(1)

The aim of this Regulation is to establish the European Health Data Space (EHDS) in order to improve natural persons’ access to and control over their personal electronic health data in the context of healthcare, as well as to better achieve other purposes involving the use of electronic health data in the healthcare and care sectors that would benefit society, such as research, innovation, policymaking, health threats preparedness and response, including preventing and addressing future pandemics, patient safety, personalised medicine, official statistics or regulatory activities. In addition, this Regulation’s goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values. The EHDS will be a key element in the creation of a strong and resilient European Health Union.

(2)

The COVID-19 pandemic highlighted the imperative of having timely access to quality electronic health data for health threats preparedness and response, as well as for prevention, diagnosis and treatment and for secondary use of such electronic health data. Such timely access could potentially contribute, through efficient public health surveillance and monitoring, to more effective management of future pandemics, to a reduction of costs and to improving the response to health threats, and ultimately could help to save more lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 (4), to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of that pandemic. However, that adaptation was only an emergency solution, showing the need for a structural and consistent approach at Member State and Union level, both in order to improve the availability of electronic health data for healthcare and to facilitate access to electronic health data in order to steer effective policy responses and contribute to high standards of human health.

(3)

The COVID-19 crisis strongly cemented the work of the eHealth Network, a voluntary network of authorities responsible for digital health, as the main pillar for the development of contact-tracing and contact-warning applications for mobile devices and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (the ‘FAIR principles’), and ensuring that electronic health data are as open as possible, while respecting the data minimisation principle as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council (5). Synergies between the EHDS, the European Open Science Cloud and the European Research Infrastructures should be ensured, and lessons should be learned from data-sharing solutions developed under the European COVID-19 Data Platform.

(4)

Given the sensitivity of personal electronic health data, this Regulation seeks to provide sufficient safeguards at both Union and national level to ensure a high degree of data protection, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of electronic health data of natural persons for primary use and secondary use as defined in this Regulation.

(5)

The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 and, for Union institutions, bodies, offices and agencies, of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6). References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions, bodies, offices and agencies, where relevant.

(6)

More and more individuals living in the Union cross national borders to work, study, visit relatives, or for other reasons. To facilitate the exchange of health data, and in line with the need to empower citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including related to the provision of healthcare services, and which reveal information about that natural person’s health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental and physical influences, medical care, and social or educational factors. Electronic health data also include data that have been initially collected for research, statistical, health threat assessment, policymaking or regulatory purposes and it should be possible to make them available in accordance with the rules laid down in this Regulation. Electronic health data consist of all categories of those data, irrespective of whether such data are provided by the data subject or other natural or legal persons, such as health professionals, or are processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automated means.

(7)

In health systems, personal electronic health data are usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies and vaccinations, as well as radiology images, laboratory results and other medical data, spread between different actors in the health system, such as general practitioners, hospitals, pharmacies or care services. In order to allow electronic health data to be accessed, shared and modified by natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. In addition, some Member States provide support to public and private healthcare providers to set up personal electronic health data spaces to enable interoperability between different healthcare providers. Several Member States also support or provide electronic health data access services for patients and health professionals, for instance through patient or health professional portals. Those Member States have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data to the central EHR system, for instance by providing a system of certification. However, not all Member States have put in place such systems, and those Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal electronic health data across the Union and avoid negative consequences for patients when receiving healthcare in a cross-border context, Union action is needed to improve natural persons’ access to their own personal electronic health data and to empower them to share those data. In this respect, appropriate action at Union and national level should be taken as a means of reducing fragmentation, heterogeneity and division, and to create a system that is user-friendly and intuitive in all Member States. Any digital transformation in the healthcare sector should aim to be inclusive and also benefit natural persons with limited ability to access and use digital services, including people with disabilities.

(8)

Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. The EHDS builds upon those rights and complements some of them as applied to personal electronic health data. Those rights apply regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of those data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided them, the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation. The additional rights of access and portability of personal electronic health data provided for in this Regulation should be without prejudice to the rights of access and portability as established under Regulation (EU) 2016/679. Natural persons continue to have those rights under the conditions set out in that Regulation.

(9)

While the rights conferred by Regulation (EU) 2016/679 should continue to apply, the right of access to data by a natural person, established in Regulation (EU) 2016/679, should be further complemented in the healthcare sector. Under that Regulation, controllers do not have to provide access immediately. The right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming for the controller, such as a hospital or other healthcare provider that provides access. That situation slows down access to health data by natural persons, and can have a negative impact on them if they need such access immediately due to urgent circumstances pertaining to their health condition. It is therefore necessary to provide for a more efficient way for natural persons to access their own personal electronic health data. They should have the right to have free-of-charge and immediate access, while respecting the need for technological practicability, to specific priority categories of personal electronic health data, such as the patient summary, through an electronic health data access service. That right should apply regardless of the Member State in which the personal electronic health data are processed, the type of healthcare provider, the sources of those data or the Member State of affiliation of the natural person. The scope of that complementary right established under this Regulation and the conditions for exercising it differ in certain ways from the right of access to personal data under Regulation (EU) 2016/679, which covers all personal data held by a controller and is exercised against an individual controller, which has up to one month to reply to a request. The right to access personal electronic health data under this Regulation should be limited to the categories of data falling within its scope, be exercised via an electronic health data access service and entail an immediate answer. The rights under Regulation (EU) 2016/679 should continue to apply, allowing natural persons to benefit from their rights under both legal frameworks, in particular the right to obtain a paper copy of the electronic health data.

