Although enabling citizens to take an active role in the management of their health was included among the topics to be addressed in the last Joint Action supporting the eHealth Network, the impact of the relevant Directive’s provisions on the access of patients to their electronic health records was limited as no outputs impacting this area were produced:

·Only a handful of countries provides electronic formats when ensuring the right to receive a written or electronic medical record of the treatment(Article 4.2 (f) of the Directive) and the right to have remote access to or have at least a copy of patient’s medical record (Article 5 (d) of the Directive). Only 4 Member States have rules to provide digital access to a copy of the medical record/s for patients affiliated to their healthcare system seeking cross-border healthcare in another Member State (Croatia, Czechia, Greece and the Netherlands). Finland is planning to implement such rules over the upcoming three years. More details are available in Appendix VII.

·In terms of rules to provide digital access to a copy of the medical record/s of received treatment/s for patients affiliated to a different healthcare system that used cross-border healthcare in their Member States, only three countries provide such rules (Germany, Greece and the Netherlands) and three are planning to do so over the coming three years (Czechia, Finland and Poland). More details are provided in Appendix VIII.

In terms of citizens’ control over their personal health data and patients’ empowerment:

·citizens cannot choose which healthcare professional or other party can access their EHR in 12 study countries;

·GPs often act as 'data gatekeepers', allowing additional parties to access a patient's EHR, while in other countries the technical readiness of health data systems is not yet advanced enough to realise this option;

·Most study countries specify conditions for alteration and archiving of electronic health data but only around one third allow patients to correct data entered in their EHR by themselves;

·In terms of awareness actions and citizen information campaigns, 23 study countries claim to actively promote EHR system uptake and utilisation;

·17 study countries have organised access to health information for citizens, with 6 Member States reporting ongoing pilots. Patient access to health data is not a reality in 3 Member States

·Access to EHR data via an online portal is by far the most common mode of access, with 4 study countries reporting they offer mobile access and 2 study countries still use paper print-outs

·In 18 study countries citizens can manage EHR data access at the document level

This analysis has shown that 80% of the study countries have adopted national legislation on EHRs, on data safety and technical security measures less than five years ago.

While 26 study countries generally provide their citizens with access to EHR data by law, there are still some limitations as only 20 study countries have a law requiring that citizen can have access to their personal health data independent of place and technology.

Uniformly, one-third of study countries indicate that their eHealth policy is not integrated into general healthcare policy and that it does not contain planning measures for patient safety and quality of care, suggesting that eHealth policy is somewhat isolated in the respective countries.

The abovementioned study made also the following findings on organisation at Member States’ level:

·27 study countries have set up a competent authority for eHealth;

·24 study countries report that competent authorities aim to facilitate semantic and technical interoperability;

·18 study countries report that competent authorities translate international standards into the local language;

·16 study countries have a forum similar to the National Digital Health Network envisaged by the European Commission;

·Most study countries have not yet implemented a terminology server;

·4 Member States do not have a fully functioning EHR system.

4.3The eHealth Network’s contribution to the fight against the COVID-19 pandemic

Exchange of personal health data in times of pandemic: legal & technical gaps

As a consequence of the COVID-19 pandemic, the need to exchange specific personal health data to manage and reduce public health risks and guarantee the free movement of persons across the EU became a key priority for the Commission. However, no previous guidelines, infrastructure or governance mechanisms existed at EU level to address specific needs in times of a public health emergency.

New eHealth objectives in the context of a pandemic

The Commission therefore leveraged the potential of the eHealth Network to bring together Member States’ experts in order to address these issues. The specific objectives of the eHealth Network in this context were to support development and interoperability of contact tracing in the EU by enabling the interoperability of contact tracing mobile applications (apps) and support the development and interoperability of EU Digital COVID Certificates (DCC).

The expected outcomes of the related ad-hoc activities were that information about public health risks and contract tracing is available to citizens across the EU, while specific personal health data of citizens is available wherever they travel across the EU.

A high level of investments made by the European Commission and Member States

The types of investments considered in this analysis are twofold; they cover the funding provided by the European Commission in the new pan-European eHealth services delivered, as well as the human capital needed (especially at national level) to carry out these tasks.

The European Commission invested €12.9 m in the work related to the interoperability of contact tracing apps, especially by the creation and deployment of an infrastructure (the European Federated Gateway Service). The European Commission invested €53 732 m 44 in the development and introduction of the DCC.

In addition, an important amount of human capital from Member States has been invested in these activities. eHealth Network members met in a plenary setting on a weekly basis (through online meetings), while before the COVID-19 pandemic the Network organised plenary meetings twice a year only. Technical and semantic working groups also set-up additional meetings, with the most relevant groups meeting up to 5 times a week. Although no data are available on the overall Man-Days (MD) invested by Member States in these activities, the stakeholders consulted generally agreed that the commitment varied among the national members of the eHealth Network. A total of 254 online meetings have been organised from the beginning of the COVID-19 pandemic until June 2021. Considering that a meeting lasts in average 1 hour, and includes the participation of one representative per Member State, around 857.25 MD are estimated to have been invested in participation in eHealth Network meetings alone. This does not take into account human capital required for additional activities at national level to produce the different digital infrastructures and applications.

Providing an EU-wide rules and platform for the interoperability of contact tracing apps

As Member States were starting developing mobile apps to support contact tracing, the European Commission with the support of the eHealth Network took measures to support the development and deployment of national COVID-19 contact tracing apps beyond national borders and enable their interoperability. A contact tracing app is a tool which would allow app users to take appropriate action (such as testing or self-isolating) after being informed of having been potentially exposed to the virus through proximity to another user of this application, who has reported a positive diagnosis.

The eHealth Network supported:

·the development and adoption by Member States of a Common EU toolbox for Member States on mobile applications to support contact tracing 45 ;

·the development and adoption by Member States of interoperability guidelines for approved contact tracing mobile apps in the EU 46 ;

·the creation of the European Federation Gateway Service (EFGS), a European digital infrastructure that enables the exchange of personal health data across borders between the national contact tracing apps;

·the agreement on other technical specifications for the mobile apps and the European digital infrastructure.

This work resulted in the adoption by the European Commission of an Implementing Decision in July 2020 47 , which puts forward specific rules for the cross-border exchange of data between national contact tracing and warning mobile apps with regard to combatting the COVID-19 pandemic. It also lays down provisions on the role of the participating Member States and of the Commission for the functioning of the EFGS for the cross-border interoperability of the apps.

So far there has been a high level of uptake of the guidelines, as by the end of July 2021, 20 apps out of 22 existing apps in the EU have been developed following the guidelines and can potentially support interoperability. 19 apps were already interoperable with the EFGS. More details are provided in Appendix V.

However, their impact is limited by the unequal pick-up rates of these apps across EU countries. The apps connected to the EFGS were downloaded over 70 m times. From mid-October 2020 to mid-September 2021, Member States exchanged 6.7 m keys of users that tested positive through the EFGS. Assuming each user uploads 10 keys, this means that the EFGS transmitted, across borders, information from around 670 000 users that tested positive to alert other European users of their high-risk contact.

Enabling the development and interoperability of EU Digital COVID Certificates

Efforts of the eHealth Network in 2021 focused on supporting the creation of interoperable EU Digital COVID Certificates (EU DCC) based on the Regulation (EU) 2021/953 48 . An EU Digital COVID Certificate is a digital proof that a person has been vaccinated against COVID-19, has recovered from COVID-19 or has a negative test result. It seeks to lift lockdown measures such as the ability to travel across borders or access to certain services at national level.

The eHealth Network supported:

·the development and adoption by Member States of guidelines on verifiable vaccination certificates (basic interoperability elements) 49 ;

·the agreement on a minimum dataset of COVID-19 citizen recovery interoperable certificates 50 ;

·the creation of a trust framework composed of national infrastructures and back-end and an EU gateway, that enables the interoperability of EU Digital COVID certificates 51 .

This work resulted in the adoption by the European Commission of an Implementing Decision in June 2021, which sets out technical specifications and rules of the implementation of a framework for EU DCC 52 . This framework entered into applicable on 1 July 2021 across the EU 53 .

All Member States have issued and are able to verify the certificates (for vaccination, recovery or tests) of the other Member States. By September 2021, 30 EU and EEA countries and 13 third 54 countries were are connected to the EU gateway enabling EU Member States to check in a simplified manner the COVID certificates issued by these third countries. Additional third countries are expected to join the process too. More details are provided in Appendix VI.

The results are positive, as over 460 million certificates have been issued by September 2021. This number is even higher in countries that put measures requesting the use of DCC for accessing other types of services such as events, etc. In practice, the certificates issued in a Member State can be used in others, not only when travelling across borders but also for national use when requested to access other types of services, and contributed to the lifting of measures restricting travels in a coordinated manner.

5Analysis and answers to the evaluation questions

5.1Analysis and evaluation

Effectiveness

The eHealth Network developed guidelines for the identification of patients and healthcare professionals to enable cross-border exchange of health data in the framework of MyHealth@EU, and specified semantic, legal and technical requirements for the standardisation of patient summaries and ePrescriptions. Guidelines and standards on ePrescriptions and Patient Summary were implemented in the MyHealth@EU platform. More services are planned to be covered by the platform, such as medical images, laboratory results and hospital discharge letters. While the platform can facilitate the exchange of patients’ health data across borders to enable continuity of care and patient safety across borders, its uptake has been so far limited to 8 Member States. Since many Member States so far have not implemented the developed standards and guidelines, lack of interoperability of digital health services systems remains one of the major obstacles to access to safe and high-quality cross-border healthcare. According to the finding of the study supporting this evaluation, one of the reasons behind the relatively low adoption of the platform lies in the voluntary nature of the eHealth Network that had no binding mandate towards Member States as well as the voluntary participation of the Member States in MyHealth@EU. Nevertheless, in quantitative terms, the volume of information exchanged on the platform was higher than the targets set by the eHealth Network in the eHDSI Monitoring Framework 55 . As the number of Member States taking up the platform will increase 56 , so will the effectiveness of the platform. Ensuring a higher up-take level of the platform will increase the impact in terms of patients’ access to safe and high-quality cross-border eHealth products and services, as well as continuity of care for patients receiving cross-border healthcare or benefitting from free movement within the EU.

The eHealth Network did not directly support patients in accessing their health data in other Member States. Although the MyHealth@EU platform can support these evolutions, as of today only 4 Member States have in place national rules requiring digital access to a copy of the medical record/s for patients affiliated to their healthcare system seeking cross-border healthcare in another Member States and 3 Member States provide digital access to a copy of the medical record/s of received treatment/s for patients affiliated to a different healthcare system. The lack of eHealth Network activities in the area combined with the low level of priority of the issue within the Member States resulted in a very low level of effectiveness.

When it comes to the support of national digitalization of healthcare, interoperability and access of patients to their health data, progress has been made at national level since 2011. It is difficult to attribute this directly to the work of eHealth Network (except for the progress made in the area of COVID-19 contact tracing apps and EU Digital COVID certificates), as not all the Member States implemented eHealth Network guidelines at national level. Despite the fact that the General Data Protection Regulation (GDPR) has specific provisions on the access of data subjects to their data and portability of this data, eHealth Network took limited measures at EU level to implement these provisions. Nevertheless, some measures were taken at national level 57 .

·26 Member States generally provide their citizens with access to electronic health record data by law.

·18 Member States indicate that data sharing of EHRs across national borders is permitted by law.

·27 Member States have a digital health authority, with different tasks related to interoperability, security, data protection, tele-health and m-health.

·24 Member States report that competent authorities aim to facilitate semantic and technical interoperability.

Also, some Member States implemented the Commission Recommendation on Electronic Health Record Exchange Format, complemented by the eHealth Network investment guidelines 58 , as well as the eHealth Network recommendation on National Digital Health Networks 59 developed with the support of eHAction. The eHealth Network had, for a very long time, mainly a political or strategic profile in view of the fact that its members represented mostly the ministries of health. The eHealth Member States Expert Group (eHMSEG) was established as a permanent subgroup of the eHealth Network in relation to specific tasks related to MyHealth@EU. Only recently, with the creation of the semantic and technical subgroups, the technical expertise has been brought forward more strongly, allowing for technical discussions on digitalisation to feed directly the main decisions of the eHealth Network. Whilst a subgroup of the eHealth Network on m-health recommended to set up an assessment framework that would support Member States in their work in this area, the temporary character of this group did not ensure a proper follow-up and is not reflected, for example, in any guidelines of the eHealth Network in this area. In any case, as the eHealth Network guidelines were voluntary, their impact on national development was rather limited and the effectiveness of eHealth Network actions was low.

Innovative use of health data has been developed during the COVID-19 crisis (i.e. Contact tracing apps, EU Digital COVID Certificates), guaranteeing the free movement of persons and allowing and promoting public health through digital means. This had a positive impact on the public health of the Union, providing crucial new tools in times of a public health crisis. These tools also helped to lift Member States temporary restrictions to the free movement of people, supporting the protection of an EU citizenship right. The digital infrastructure on contact tracing apps based on the Commission Implementing Decision (EU) 2020/1023 and on the guidelines of the eHealth Network was built on a voluntary approach (not all the Member States developed such apps and two Member States developed centralised approaches different from the general decentralized approach taken by the majority of the Member States). However, the eHealth Network managed to bring important coordination at EU level and changes at national level, done in rather similar way in several Member States. Such national and European transformation was even more visible for the EU Digital COVID Certificate, which had a strong legal basis (a Regulation (EU) 2021/953 based on free movement of persons legal basis which was adopted in extremely short time). Given the very high level of expertise brought forward in the semantic and technical subgroups of the eHealth Network and the coordination role of the eHealth Network plenary, Member States managed to deploy in few months an EU wide infrastructure, with a strong national rollout. The Commission also provided a strong support for EU interoperability. Therefore, on actions related to the public health crisis the effectiveness of the eHealth Network was very high.

In terms of secondary use of health data, no actions have been taken to boost secondary use of health data in research. In this area the eHealth Network was not effective. Some eHealth Network members explained the lack of action in the area as the result of several factors. On the one side, the prioritisation of developing ePrescriptions and patients’ summary together with the infrastructure to run such services across Member States (MyHealth@EU) took most of the capacity not allowing to focus on other topics. On the other side, up until 2020 the issue was lacking political support at Member States level and given the voluntary structure of the network, that represented an obstacle to moving forward in the area. The digital health agencies, represented in the eHealth Network had in many cases a national mandate focused on the use of data for healthcare. While no activities on secondary use of data were carried out by the eHealth Network, other EU initiatives (often funded through Horizon 2020 and Horizon Europe) did support the reuse of health data for research and innovation. A relevant example is the work carried out in the field of rare diseases 60 . Therefore, some impacts have been reached in the area, but they were not linked to effective eHealth Network activities.

Since the adoption of the Directive in 2011, the need for better management of data for policy making, research and innovation purposes has been recognised by some Member States. This resulted in the set-up of different new national institutions such as Health Data Access Bodies or national health institutes (e.g. Findata, French Data Hub, etc.). The need for action in this area is also reflected in the work on the European Health Data Space that became one of the priorities of the Commission and is supported, among others, through a new Joint Action (TEHDaS). With the setting up of a European Health Data Space, THEDAS future activities are likely to impact the amount and availability of harmonised public data for research, innovation and public health across the Union. Within the scope of secondary use of data, it is important to note that the entry into application of the GDPR brought not only a framework to guarantee safe processing of personal data, but also provided a framework for secondary use of personal data. Reasons of public interest in the area of public health, such as protecting against serous cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (on the basis of Union or Member State law) have been considered by the GDPR (Article 6(1)(e) and 9(2)(i) GDPR).

ØConclusions regarding Effectiveness:

As of today, after almost 10 years of activities, the effectiveness of the eHealth Network action has been rather limited and concentrated in enhancing the use of health data for primary use in the context of cross-border healthcare and more recently in promoting public health. More specifically, most of the activities focused on drafting guidelines for ePrescriptions and patient summaries and to support the development of the MyHealth@EU infrastructure to enable electronic cross-border health services. The MyHealth@EU platform has been implemented in 8 Member States so far. Member States with decentralised healthcare systems and lower levels of digitalisation appeared to have a lower level of readiness to implement the tools developed in the context of the eHealth Network activities. The platform currently supports two services (ePrescriptions and Patient Summaries), use of which has exceed the expected targets as set in the eHDSI Monitoring Framework (KPIs) 61 . In the future the platform may be used to extend the number of services provided and could constitute a starting point for the development of the European Health Data Space for primary use of health data. The very limited activities in the areas of patients’ access to their health data, telemedicine and secondary use of data resulted in a very low effectiveness in these areas.

While the eHealth Network recommended Member States to use the standards and specifications from Electronic Health Record Exchange Format in procurements, in order to build interoperability, their real uptake was limited and the outcome remains very fragmented.