(10)

It should be considered that immediate access of natural persons to certain categories of their personal electronic health data could be harmful for the safety of those natural persons or unethical. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis of an incurable disease that is likely to be terminal instead of first providing that information in a consultation with the patient. Therefore, it should be possible to delay the provision of the access to personal electronic health data in such situations for a limited amount of time, for instance until the moment when the health professional can explain the situation to the patient. Member States should be able to establish such an exception where it constitutes a necessary and proportionate measure in a democratic society, in line with restrictions as provided for in Article 23 of Regulation (EU) 2016/679.

(11)

This Regulation does not affect Member States’ competences concerning the initial registration of personal electronic health data, such as making the registration of genetic data subject to the natural person’s consent or other safeguards. Member States may require that data be made available in an electronic format prior to the application of this Regulation. This should not affect the obligation to make personal electronic health data, registered after the date of application of this Regulation, available in an electronic format.

(12)

In order to complement the information available to them, natural persons should be able to add electronic health data to their EHRs or to store additional information in their separate personal health record which could be accessed by health professionals. However, information inserted by natural persons might not be as reliable as electronic health data entered and verified by health professionals and does not have the same clinical or legal value as information provided by health professionals. Therefore, data added by natural persons in their EHR should be clearly distinguishable from data provided by health professionals. That possibility for natural persons to add and complement personal electronic health data should not entitle them to change personal electronic health data which have been provided by health professionals.

(13)

Enabling natural persons to more easily and quickly access their personal electronic health data will enable them to notice possible errors such as incorrect information or incorrectly attributed patient records. In such cases, natural persons should be able to request online the rectification of the incorrect personal electronic health data, immediately and free of charge, through an electronic health data access service. Such rectification requests should then be treated by the relevant controllers in line with Regulation (EU) 2016/679, if necessary involving health professionals with a relevant specialisation and responsible for the natural persons’ treatment.

(14)

Under Regulation (EU) 2016/679, the right to data portability is limited to data processed based on consent or contract and provided by the data subject to a controller. Additionally, under that Regulation, natural persons have the right to have the personal data transmitted directly from one controller to another only where technically feasible. Regulation (EU) 2016/679, however, does not impose an obligation to make that direct transmission technically feasible. The right to data portability should be complemented under this Regulation, thereby empowering natural persons to provide access to, at least, priority categories of their personal electronic health data to the health professionals of their choice, to exchange such health data with such health professionals and to download such health data. In addition, natural persons should have the right to request a healthcare provider to transmit a part of their electronic health data to a clearly identified recipient in the social security or reimbursement services sector. Such a transfer should be one-way only.

(15)

The framework laid down by this Regulation should build on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their personal electronic health data, including inferred data, in the European electronic health record exchange format, irrespective of the legal basis for processing the electronic health data. Health professionals should refrain from hindering the application of the rights of natural persons, for example by refusing to take into account personal electronic health data originating from another Member State and which are provided through the interoperable and reliable European electronic health record exchange format.

(16)

Access to electronic health records by healthcare providers or other individuals should be transparent to the natural persons concerned. Electronic health data access services should provide detailed information on access to data, such as when and which entity or natural person accessed data and which data were accessed. Natural persons should also be able to enable or disable automatic notifications regarding access to personal electronic health data relating to them through the health professional access services.

(17)

Natural persons might not want to allow access to some parts of their personal electronic health data while enabling access to other parts. This could especially be relevant in cases of sensitive health issues such as those related to mental or sexual health, sensitive procedures such as abortions, or data on specific medication which could reveal other sensitive issues. Such selective sharing of personal electronic health data should therefore be supported and implemented through restrictions set by the natural person concerned in the same way within the territory of a given Member State and for cross-border data sharing. Those restrictions should allow for sufficient granularity to restrict parts of datasets, such as elements of the patient summaries. Before setting the restrictions, natural persons should be informed of the risks for patient safety associated with limiting access to health data. Given that the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, natural persons making use of such access restrictions should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services. The restrictions on access to personal electronic health data could have life-threatening consequences and, therefore, access to those data should nevertheless be possible where necessary to protect vital interests in emergency situations. More specific legal provisions on the mechanisms of restrictions placed by natural persons on parts of their personal electronic health data could be provided for by Member States in their national law, in particular as regards medical liability in cases where restrictions have been placed by the natural person concerned.

(18)

In addition, due to the different sensitivities in the Member States on the degree of patients’ control over their health data, Member States should be able to provide for an absolute right to opt out from access to their personal electronic health data by anyone other than the original controller, without any possibility to override that opt-out in emergency situations. In such a case, Member States should establish the rules and specific safeguards regarding such opt-out mechanisms. Those rules and specific safeguards could also relate to specific categories of personal electronic health data, for example genetic data. The right to opt out means that personal electronic health data relating to the natural person who exercises that right would not be made available through the services set up under the EHDS other than to the healthcare provider that provided the treatment. Member States should be able to require the registration and storage of personal electronic health data in an EHR system used by the healthcare provider who provided the health services and accessible only to that healthcare provider. If a natural person has exercised the right to opt out, healthcare providers will still document the treatment provided in accordance with applicable rules, and will be able to access the data registered by them. Natural persons who exercise the right to opt out should be able to reverse their decision. In such cases, personal electronic health data generated during the period of the opt-out might not be available via the access services and MyHealth@EU.