Following the outbreak of the COVID 19 pandemic in Europe, the eHealth Network provided support in developing interoperability for the contact tracing apps as well as supported the development of an interoperable EU Digital COVID Certificate.

However eHealth Network activities in the field of mHealth were limited only to the above-mentioned actions on contact tracing apps and EU digital COVID certificate.

Support from the eHealth Network to Member States in developing effective methods for enabling the use of medical information for public health and research was not effective. Some general documents on big data were produced by the eHealth Network, but they were not followed up by additional specific implementing actions. At the EU level, some relevant activities in the area have been carried out by research projects funded by the Commission. Since February 2021, the establishment of the TEHDaS Joint Action has reinforced the EU intervention in the area. The Data Governance Act and the forthcoming European Health Data Space initiative will be important policy instruments in this area.

Efficiency

As a general rule, the benefits of EU interventions are expected to justify the costs they generate, although those who bear the costs do not always reap the benefits. This is a common situation in the health domain, where final beneficiaries are supposed to be citizens and patients. Furthermore, due to a lack of accounting of man-days and other inputs, it was not always feasible to quantify exactly the costs sustained by certain stakeholders. Nevertheless, this section seeks to identify the factors that are driving these costs and benefits and how these factors impacted the activities of the eHealth Network.

In terms of costs, the major contributors to eHealth Network activities have been the European Union and the Member States. The European Commissionwas a major contributor to the different Joint Actions. The table below summarises the European Commission’s financial contribution to the Joint Actions supporting the eHealth Network since its creation.

Table 1: Financing of eHealth Network Joint Actions

European Commission

Member States

Total JA budget

eHGI JA

(2012-2014)

EUR 1 001 895

(50% of total budget)

EUR 1 001 895

(50% of total budget)

EUR 2 003 791

JAseHn

(2015-2018)

EUR 2 400 000

(60% of total budget)

EUR 1 600 000

(40% of total budget)

EUR 4 000 000

EHAction

(2018-2021)

EUR 2 699 989.67

(60% of total budget)

EUR 1 799 985.38

(40% of total budget)

EUR 4 499 963

Source: European Commission

Overall the European Commission provided more than €6 m in Joint Actions since 2012. The Commission has increased greatly its contribution from the first to the second Joint Action while its contribution has increased only slightly from the second to the third Joint Action. Member States, have also co-financed a sizable percentage of the budget for the first and second Joint Action. The Joint Action budgets covered:

·Support for development of policy documents to support the different priority areas identified in the MWPs

·The dissemination of content produced within Member States and Stakeholder Groups;

·The dialogue with relevant EU eHealth stakeholder groups and standardisation organisations;

·In addition, the European Commission ensured the eHealth Network secretariat, the preparation and reimbursements of eHealth Network meetings, its subgroups and of the meetings of the eHealth Stakeholders Group.

The financial inputs that contributed to the work of the eHealth Network, were not limited to the already mentioned Joint Actions and support provided from the Health Programme, but included also the CEF which supported the development of the MyHealth@EU and the initial elements used for the set-up of primary data standards and interoperability. For the purpose of this analysis, other grants and projects that were generally linked to the development of eHealth in Europe, but not to the implementation of the eHealth Network specifically, have been excluded.

As mentioned above, the Commission supported the development of the MyHealth@EU platform mainly via the Connecting Europe Facility (2015-2020). Between 2015 and 2020, the Commission managed approximately EUR 31.5 million funds for eHealth activities. 62

The CEF funds have contributed to development and running of the MyHealth@EU platform by supporting the National grants for setting up National Contact Points for eHealth, Management and governance of the platform, Requirements and specifications, Configuration services, Terminology services, Test and Audit services, NCPeH Reference Implementation, Operations orchestration, Hosting.

The Commission also provided support from the financial instruments implementing the main research and innovation programmes (i.e. FP7, Horizon 2020, Horizon Europe, etc.). Over the years, these grants co-financed several projects relevant for the activities of the eHealth Network.

Before the setting up of CEF, different projects already started to build the groundwork to deliver digital cross-border eHealth services, by defining eID formats, as well as formats and frameworks for the digital exchange of Patient Summaries and ePrescriptions. The most relevant projects funded by EU are summarised in the following table:

Table 2: EU projects on cross-border eHealth services preceding CEF

	Topic	Budget	EU contribution
epSOS	Patient Summary and e Prescriptions	EUR 38 008 793	EUR 17 999 000
STORK & STORK 2.0	Cross-border authentication and identification (eID)	EUR 26 453 042 € 18 655 793	EUR 13 073 335 8 762 939
EXPAND	Deploying cross-border eHealth services	EUR 989 988	EUR 989 988
e-SENS	Deploying cross-border eHealth services	EUR27 358 005	EUR 13 678 995
Total		EUR 111 465 621	EUR 54 504 257

Source: European Commission

As highlighted in the previous two tables, Member States have also financially contributed to Joint Actions and projects. Furthermore, according to the stakeholders involved in the study, particular effort was required by the 8 Member States that are already operational on MyHealth@EU to join the platform. Furthermore, there are significant differences across Member States that need to be considered.

Financial support to some Member States has been provided by the European Commission to offer technical support to design and implement structural reforms. These are targeted, time limited projects, which usually take place at the request of a Member States. Technical support includes context specific study visits and best practice exchange between the Member States/Regions. Digital health is one of the areas where technical support is provided. For example, support was provided to Croatia for development of the 2021-2027 Croatian eHealth Strategic Development Plan and Croatian eHealth Business Implementation Plan 2021-2022. Bulgaria, Belgium, Estonia, Greece and Slovenia also receive support to develop their eHealth strategies and future proof ICT governance frameworks. Czechia received technical support for the creation and implementation of the national eHealth centre. The eGovERA project (eGovernment Enterprise Reference Architecture) also received support and has developed expertise in the area of eHealth.

On top of these financial inputs, additional human capital has been invested to ensure the execution of the eHealth Network activities. This includes especially the time spent by national experts and representatives, who on top of participating in semi-annual meetings, also organised and carried out their work in thematic sub-groups. Unfortunately, upon request no information was provided on an estimation of these costs. As a result, it was not possible to gather evidence on the estimation of the overall Man-Days (MD) invested by the different Member States. Nevertheless all stakeholders agreed that the commitment varied greatly among the eHealth Network members, hinting that some Member States invested far more than others. Furthermore, according to eHealth Network members, more sub-groups and frequency of meetings and activity was carried out since the start of the COVID 19 pandemic. As summarised in the Appendix IX, a total of 330 online meetings have been organised since the start of the COVID 19 pandemic until June 2021. Considering an average of 1 hour per meeting and the participation of one representative per Member State, we can estimate around 990 MD invested since the start of the pandemic until June 2021 on meetings alone (without considering the investments carried out nationally to produce and sponsor the different digital infrastructures and applications). Detailed overview of the number of eHealth Network meetings organised in the relevant period is provided in Appendix IX.

The voluntary cooperation structure of the network resulted in different levels of commitments and investments from Members that could be justified by different Member States’ priorities as well as different level of readiness to adopt the developed tools and guidelines.

In addition, Member States that already implemented the MyHealth@EU platform such as Finland and Estonia already had very digitalised healthcare systems at the time they joined the platform. On top of that, the population of both countries is concentrated in the capital regions of Helsinki and Tallinn respectively. Separated by the 65-kilometre-wide Gulf of Finland, the twin-city region of Helsinki-Tallinn is already a highly integrated region with relevant mobility flows across the gulf. These pre-existing conditions are likely to have played an important role not only in gathering the political support needed to adopt the MyHealth@EU platform, but also to be the two regions with the highest frequency of exchange of cross-border data. Furthermore, as highlighted by Portuguese representatives, having Portugal already a centralised national health data system, made it easier (and relatively cheaper) for the country to adopt all the standards required to uptake the MyHealth@EU platform compared to countries such as Spain, Germany and Italy with regional systems that already present interoperability issues within the countries.

Although the MyHealth@EU infrastructure is up and running, its adoption by Member States is so far limited to 8 Member States. Nevertheless, the exchanges on the platform have exceeded the targets set by the eHealt Network for 2019 and 2020. Compared to the 2011, Member States have now at their disposal a platform to exchange health data (ePrescription and eSummary) with other Member States in a secure and trustworthy manner. As more Member States will join the platform, more beneficial the tool will be for the countries that have already implemented it.

Limited commitment by Member States within a voluntary cooperation structure played an important role in limiting the effectiveness of the investments carried out in the area since 2011. The COVID 19 pandemic brought a change in policy focus and commitment by Member States. Whilst it is acknowledged that there has been an increase in the number of meetings and therefore human resources invested in the activities of the eHealth Network during the COVID-19 crisis in 2020 and 2021, the amount and quality of activities and concrete outcomes delivered within this short timeframe in the field of contact tracing apps and EU Digital COVID Certificate, are a proof to the fact that when there is political convergence and support among the different stakeholders of the voluntary network and, ideally, a stronger legal basis, the efficiency of the eHealth Network can increase greatly. From the beginning of 2020, the eHealth Network developed guidelines that supported the development of 19 interoperable contact tracing apps across the EU, as well as the development of the EU Digital COVID certificate launched across the EU in July 2021. It is important to note that in the case of the EU Digital COVID certificate, the initiative was legally based on a regulation 63 , while in the case of the MyHealth@EU platform, the cooperation was carried out mainly within a voluntary cooperation framework. This was probably another factor that increased the effectiveness of the activities carried out for the EU Digital COVID certificate.

Appendix X summarises in detail the different costs and benefits by stakeholder group.

It is important to highlight that, when enquired, none of the eHealth Network members was able to quantify the costs and benefits provided by the participation to the network, although the majority believed the network to be run in a cost-efficient manner. Future administrative procedures to participate to the eHealth Network activities should improve the accounting of the different costs (i.e. Man-Days, national investments, etc.) to allow for a better ex-post estimation of the costs carried out.

When Member States were enquired about the extent to which the eHealth Network activities contribute to a more cost-efficient development of cross-border digital health resources, the large majority did not have any strong position. The figure below summarises the results of the survey.

Figure 4. To what extent do you agree that the eHealth Network support contributes to a more cost-efficient development of cross-border digital health resources

(n=27)

Source: Author’s elaboration

ØConclusions regarding Efficiency:

The lack of data collected for certain cost categories (MD and national investments to implement developed tools) resulted in difficulties in assessing the costs incurred by the different stakeholders. Nevertheless, the analysis of the activities carried out against the input and resources provided by the Commission and the Member States suggests that there is scope for improvement with regard to the efficiency of the routine activities of the eHealth Network. So far only 8 Member States have implemented the MyHealth@EU platform and within these 8 Member States, the number of healthcare providers that are connected to the MyHealth@EU platform through NCPeHs also differs significantly.

However, the eHealth network proved to be fairly efficient in times of political convergence following the COVID 19 pandemic outbreak when it delivered high-quality concrete results and solutions within an extremely short period of time, in particular on contact tracing apps and EU DCC.

Different levels of commitment by different Member States are partially linked to different national priorities as well as different levels of readiness to introduce digital solutions. When Member States were enquired about the extent at which the eHealth Network support contributes to a more cost-efficient development of cross-border digital health resources, the large majority did not have any strong position.

As more Member States implement the developed tools and platforms, the more efficient their development and maintenance will be. Currently, all Member States are expected to implement the MyHealth@EU platform by 2025.

Relevance

Barriers to exchange patient’s health data across borders to enable continuity of care and patient safety across borders are still present. Digitalisation can support the continuity of care across borders, an important aspect for those who spend time abroad for business or leisure purposes. In terms of relevance, while some issues such as the development of eID, the MyHealth@EU platform and common guidelines for patients summary and ePrescriptions have been addressed, most of the initial needs and objectives remain relevant as barriers to interoperability remains. Only 7 Member States have implemented the MyHealth@EU platform so far. In addition, Nalin (2019) identified several barriers towards the actual adoption and implementation of data exchange initiatives, namely;

·Not all EU Member States are aligned with the JASeHN agreement (and the IDAS regulation)

·Different consent mechanisms exist among Member States

·Lack of standard EHR systems in Member States.

·Different implementation of EU regulations among Member States 64

·Different information workflows among National Infrastructure and healthcare organisations

·Lack of harmonisation in rules, processes, and safeguards

·National Contact Point for eHealth deployments in Member States are still in early stages

·Lack of the budget to address security aspects by healthcare organisations.

The recent COVID 19 pandemic has highlighted more than ever the relevance and need of a more integrated and interoperable European eHealth system. Facilitating the exchange of patients’ health data across borders to enable continuity of care and patient safety across borders remains highly relevant. In terms of semantic, legal and technical requirements for the interoperability of eHealth improvements have been made. The MyHealth@EU platform is up and running and is able to support cross-border transfer of health data (ePrescription and Patient Summary).

In the future, the same platform especially after the eID system will be integrated could be used to support other health services and enhancing accessibility to new cross-border digital health services such as tele-medicine, tele-health and tele-monitoring.

The eHealth Action Plan 2012–2020 – Innovative healthcare for the 21st century 65 evaluated the development of eHealth and defined the main objectives. In 2012, despite the economic crisis, the telemedicine market was booming, at an annual rate of 18.9% between 2010 and 2011. However, the complexity of the European legal framework was already a heavy burden. Most of the obstacles hampering the deployment of eHealth at the time are still not addressed:

•lack of awareness of, and confidence in eHealth solutions among patients, citizens

•and healthcare professionals;

•lack of interoperability between eHealth solutions;

•limited large-scale evidence of the cost-effectiveness of eHealth tools and services;

•lack of legal clarity for health and wellbeing mobile applications;

•inadequate or fragmented legal frameworks including the lack of reimbursement schemes for eHealth services;

•high start-up costs involved in setting up eHealth systems;

•regional differences in accessing ICT services, limited access in deprived areas.

The four actions defined to address these barriers were

•Achieving wider interoperability in eHealth Services;

•Supporting research, development, innovation and competitiveness in eHealth;

•Facilitating uptake and ensuring wider deployment of eHealth;

Promoting policy dialogue and international cooperation on eHealth at global level.

The use of common standards for health data transferred across borders through one platform could potentially also be relevant in the future to better grasp new technologies such as the use of Big Data and Artificial Intelligence in the field of healthcare.

Finally, supporting the pooling of the EU's data resources and to facilitate their use for research, innovation and policy making (secondary use of data) remains a major need that the eHealth network was not able to address. Not only enhancing secondary use of data (Article 14(b)(ii) of the Directive) remains a major need, but further reflection is needed on how to coherently address this issue with the different EU policies implemented. To ensure better secondary use of data, some Member States have set up different governance structures and strategies. The need to enhance secondary use of data resulted in the 2019 announcement of the Commission’s work towards creation of a European Health Data Space 66 , which is supported by the TEHDAS Joint Action. Secondary use of data solutions being developed under TEHDAS would help promote the use of health data for research, which would support research for the improvement of healthcare, taking away current existing barriers for the secondary use of health data.

ØConclusions regarding Relevance:

Digital solutions for healthcare can increase the well-being of millions of citizens and radically change the way healthcare services are delivered to patients, if designed purposefully and implemented in a cost-effective way.

The digitalisation of healthcare has actually increased the need for greater interoperability and data flow also in the context of tele-health and mHealth. This is also a need for the secondary use of data, which has only been recently started to be tackled by the TEHDaS Joint Action.

Coherence

First, this section analyses to what extent the provisions related to eHealth are coherent internally.

In terms of patients’ access to data, ad-hoc electronic medical record/summary of the treatment received supporting the continuity of care across borders have rarely been implemented, nor is required by Articles 4 and 5 of the Directive. While the Directive does not impose an obligation on Member States to ensure issuing of electronic copies of medical records/treatment received, a potential revision of the Directive could consider the possibility to foster more remote access to medical record in the context of cross-border healthcare.

At the same time, whilst eHealth Network issued guidelines supporting the implementation of the Commission recommendation on European Electronic Health Record Exchange Format and national interoperability, their voluntary status limited their impact on national interoperability.

This section also analyses the coherence of the eHealth provisions with other key EU policies, especially with regard to the GDPR and the work on the digital Single Market (the Commission Communication on Digital Transformation of Health and Care, The Data Governance Act, EU e-Government Action Plan), the needs emerging as part of the pandemic, and finally with national structures put in place for secondary services.

The work of the eHealth Network and especially the activities related to the primary use of health data via the MyHealth@EU platform has been brought forward in full respect of the applicable data protection rules and the GDPR in particular. The Commission adopted in 2019 the Implementing Decision 2019/1765 providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth. This Implementing Decision has clarified the responsibilities of the relevant national authorities or other designated bodies as controllers of personal data they process through the MyHealth@EU. On that basis the Member States authorities should clearly and transparently allocate the responsibilities between them as controllers. The Implementing Decision also clarified that the Commission acts as the data processor for patients’ personal data processed through MyHealth@EU.

The Communication on a Digital Single Market Strategy for Europe 67 , which was adopted in 2015, includes eHealth and telemedicine under the section on “Boosting competitiveness through interoperability and standardisation”. Based on the work carried out within the Digital Single Market Strategy for Europe, and more specifically the EU e-Government Action Plan 2016-2020 communication 68 as well as the communication on the priorities of ICT standardisation for the Digital Single Market adopted in 2016, in 2018 the EC published a Communication on Digital Transformation of Health and Care 69 . The communication identified three priorities for future action:

•Citizens' secure access to their health data, including across borders, enabling citizens to access their health data across the EU;

•Personalised medicine through shared European data infrastructure, allowing researchers and other professionals to pool resources (data, expertise, computing processing and storage capacities) across the EU;

•Citizen empowerment with digital tools for user feedback and person-centred care using digital tools to empower people to look after their health, stimulate prevention and enable feedback and interaction between users and healthcare providers.

The proposal for a Regulation on European data governance (Data Governance Act) 70 , is the first of a set of measures announced in the 2020 European strategy for data 71 . The Data Governance Act aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The Data Governance Act refers to the sectoral data spaces, including in the health sector, and should be complemented in the health domain by creating a harmonised framework for health data exchanges, the European health data space (EHDS) for primary and secondary use of health data. The objectives of the Data Governance Act are therefore coherent with the objectives of the provisions of the Cross-border healthcare directive concerning eHealth. However, as mentioned above, in the area of secondary use of health data the implementation of these objectives by the eHealth Network was rather limited.

The eHealth Network activities set out in its MWPs have been largely coherent with the policy evolution that took place over the last few years and set out in the Digital Single Market Strategy, and more specifically the EU e-Government Action Plan 2016-2020. However, contrary to the guidelines set forward in the “eHealth Action Plan 2012–2020-Innovative healthcare for the 21st century”, only limited activities have been carried out by the eHealth Network in the field of telehealth (only few policy documents developed by the eHAction Joint Action). In the field of mHealth the eHealth Network seems to be more aligned with the objectives of the eHealth Action Plan 2012-2020 as it set up a temporary working group, which delivered recommendations on mHealth, including on guidelines for evaluating tele-health applications. However, their follow-up and implementation was limited at the end of the mandate of this group.

The COVID-19 pandemic brought an increase of the activities in the area of m-health and public health (contact tracing apps and EU Digital COVID Certificates) and the digital solutions developed in this light seem to be coherent with Member States policies and infrastructures developed to fight the COVID-19 pandemic.

As already mentioned, so far the majority of the activities of the eHealth Network only focused on primary use of health data while only limited activities were carried out in the field of secondary use of data, partly due to the fact that the institutions participating in the eHealth Network may have not been the ones responsible for the secondary use of health data at the national level. As demonstrated above, the Commission supported financially several projects in the area of secondary use of health data through various funding programmes, but there seems to be insufficient or very limited coherence of this work with the work of the eHealth Network.

There are different governance structures and strategies for managing health data in the Member States, with a particular focus on reusing data for research purposes. These include national agencies or bodies authorized to grant permits for the use of data already collected for another specific purpose, as well as any other mechanisms for providing access to health data for research and public policy purposes, including by means of initiatives to further enhance data altruism. There are currently thirteen data governance bodies at a Member States level that currently have a central role within their Member State for providing access to health data for research. However, these bodies often existing in parallel to other bodies and data controllers that are entrusted with similar responsibilities or are providing similar services within the Member States. The ongoing Joint Action TEHDAS can help to address these existing incoherencies.

The evolution of national agencies specialised in secondary use of data and Health Data Access Bodies means that there are new actors and stakeholders that need to be engaged to ensure the coherent development of the future European Health Data Space and aligning the respective national policies in this area. The current structure of the eHealth Network was not able to promote cooperation between Member States in the field of secondary use of health data, nor was it able to engage with these new institutions. Therefore, to ensure the implementation of the European Health Data Space in its entirety a different structure should be developed to ensure the appropriate coordination of the work on secondary use of health data.

Moreover some other stakeholders such as health insurers, representatives from the medical device and pharmaceutical industry flagged during the consultation activities (interviews) that they were not invited to monitor and provide input to eHealth Network’s activities in a systematic way, although they represent key players in healthcare. These stakeholders have been invited to several meetings of the eHealth Network in the past years on an ad-hoc basis but better engagement with eHealth Network activities could be further considered.

ØConclusions regarding Coherence:

In terms of coherence, the eHealth Network has been, at least on its intentions reflected in the MWPs, coherent with the policy evolution that took place over the last few years, especially with the development of the Digital Single Market Strategy, and more specifically the EU e-Government Action Plan 2016-2020. However, some areas were rather neglected, such as telehealth and eHealth. Member States national policies were not always aligned with eHealth Network activities and that may partially explain the current low pick up rates of some of the tools developed (i.e. MyHealth@EU platform). The recently launched TEHDaS Joint Action focusing on use and reuse of health data and involving new actors in the process, should help to ensure better coherence with Member States’ policies and initiatives carried out at the national level. That would be in line with the requirement of the Directive for the eHealth Network to develop guidelines on effective methods for enabling the use of medical information for public health and research. The current situation calls for expanding the cross-border services offered to include secondary use of health data to develop the planned European Health Data Space.

EU added value

Healthcare is a national competence in the EU, as Member States have the primary responsibility for organising and delivering health services. Therefore EU action must complement national policies and encourage cooperation between Member States (Article 168 of the TFEU). EU intervention contributes only where Member States cannot act individually or where coordination is the best way to move forward.

While looking at activities and results, the evaluation assessed changes which can reasonably be argued are due to the EU intervention, over and above what could have been expected from national actions by the Member States.

According to Azzopardi-Muscat et al. (2018) the impact of the Directive (EU) 2011/24 varies between countries and is smaller in countries where a large degree of adaptation had already taken place in response to the European Court of Justice Rulings 72 . Nevertheless, most of the reforms analysed did not addressed eHealth issues.

Regarding eHealth and the cross-border exchange of health data for healthcare, it would be hard to imagine the development of a platform such as MyHealth@EU without EU intervention. According to the different experts interviewed (external experts as well as some eHealth network members), Member States showed different levels of involvement in the different eHealth Network initiatives that is reflected in the varying up-take rate of the platform ranging from the early adopters to the Member States that have not yet even indicated their intention to join the exchanges via MyHealth@EU. In terms of interoperability and eID, the Member States with regional healthcare systems (i.e. Spain, Germany, Italy), still suffer from lack of national interoperability and may not consider the EU level interoperability neither as a priority nor as an opportunity to foster national interoperability within the country. Furthermore, given the relatively low volume of cross-border healthcare, compared to healthcare provided to national patients, when it comes to developing formats for ePrescriptions and Patient Summary some countries would have had less incentive to factor in the interoperability across the EU.

Having an established network in place played an important role in reacting quickly to the COVID 19 pandemic by setting up common standards for contact tracing app and COVID certificates and establishing a European infrastructure to enable interoperability. The COVID 19 pandemic stressed the need to coordinate and ensure better flow of health data across Europe and demonstrated greatly the added value of the EU action in the area of digital health.

When it comes to secondary use of health data, the involvement of new national agencies and Health Data Access Bodies will be crucial to develop better data usage for research and policy making. The limited activity of the eHealth Network in the field of secondary use of data provides an example of insufficient coordination and common action among Member States. This could be partly improved by the setting up of the TEHDAS Joint Action but a potential long-term solution could be to have two different networks, one focusing on primary use of data and involving the stakeholders currently involved in the eHealth Network and the second one focusing on secondary use of data and involving Health Data Access Bodies as well as national data agencies. The two networks would need to be interconnected and well coordinated to avoid duplication and ensure common use of certain tools and formats such as eID. Together, the two networks would provide the two pillars on which to build the future European Health Data Space, ensuring the control of citizens over their own personal health data and the use of data for medical diagnosis, public health and research. However, attention should be paid to the extent that the TEHDAS replicates the same path taken by the eHN.

ØConclusions regarding EU added Value:

In terms of evaluating the EU added value of the intervention, the result is mixed. While there are clear potential benefits of the cross-border collaboration on eHealth and digital health, the number of healthcare providers and patients that can actually take advantage of this possibility is currently low although increasing. This is due to the continuing insufficient interoperability across the different national systems, but also due to a relatively low demand for cross-border healthcare compared to national demand. While the EU contributed to the development of common standards for ePrescriptions, Patients Summary and eID, the pick-up rate in the Member States remains low for the time being, although it should improve in the years to come. Furthermore, while the political support of most Member States for greater interoperability have been fairly low since the establishment of the Network, the outbreak of the COVID 19 pandemic not only brought the greater effectiveness of the network when there is political convergence, but it also highlighted EU added value of having an integrated system that can enable effectively the use of medical information for public health and research.

6Conclusions

The present evaluation was carried out more than 10 years after the adoption and entry into force of the Cross Border Healthcare Directive and its provisions related to eHealth. The Directive provides that that Member States work within a voluntary network connecting national authorities responsible for eHealth designated by the Member States. In this regard, the eHealth Network has been operational for more than a decade. The analysis carried out above, and in particular the voluntary nature of actions, indicates that the effectiveness and efficiency of the eHealth Network actions has been rather limited and its routine activities were restricted to enhancing the use of health data for primary purpose in the context of cross-border healthcare (primary use of health date). As shown in the analysis carried out, the advancements in eHealth in recent years call for a more coordinated action at EU level. The MyHealth@EU platform has been so far implemented only in 8 Member States and the platform currently supports two services (ePrescriptions and Patient Summaries). The low and slow uptake is partly related to the fact that the Directive, whilst establishing the right of patients to receive a written record of the treatment carried out, does not require this medical record to be provided in electronic form (see Article 4(2)(f) and Article 5(d)). Currently, most Member States are expected to implement the MyHealth@EU platform by 2025. Only when more Member States will implement the MyHealth@EU platform and the developed tools, their use, development and maintenance will become more efficient across the EU.

Nevertheless, following the outbreak of the COVID-19 pandemic in Europe, the eHealth Network provided effective and efficient support in developing and implementing two important initiatives and digital infrastructures within an extremely short period of time: the contact tracing apps for the EU’s fight against COVID-19 as well as supporting the development of interoperable EU Digital COVID-19 Certificate. These activities provided important contributions to achieving objectives related to protection of public health, interoperability of applications and free movement of persons. Therefore while eHealth network actions related to the routine operations regarding health data for primary use in the context of cross-border healthcare presented some limitations in terms of efficiency, the eHealth network proved to be very effective and efficient in times of public health crisis and political convergence following the COVID-19 pandemic outbreak.

With regard to the use of health data for purposes of research, innovation, policy making and regulatory decisions of health authorities (secondary use of health data), it can be concluded that the eHealth Network activities were limited and not very effective. Some non-binding documents on big data were produced by the eHealth Network, but they were not followed up by further specific actions and implementation of these guidelines in practice remains very limited. This lack of effectiveness was also related to the fact that few members of eHealth Network had at national level tasks related to secondary use of health data, while some Member States set up different bodies to deal with this file. Most of these new bodies participate in the Joint Action TEHDaS. However, neither the Joint Action TEHDaS, nor the numerous funds provided by the Commission to support the secondary use of health data have insufficiently been realized in coherence with eHN activities.

Based on the abovementioned analysis the following measures may be considered further in order to address the identified issues and gaps.

To ensure the development of the European Health Data Space for both primary and secondary use of health data, the current structure of the eHealth Network does not appear to be appropriate anymore as it is not able to address in particular the needs related to the secondary use of health data in an effective and efficient manner. Its revision or adaptation could be therefore considered. Options to address the limitations related to the voluntary nature of the eHealth Network should be further considered and taken forward in the future initiative on the European Health Data Space, especially in order to support the creation of a digital single market in the health sector.

In order to achieve higher acceptance of the outputs and more efficient coordination with the stakeholders involved, the eHealth Network activities should be better coordinated with the different stakeholders and existing activities including:

-Projects directly affecting the eHealth Network’s objectives and supported, for example, through the Digital Europe Programme, Horizon Europe or EU4Health programmes;

-Health Data Access Bodies and national health institutes (and in particular with the TEHDAS Joint Action);

-Industry and other non-governmental organisation representatives.

Further actions are also needed to facilitate the access of health data to patients, ensuring the control of citizens over their own personal health data and the use of data for medical diagnosis and treatment (primary use), but also for research, innovation and policy making (secondary use). A potential solution could be making the data on the MyHealth@EU platform accessible and available to patients and at the same time extending the number of services available on the platform to all healthcare providers in the Member States.

In order to ensure secure and efficient access to and use of patient’s data on the MyHealth@EU, the efficient implementation and uptake of the developed eID format on the MyHealth@EU platform and its binding adoption and application by Member States should be ensured. Binding measures in this area could be considered.

The objectives mentioned in Article 14 of the Directive on secondary use of health data require stronger intervention from the European Commission. The development of a European infrastructure should be considered, along with the strengthening of the legal base for the use of health data for secondary use and stronger coordination of activities relating to the various investments in this area under e.g. Horizon Europe.

Furthermore, in order to better achieve the availability and accessibility of electronic health records, the repeal of the provisions in the Directive related to digital Health, especially its Article 14 is considered in order to strengthen digital access to patient’s data. This could incentivise the application of rules to provide digital access to a copy of the medical records for patients affiliated to their healthcare system seeking cross-border healthcare in another Member State, as well as a copy of the medical record(s) of received treatment(s) for patients affiliated to a different healthcare system that used cross-border healthcare in another Member States. This could also potentially contribute to enhanced interoperability of applications available in the Member States and therefore to the strengthening of the Digital Single Market.

In order for the Member States to achieve the identified policy objectives they need to make efforts to build sufficient capacity and infrastructure nationally to implement the measures agreed and adopted at the EU level. The support for the Member States in this area is currently available, for example, from the Recovery and Resilience Facility (RRF). The support for the capacity building provided by the RRF should target in particular the Member States with lower levels of readiness in adopting the different tools already developed (such as the MyHealth@EU). Member States would need to remove legal barriers for the exchange of health data across borders.

Finally, another issue identified during the evaluation concerns the difficulties to quantify or even estimate the inputs provided by the Member States for the activities of the eHealth Network. To ensure better future evaluation of the activities carried out in the area, Member States and the eHealth Network members should consider keeping record of financial and non-financial inputs (including quantification of human resources involved) provided for the eHealth Network activities.

The findings of the evaluation confirm that the abovementioned issues should be further considered and addressed as part of the initiative on development of the European Health Data Space.