(19)

Timely and full access by health professionals to the medical records of patients is fundamental for ensuring continuity of care, avoiding duplications and errors, and reducing costs. However, due to a lack of interoperability, in many cases health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs both for health systems and for natural persons and can lead to worse health outcomes for natural persons. Electronic health data made available in an interoperable format and which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as electronic devices and health professional portals or other health professional access services, to use personal electronic health data for the exercise of their duties. As it is difficult to exhaustively determine in advance which data from the existing data in priority categories are medically relevant in a specific episode of care, health professionals should have a wide access to data. When accessing data relating to their patients, health professionals should comply with the applicable law, codes of conduct, deontological guidelines or other provisions governing ethical conduct with respect to sharing or accessing information, particularly in life-threatening or extreme situations. In accordance with Regulation (EU) 2016/679, in order to limit their access to what is relevant in a specific episode of care, healthcare providers should follow the data minimisation principle when accessing personal electronic health data, limiting the data accessed to data that are strictly necessary and justified for a given service. Providing health professional access services is a task assigned in the public interest by this Regulation and the performance of such task requires the processing of personal data as referred to in Article 6(1), point (e), of Regulation (EU) 2016/679. This Regulation provides for conditions and safeguards for the processing of electronic health data by the health professional access service in accordance with Article 9(2), point (h), of Regulation (EU) 2016/679, for instance detailed provisions regarding logging of access to personal electronic health data and that aim to provide transparency towards data subjects. However, this Regulation should be without prejudice to national law concerning the processing of health data for the delivery of healthcare, including national law establishing categories of health professionals that can process different categories of electronic health data.

(20)

In order to facilitate the exercise of the complementary access and portability rights established under this Regulation, Member States should establish one or more electronic health data access services. Those services could be provided at national, regional or local level, or by healthcare providers, in the form of an online patient portal, an application for mobile devices or by other means. They should be designed in an accessible way, in particular for persons with disabilities. Providing such a service to enable natural persons to have easy access to their personal electronic health data is a substantial public interest. The processing of personal electronic health data through those services is necessary for the performance of that task assigned by this Regulation in the sense of Article 6(1), point (e), and Article 9(2), point (g), of Regulation (EU) 2016/679. This Regulation lays down the necessary conditions and safeguards for the processing of electronic health data in electronic health data access services, such as electronic identification of natural persons accessing such services.

(21)

Natural persons should be able to provide an authorisation to other natural persons of their choice, such as their relatives or other close natural persons, enabling such persons of their choice to access or control the access to the personal electronic health data of the natural persons who provide the authorisation or to use digital health services on their behalf. Such authorisations could also be convenient for other usage by natural persons provided with such an authorisation. Proxy services for enabling and implementing such authorisations should be established by Member States, and be linked to personal electronic health data access services such as patient portals or patient-facing applications for mobile devices. Those proxy services should also enable guardians to act on behalf of their dependents, including minors; in such situations, authorisations could be automatic. In addition to those proxy services, Member States should also establish easily accessible support services to be provided by adequately trained staff dedicated to assisting natural persons when exercising their rights. In order to take into account cases in which the display of some personal electronic health data of dependent persons to their guardians could be contrary to the interests or the will of their dependents, including minors, Member States should be able to provide in national law for limitations and safeguards as well as for mechanisms for their technical implementation. Personal electronic health data access services, such as patient portals or patient-facing applications for mobile devices, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the scope of the authorisation. In order to provide a horizontal solution with increased user-friendliness, digital proxy solutions should be aligned with Regulation (EU) No 910/2014 of the European Parliament and of the Council (7) and the technical specifications of the European Digital Identity Wallet. That alignment would contribute to reducing both the administrative and financial burden for Member States by lowering the risk of developing parallel systems that are not interoperable across the Union.

(22)

In some Member States, healthcare is provided by primary care management teams, which are groups of health professionals focused on primary care, such as general practitioners, that carry out their primary care activities based on a healthcare plan that they draw up. Other types of healthcare teams also exist in several Member States for other care purposes. In the context of primary use in the EHDS, access should be provided to the health professionals belonging to such teams.

(23)

The supervisory authorities established pursuant to Regulation (EU) 2016/679 are competent for monitoring and enforcing the application of that Regulation, in particular for the monitoring of the processing of personal electronic health data and for handling any complaints lodged by the natural persons concerned. This Regulation establishes additional rights for natural persons regarding primary use, which go beyond and complement access and portability rights enshrined in Regulation (EU) 2016/679. Since those additional rights should also be enforced by the supervisory authorities established pursuant to Regulation (EU) 2016/679, Member States should ensure that those supervisory authorities are provided with the financial and human resources, premises and infrastructure necessary for the effective performance of those additional tasks. The supervisory authority or authorities responsible for the monitoring and enforcement of the processing of personal electronic health data for primary use in compliance with this Regulation should be competent to impose administrative fines. The legal system of Denmark does not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fines are imposed by the competent national courts as a criminal penalty, provided that such an application of the rules has an equivalent effect to administrative fines imposed by supervisory authorities. In any event, the fines imposed should be effective, proportionate and dissuasive.

(24)

Member States ought to strive to adhere to ethical principles, such as the European ethical principles for digital health adopted by the eHealth Network on 26 January 2022 and the principle of health professional-patient confidentiality, in the application of this Regulation. Recognising the importance of ethical principles, the European ethical principles for digital health provide guidance to practitioners, researchers, innovators, policy-makers and regulators.