Appendix I: Evaluation matrix

Criteria	Research questions (RQ)	Indicators	Source
Application of Art. 14 and accompanying acts (A16)	·How effective was the setting up of the eHealth Digital Service Infrastructure in stimulating interoperability and cross-border exchange of health data?	·Number of Countries with Operational NCPeH ·Number of transactions between Countries	·eHDSI Monitoring Framework (KPIs)
	·To what extent was the intervention of the eHealth Network effective in stimulating the use of health data for research and policy making?	·Number of publications using health data generated as a result of eHealth Network activities ·Number of policies and initiatives using health data generated as a result of eHealth Network activities	·Desk research
	·To what extent was the intervention of the eHealth Network effective in stimulating the primary and secondary use of health data?	Primary use of data: ·Number of ePrescriptions exchanged ·Number of Patient Summaries exchanged ·Number of Operational eP-A services ·Number of Operational eP-B services ·Number of Operational PS-A services ·Number of Operational PS-B services Secondary use of data: NA	·eHDSI Monitoring Framework (KPIs)
	·To what extent was the eHealth Network effective in supporting the use of health data for medical diagnosis and treatment, public health (including planning, provision of healthcare, management of health or social care systems and services, regulatory purposes, certification of medical devices, protecting against cross-border health threats) and for scientific or historical research and innovation?	·Number of publications using health data generated as a result of eHealth Network activities	·Desk research
	·What were the factors that influenced the observed achievements and to what extent?	·Factors affecting the up-take rate of the developed tools and guidelines	·Focus Group ·Interviews
	·Which factors hindered the attainment of the objectives and to what extent? How do these factors link to the actions carried out under Article 14? To what extent were there external factors that influenced the results?	·Factors affecting the up-take rate of the developed tools and guidelines	·Focus Group ·Interviews
Effectiveness (A17)	·To what extent were the objectives reached, as they were set out in Article 14 (2) of the Directive?	·Number of information exchanged ·Number of guidelines produced on patient’s summary and medical information for public health and research	eHealth Network deliverables
	·What were the qualitative and quantitative effects of the eHealth Network on the cooperation and exchange of information between MS? How were these effects achieved?	·Adoption of guidelines on ePrescription, patient’s summary and eID ·Number of Countries with Operational NCPeH ·Number of transactions between Countries ·Number of services offered on the MyHealth@EU platform	eHDSI Monitoring Framework (KPIs)
	·To what extent can they be attributed to the eHealth Network, e-Prescriptions and Patient Summaries, European Electronic Health Record exchange format, etc.?	·Number of ePrescriptions exchanged ·Number of Patient Summaries exchanged	eHDSI Monitoring Framework (KPIs)
	·How effective was the setting up of the eHealth Digital Service Infrastructure in stimulating interoperability and cross-border exchange of health data?	·Number of Operational eP-A services ·Number of Operational eP-B services ·Number of Operational PS-A services ·Number of Operational PS-B services	eHDSI Monitoring Framework (KPIs)
	·To what extent was the eHealth Network instrumental to deliver sustainable economic and social benefits of e-health systems? To what extent was the eHealth Network instrumental to achieve a high quality of trust and security, enhance continuity of care and ensure access to safe and high quality healthcare?	·Number of e-health agencies in Member States ·Member States with legislation in the area of electronic health records ·Member States implementing electronic health records ·Member States implementing Electronic Health Records Exchange Format to ensure the interoperability of health data	Desk research
	·To what extent was the intervention of the eHealth Network effective in stimulating the use of health data for research and policy marking?	·Number of publications using health data generated as a result of eHealth Network activities ·Number of policies and initiatives using health data generated as a result of eHealth Network activities	·Desk research
	·To what extent was the intervention of the eHealth Network effective in stimulating the primary and secondary use of health data?	Primary use of data: ·Number of Countries with Operational NCPeH ·Number of transactions between Countries Secondary use of data: NA	eHDSI Monitoring Framework (KPIs)
	·To what extent was the eHealth Network effective in supporting the use of health data for medical diagnosis and treatment, public health (including planning, provision of healthcare, management of health or social care systems and services, regulatory purposes, certification of medical devices, protecting against cross-border health threats) and for scientific or historical research and innovation?	·Number of publications using health data generated as a result of eHealth Network activities	·Desk research
	·What were the factors that influenced the observed achievements and to what extent?	·Factors affecting the up-take rate of the developed tools and guidelines	·Focus Group ·Interviews
	·Which factors hindered the attainment of the objectives and to what extent? How do these factors link to the actions carried out under Article 14? To what extent were there external factors that influenced the results?	·Factors affecting the up-take rate of the developed tools and guidelines	·Focus Group ·Interviews
Efficiency (A18)	·To what extent have the actions carried out under Article 14 been realised in a cost-effective way?	·Costs of Joint Actions ·CEF funds ·Costs of DG RTD projects directly related to eHealth Network activities ·MD of eHealth Network members ·MS cost of implementation of developed tools ·DG REFORM capacity building budget ·Estimated benefits for the EU, Member States, Patients, HCP, Researchers, Industry. ·Funding for digitalisation under EU and national funds	·eHealth Network Joint Action budget ·CEF budget ·Relevant DG RTD projects’ budget ·Accounting of MD spent (currently not monitored) ·Accounting of funds invested by MS in implementing the tools developed (currently not monitored) ·Estimation of benefits: https://ehealth-impact.eu/
	·Looking closely at both the costs and benefits of Article 14 as they accrue to different eHealth stakeholders, how efficient has the implementation of Article 14 been for each type of stakeholder (citizens, patients, healthcare professionals, policy makers, researchers, companies (pharmaceutical sector, AI) etc.)?	·Analysis of costs and benefits	·Funding for digitalisation under EU and national funds ·Survey
	·To what extent are the costs justified and proportionate given the effects observed/objectives achieved/ benefits obtained in general? How proportionately were the costs of the intervention borne by different stakeholder groups taking into account the distribution of the associated benefits?	·Costs of Joint Actions ·CEF funds ·Costs of DG RTD projects directly related to eHealth Network activities ·MD of eHealth Network members ·MS cost of implementation of developed tools ·Funding for digitalisation under EU and national fundsDG REFORM capacity building budget ·Estimated benefits for the EU, Member States, Patiens, HCP, Researchers, Industry.	·eHealth Network Joint Action budget ·CEF budget ·Relevant DG RTD projects’ budget ·Accounting of MD spent (currently not monitored) ·Accounting of funds invested by MS in implementing the tools developed (currently not monitored) ·DG REFORM funds invested on capacity building ·Estimation of benefits: https://ehealth-impact.eu/
	·If there are significant differences in costs (or benefits) between MS, what is causing them? How do these differences link to the intervention?	·MD of eHealth Network members ·MS cost of implementation of developed tools ·DG REFORM capacity building budget ·Estimated benefits for the EU, Member States, Patiens, HCP, Researchers, Industry.	·Accounting of MD spent (currently not monitored) ·Accounting of funds invested by MS in implementing the tools developed (currently not monitored) ·DG REFORM funds invested on capacity building ·Estimation of benefits: https://ehealth-impact.eu/
	·What factors influenced the efficient functioning of the intervention and to what extent? What factors hindered it and to what extent? What is the connection between these factors and the actions laid out in Article 14?	·Regulations linked to eHealth Network activities	·EUR-Lex ·MWP
	·Which factors influenced the cost side and which ones influenced the benefit side? To what extent? To what extent were these factors linked to the intervention described in Article 14? To what extent were there external factors that influenced the results?	·Internal and external factors affecting the efficiency of the developed tools and guidelines	·Focus Group ·Interviews
Relevance (A19)	·To what extent are the objectives and provisions of Article 14 still relevant, considering current needs and how they have evolved since the adoption of the Directive?	·Revision of intervention logic needs and objectives	·The intervention logic developed in this report should be used as a baseline
	·How relevant is Article 14 to EU citizens? How did the Article contribute to supporting citizens to access their own health data and ensure portability of these data?	·Mapping of rules to provide digital access to a copy of the medical record/s for patients affiliated to a healthcare system seeking cross-border healthcare in another Member State ·Mapping of rules to provide digital access to a copy of the medical record/s of received treatment/s for patients affiliated to a different healthcare system that used cross-border healthcare in another Member State	·Tables developed for this report should be used as a baseline (based on countries self-declaration in survey)
	·To what extent the provision of Article 14 are relevant for the secondary use of health data (for policy making, regulatory purposes, research and innovation)?	·Analysis of the needs relevant for the secondary use of health data and the objectives of Article 14	·Desk research ·Interviews ·Focus Groups
	·To what extent have the original objectives proven to be appropriate to facilitate the cooperation and exchange of information between MS?	·Level of achieved objectives and observed impacts	·The results of this study should be used as a baseline
	·How well adapted is Article 14 to subsequent technological or scientific advances (e.g. the use of Big Data and Artificial Intelligence in the field of healthcare)?	·Analysis of the needs evolution inked to technological change and the objectives of Article 14	·Desk research ·Interviews ·Focus Groups
	·To what extent does Article 14 facilitate both the processing of health data for treatment (e.g. through the eHealth Digital Service Infrastructure and the National Contact Points for eHealth), and further compatible processing of health data for research and policy-making?	·Analysis of MWPs and subsequent activities carried out	·Desk research ·Interviews ·Focus Groups
Coherence (A20)	·To what extent are the provisions of Article 14 coherent with wider EU policy and with the European Health Data Space (especially the use of data for medical diagnosis, public health (including planning, provision of healthcare, management of health or social care systems and services, regulatory purposes, approval of medical devices, protecting against cross-border health threats) and for scientific or historical research and innovation)?	·Documentation and overview of other EU policies have been collected ·Objectives ·Activities and outputs carried out	·Additional stakeholder/expert inputs on coherence with other EU policies should be collected
	·To what extent is the cooperation described in art 14 coherent with other activities supporting the access to health data, interoperability, tele-health, m-health, Electronic Health Record Exchange Format?	·Amount of activities aimed to implement Electronic Health Record Exchange Format ·Amount of activities aimed to implement m-health, tele—health	·eHealth Network deliverables
	·To what extent is the cooperation described in art. 14 coherent with other Networks/cooperation possibilities which have similar objectives (especially for the use of data for policy making, research and innovation – e.g. Findata, French Data Hub, etc.)?	·Amount of activities on cooperation with other networks	·eHealth Network cooperation with other networks
	·To what extent is Article 14 coherent with international obligations?	·Amount of activities on international cooperation	·eHealth Network deliverables on international cooperation
	·To what extent is the eHealth Network coherent internally (e.g. there is coherence between its actions/activities/tasks)?	·Analysis of MWP	·MWP
	·To what extent is the eHealth Network able to implement the European Health Data Space in its entirety, as requested by the mission letter of Commissioner Kyriakides?	·Analysis of Output with respects to the European Health Data Space objectives	·This report can be used as a benchmark
	·To what extent can Article 14 and the eHealth Network ensure that citizens have control over their own personal health data?	·Discussion on policy evolution (GDPR) and on Article 4.2 (f) and Article 5 (d) of the directive.	·Focus Groups
EU added value (A21)	·What is the added value produced by the provisions of Article 14, compared to what could reasonably have been expected from the MS acting in the absence of the network at national or regional level?	·If common identification and authentication measures and platform running cross-border services would have been developed without eHealth Network. ·If yes, it would have been more or less effective.	·Study Survey
	·What would be the most likely consequences of stopping the eHealth Network/ repealing Art. 14?	·If common identification and authentication measures and platform running cross-border services would have been developed without eHealth Network. ·If yes, it would have been more or less effective.	·Study Survey
	·How should the eHealth Network and Article 14 be modified to increase their impact, especially in the light of new technological developments and the use of data, including for digitalisation, access of citizens and control over their data, interoperability, provision of digital health services (e.g. m-health, tele-health), but also scientific research, policy making, reporting, protecting against cross-border health threats etc.?	·Discussion on new technological trends, digitalisation, control of citizens over their data, interoperability, provision of digital health services (e.g. m-health, tele-health), cybersecurity and use of data for research, policy making and regulatory purposes (secondary use of data)	·Focus Groups
	·How should the tasks of the eHealth Network and Article 14 be modified to increase their impact, especially in relation to setting up the European Health Data Space, supporting digitalisation, ensuring the control of citizens over their own personal health data, interoperability, provision of digital health services (e.g. m-health, tele-health), and the use of data for medical diagnosis, public health (including planning, provision of healthcare, management of health or social care systems and services, regulatory purposes, approval of medical devices, protecting against cross-border health threats) and for scientific or historical research and innovation)?	·Discussion on policy evolution and on Article 4.2 (f) and Article 5 (d) of the directive.	·Focus Groups

Appendix II: Multiannual Work Plan activities and outputs of the eHealth Network

Multiannual Work Plan (MWP) 2012-2014 (eHGI JA)

Objectives	Activities	Outputs
Adopt common measures on eIdentification and authentication for eHealth under the Cross Border Healthcare Directive, art.14	Policy paper "Conclusions on eID EU Governance for eHealth Services” - May 2012	Common identification and authentication measures based on national solutions to support electronic transferring of data in cross-border healthcare settings.
	eID & Authentication practices for eHealth in the EU Member States based on a questionnaire - November 2012
	Position paper on the Commission proposal for an eID Regulation - May 2013
	Road map giving a strategic approach to common measures on eID for eHealth under Directive 2012/24/EU and analysis of its implications (Risks, legal challenges, cost, benefits) - November 2013
	Development of Common identification and authentication measures based on national solutions to support electronic transferring of data in cross-border healthcare settings.
Addressing semantic and technical barriers to interoperability	Discussion paper on semantic and technical interoperability - November 2012	Guidelines on semantic and technical interoperability
	Semantic and technical interoperability roadmap (stepwise approach and intermediary milestones) - May 2013
	development of Guidelines on semantic and technical interoperability
Addressing legal barriers to interoperability, including data protection issues	Network's report on the Commission proposal for a Regulation on data protection November 2012	Guidelines on legal interoperability
	Legal Interoperability Roadmap for cross border exchange of electronic Health Records and ePrescriptions -2014
Guidelines on patients’ summary set of data for cross border electronic exchange, under the Cross border Directive	Non-exhaustive data set for patients’ summary that can be exchanged across borders - November 2013	Guidelines on non-exhaustive list of data to be included in patient's summary
	Guidelines on technical and semantic interoperability of the selected data set, including the coding, classification and terminologies set and their semantic transformation process in a multilingual environment - 2014	Guidelines for cross-border electronic exchange of patients' summary data set
Guidelines on interoperability of ePrescriptions (art 11 of the Cross border Directive)	Discussion of the Network on interoperability of European and national databases for medicinal products - November 2012	Guidelines on interoperability of ePrecriptions
	Roadmap on interoperability of electronic prescriptions - 2013
	Discussion paper on guidelines for electronic prescriptions - May 2014
Sustainability	Development of recommendations on the governance of the Connecting Europe Facility (CEF) – May 2013	Recommendations on the governance of the Connecting Europe Facility (CEF)

Multiannual Work Plan (MWP) 2015-2018 (JAseHn)

Objectives	Activities	Outputs
Interoperability and standardisation;	Trusted eHealth National Contact Points. Propose an organisational framework to prepare, establish and govern eHealth National Contact Points in the scope of cross border care services deployed under the Connecting Europe facilities work plan.	Organisational Framework for National Contact Points for eHealth and several specific policy papers serving as the main basis for the preparation, deployment and operation of the National Contact Point for eHealth
	Electronic Identification for eHealth. Activities include the elaboration of an eID specific framework for eHealth representing an agreement primarily under the scope of the eID Regulation. This shall also include a set of common identification, authentication and access measures based on national solutions to allow trusted electronic transfer of patient data in cross-border care. Further activities refer to the elaboration of guidelines on the interoperability of electronic professional registries and reports on notification of national eID under the scope of the eID Regulation.	·(Legal) Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in CrossBorder eHealth Information Services ·Organisational Framework for National Contact Points for eHealth and several specific policy papers serving as the main basis for the preparation, deployment and operation of the National Contact Point for eHealth ·Refined eHealth European Interoperability Framework (ReEIF)
	Update & revision of EU eHealth Guidelines: Update and revise guidelines for Patient Summary, ePrescription and Patient Registries, which have been developed following former projects and been adopted by the eHN (except the Patient Registries guideline). The updating and revising process is necessary to ensure that requirements from the Member States and other stakeholders (incl. the input gathered by WP6) are taken into account for the development of further revisions. The aim is to maintain and provide a set of guidelines to foster semantic interoperability for cross-border exchange and to inform about the Member States’ plans for national implementations.
	Alignment of standardisation
Exchange of Knowledge;	Analysis of the implementation of eHealth guidelines: The implementation analysis reflect various conditions in the Member States concerning the eHealth infrastructure in terms of legal, organisational and technical prerequisites for full guidelines adoption.	·(Legal) Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross Border eHealth Information Services ·Refined eHealth European Interoperability Framework (ReEIF)
	Development of legal interoperability in a cross-border context: This task concentrates on the creation of a sustainable legal basis for cross-border exchange of personal health data.
Assessment of implementation;	Sharing of National eHealth Strategies and Action plans	9 Documents on assessment of Member States policies and guidelines implementation
	Secondary use of Health Data: This task focused on: ·The pros and cons of the use of cloud computing in health, ·Publication of a code of conduct on how to handle secondary use of health data. ·Recommendation on de-identification of data for secondary use.
	·Research on added value of eHealth Tools: This task explored and reported on the most up-to-date studies on the added value of eHealth services to health services
Global cooperation and positioning.	Participation, Liaison and Influence in global eHealth: This task is divided into the following sub-tasks: ·Overview of OECD studies on eHealth and core outcome ·Prepare for preparatory convergence meetings to coordinate input before WHO and OECD meetings on eHealth ·Information paper on main eHealth activities outside of the EU	6 Documents on main eHealth activities outside of the EU and global eHealth specifications
	Evaluation of global eHealth specifications

Multiannual Work Plan (MWP) 2018-2021 (EHAction)