(25)

The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity as regards standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of certain categories of electronic health data is needed. Categories of electronic health data such as patient summaries, electronic prescriptions and dispensations, medical imaging studies and related imaging reports, medical test results such as laboratory results and related reports, and discharge reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. Where such priority categories of data represent groups of electronic health data, this Regulation should apply to both the groups as a whole and to the individual data entries included in those groups. For example, given that vaccination status is part of a patient summary, the rights and requirements linked to the patient summary should also apply to such vaccination status even if it is processed separately from the patient summary as a whole. When further needs for the exchange of additional categories of electronic health data are identified for healthcare purposes, access to and exchange of those additional categories should be possible under this Regulation. The additional categories should be first implemented at Member State level and the exchange on a voluntary basis of such categories of data in cross-border situations between the cooperating Member States should be provided for in this Regulation. Particular attention should be given to data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.

(26)

The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format and to control better the access to and sharing of their personal electronic health data. This would also contribute to the achievement of the target of 100 % of Union citizens having access to their electronic health records by 2030, as referred to in Decision (EU) 2022/2481 of the European Parliament and of the Council (8). In order to make electronic health data accessible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data such as patient summaries, electronic prescriptions and dispensations, medical imaging studies and related imaging reports, medical test results and discharge reports, subject to transition periods. Where personal electronic health data are made available to a healthcare provider or a pharmacy by a natural person, or are transmitted by another controller in the European electronic health record exchange format, that format should be accepted, and the recipient should be able to read the data and use them for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the healthcare services or the dispensation of the electronic prescription. The European electronic health record exchange format ought to be designed in a way that facilitates translation of electronic health data communicated using that format into the official languages of the Union, to the extent possible. Commission Recommendation (EU) 2019/243 (9) provides the foundations for such a common European electronic health record exchange format. The interoperability of the EHDS should contribute to having European health datasets of a high quality. The use of a European electronic health record exchange format should become more widespread at Union and national level. The European electronic health record exchange format could allow for different profiles for its use at the level of EHR systems and at the level of the national contact points for digital health in MyHealth@EU for cross-border data exchange.

(27)

While EHR systems are widespread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the application of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and in accordance with specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data.

(28)

Telemedicine is becoming an increasingly important tool that can provide patients with access to care and tackle inequities. It has the potential to reduce health inequalities and reinforce the free movement of Union citizens across borders. Digital and other technological tools can facilitate the provision of care in remote regions. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision. Under Article 168 of the Treaty on the Functioning of the European Union (TFEU), Member States are responsible for their health policy, in particular for the organisation and delivery of health services and medical care, including the regulation of activities such as online pharmacies, telemedicine and other services that they provide and provide reimbursement for, in line with their national legislation. Different healthcare policies should not, however, constitute barriers to the free movement of electronic health data in the context of cross-border healthcare, for example telemedicine and online pharmacy services.

(29)

Regulation (EU) No 910/2014 lays down the conditions under which Member States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires secure access to electronic health data, including in cross-border situations. Electronic health data access services and telemedicine services should enable natural persons to exercise their rights regardless of their Member State of affiliation, and should therefore support the identification of natural persons using any electronic identification means recognised pursuant to Regulation (EU) No 910/2014. Given the possibility of challenges regarding identity matching in cross-border situations, it might be necessary for Member States of treatment to provide complementary access mechanisms such as tokens or codes to natural persons who arrive from other Member States and receive healthcare. The Commission should be empowered to adopt implementing acts to determine the requirements for the interoperable and cross-border identification and authentication of natural persons and health professionals, including any complementary mechanisms that are necessary to ensure that natural persons can exercise their rights related to personal electronic health data in cross-border situations.

(30)

Member States should designate relevant digital health authorities for the planning and implementation of standards for access to and transmission of electronic health data and the enforcement of the rights of natural persons and health professionals, as separate organisations or as part of already existing authorities. The digital health authority staff should not have any financial or other interests in industries or economic activities which could affect their impartiality. Digital health authorities already exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. When carrying out their tasks, digital health authorities should cooperate in particular with the supervisory authorities established pursuant to Regulation (EU) 2016/679 and supervisory bodies established pursuant to Regulation (EU) No 910/2014. Digital health authorities can also cooperate with the European Artificial Intelligence Board established by Regulation (EU) 2024/1689 of the European Parliament and of the Council (10), the Medical Device Coordination Group established by Regulation (EU) 2017/745 of the European Parliament and of the Council (11), the European Data Innovation Board established pursuant to Regulation (EU) 2022/868 of the European Parliament and of the Council (12) and the competent authorities under Regulation (EU) 2023/2854 of the European Parliament and of the Council (13). Member States should facilitate the participation of national actors in the cooperation at Union level, the conveying of expertise and the provision of advice on the design of solutions necessary to achieve the goals of the EHDS.

(31)

Without prejudice to any other administrative or non-judicial remedy, any natural or legal person should have the right to an effective judicial remedy against a legally binding decision of a digital health authority concerning them or where a digital health authority does not handle a complaint or does not inform the natural or legal person within three months about the progress or outcome of the complaint. Proceedings against a digital health authority should be brought before the courts of the Member States where the digital health authority is established.