Objectives	Activities	Outputs
Empowering people: enabling citizens to take an active role in the management of their health;	mHealth and health apps reliability. ·Perform desk research including input from a consultation round with external stakeholders and input from JAseHN, and other projects. In addition, investigate ways to motivate or create incentives for patients to participate in their healthcare process by adopting and using mHealth services. · Analyse the findings and define a common understanding on the subject. ·Develop a state of play/positioning report (common framework for the assessment/endorsement of health apps) with regard to mHealth and health apps reliability in relation to Patient Empowerment. ·Participation to workshops to implement the MWP and coordinate dissemination activities.	Develop a common framework and principles for facilitating safe and reliable use mHealth apps.
	Patient access and use of data. ·Perform desk research; input from the consultation round with external stakeholders, JAseHN and other projects. In addition, investigate ways to motivate or create incentives for patients to participate in their healthcare process by accessing and using their health data. ·Analyse the findings and define common understanding on the subject ·Develop a state of play/positioning report with regard to patient access and use of data in relation to Patient Empowerment. ·Participation to workshops to implement the MWP and coordinate dissemination activities.	Synergetic and coherent approach to patient access, sharing, and reuse of health data in the EU.
	Digital health literacy of patients. ·Starting with desk research including input from the consultation round with external stakeholders and input from JAseHN and other projects. In addition, investigate ways to motivate or create incentives for patients to participate in their healthcare process by increasing their digital health literacy. ·Analyse the findings and define common understanding on the subject ·Consult existing coalitions, such as https://ec.europa.eu/digital-single-market/en/national-local-coalitions ·Develop a state of play/positioning report with regard to digital health literacy in relation to patient empowerment. ·Participation to workshops to implement the MWP and coordinate dissemination activities.	Increase digital health literacy for EU-citizens by sharing best practices and tools
	TeleHealth. ·Perform desk research including input from the consultation round with external stakeholders.	Facilitate the adoption of telehealth taking available evidence into consideration.
Innovative use of health data: exploring the use of health data to develop knowledge for healthcare policy and other purposes;	Mapping, awareness raising and policy relevant actions on innovative use of big data in health. ·Compile policy relevant documentation including the EU Study and the effects of GDPR and review Member States/C policy level efforts on governing big data in health. ·Also assess the implications of FAIR data principle. ·Identify obstacles preventing Member States/C policies from being replicable either in another Member States/C or on EU level and investigate how to overcome these. ·Provide an initial set of enabling actions for the information of the eHN by translating recommendations of the EU Study into operationalized solutions that can be communicated for increased awareness.	Increase awareness on the possible impacts, challenges, risks and directions of Big Data in healthcare.
	Sharing and learning best practices on European level. ·Define and use methods to identify underlying needs and barriers experienced by stakeholders (pros & cons) affecting efficient and effective sharing of best practices in order to reach the objectives of the WP and the JA. ·Investigate already formalized cross-border use cases such as European Reference Networks for rare diseases as well as practical solutions in R&D including analytics in order to identify new possibilities for innovative use of big data on the European scale, to assess feasibility of network optimization to cross-border IT infrastructure and data flow management and to enhance interdisciplinary and openness, the most potential usage and stakeholders that could benefit.	Common vision and priorities for innovative use of data in healthcare.
	Towards an attempt to define common principles for practical governance. ·Make available guidance on practical governance for eHN and Member States. ·Provide a framework for the implementation of common principles for practical governance of big data including privacy protection and security aiming at improving health data transferability across borders with a special focus on data to be used in public health, research and quality assurance in healthcare on a European scale. ·The guidance will include guidance on implementation of data access and focus on helping Member States to utilize the potential of harnessing new opportunities arising from big data and improved data analytics capabilities, as well as from personalized medicine, use of clinical decision support systems by health professionals and use of mobile health tools for individuals to manage their own health and chronic conditions, in order to: ofacilitate preparation of actions to improve the comparability, accuracy and reliability of health data and to encourage the use of health data to enable more transparent and patient-centred health systems focusing on health outcomes and evidence-based health policy and decision-making, as well as to promote data-driven innovation; oto enable the use of health data for research and innovation, in full compliance with data protection requirements and FAIR data principle; oapply network optimization to cross-border IT infrastructure and data flow management; ofoster patient-centred interoperability; oimprove service effectiveness for the individual patient in which benefits are experienced locally; oenhance interdisciplinary and openness that removes barriers between data sources and infrastructure to provide 'fit for purpose' data platforms.	Common principles to facilitate the development of innovative use of data projects at European Level.
Enhancing continuity of care: improving the uptake of cross-border eHealth services;	Support of MyHealth@EU uptake. Support countries through eHMSEG for long term policy development in MyHealth@EU by facilitating the uptake of current use cases PS and eP/eD and especially the new European Reference Networks use case and by shaping an overall roadmap for MyHealth@EU use cases and additional features for a sustainable and continued usage of the NCPeH.	Full exploitation of the CBeHIS services.
	Support of legal MyHealth@EU matters. Support countries through eHMSEG by facilitating the national implementation of the MyHealth@EU legal environment (including but not limited to the eIDAS regulation, GDP regulation, NIS directive and the Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross-Border eHealth Information Services) by providing a forum for sharing expertise, problems and solutions and by synthesising shared elements into an MyHealth@EU legal report for an non-lawyer audience.	Identifying and developing new use cases and the sustainability of MyHealth@EU.
	eSkills for Professionals. Support countries through eHMSEG by developing a process to ensure that the eSkills necessary to gain full advantage from the implementation of European eHealth Strategies and cross-border healthcare services, identifying current challenges and appropriate actions that can be taken to build the necessary eSkills framework for healthcare professionals.	Equip healthcare professionals with eSkills for eHealth services.
	Implementation of the Electronic Health Record Exchange Format	Investment guidelines on the implementation of the Electronic Health Record Exchange Format National Networks for the implementation of EEHRxF
Overcoming implementation challenges: addressing transversal enabler issues crossing the abovementioned categories.	Recommendations on how to implement interoperability guidelines in large health-care organisations. Interoperability has long been identified as the fundamental facilitator of communication, exchange and use of patient information between healthcare providers, hospitals, government, insurers etc., especially in the context of cross-border health services. During the past decades various standards have been developed regarding messaging (HL7, DICOM, ASC-X12, IEEE 1073 etc.), terminology (ICD-10, ICD-11 which is due by 2018, LOINC, SNOMED CT etc.), documents, conceptual frameworks, application and architectures, both for syntactic interoperability, and for semantic interoperability. Nevertheless, and despite the efforts, interoperability is still considered as an “open field” in the healthcare ecosystem, especially when striving to provide cross-border health services. The aim of this task is to exploit any previous work in the field of interoperability as described in the Digital Agenda, the eHealth Action Plan, the "Refined European eHealth Interoperability Framework” (reEIF), the epSOS project, SemanticHealthNet, JAseHN and more, in order to facilitate patients’ rights in cross-border healthcare. All previous work will be combined to produce recommendations for IT Management on how to implement interoperability guidelines in large healthcare organisations (e.g. hospitals). The main purpose is to align all work done about various EU regulations/common frameworks and provide it to IT Management of hospitals for implementation. The deliverables of this task will provide recommendations, guidelines to facilitate implementation of the interoperability framework by hospital IT management staff taking into consideration the recommendations included in the new European Interoperability Framework (EIF). Hospital experts will contribute to this task with F2F Workshops. The task will be implemented in the following steps: ·Review of previous work, interoperability frameworks and standards that can be implemented from the IT departments in healthcare organisations ·IT challenges in implementing interoperability in/ between large healthcare organisations ·Recommendations, guidelines and priorities for IT Management on implementing interoperability actions in healthcare organisations. ·Interoperability guidelines for hospital IT management staff in the following cases: oSoftware supply oSoftware building oSoftware deployment	Interoperable digital infrastructure (software and hardware) of healthcare providers using a common format for cross-border exchange of health data.
	Data protection. This task will focus on the GDPR implementation and its implications in cross border healthcare. The aim of this task will be to share best practices and approaches on data protection at national level. Situation regarding data protection and the new requirements GDPR brings in eHealth. It is proposed to implement the topic in 5 steps: 1.Review of the GDPR topic in general and view of its impact on the healthcare stakeholders. 2.Characteristics of main points and requirements of GDPR adoption in the healthcare sector. 3.Proposal of the set of relevant recommendations/policies for successful completion of GDPR adoption in the healthcare sector. 4.Sketches of collaborative instruments for related information and education in current and future dealing with GDPR topic in the healthcare settings. 5.Foresight – vision and mission - of the future fulfilment and development of the GDPR. The task is motivated by both urgent needs for correct GDPR adoption in the healthcare sector and the utilization of GDPR potential for comprehensive respecting human rights for the healthcare provision practice in long-term run. In topics No. 2, 3 and 5 the cooperation with public interest groups (patient and healthcare professionals’ organisations) will be actively sought and utilized.	Increase trust in eHealth by overcoming the implementation challenges of the relevant EU legal frameworks on data protection, security, authentication of the actors, and privacy.
	Data and systems security. The aim of this task is to create a common Framework for cyber security for eHealth systems

Appendix III: CEF funding for eHealth

year	Indicative budget spent (EUR)	Call ID
2015	7.5 million	CEF-TC 2015-2
2017	9 million	CEF-TC-2017-2
2018	5 million	CEF-TC-2018-4
2019	5 million	CEF-TC-2019-2
2020	5 million	CEF-TC-2020-2
2015-2020	31.5 million	-

Source: Innovation and Networks Executive Agency (INEA)

Appendix IV: eHealth services availability across EU Member States

Doctors from the countries below:	Number of Hospitals (% over total)	can access health data of citizens coming from:
Croatia	80 (100%)	Czechia (Sept. 2019), Malta (Feb. 2020) and Portugal (Feb. 2020)
Luxembourg	4 (100%)	Czechia (Jun. 2019), Malta (Dec. 2019)
Malta	1 (50%)	Portugal (Feb. 2020)
Portugal 73 , 74	5 (2%)	Malta (Jan. 2020)
Czechia	37 (100%)	Croatia (Dec. 2020)
Health data of citizens from the countries below:	can be consulted by doctors from the countries below, using the Patient Summary:
Czechia	Luxembourg (Jun. 2019), Croatia (Sept. 2019)
Malta	Luxembourg (Dec. 2019), Portugal (Jan. 2020), Croatia (Feb. 2020)
Portugal	Malta (21 Feb. 2020), Croatia (Feb. 2020) and Luxembourg (March 2020)
Croatia	Malta (17 Dec. 2020), Portugal (17 Dec. 2020), Czech Republic (21 Dec. 2020)
ePrescriptions of citizens from countries below:	can be retrieved in pharmacies in:
Croatia	Finland (August 2020), Portugal (August 2020)
Estonia	Finland (June 2020), Croatia (August 2020)
Finland	Estonia (January 2019), Croatia (September 2019), Portugal (August 2020)
Portugal72, 73	Estonia (June 2020), Finland (August 2020), Croatia (August 2020)
Pharmacists of countries below:	Number of Pharmacies (% of total)	can dispense ePrescriptions presented by citizens from:
Croatia	1147 (100%)	Finland (September 2019), Estonia (August 2020), Portugal (August 2020)
Estonia	500 (100%)	Finland (January 2019), Croatia (March 2020), Portugal (June 2020)
Finland	819 (100%)	Estonia (June 2020), Portugal (August 2020), Croatia (August 2020)
Portugal	1 (0.03%)	Finland (August 2020), Croatia (August 2020)

Source: https://ec.europa.eu/health/ehealth/electronic_crossborder_healthservices_en

Appendix V: Mobile contact tracing apps in EU Member States

Countries	App	Interoperable - is this app potentially interoperable?	Interoperable - can this app already talk to another app?
Austria	Stopp Corona App	Yes	Yes
Belgium	Coronalert	Yes	Yes
Bulgaria	Not foreseen	-	-
Croatia	Stop COVID-19	Yes	Yes
Cyprus	CovTracer-EN	Yes	Yes
Czechia	eRouška	Yes	Yes
Denmark	Smittestop	Yes	Yes
Estonia	HOIA	Yes	Yes
Finland	Koronavilkku	Yes	Yes
France	TousAntiCovid	No	-
Germany	Corona-Warn-App	Yes	Yes
Greece	Under development	Yes	-
Hungary	VirusRadar	No	-
Ireland	COVID Tracker	Yes	Yes
Italy	Immuni	Yes	Yes
Latvia	Apturi Covid	Yes	Yes
Lithuania	Korona Stop LT	Yes	Yes
Luxembourg	-	-	-
Malta	COVIDAlert	Yes	Yes
Netherlands	CoronaMelder	Yes	Yes
Norway	Smittestopp	Yes	Yes
Poland	ProteGO Safe	Yes	Yes
Portugal	StayAway COVID	Yes	No
Romania	-	-	-
Slovakia	-	-	-
Slovenia	#OstaniZdrav	Yes	Yes
Spain	Radar Covid	Yes	Yes
Sweden	-	-	-

Source: European Commission 75

Appendix VI: Member States and third countries effectively connected to the EU Digital COVID Certificate Gateway

(15 September 2021, Panama not visible on the map)

Source: European Commission 76

Appendix VII: Member States with applicable or planned rules to provide digital access to a copy of the medical record/s for patients affiliated to the Member State’s healthcare system seeking cross-border healthcare in another Member States

	Yes/Planned*/No		Yes/Planned*/No
Austria	No	Italy	No
Belgium	No	Latvia	No
Bulgaria	No	Lithuania	No
Croatia	Yes	Luxembourg	No
Cyprus	No	Malta	No
Czechia	Yes	Netherlands	Yes
Denmark	No	Poland	No
Estonia	No	Portugal	No
Finland	Planned	Romania	No
France	No	Slovakia	No
Germany	No	Slovenia	No
Greece	Yes	Spain	No
Hungary	No	Sweden	No
Ireland	No

*Planned within the next three years

Source: Country survey results

Appendix VIII: Member States with applicable or planned rules to provide digital access to a copy of the medical record/s of received treatment/s for patients affiliated to a different healthcare system that used cross-border healthcare in that Member State

	Yes/Planned*/No		Yes/Planned*/No
Austria	No	Italy	No
Belgium	No	Latvia	No
Bulgaria	No	Lithuania	No
Croatia	No	Luxembourg	No
Cyprus	No	Malta	No
Czechia	Planned	Netherlands	Yes
Denmark	No	Poland	Planned
Estonia	No	Portugal	No
Finland	Planned	Romania	No
France	No	Slovakia	No
Germany	Yes	Slovenia	No
Greece	Yes	Spain	No
Hungary	No	Sweden	No
Ireland	No

*Planned within the next three years

Source: Country survey results

Appendix IX: Number of meetings of the eHealth Network 2012-2021

Total number of eHealth Network meetings 2012- 2021

YEAR

eHealth Network, eHealth sub-groups, eHDSI/eHMSEG, eHealth JA, eHealth Stakeholder Group, CBHC Committee

COVID-19 - Contact tracing and EU DCC related

2012

2

0

2013

2

0

2014

9

0

2015

16

0

2016

20

0

2017

22

0

2018

13

0

2019

17

0

2020

7

116

2021

7

200

115

316

Total number of meetings B3 - 2012- 2021

431

Appendix X: Overview costs and benefits

	European Commission		Member States		Citizens		Healthcare Professionals
	Qualitative	Quantitative / monetary	Qualitative	Quantitative / monetary	Qualitative	Quantitative / monetary	Qualitative	Quantitative / monetary
Costs
Direct costs	Low	€6 m in JAs since 2012 € 1.2 m - Health budget for meetings organisation MD:NA	Low	€4.4 m in JAs since 2012 MD: NA	-	-	-	-
Indirect costs	Medium	€ 31.5 m € 54,5 m	Medium	European Commission research projects: € 57 m Implementation of MyHealth@EU solution: NA Development of tracing apps: NA	-	-	-	-
Benefits
Direct benefits	Better monitoring of cross border healthcar for policy making at the EU level.	-	Better monitoring of cross border healthcare for policy making at the Member States level. Better public policy making and management of public health and epidemiological measures (tracing app and digital pass)	-	Patients have access to safe and high-quality cross-border eHealth products and services, improving health outcomes. Continuity of care		Caregiving is simplified.
Indirect benefits	Support freedom of movement across the Union	Number of temporary restrictions in the different Member States	-	-	Lifting of temporary restrictions of free movement.	Number of temporary restrictions in the different Member States	Less administrative burden.	-

(1) https://ec.europa.eu/info/law/law-making-process/planning-and-proposing-law/better-regulation-why-and-how/better-regulation-guidelines-and-toolbox_en

(2) Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S., Febrer, N., Folkvord, F., Chabanier, L., Filali, N., Hamonic, R., Achard, E., Couret, H., Arredondo, M. T., Fernanda Cabrera, M., García, R., López, L., Merino, B., Fico, G. (2022). Study on Health Data, Digital Health and Artificial Intelligence in Healthcare, Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/179e7382-b564-11ec-b6f4-01aa75ed71a1/language-en

(3) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, OJ L 88, 4.4.2011, p. 45–65: EUR-Lex - 32011L0024 - EN - EUR-Lex (europa.eu)

(4) This covers mainly Article 4.2 (f), Article 5 (d), Article 11.2 (b) and Article 14 of Directive 2011/24/EU.

(5) In particular, the Commission Implementing Decision 2019/1765 of 22 October 2019 providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU (C/2019/7460), that is also part of this evaluation.