(32)

Digital health authorities should have sufficient technical skills, possibly by bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take the necessary measures to protect the rights of natural persons by setting up national, regional, and local technical solutions such as national EHR intermediation solutions and patient portals. When taking such necessary protective measures, digital health authorities should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurement procedures and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. Member States should ensure that appropriate training initiatives are taken. In particular, health professionals should be informed and trained with regard to their rights and obligations under this Regulation. To carry out their tasks, the digital health authorities should cooperate at Union and national level with other entities, including with insurance bodies, healthcare providers, health professionals, manufacturers of EHR systems and of wellness applications, as well as other stakeholders from the health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.

(33)

Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it can support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions who cross the border frequently to get healthcare. In many border regions, some specialised healthcare services might be available closer across the border than in the same Member State. Infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. The gradual expansion of such infrastructure and its funding should be considered. A voluntary infrastructure for that purpose, MyHealth@EU, was established as part of the actions to achieve the objectives set up in Directive 2011/24/EU of the European Parliament and of the Council (14). Through MyHealth@EU, Member States started to provide natural persons with the possibility of sharing their personal electronic health data with healthcare providers when travelling abroad. Building on that experience, the participation of Member States in MyHealth@EU as established by this Regulation should be mandatory. Technical specifications for MyHealth@EU should enable the exchange of priority categories of electronic health data as well as additional categories supported by the European electronic health record exchange format. Those specifications should be defined by means of implementing acts and should be based on the cross-border specifications of the European electronic health record exchange format, complemented by further specifications on cybersecurity, technical and semantic interoperability, operations and service management. Member States should be required to join MyHealth@EU, comply with its technical specifications and connect healthcare providers, including pharmacies, to it, as this is necessary for enabling natural persons to exercise their rights under this Regulation to access and make use of their personal electronic health data regardless of the Member State where the natural persons are located.

(34)

MyHealth@EU provides a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way to support cross-border healthcare, without affecting Member States’ responsibilities before and after the transmission of personal electronic health data through it. Member States are responsible for the organisation of their national contact points for digital health and for the processing of personal data for the purposes of the delivery of healthcare, before and after the transmission of those data through MyHealth@EU. The Commission should monitor through compliance checks the compliance of national contact points for digital health with the necessary requirements regarding the technical development of MyHealth@EU as well as with detailed rules concerning the security, confidentiality and protection of personal electronic health data. In the event of serious non-compliance by a national contact point for digital health, the Commission should be able to suspend the services affected by the non-compliance provided by that national contact point for digital health. The Commission should act as a processor on behalf of the Member States within MyHealth@EU and should provide central services for it. To ensure compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the specific responsibilities of the Member States, as joint controllers, and the Commission’s obligations as processor on their behalf should be specified by means of implementing acts. Each Member State is solely responsible for data and services in that Member State. This Regulation provides the legal basis for the processing of personal electronic health data in MyHealth@EU as a task carried out in the public interest assigned by Union law referred to in Article 6(1), point (e), of Regulation (EU) 2016/679. That processing is necessary for the provision of healthcare in cross-border situations, as mentioned in Article 9(2), point (h), of that Regulation.

(35)

In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures could be needed, for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. Such additional use cases would also be important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases. MyHealth@EU should support exchanges of personal electronic health data with national contact points for digital health of relevant third countries and systems established at international level by international organisations in order to contribute to the continuity of healthcare. This is particularly relevant for individuals travelling to and from neighbouring third countries, candidate countries, and the associated overseas countries and territories. The connection of such national contact points for digital health of third countries to MyHealth@EU and the interoperability with digital systems established at international level by international organisations should be subject to a check ensuring the compliance of those contact points and digital systems with the technical specifications, data protection rules and other requirements of MyHealth@EU. In addition, given that the connection to MyHealth@EU will entail transfers of personal electronic health data to third countries, such as sharing a patient summary when the patient seeks care in that third country, relevant transfer instruments under Chapter V of Regulation (EU) 2016/679 should be put in place. The Commission should be empowered to adopt implementing acts to facilitate the connection of such national contact points for digital health of third countries and systems established at international level by international organisations to MyHealth@EU. When preparing those implementing acts, the Commission should take into account Member States’ national security interests.

(36)

In order to enable the seamless exchange of electronic health data and ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market should be able to store and transmit, in a secure way, high quality electronic health data. It is a key objective of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory conformity self-assessment scheme for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through the self-assessment, EHR systems will prove compliance with the requirements on interoperability, security and logging for communication of personal electronic health data established by the two mandatory EHR software components harmonised by this Regulation, namely the European interoperability software component for EHR systems and the European logging software component for EHR systems (the ‘harmonised software components of EHR systems’). The harmonised software components of EHR systems mainly concern data transformation, although they may imply the need for indirect requirements for data registration and data presentation in EHR systems. Technical specifications for the harmonised software components of EHR systems should be defined by means of implementing acts and should be based on the use of the European electronic health record exchange format. The harmonised software components of EHR systems should be designed to be reusable and to integrate seamlessly with other components within a larger software system. The security requirements of the harmonised software components of EHR systems should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as those under Regulation (EU) 2024/2847 of the European Parliament and of the Council (15). To support that process, European digital testing environments should be set up to provide automated means to test whether the functioning of the harmonised software components of an EHR system is compliant with the requirements laid down in this Regulation. To that end, implementing powers should be conferred on the Commission to determine the common specifications for those environments. The Commission should develop the necessary software for the testing environments and make it available as open source. Member States should be responsible for the operation of the digital testing environments, as they are closer to manufacturers and better placed to support them. Manufacturers should use those digital testing environments to test their products before placing them on the market while continuing to bear full responsibility for the compliance of their products. The results of the test should become part of the product’s technical documentation. Where the EHR system or any part of it complies with European standards or common specifications, the list of the relevant European standards and common specifications should also be indicated in the technical documentation. To support the comparability of EHR systems, the Commission should prepare a uniform template for the technical documentation accompanying such systems.

(37)

EHR systems should be accompanied by an information sheet that includes information for its professional users and by clear and complete instructions for use, including in accessible formats for persons with disabilities. If an EHR system is not accompanied by such information, the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators should be required to add to the EHR system that information sheet and those instructions for use.

(38)

While EHR systems specifically intended by the manufacturer to be used for processing one or more specific categories of electronic health data should be subject to mandatory self-certification, software for general purposes should not be considered to be an EHR system, even when used in a healthcare setting, and should therefore not be required to comply with this Regulation. That covers cases such as text-processing software used for writing reports that would then become part of written electronic health records, general-purpose middleware, or database management software that is used as part of data storage solutions.

(39)

This Regulation imposes a mandatory conformity self-assessment scheme for the harmonised software components of EHR systems to ensure that EHR systems placed on the Union market are able to exchange data in the European electronic health record exchange format and that they have the required logging capabilities. That mandatory conformity self-assessment, which would be in the form of an EU declaration of conformity by the manufacturer, should ensure that those requirements are fulfilled in a proportionate way, while avoiding an undue burden on Member States and manufacturers.

(40)

Manufacturers should affix in the accompanying documents of the EHR system, and where applicable on its packaging, a CE marking of conformity indicating that the EHR system is in conformity with this Regulation and, in respect of aspects not covered by this Regulation, with other applicable Union law which also requires the affixing of such marking. Member States should build upon existing mechanisms to ensure the correct application of the provisions on the CE marking of conformity under relevant Union law and should take appropriate action in the event of improper use of that marking.

(41)

Member States should remain competent to define requirements relating to any other software components of EHR systems and the terms and conditions for connection of healthcare providers to their respective national infrastructures, which could be subject to third-party assessment at national level. In order to facilitate the smooth functioning of the internal market for EHR systems, digital health products and associated services, it is necessary to ensure as much as possible transparency as regards national law establishing requirements for EHR systems and provisions on their conformity assessment in relation to aspects other than the harmonised software components of EHR systems. Therefore, Member States should inform the Commission of those national requirements so it has the necessary information to ensure that they do not adversely affect the harmonised software components of EHR systems.

(42)

Certain software components of EHR systems could be considered medical devices under Regulation (EU) 2017/745 or in vitro diagnostic medical devices under Regulation (EU) 2017/746 of the European Parliament and of the Council (16). Software or modules of software which fall within the definition of a medical device, in vitro diagnostic medical devices or an artificial intelligence (AI) system considered to be high-risk (the ‘high-risk AI system’) should be certified in accordance with Regulations (EU) 2017/745, (EU) 2017/746 and (EU) 2024/1689, as applicable. While such products are required to fulfil the requirements under the respective Regulation governing those products, Member States should take appropriate measures to ensure that the respective conformity assessment is carried out as a joint or coordinated procedure in order to limit the administrative burden on manufacturers and other economic operators. The essential requirements on interoperability of this Regulation should only apply to the extent that the manufacturer of a medical device, an in vitro diagnostic medical device, or a high-risk AI system, which is providing electronic health data to be processed as part of the EHR system, claims interoperability with such EHR system. In such case, the provisions on common specifications for EHR systems should be applicable to those medical devices, in vitro diagnostic medical devices and high-risk AI systems.

(43)

To further support interoperability and security, Member States should be able to maintain or define specific rules for the procurement, reimbursement or financing of EHR systems at national level in the context of the organisation, delivery or financing of health services. Such specific rules should not impede the free movement of EHR systems in the Union. Some Member States have introduced mandatory certification of EHR systems or mandatory interoperability testing for their connection to national digital health services. Such requirements are commonly reflected in procurement procedures organised by healthcare providers and national or regional authorities. The mandatory certification of EHR systems at Union level should establish a baseline that can be used in procurement procedures at national level.

(44)

In order to guarantee the effective exercise by patients of their rights under this Regulation, healthcare providers developing and using an EHR system ‘in-house’ to carry out internal activities without placing it on the market in return for payment or remuneration should also comply with this Regulation. In that context, such healthcare providers should comply with all requirements applicable to manufacturers as regards such EHR systems that are developed ‘in-house’ and that such healthcare providers put into service. However, given that the healthcare providers may need additional time to prepare for compliance with this Regulation, those requirements should only apply to such systems after an extended transitional period.

(45)

It is necessary to provide for a clear and proportionate distribution of obligations corresponding to the role of each economic operator in the supply and distribution process of EHR systems. Economic operators should be responsible for compliance in relation to their respective roles in such process and should ensure that they make available on the market only EHR systems which comply with relevant requirements.

(46)

Compliance with essential requirements on interoperability and security should be demonstrated by the manufacturers of EHR systems through the implementation of common specifications. To that end, implementing powers should be conferred on the Commission to determine such common specifications regarding datasets, coding systems, technical specifications, standards, specifications and profiles for data exchange, as well as requirements and principles related to patient safety and the security, confidentiality, integrity and protection of personal data, and specifications and requirements related to identification management and the use of electronic identification. Digital health authorities should contribute to the development of such common specifications. Where applicable, those common specifications should be based on existing harmonised standards for the harmonised software components of EHR systems and be compatible with sectoral law. Where common specifications have a particular importance in relation to personal data protection requirements concerning EHR systems, they should be subject to consultation with the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) before their adoption, pursuant to Article 42(2) of Regulation (EU) 2018/1725.