(6) https://ec.europa.eu/health/ehealth/policy/network_en

(7) Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S., Febrer, N., Folkvord, F., Chabanier, L., Filali, N., Hamonic, R., Achard, E., Couret, H., Arredondo, M. T., Fernanda Cabrera, M., García, R., López, L., Merino, B., Fico, G. (2022). Study on Health Data, Digital Health and Artificial Intelligence in Healthcare, Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/179e7382-b564-11ec-b6f4-01aa75ed71a1/language-en

(8)

Commission staff working document - Accompanying document to the proposal for a Directive of the European Parliament and of the Council on the application of patients' rights in cross-border healthcare - Impact assessment, COM(2008) 414 final.

(9) https://op.europa.eu/en/publication-detail/-/publication/7d72981d-f924-4977-a032-37361bb8b4b3

(10) As well as patients and healthcare providers’ safe access to the transferred health data.

(11) Codagnone, C., and F. Lupiáñez-Villanueva.(2011) "A Composite Index for the Benchmarking of eHealth Deployment in European Acute Hospitals Distilling reality into a manageable form for evidence-based policy Strategic Intelligence Monitor on Personal Health Systems phase 2 (SIMPHS 2)." JRC-IPTS EUR 24825Sabes-Figuera, Ramon, and I. Maghiros. (2013) "European hospital survey: benchmarking deployment of e-Health services (2012–2013)." European Comission Codagnone, C., and F. Lupiañez-Villanueva. (2013) "Benchmarking deployment of eHealth among general practitioners. Final report." European Union. Luxembourg. Publications Office of the European Union: European Commission. Directorate-General of Communications Networks. Content & Technology.Lupiáñez-Villanueva, F et al. (2018) Benchmarking Deployment of Ehealth Among General Practitioners: Final Report European Union. Luxembourg. Publications Office of the European Union: European Commission. Directorate-General of Communications Networks. Content & Technology

(12) It is considered a separate service when a Member State acts as a sending country (Member State of affiliation or “Country A”) and when it acts as a receiving country (Member State of treatment or “Country B”).

(13) Examples:

(14) https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:190:0037:0043:EN:PDF

(15) https://ec.europa.eu/info/research-and-innovation/research-area/health-research-and-innovation/rare-diseases_en

(16) https://ec.europa.eu/inea/en/connecting-europe-facility

(17) Among these, 22 Member States received support from the CEF for cross-border exchanges of ePrescription and patient summary through MyHealth@EU, namely: Austria, Cyprus, Czech Republic, Germany, Estonia, Greece, Finland, France, Croatia, Hungary, Ireland, Italy, Luxembourg, Malta, Portugal, Sweden, Belgium, Spain, Lithuania, Netherlands, Poland, Slovenia.

(18) https://digital-strategy.ec.europa.eu/en/news/cross-border-health-project-epsos-what-has-it-achieved

(19)

https://ec.europa.eu/health/sites/health/files/ehealth/docs/ev_20160607_co05_03_en.pdf

(20) https://ec.europa.eu/health/sites/default/files/ehealth/docs/ev_20170509_co06_en.pdf

(21)

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2017:440:0003:0009:EN:PDF

(22)

https://webgate.ec.europa.eu/fpfis/wikis/x/Zt7zN

(23) Commission Recommendation on a European Electronic Health Record exchange format (C(2019)800) of 6 February 2019: https://digital-strategy.ec.europa.eu/en/library/recommendation-european-electronic-health-record-exchange-format

(24) https://ec.europa.eu/health/ehealth/electronic_crossborder_healthservices_en

(25)

Country of affiliation

(26)

Country of treatment

(27)

https://webgate.ec.europa.eu/fpfis/wikis/x/g-zzN

(28)

https://webgate.ec.europa.eu/fpfis/wikis/x/g-zzN

(29) ev_20170509_co04_en.pdf (europa.eu)

(30) https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/STORK+2.0+Project

(31) https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/STORK+Project

(32) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, OJ L 257, 28.8.2014, p. 73–114: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG

(33) Thiel, R., Lupiáñez-Villanueva, F., Deimel, L., Gunderson, L. and Sokolyanskaya A. (2021). eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU. https://ec.europa.eu/newsroom/dae/redirection/document/79897

(34) ev_20170509_co09_en.pdf (europa.eu) ;

(35) ev_20161121_co22_en.pdf (europa.eu)

(36) [1] With regard to the reimbursement of this type of cross-border healthcare, this is primarily addressed in Regulation (EC) No 883/2004 of the European Parliament and of the Council of 29 April 2004 on the coordination of social security systems.

(37) [2] This type of cross-border healthcare can be reimbursed either based on the Cross-Border Healthcare Directive or on the Regulation (EC) No 883/2004.

(38) https://ec.europa.eu/social/main.jsp?pager.offset=10&advSearchKey=ssc_statsreport2020&mode=advancedSubmit&catId=22&doc_submit=&policyArea=0&policyAreaSub=0&country=0&year=0

(39) https://ec.europa.eu/health/sites/default/files/cross_border_care/docs/2019_msdata_en.pdf

(40) Den Exter (2015)

(41) During 2021, one more Member State joined the exchanges at MyHealth@EU.

(42)

EUROSTAT 2019 data

(43) Thiel, R., Lupiáñez-Villanueva, F., Deimel, L., Gunderson, L. and Sokolyanskaya A. (2021). eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU. https://ec.europa.eu/newsroom/dae/redirection/document/79897

(44) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0130

(45) https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf

(46) https://ec.europa.eu/health/sites/health/files/ehealth/docs/contacttracing_mobileapps_guidelines_en.pdf

(47) Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 amending Implementing Decision (EU) 2019/1765 as regards the cross-border exchange of data between national contact tracing and warning mobile applications with regard to combatting the COVID-19 pandemic, OJ L 227I, 16.7.2020, p. 1–9: https://eur-lex.europa.eu/eli/dec_impl/2020/1023/oj

(48) Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic, OJ L 211, 15.6.2021, p. 1–22: https://eur-lex.europa.eu/eli/reg/2021/953/oj

(49) https://ec.europa.eu/health/sites/default/files/ehealth/docs/vaccination-proof_interoperability-guidelines_en.pdf

(50) https://ec.europa.eu/health/sites/default/files/ehealth/docs/citizen_recovery-interoperable-certificates_en.pdf

(51) https://ec.europa.eu/health/sites/default/files/ehealth/docs/trust-framework_interoperability_certificates_en.pdf

(52) https://eur-lex.europa.eu/eli/dec_impl/2021/1073/oj

(53) Between 1 July and 12 August 2021 there was a phase-in period to allow Member States that were not ready to issue the new certificate to use other formats.

(54) EU Digital COVID Certificate | European Commission (europa.eu)

(55) https://webgate.ec.europa.eu/fpfis/wikis/x/g-zzN

(56) It is expected that by 2025 all Member States will be connected to MyHealth@EU.

(57) Thiel, R., Lupiáñez-Villanueva, F., Deimel, L., Gunderson, L. and Sokolyanskaya A. (2021). eHealth, Interoperability of Health Data and Artificial Intelligence for Health and Care in the EU. https://ec.europa.eu/newsroom/dae/redirection/document/79897

(58) eHealth Network Guidelines to the EU Member States and the European Commission on an interoperable eco-system for digital health and investment programmes for a new/updated generation of digital infrastructure in Europe: ev_20190611_co922_en.pdf (europa.eu)

(59) eHealth Network Recommendation for the Development of National Digital Health Networks inn the EU Memmber States: eHAction_eHN-Recommendations-National-Digital-Health-Networks-_-for-adoption_19th-eHN.pdf

(60) https://ec.europa.eu/info/research-and-innovation/research-area/health-research-and-innovation/rare-diseases_en

(61) https://webgate.ec.europa.eu/fpfis/wikis/x/g-zzN

(62) As of 2021, funding of activities in these areas will largely move under the EU4Health Programme.

(63) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0130

(64) Regulation 2014/910/EU and Regulation 2016/679/EU

(65) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, eHealth Action Plan 2012-2020 - Innovative healthcare for the 21st century; COM/2012/0736 final: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A52012DC0736

(66) https://ec.europa.eu/health/ehealth/dataspace_en

(67) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A Digital Single Market Strategy for Europe. COM/2015/0192 final: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52015DC0192

(68) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: EU eGovernmeny Action Plan 2016-2020 Accelerating the digital transformation of government. COM/2016/0179 final: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016DC0179

(69) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society. COM/2018/233 final: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2018%3A233%3AFIN

(70) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act), COM/2020/767 final: EUR-Lex - 52020PC0767 - EN - EUR-Lex (europa.eu)

(71) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European strategy for data, COM/2020/66 final: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066

(72) The analysis was carried out in seven EU Member States. Namely: Belgium, Estonia, Finland, Germany, Malta, Poland and The Netherlands.

(73) https://www.sns.gov.pt/sns-saude-mais/cuidados-de-saude-no-estrangeiro-2/

(74) https://www.spms.min-saude.pt/a-minha-saude-na-europa/

(75)

https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/travel-during-coronavirus-pandemic/mobile-contact-tracing-apps-eu-member-states_en

(76)

https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/eu-digital-covid-certificate_en

	Findata, Finland
Description	Findata is the brand new Finnish Health Data Access Body, acting as ‘one-stop-shop’ for health and social data access, in operation since January 2020 (www.findata.fi). The services Findata provides are to 1) grant data permits to data from multiple registers; 2) collect the requested data from the controllers and then combining, pseudonymising and anonymising the data or producing statistical data, and 3) deliver the data for use to the requestor for use in a secure remote IT environment, potentially also by converting and combining the permit holder’s own data.
Background	Findata was set up with the goal to enable fast, easy and safe access to health and social personal data. Before, one had to request access to all data controllers separately, which was a very time-consuming and administrative process. On top of that, data was not processed in a secure and controlled way. Findata started operating in steps. Since January 2020, data requests for statistical data can be made. Since April 2020, data permit applications can be issued. From January 2021, Kanta services, where medical records are stored, will be included. Up to 12 October 2020, a total of 230 data applications were received, of which 143 data permits for personal data and 35 data requests for statistical data.
Legislation	The Act on the Secondary Use of Health and Social Data (552/2019) specifies the purposes for which one can request data access. It applies to register based research, and not to clinical trial data. Genome and biobank legislation are on its way. The Act among others also specifies that personal data can be used for the following purposes, even if the data was not collected for that purpose: 1) statistics, 2) scientific research, 3) development and innovation activities, 4) education, 5) knowledge management, 6) steering and supervision of social and health care by authorities, and 7) planning and reporting duty of an authority. Further details of the implications of the act on services provided are described below. From this list of purposes, the purpose of ‘development and innovation’ only allows for the use of statistical data.
Tasks and activities	Findata is a completely new system but builds on a long history of registries and a digitalised society. The main tasks relate to the three services described above. Findata offers services for those needing data (customers) and for those controlling data (controllers), all relate to the secondary use of health and social data. To make a data request for personal rather than statistical data, it is possible since April 2020 to apply for a data permit to access pseudonymised personal data for all above mentioned purposes, including e.g. function 2 purposes of authorities’ planning and reporting duties. Only exception is the purpose of ‘development and innovation’, which only allows for the use of statistical data. Findata serves users of data by compiling a dataset and providing access to a secure environment to process the data. Findata cooperates with data controllers to standardize data descriptions. It also provides an anonymisation service and a permit processing service if the controller authorises Findata to do so. The Act also describes the responsibilities and tasks of both Findata, as Health Data Access Body, plus a predefined set of authorities and organisations, for the secondary use of data in the registers (being eleven different authorities and organisations such as the Ministry of Social Affairs and Health, the National Institute for Health and Welfare (THL), the Finnish Medicines Agency (Fimea) and public service organisers of health and social care) regarding the following elements: a)Data set descriptions b)Advisory service c)Collection, combination and pre-processing service for data d)Identifier administration service e)Data request management system f)Secure hosting service The Act also demands the IT-systems used for secondary use of social and health data to be audited against Findata’s regulations by a Data Security Assessment Body. Findata is currently preparing to give regulations on the requirements for secure IT-environment for using and managing data for secondary use.
Governance	Findata is an independent central agency which falls under the responsibility of the Finnish Institute of Health and Welfare (THL). A steering group, consisting of representatives from data controllers whose data Findata provides access to, develops and guides Findata’s operations. The Data Protection Ombudsman, Parliamentary Ombudsman and Valvira1 supervise the operations of Findata and compliance with the Secondary Use Act. 1 Valvira is a national agency operating under the Ministry of Social Affairs and Health, charged with, amongst others, the supervision of the social and health care.
Organisation and budget	The budget of Findata is set by the temporary steering group who was preparing the implementation of the Act on the Secondary use of Health and Social Data. After a start-up budget in the beginning years 2019-2021, the annual budget is about 1 million euros per year, with the main expense items being personnel costs and ICT-systems. Since it is a new system, there is no data yet about the real yearly costs and gains of running Findata, but it is anticipated that the set budget will not be sufficient, and may be raised to over 2 million annually.
Staff and functions	There are currently 15 staff working for Findata, and recruitments are going on. It is expected that in a few years 20-25 staff will be employed. Functions of the staff are in the field of ICT, communications, law (DPO), metadata and data services.
Data sources and types of data	Via Findata social and health data can be accessed from various public institutions, private institutions and registries. The sources of data for which Findata can issue permits are specified in the Secondary Use Act. Findata grants permissions for data collected both in public and private sector services which are part of the relevant data sources. According to Finnish legislation, only an official authority can grant permission to use Finnish citizen’s personal data. Therefore, even if the data is collected at private doctor’s surgery, the private health clinic does not have the power to grant permits for secondary use. Data granted by Findata can be combined with data from other countries, and this can be done in two directions: it is possible to transfer Finnish data to secure environments in other countries, and it is possible to import data from other countries to Finland, either to Findata remote access system or to a secure audited environment maintained by some other organisation. Both forms have already been applied in several cases. Data can only be taken out of the remote access environment and disclosed to another secure user environment in exceptional cases. However, this is sometimes necessary due to restrictions from other remote access environments when data needs to be combined.
Foreign data users	In Finland currently, the submission of a data permit application is possible for persons who have a personal identity code registered in the Finnish Population Information System. Findata is mapping alternative secure identification applications for its international users. Hence, in the future, it should also be possible for foreign stakeholders to request a data permit, however, there is not yet a standardized way to control the identity of the foreign applicant. When applying is possible, there will be no additional protective restrictions for non-Finnish data users (such as having a Finnish research partner). Processing data in the remote access environment of Findata when being in a third country (outside the EU/EEA) is possible if there are appropriate safeguards in accordance with Chapter V of the GDPR. Non-EU stakeholders applying require more paperwork and possibly (EU standard) agreements, and the fee is higher.
User fees	The price of Findata services are defined in the Valtion maksuperustelaki ( State Basis of Payment Act ) and detailed in the Decree of the Ministry of Social Affairs and Health Fees for the services of the Social and Health Information Licensing Authority of 30 December 2019. For its public services, a processing fee is charged that must correspond to the amount of the total cost to the state of producing the performance (cost value). The fee (of 115 EUR per working hour) is determined based on the hours worked to produce the output (by means of data aggregation, pre-processing, pseudonymisation and anonymisation). The fee may be below the cost value of the service or may not be charged at all if there are justified reasons related to health and medical care, other social purposes, the administration of justice, environmental protection, educational activities or general cultural activities. In the above mentioned decree, a fixed fee based on the average cost value applies for the following services: ·A data permit for a permit applicant established in Finland or another EU or EEA country of 1,000 EUR; ·A data permit for an applicant established in a non-EU or non-EEA country of 3,000 EUR, ·a change of data permit for a permit applicant 350 EUR. ·a decision concerning a data request with a fee of 1,000 EUR. ·A data permit related to a thesis and a decision on the information request for an applicant who is domiciled in Finland or another EU or EEA country of 500 EUR. 62 In addition, Findata provides remote access environment services, which are commercially priced services subject to a fee (VAT +24%). Such packages can range from a Small Package (8 GB) of 2,250 EUR/year to an XL Package (90 GB) of 8,500 EUR/year.
Pseudony-misation/ anonymisation	One can access statistical level data via a data request and individual level data via a data permit. In principle, individual level data is available in a pseudonymised or anonymous format, dependent on what is requested. Access to data with direct identifiers is not excluded, but only granted under strict conditions and fitting with the data applicant’s processing purposes.