(47)

In order to ensure there is appropriate and effective enforcement of the requirements and obligations laid down in this Regulation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 of the European Parliament and of the Council (17) should apply. Depending on the organisation defined at national level, such market surveillance activities could be carried out by the digital health authorities ensuring the proper implementation of Chapter II of this Regulation or by a separate market surveillance authority responsible for EHR systems. While designating digital health authorities as market surveillance authorities could have significant practical advantages for the implementation of health and care, any conflicts of interest should be avoided, for instance by separating different tasks.

(48)

The staff of market surveillance authorities should have no direct or indirect economic, financial or personal conflicts of interest that might be considered prejudicial to their independence and, in particular, they should not be in a situation that could, directly or indirectly, affect the impartiality of their professional conduct. Member States should determine and publish the selection procedure for market surveillance authorities. They should ensure that the procedure is transparent and does not allow conflicts of interest.

(49)

Users of wellness applications, including applications for mobile devices, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions in cases where data produced by wellness applications are useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should also be informed about the compliance of such wellness applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A mandatory labelling scheme for wellness applications for which interoperability with EHR systems is claimed should therefore be established as an appropriate mechanism for providing transparency for the users of wellness applications regarding compliance with requirements under this Regulation, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission should set out by means of implementing acts the details regarding the format and content of such label.

(50)

Member States should remain free to regulate other aspects of the use of wellness applications, provided that the corresponding rules are in compliance with Union law.

(51)

The distribution of information on certified EHR systems and labelled wellness applications is necessary to enable procurers and users of such products to find interoperable solutions for their specific needs. A database of interoperable EHR systems and wellness applications, which do not fall within the scope of Regulations (EU) 2017/745 and (EU) 2024/1689, should therefore be established at Union level, similar to the European database on medical devices (Eudamed) established by Regulation (EU) 2017/745. The objectives of the EU database for registration of EHR systems and wellness applications should be to enhance overall transparency, to avoid multiple reporting requirements and to streamline and facilitate the flow of information. For medical devices and AI systems, the registration should be maintained under the existing databases established, respectively, under Regulations (EU) 2017/745 and (EU) 2024/1689, but the compliance with interoperability requirements should be indicated by manufacturers when they claim such compliance, in order to provide information to procurers.

(52)

Without hindering or replacing contractual arrangements or other mechanisms in place, this Regulation is aimed at establishing a common mechanism to access electronic health data for secondary use across the Union. Under that mechanism, health data holders should make the data they hold available on the basis of a data permit or a health data request. For the purpose of processing electronic health data for secondary use, one of the legal bases referred to in Article 6(1), points (a), (c), (e) or (f), of Regulation (EU) 2016/679 in conjunction with Article 9(2) thereof is required. Accordingly, this Regulation provides for a legal basis for the secondary use of personal electronic health data, including the safeguards required under Article 9(2), points (g) to (j), of Regulation (EU) 2016/679 to allow the processing of special categories of data, in terms of lawful purposes, trusted governance for providing access to health data through the involvement of health data access bodies, and processing in a secure processing environment, as well as arrangements for data processing, set out in the data permit. Consequently, Member States should no longer be able to maintain or introduce under Article 9(4) of Regulation (EU) 2016/679 further conditions, including limitations and specific provisions requesting the consent of natural persons, with regard to the processing for secondary use of personal electronic health data under this Regulation, with the exception of the introduction of stricter measures and additional safeguards at national level aimed at safeguarding the sensitivity and value of certain data as laid down in this Regulation. Health data applicants should also demonstrate a legal basis referred to in Article 6 of Regulation (EU) 2016/679 that allows them to request access to electronic health data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV thereof. In addition, the health data access body should assess the information provided by the health data applicant, based on which it should be able to issue a data permit for the processing of personal electronic health data pursuant to this Regulation that should fulfil the requirements and conditions set out in Chapter IV of this Regulation. For processing of electronic health data held by the health data holders, this Regulation creates the legal obligation within the meaning of Article 6(1), point (c), of Regulation (EU) 2016/679, in accordance with Article 9(2), points (i) and (j), of that Regulation, for the health data holder to make available the personal electronic health data to health data access bodies, while the legal basis for the purpose of the initial processing, for example the delivery of healthcare, is unaffected. This Regulation also assigns tasks in the public interest within the meaning of Article 6(1), point (e), of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2), points (g) to (j), as applicable, of that Regulation. If the health data user relies upon a legal basis set out in Article 6(1), point (e) or (f), of Regulation (EU) 2016/679, this Regulation should provide for the safeguards required under Article 9(2) of Regulation (EU) 2016/679.

(53)

Electronic health data used for secondary use can bring great societal benefits. The uptake of real-world data and real-world evidence, including patient-reported outcomes, for evidence-based regulatory and policy purposes as well as for research, health technology assessment and clinical objectives should be encouraged. Real-world data and real-world evidence have the potential to complement health data currently made available. To achieve that goal, it is important that datasets made available for secondary use pursuant to this Regulation be as complete as possible. This Regulation provides the necessary safeguards to mitigate certain risks involved in the achievement of those benefits. The secondary use of electronic health data is based on pseudonymised or anonymised data, in order to preclude the identification of the data subjects.