	Health Data Hub (HDH), France
Description	The Health Data Hub (HDH) is a unique gateway to health data in France. The HDH’s vision is to ensure a simple, unified, transparent and secure access to health data for public interest research with the goal to improve the quality of care and patient support. The HDH is a platform where pseudonymised health data from different sources is duplicated and made available. It is both an infrastructure and a health database catalogue, and offers related services, allowing project coordinators to access data and/or link different databases. The role of the HDH is to give access to health data, promote the collection and consolidation of data, to accompany data exploitation, to support the research community and to ensure the link with civil society. The aim of the HDH is to federate all health data stakeholders, and to facilitate access to various data sources (public/private) while ensuring high standards of transparency and privacy.
Background	The origin of the HDH stems from a report written in 2018 ‘For a meaningful AI’, where deputy and Fields Medal mathematician Cédric Villani recommended a single point of entry to access health data, as health was defined to be a key strategic sector for the development of AI in France. Following the report, President Macron announced the creation of the HDH. An in-depth study mapped the obstacles in the secondary use of health data in France, which resulted in a roadmap ‘code of conduct’ for the HDH. The HDH aims to become the single entry point to French health data. This system is being implemented to harmonize health data access in France and to address quality and interoperability issues of the various databases are a key part of the HDH governance model.
Legislation	The Law of July 24th 2019 on the Organisation and Transformation of the Health System is the main legislative text which sets up the HDH as a public interest group (GIP) to be the main gateway to operate public interest research on the National Health Data System (SNDS). The scope of the latter has been increased by that same law to all health data fully and partially reimbursed by national solidarity. In addition, the HDH hosts an independent Ethical and Scientific Committee for Research, Studies and Evaluations (CESREES).
Tasks and activities	The missions of the HDH can be summarized in four main areas: -Supporting data controllers in the collection, consolidation and development of their assets; -Offering all project coordinators simplified and fast access to health data; -Guaranteeing transparency towards civil society and ensuring respect for citizens’ rights; -Innovating alongside research and industry players.
Governance	The HDH takes the legal form of a public interest group (GIP) governed by public law. The HDH takes over the missions of its predecessor, the National Institute for Health Data (INDS) as the single entry point for health data access in France. It is also responsible for health data access governance as it hosts the secretariat of the CESREES, the ethical and scientific committee for health research, studies and evaluations, which evaluates requests for access to the data catalogue. The missions of the HDH are determined through article L. 1462-1 of the Public Health Code. The health data platform, with its governance set up by decree, is composed of 56 entities that represent the State, organisations ensuring representation of patients and users of the health system, producers of health data, public and private users of health data, including health research organisations, among others.
Organisation and budget	The HDH is a single point of entry data governance model, providing access for all researchers to data currently stored in the HDH (and SNDS). The data remains stored with the original data controller. The Health Data Hub is a central body, but does not incorporate all data. For example, biobanks and registries have their own systems. The project results are made public on the website of the HDH, with due respect for academic and industrial competitiveness. As for budget, the HDH is currently funded by the public sector. Before the official creation of the public interest group, the Health Data Hub project was conducted under the direction of the Ministry of Solidarity and Health (Directorate of Research, Studies, Evaluation and Statistics (DREES)) and was selected in the Big Data and Artificial Intelligence call for projects of the Fund for the Transformation of Public Action (FTAP). In this context, it was granted initial funding of 36 million euros for four years. A further 40 million euros came from the national health insurance expenditure target (L’Objectif national de dépenses d’assurance maladie, ONDAM).
Staff and functions	As of end of 2020, around 50 people are working for the Health Data Hub. The Hub is planned to grow further.
Data sources and types of data	The HDH can provide access to any pseudonymised health data that is reimbursed partially or fully by national public solidarity in France. This includes the national claims database, as well as in the future numerous other databases to be included in its catalogue, such as cohorts, clinical data, genomics data etc.
Data users	Data access is only allowed for public interest research, with a strictly defined project duration and a limited scope upon approval by the Scientific and Ethics Committee (CESREES) and the national DPA (CNIL). Data is accessible via a customized secure project space, containing only the needed dataset and offering a variety of data analytics tools. The data processor cannot directly retrieve data from the platform. Any private actor requesting access to the data will have to prove that the project is of public interest, for the benefit of citizens, in the same way as public actors.
Foreign data users	Data access can be granted to data users from other EU countries. The HDH contributes to the dissemination of international standards and best practices as well as to improve interoperability, in order to enable quality data aggregation and linkage. The HDH is actively looking to encourage cross-border research collaborations on health data, primarily with research structures and data controllers.
User fees	In the future, the HDH could charge fees for access to its services such as the use of the secure project space for for-profit actors. As the Hub is in its start-up phases the exact rates are still under development.
Pseudony-misation/ anonymisation	The HDH only stores pseudonymised data and citizens have a right to opt out of the secondary use of their health data through the HDH. Citizens cannot object to uses made compulsory by law, or necessary to carry out a mission of public interest, for example for health monitoring purposes.

	Research Data Centre at the BfArM (Federal Institute for Drugs and Medical Devices), Germany
Description	The Centre serves as a research data hub for claims data of all statutory insured people in Germany (currently covering approx. 90% of the German population). It is currently being reorganised, expanding its range of data and services. Within the next few years it will also serve as a research hub for EHR data for which patients have granted access to for research purposes.
Background	The Centre was originally based at the German Institute for Medical Documentation and Information (DIMDI), responsible for medical information classification and management. To strengthen its role, the institute was brought together with the Federal Institute for Drugs and Medical Devices (BfArM) in May, 2020 to form one authority.
Legislation	The main legislation describing the mandate of the Research Data Centre at BfArM are the §§303a-f of the Social Code Book 5 (Sozialgesetzbuch, SGB V, Statutory Health Insurance; https://www.sozialgesetzbuch-sgb.de/sgbv/303a.html ). It has been updated with the Digital Care Act in December 2019 to accommodate the new role, and the Patient Data Protection Act in July 2020 to, as of 2023, also include EHR data on a voluntary basis. Based on the new §§303a-f of the Social Code Book 5 the Data Transparency Ordinance (DaTraV) ( http://www.gesetze-im-internet.de/datrav_2020/ ) was revised in 2020. It describes the tasks of the Research Data Centre at BfArM in more detail.
Tasks and activities	As described in § 303d SGB V the Research Data Centre is tasked to handle data that is transmitted to it by the German Federal Association of Health Insurance Funds (GKV-SV) and to promote the scientific secondary use of the data for specified research and public health purposes. It, among others, includes carrying out quality assurance of the data, examining requests for data use and making it available to authorised users while balancing re-identification risks and intended scientific benefits. As separate entity, the Robert Koch Institute (RKI) performs the duties of a trust agent managing a two-layered pseudonymisation process to ensure that the pseudonymised claims data provided by the GKV-SV are correctly linked to the longitudinal data at the Research Data Centre. The data used for assigning the respective cross-period insured person pseudonyms to the transmission work numbers are deleted; only the algorithms are kept.
Governance	The legal supervision of both the Research Data Centre and the trusted agent has been assigned to the Federal Ministry of Health (BMG), but each maintain an operational independence.
Organisation	The Research Data Centre is based at the Federal Institute for Drugs and Medical Devices (BfArM) with an independent IT infrastructure. A dedicated trust agent unit is based at the Robert Koch Institute (RKI). The statutory health insurance companies reimburse the Federal Institute for Drugs and Medical Devices and the Robert Koch Institute for the costs of performing the task of data transparency.
Staff and functions	The staff of the Data Research Centre is currently being extended to accommodate the new duties. Within the next few years it is expected that the staff will expand to about 15 full time staff members comprised mostly of IT specialists, data engineers and data scientists.
Data sources and types of data	As defined in the DaTraV, the research centre receives pseudonymised claims data from the statutory health insurance companies for each calendar year (reporting year) per statutory insured person (covering approx. 90% of the German population). It will include among others diagnoses, prescriptions and treatment data from medical care, including in- and outpatient care, dentistry, aids and remedies.
Data users	As defined in § 303e SGB V a pre-defined list of authorised institutions can request permission to access data, and no further distinction is made between applicants. These for example include health reporting institutions at the federal and state levels, health insurance providers, relevant umbrella organisations of service providers or patients at federal level, and universities as well as university hospitals recognized under state law. This also includes publicly funded non-university research institutions and other independent research institutions, provided the data serves independent scientific projects. Commercial research institutes and industrial companies can thus not request permission for data access. Authorized users may work together with third parties and transfer query results, i.e. anonymised and aggregated data received from the Research Data Centre, to further project partners only with prior permission of the Research Data Centre. This will facilitate research collaboration undertaken between the public and the private sector.
Foreign data users	§ 303e SGB V does not explicitly list researchers or institutions from other Member States as authorised users, but also does not restrict research institutes to domestic institutions. In principle these can also be based in other Member States, as long as the data are used for scientific research, and applicable law is respected.
User fees	User fees are defined in the Data Transparency Fee Ordinance ( DaTraGebV ; http://www.gesetze-im-internet.de/datragebv/ ). Underlying principle is that the fees are determined based on the amount and complexity of the data rather than the time spent on the applications. The fee for standardized data queries amounts to 300 euros. To provide data by means of a query pre-formulated by the authorized user, the fee amounts to an additional 300 euros per evaluated year. In addition, a fee of 50 to 1,600 euros will be charged for each consultation, each preparation of preliminary evaluations and for interim results depending on the scope and complexity of the request and the associated use of personnel and material benefits. For the provision of pseudonymised individual data records in future secure, physical or virtual surroundings of the centre, an additional fee of 100 to 3,000 euros is charged, again depending on the scope and complexity of the request and the associated use of personnel and material services calculated.
Data altruism	Currently, data include claims data of all statutory insured citizens without requiring their permission. As part of the "Patient Data Protection Act" (Patientendaten-Schutz-Gesetz, PDSG) in 2020, patients can voluntarily make use of an electronic patient record (elektronische Patientenakte, ePA). From 2023 onwards, insured persons will have the option of voluntarily making the data stored in the ePA available to research via the Research Data Centre (source: BMG 2020 ) 63 . This has also been adjusted in § 363 IV SGB V: Insured persons can voluntarily release the data in their ePA for the research purposes listed in § 303e II Nos. 2, 4, 5 and 7 SGB V to the Research Data Centre. Insured persons may also make the data in their ePA available for a specific research project or for specific areas of scientific research on the sole basis of informed consent.
Pseudony-misation/ anonymisation	The Research Data Centre shall provide authorised users with data that is anonymised and aggregated to the extent required for the specific research question.

	Statistics Netherlands (CBS)
Description	Statistics Netherlands (CBS) is the independent national statistics agency, providing statistical information on social issues, including health. Within CBS, the microdata services department was set up to allow researchers to obtain health and other data for research purposes.
Background	CBS is the central agency to access data for research and other types of secondary use of health and administrative data. However, access to health data is very fragmented in the Netherlands and there are also many other access points (e.g. regional biobanks). CBS was established in 1899 in response to the need for reliable and independent statistical information on social issues. The CBS statistics should support the public debate and policy-making and reduce social inequality by collecting, processing and publishing statistical data. CBS microdata services provides access to (linked) data for third parties for research purposes.
Legislation	The Statistics Netherlands Act forms the legal basis for CBS and precludes that any data recorded and collected in the Netherlands with public funding, may be used by CBS for their statistical tasks. Permission is needed from some of the data sources for secondary use by other parties.
Organisation and budget	CBS is an autonomous administrative authority which is financed by the state. Standard fees apply for anyone using the data. Fees are based on the number of datasets to be linked, a monthly access fee for each user, and the size of the dataset.
Data sources	The Healthcare Market Regulation Act requires health care providers to submit pseudonymised data about treatment codes to the Healthcare Authority (HCA). The HCA further processes the data and sends statistics to the Department of Health and CBS. Only treatment codes which are based on a fee for service (instead of a lump sum based on the number of enrolled patients) are sent regularly to the HCA. Health care providers are also obliged to submit pseudonymised data about treatments etc. to CBS. However, this obligation is balanced against the administrative burden of submitting data. If CBS can derive sufficient information from a representative sample of health care providers, it will not require all similar health care providers to provide data. Types of data that can be accessed through CBS are: electronic health records, both from primary care and hospitals, social care data, long-term care data, health insurance claims data, prescribing and dispensation records, disease registries, health data linked with social and environmental data. Such data can be from private or public sources. For some sources of data, separate permission has to be obtained from data sources (e.g. extracts from hospital and primary care electronic health records, claims data from health insurers). For other data sources permission from CBS suffices (e.g. socioeconomic data).
Data users	Authorised institutes can use microdata sets of CBS for research purposes, which consist of linkable data sets at individual level. Authorised organisations are Dutch universities, scientific research institutes, policy advice and analysis organisations, statistical authorities from European Member States, and other institutions that have been granted access through an application form. In order to work with the data, the following conditions must be met: a) The primary mission of the institution (or the relevant part thereof) is to conduct statistical or scientific research, b) results of the research will be published, and c) the institution has a good name and reputation.
Foreign processors	Foreign institutions can apply for access and should preferably have working relations with a Dutch authorised institution.
Data fees	The fees which apply to microdata research depend on the number of participating researchers, the number of dataset subjects and the duration of the project, among others. Services during the project start-up consist of a basis starting up cost of 1,800 EUR and an additional fee of 180 EUR per dataset topic. Importing one’s own data will depend on the level of encryption, from simple (250 EUR) to complicated (1,300 EUR). Services during an ongoing research project are in part variable, depending on the data set topics (18 EUR support costs per topic) and output checking (220 EUR per output).
Pseudony-misation/ anonymisation	Pseudonymised data is accessible in a secure remote environment with a personal token. The researcher can link CBS data with other datasets upon request. Only statistical output can be exported, and CBS checks whether results imply a risk of re-identification.

	BIGAN Health Research Infrastructure, Aragón, Spain
Description	BIGAN integrates a technological infrastructure and a data lake gathering individual population and patient data from the regional health service and health related information systems from Aragón. Specifically, for research, BIGAN has put together healthcare data from 1.3 million lives – Aragón population, more than 800 million records in a data lake of pseudonymised patient data and renders it accessible to the scientific community as a one-stop shop service. The holistic approach gathering not only health data but also health related data (social, environmental, geographical) provides cross-fertilisation from various research areas which in turn might provide insight to future research policies.
Background	First mention of the ideas supporting the project BIGAN was introduced within the policy agenda through the Plan “Aragón Health-2030”. This plan included a regional strategy for the common exploitation of all the health and health related information systems in Aragón with big data and AI tools; thus, harnessing the potential of the reuse of real-world (big) data (RWD) in Aragón for population health research.
Legislation	BIGAN was created as a new subsystem within the existing health information system in Aragón. Executive order (SAN/1355/2018) established the Aragón Regional Health Authority BIGAN platform. BIGAN platform is a data infrastructure implemented to reuse any kind of existing data for planning, quality management and health research. As an element of the health information system in Aragón, BIGAN platform is governed by the Health Law of Aragón (Law 6/2002), the Decree on social and healthcare information system (Decree 164/2000) and the Law on Research and Innovation in Aragón (Law 17/2018). Furthermore, BIGAN research complies with Law 41/2002 Governing Patient Autonomy and Law 14/2007, on biomedical research, and with national and European data protection legislation.
Tasks and activities	BIGAN overcomes research fragmentation and duplication by integrating health and health related data from the Aragón region into a single centrally managed infrastructure based on the modular design of the BIGAN platform that allows for increasing numbers of data sources to be integrated. BIGAN offers different portals according to its goals and required functionalities: Planning and Quality Management, Research, and Training. They are being deployed at different timespans. BIGAN Planning and Quality Management services started off in 2019, while BIGAN research and BIGAN training services are scheduled to be fully operational in 2021. From inception (2017) to full operation and evaluation (expected 2022), the deployment project has a forecasted duration of 5 years.
Governance	BIGAN is led by the Health Sciences Institute in Aragón (IACS). IACS was created by the Regional Health Law (6/2002), and is a public independent entity within the Health System in Aragón responsible for overseeing, promoting and managing biomedical research and innovation and producing evidence-based guidance on health technology, health policy assessment, and medical practice guidelines. BIGAN Oversight Committee controls and follows up BIGAN development according to its goals while IACS is in charge of the day-to-day operations. The Ethics Committee for Research in Aragón (CEICA) is responsible for ensuring the correct application of the methodological, ethical and legal principles in BIGAN activities including the assessment of the implications for individual and civil rights, distributive justice, health and safety and quality of life. In BIGAN, patients are able to view and change their data opt-out choice at any time (and without any justification needed).
Organisation and budget	BIGAN data controllers are the Aragón Regional Health Authority (Department of Health) and the Aragón Health Service (SALUD). Contracts between controllers and processors are in place, the last of them signed in February 2020. BIGAN infrastructure has an available budget of 1.06 million EUR for the period 2018-2020 divided in 3 categories (HHRR, IT and Subcontracting), HHRR being around 90% of the overall budget.
Staff and functions	The IACS Biocomputing unit (four members) is responsible for the design, operational management, development and maintenance of BIGAN infrastructure with the support of IACS staff on the IT, Legal, Ethical, and HHRR departments and with the assistance of researchers from the Health Services and Policy Research group.
Data sources and types of data	BIGAN research infrastructure data lake gathers individual level data from all the population registered as beneficiaries of the Aragón Health System (virtually 100% of the population) and the regional health service information systems, including primary care, specialised care, hospitalisations, ER episodes, drug prescription, drug reimbursement, image diagnosis, laboratory analytical determinations, diagnostics, vaccination, anamnesis and demographics. Data from these sources are updated according to their specific generation dynamics, in most cases daily.
Data users	According to the Protocol approved by the BIGAN Oversight Committee (December 2019), within the context of a research project, the pseudonymised data is accessible, directly to researchers within the “R&D Aragonese system” (as defined by regional law 17/2018); and indirectly accessible by other researchers (either public or private), when an agent of the R&D Aragonese system actively participates. Accessing BIGAN health research infrastructure includes a transparent approval process for health research projects which favours trust and accountability and fosters public-private partnerships and collaboration between public and private researchers, always under the assumption of the societal benefit of this collaboration.
Foreign data users	Favouring a seamless health data exchange in the European Research Area is an important objective of BIGAN research infrastructure and multi-country projects funded by national or European institutions are able to access to BIGAN research platform. Within the context of cross-border research projects, pseudonymised data is accessible by researchers (either public or private), when an agent of the R&D Aragonese system actively participates in the project. Non-R&D Aragonese agents can have granted direct access to the data although it requires a specific access by the BIGAN Oversight Committee in the light of the criteria of relevance, security and social interest.
User fees	Basically the fees are composed of four categories, namely data extraction and data processing; computing; basic storage; advance storage, as follows: 1. Data extraction and data processing: 37.72 / 31.43* / 13.16** EUR/hour 2. Computing: 0.12 / 0.10* / 0.08** EUR/ hour /CPU 3. Basic storage: 0.93 EUR/year/GB 4. Advance storage: 2.67 EUR/year/GB * Reduced fee 1: applied to research projects managed by public research bodies or other public organisations. ** Reduced fee 2: applied to research projects managed by IACS, University of Zaragoza or the IIS Aragon Foundation Please notice that BIGAN research and training services are scheduled to be fully operational in 2021.
Pseudony-misation /anony-misation	The BIGAN data lake contains already externally pseudonymised data only. Re-identification of data at origin may take place only when, in the course of a research using pseudonymised data, it becomes apparent that there is a real and specific danger to the safety or health of a person or a specific group of people, or a serious threat to their rights, or that it is necessary to ensure proper health care.

	Danish health data governance landscape
Introduction	Denmark is a digitalised and data-intensive country and promotes actively data based research. As Denmark has a very rich and diverse health data governance landscape, this box outlines the main national infrastructural access points. In Denmark there is a difference between clinical access points and research access points. Sundhed.dk is the access point to EHRs for patients and also for health professionals for clinical purposes. A stakeholder needing data for research has several access points, and can go to the Danish Clinical Quality Program (RKKP) for quality databases, the Serum Institute for health data, and to Statistics Denmark for registry data combined across sectors.
Clinical care data	Primary care data must be accessed through the municipalities (for homecare and nursing homes) and DAK-E/KIAP from the Danish Quality Unit for General Practice for GP-data. Sundhed.dk is an independent agency governed by the Regions and the Government and contains the national EHR. At the sundhed.dk platform patients can access personal health information from EHR, laboratories, personal choices (e.g. organ donor), and the national patient registry. The patients can access their record, but they cannot report data or control the data. Health professionals also have access to the EHR.
Registry data	The two main national data governance bodies that host health data are: Statistics Denmark, storing data about the wider Danish population, and the Danish Health Data Authority (Sundhedsdatastyrelsen), hosting disease registers and data bases with health related information. Statistics Denmark is a public independent agency and holds copies of register data and can extract health data and combine it with social conditions when the researcher requests it. Researchers can apply for access to data locally with data custodians, or for the whole country through the Researcher Service (Forsker-service) at Serum Institute (when it is health data only) and through Statistics Denmark, if the researcher wants to combine health data with other data types. The Danish Health Data Authority holds all health registers, and provides research support service (Forskerservice) for researchers who wish to access health data. It is also responsible for national coordination of data exchange systems and infrastructures for the provision of healthcare. The Danish Clinical Quality Program (RKKP) is the cross-regional network organisation of the five Danish regions that constitutes the infrastructure of clinical quality registries and coordinates access to the data for researchers. The decision regarding access is made by the steering group of the individual data base. There is a fee for accessing data for research that must be paid to Statistics Denmark, the Serum Institute, or DAK-E but that only covers the hours spent on setting up the specific data set, and for DAK-E also the commercial vendor fee. It is not the cost of the infrastructure. Registry data are available for research with no informed consent (“solidarity by law”).
Biobank data	The National Biobank, hosted by the Staten Serum Institute, and the Regional Biobank Program provide access to tissue samples. The National Genome Centre provides access to genomic data. The Health Act specifies that all genomic data from comprehensive genetic analyses is stored in a national genomic database and that patients have the right to opt-out of further use of the data.
Data exchange	All data is exchanged via the platform Sundheddatanettet. Data are not stored there but it is a secure space where you need authentication and approval to be linked up through VPN-access so that you can exchange data. MedCom is responsible for developing and setting standards for data exchange and testing supplier products before they are released to ensure data compatibility.
Data altruism	In Denmark Sundhed.dk mentions in their strategy for the coming two years that they wish to open up safe spaces for storage of citizen generated data, and potentially they can be marked as available for research too, but this is not operating yet.
Access by foreign researchers	Statistics Denmark has been involved in several working groups to facilitate data exchange between different countries. Data from Statistics Denmark is as a main rule only available for Danish researchers, but foreign researchers can get access to micro data through an affiliation to a Danish authorised environment. The Danish Health Data Authority applies the same rules.
User fees	There is a fee for accessing data for research that one has to pay to Statistics Denmark, the Danish Health Data Authority, the Serum Institute, or DAK-E (for GP data) but that only covers the hours spent on setting up the specific data set, and for DAK-E also the commercial vendor fee. It is not the cost of the infrastructure. While the exact situation is difficult to assess, a direct consultation with Statistics Denmark about calculation of prices does not suggest differentiated prices. However, public entities rarely pay for data access; they use the data they already have in-house, and do not order data sets through research service portals.
Pseudony-misation /anony-misation	All public agencies store data of citizens using the patient’s ID number (PIN) and they can be linked at Statistics Denmark. They also link data from different sectors. Data held in the data access infrastructures are marked with a pseudonym of the patient’s ID number (PIN).

A1: Legislation and national rules enable access to and sharing of electronic health data through EHRs 2 , requiring high standards for data security and privacy
Indicator A1 surveys legal aspects of EHRs with regard to access and sharing of EHR data. Important components of a legal framework are the opportunity to legally store health data electronically, requirements for data security and data confidentiality, a sufficient level of technical security, logging and audit trailing, up-to-date legislation, and the opportunity to have health data shared among all relevant healthcare providing parties. Almost 4 of 5 of countries passed national legislation on EHRs regulating data safety and technical security measures less than five years ago. Logging of health data processing is not mandatory in nine countries.
A1-1: In your country, does legislation exist that enables the electronic storage of patient data?	A1-2: Does this legislation clearly regulate safety and confidentiality of personal health data?		A1-3: Do legislation and national rules exist that are dedicated only to personal health data and that prescribe technical security measures for EHR systems?

A1-4: Does this legislation prescribe logging of any health data processing to enable audit trailing 3 ?	A1-5: Was the latest relevant legislation passed less than five years ago?		A1-6: Does your current legislation inhibit in any way health data exchange via EHRs?


A2: Legislation and national rules guarantee patients' right to access their own electronic health data
Indicator A2 focuses on legal aspects of EHRs with regard to patients’ access to personal health data. Important components of a legal framework are wide-ranging patient rights to be able to electronically access their personal EHR data and to be allowed to decide to whom to provide access to their health data. While 26 countries do provide their citizens with access to their EHR data by law in general, only 20 states record by law that citizen access must be possible independent of place and technology. Lastly, 43% or 12 countries indicate that their citizens are not entitled to decide which healthcare professional or other party can access their EHR. Often general practitioners act as 'data gatekeepers', allowing additional parties to access a patient's EHR, while in other countries the technical readiness of health data systems is not yet advanced enough to realise this option.

A2.7: Do legislation and national rules in general allow and facilitate individuals to access their health- related data when held in an EHR?		A2.8: Do legislation and national rules allow and facilitate individuals to access their health-related data when held in an EHR, independent of place and technology?		A2.9: Do legislation and national rules allow citizens to choose whom to provide access to?

A4: Cross-border sharing of EHR data is legally facilitated
Indicator A4 surveys whether EHR data sharing across national borders is legally facilitated. 18 study countries indicated that data sharing from EHRs across national borders is permitted by law.
A4-13: Do legislation and national rules facilitate the sharing of EHR data cross-border?

B5: National competent authority with clinical/terminology and technical competence is institutionalised
Indicator B5 examines, in addition to B4, whether a competence authority exists that proposes technical and semantic standards, terminologies, publishes stakeholder guidelines and maintains archives of active and past standards (can be the same authority as in B4). 24 countries report that competent authorities aim to facilitate semantic and technical interoperability, but only slightly more than half of all countries also publish guidelines, maintain terminology archives, or perform mapping activities to international standards.
B5-40: Does a national competent authority propose technical standards with the aim to facilitate organisational interoperability and communication?	B5-41: Does a national competent authority propose clinical terminologies (like SNOMED CT, LOINC, WHO terminologies, etc.) with the aim to facilitate semantic interoperability and data exchange?	B5-42: Does the national competent authority in your country assist medical and clinical stakeholders with terminological guidelines 9 on how to use terminologies, build clinical information models, etc.?

B5-43: Does the terminology centre maintain an archive with all versions and also with legacy terminologies, guaranteeing to trace back terminologies during the life-cycle of an EHR?	B5-44: Do adjustment measures and mapping activities to international standards exist to enable communication between digital health systems in other countries?

C4: Patient data in EHRs is linked to a unique patient identifier
Indicator C4 surveys the use of unique identifiers for patients, physicians and other healthcare professionals to which patient data is linked and unequivocal authentication is guaranteed. The only country without any unique identifiers, a key element for the successful implementation of an EHR infrastructure, is Czechia. While Bulgaria, Cyprus and Poland are lacking unique patient identifiers, Spain and Malta do not have such identifiers for healthcare staff.
C4-62: Does your country employ a citizen/patient electronic identifier 11 for health purposes?	C4-63: Does your country employ a national unique health services professional ID for physicians?	C4-64: Does your country employ a national unique health services professional ID for other healthcare professionals (nurses, specialists, etc.)?


C5: EHR systems are properly protected against cybersecurity risks
Indicator C5 examines the preparedness of EHR systems against cybersecurity risks. Questions include the use of security-by-design approaches, awareness management of cybersecurity risks among healthcare professionals and the application of penetration tests to ensure proper functioning of EHR systems and identification of security risks. More than two-third of countries employ consistent encryption and a security-by-design approach to prevent cyber-attacks. However, only one-third of countries report training healthcare personnel in the area of cybersecurity risks. Penetration test are a common practice among study countries. Poland, Czechia and Bulgaria do not perform well in this indicator.
C5-65: Are consistent encrypting algorithms used to protect patient ID’s in EHR systems?	C5-66: Are EHR systems developed to anticipate malicious cyber-attacks through a security-by-design approach?	C5-67: Are healthcare personnel working with national EHR systems sufficiently trained and aware of the risks of cyber-security?

C5-68: Does your country have tests in place to verify whether the EHR product or service performs as it is expected (like penetration tests)?

D3: National developments regarding semantic interoperability incorporate international standards and terminologies
Indicator D3 examines which international standards and terminologies are used nationally. Examples include SNOMED CT, LOINC, ATC and ISO IDMP, HL7 and WHO classifications ICD-10 and ICD-11. While only around one-third of countries implemented SNOMED CT or LOINC, Czechia, Ireland, Malta, Poland and Slovenia have not implemented either of those terminologies mentioned, whereas Germany is in the process of implementation. The UK is the only country which does not use WHO classifications.
D3-77: Is SNOMED CT nationally implemented as “backbone” ontology/terminology?	D3-78: Is LOINC nationally implemented as central terminology?	D3-79: Are ATC, EDQM Standard Terms, or ISO IDMP referentials nationally implemented as central terminologies?

D3-80: Are resource driven information models (such as Health Level Seven Fast Healthcare Interoperability Resources (HL7 FHIR)) nationally implemented?	D3-81: Are WHO classifications (ICD-10, ICF, ATC) nationally implemented as central terminologies?	D3-82: Are there plans to nationally implement ICD-11 and ICHI?

E2: ePrescription 15 /eDispensation 16
Indicator E2 surveys whether ePrescription and eDispensation systems exist on a national level, which modes of access patient have and whether the development of such systems was informed by eHealth Network guidelines on the electronic exchange of health data for ePrescriptions/eDispensations. The indicator also inquires on the possibility to send and/or receive ePrescription/eDispensation reports across national borders. ePrescription services exist in two-thirds of all study countries and are most frequently accessed via an online portal. However, 11 countries still use paper printouts. Czechia, Poland, and Slovakia are the only Member States which are capable of sending or receiving ePrescriptions across borders.
E2-93: Do ePrescriptions/eDispensations and respective IHE profiles exist on a national level?	E2-94: Which modes of access to patients have?

E2-95: Are ePrescriptions/eDispensations structured according to the provisions in the “GUIDELINE on the electronic exchange of health data under Cross-Border Directive 2011/24/EU Release 2 – ePrescriptions /eDispensations” adopted by the eHealth Network on 21 November 2016?		E2-96: Is it possible to receive and/or send an ePrescription cross-borders transferred via the EHR system only within given regions in both countries?

E5-104: Does your regional EHR system allow you to transfer/share/enable/access patient data electronically, permitting you to engage in any of the following? Are these functions used routinely?


F1: Actual use of national EHR system by type of institution is high
Indicator F1 surveys the usage of EHR systems in different care sectors, such as primary, secondary, and tertiary care as well as pharmacies and home care. Bulgaria, Czechia, Germany (roll-out from 2021), and Ireland to not currently have a fully functioning EHR system and only few advanced countries have the home care sector connected to a national EHR system. Denmark, Estonia, and Finland have the overall highest level of EHR use in all categories.
F1-105: Please indicate the use of the national EHR system by the following types of institutions:

G1: EHR standardisation for public health reporting of infectious diseases
Indicator G1 examines whether public health reporting for standardised diseases is standardised, focusing on national systems to collect epidemiological surveillance data directly from Labs and from clinical reports using HL7 standard messaging and whether a nationwide electronic surveillance software is mandatory. While most countries except for Czechia, Latvia, and Slovenia have created a system to collect epidemiological surveillance data, slightly more than half the countries receive this data in standardised fashion. Advanced countries like Denmark, Sweden and the UK have no standardised messaging service and mandatory electronic surveillance software.
G1-120: Do you have a national system to collect epidemiological surveillance data directly from Labs on diseases classified as under compulsory notification (e.g. tuberculosis, HIV, etc)?	G1-121: Do you have a national system to collect clinical reports of diseases classified as under compulsory notification (e.g. tuberculosis, HIV, etc)?	G1-122: Does your national system exchange/receive clinical reports/clinical data directly using HL7 or other standard messaging?

G1-123: Do you have legislation or national rules mandating nationwide electronic surveillance software usage?

G2: Usage of EHR data during the COVID-19 pandemic
Indicator G2 surveys how EHRs can be used to detect, prevent, respond to, and recover from epidemiological crises such as COVID 19 through generating information from ERH data for real-time surveillance. Automatically generating this information requires a high level of technical advancements, which Belgium, Denmark, Estonia, Spain, Finland, Hungary, Netherlands, Sweden, Slovenia and the UK are capable of.
G2-124: Can you generate information from the national EHR to detect, prevent, respond to, and recover from epidemiological crises such as COVID‑19?	G2-125: Can you extract routine data from your country’s national EHR system for real-time surveillance to detect, prevent, respond to, and recover from epidemiological crises such as COVID‑19?

Total number of eHealth Network meetings 2012- 2021
YEAR	eHealth Network, eHealth sub-groups, eHDSI/eHMSEG, eHealth JA, eHealth Stakeholder Group, CBHC Committee	COVID-19 - Contact tracing and EU DCC related
2012	2	0
2013	2	0
2014	9	0
2015	16	0
2016	20	0
2017	22	0
2018	13	0
2019	17	0
2020	7	116
2021	7	200
	115	316
Total number of meetings B3 - 2012- 2021	431