(54)

To balance the need of health data users to have exhaustive and representative datasets with the need for autonomy of natural persons over personal electronic health data of theirs that are considered particularly sensitive, natural persons should be able to make the decision as to whether their personal electronic health data can be processed for secondary use under this Regulation, in the form of a right to opt out from having those data being made available for secondary use. An easily understandable and accessible user-friendly mechanism to exercise that right to opt out should be provided for. Moreover, it is imperative to provide natural persons with sufficient and complete information regarding their right to opt out, including on the benefits and drawbacks entailed by exercising that right. Natural persons should not be required to give any reasons for opting out and should have the possibility of reconsidering their choice at any time. However, for certain purposes with a strong link to the public interest, such as activities for protection against serious cross-border threats to health or scientific research for important reasons of public interest, it is appropriate to provide for a possibility for Member States to establish, taking into account their national context, mechanisms to provide access to personal electronic health data of natural persons who have exercised their right to opt out, to ensure that complete datasets can be made available in those situations. Such mechanisms should comply with the requirements established for secondary use under this Regulation. Scientific research for important reasons of public interest could for example include research addressing unmet medical needs, including for rare diseases, or emerging health threats. The rules on such overrides should respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to fulfil the public interest in relation to legitimate scientific and societal objectives. Such overrides should only be available to health data users that are public sector bodies, or relevant Union institutions, bodies, offices or agencies, entrusted with the performance of tasks in the area of public health, or to another entity entrusted with the performance of public tasks in the area of public health or acting on behalf of or commissioned by a public authority, and only where the data cannot be obtained by alternative means in a timely and effective manner. Those health data users should justify that the use of the override is necessary for an individual health data access application or health data request. When such an override is applied, the safeguards under Chapter IV should continue to be applied by health data users, in particular the prohibition of re-identification or attempting to re-identify the natural persons concerned.

(55)

In the context of the EHDS, electronic health data already exist and are being collected by, among others, healthcare providers, professional associations, public institutions, regulators, researchers and insurers in the course of their activities. Those data should also be made available for secondary use, that is to say for processing of data for purposes other than those for which they were collected or produced, however, many of such data are not made available for processing for such purposes. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policymaking, regulatory purposes, patient safety or personalised medicine. In order to fully exploit the benefits of secondary use, all health data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use, provided that such effort is always made through effective and secured processes, with due respect for professional duties, such as confidentiality duties.

(56)

The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of health data users, while remaining limited to data related to health or known to influence health. They can also include relevant data from the health system, for example electronic health records, claims data, dispensation data, data from disease registries or genomic data, as well as data with an impact on health, for example data on consumption of different substances, socioeconomic status or behaviour, and data on environmental factors such as pollution, radiation or the use of certain chemical substances. The categories of electronic health data for secondary use include some categories of data that were initially collected for other purposes such as research, statistics, patient safety, regulatory activities or policymaking, for example, policymaking registries or registries concerning the side effects of medicinal products or medical devices. European databases that facilitate use or reuse of data are available in some areas, such as cancer (the European Cancer Information System) or rare diseases (for example, the European Platform on Rare Disease Registration and European reference networks (ERN) registries). The categories of electronic health data that can be processed for secondary use should also include automatically generated data from medical devices and person-generated data, such as data from wellness applications. Data on clinical trials and clinical investigations should also be included in the categories of electronic health data for secondary use when the clinical trial or clinical investigation has ended, without affecting any voluntary data sharing by the sponsors of ongoing trials and investigations. Electronic health data for secondary use should be made available preferably in a structured electronic format that facilitates their processing by computer systems. Examples of structured electronic formats include records in a relational database, XML documents or CSV files and free text, audios, videos and images provided as computer-readable files.

(57)

Health data users who benefit from access to datasets provided for under this Regulation could enrich the data in those datasets with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of the data in the datasets. Health data users should be encouraged to report critical errors in datasets to health data access bodies. To support the improvement of the initial database and further use of the enriched dataset, Member States should be able to establish rules for the processing and the use of electronic health data containing improvements related to the processing of those data. The improved dataset should be made available free of charge to the original health data holder together with a description of the improvements. The health data holder should make the new dataset available, unless it provides a justified notification to the health data access body for not doing so, for instance in cases in which the enrichment by the health data user is of low quality. It should be ensured that non-personal electronic health data are available for secondary use. In particular, pathogen genomic data hold significant value for human health, as shown during the COVID-19 pandemic during which timely access to and sharing of such data proved to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics efforts will be achieved when public health and research processes share datasets and cooperate to inform and improve each other.

(58)

In order to increase the effectiveness of the secondary use of personal electronic health data, and to fully benefit from the possibilities offered by this Regulation, the availability in the EHDS of electronic health data described in Chapter IV should be such that the data are as accessible, high-quality, ready and suitable for the purpose of creating scientific, innovative and societal value and quality as possible. Work on the implementation of the EHDS and further dataset improvements should be conducted in a manner that prioritises the datasets that are the most suitable for creating such value and quality.

(59)

Public or private entities often receive public funding from national or Union funds to collect and process electronic health data for research, official or unofficial statistics, or other similar purposes, including in areas where the collection of such data is fragmented or difficult, such as in relation to rare diseases or cancer. Such data, collected and processed by health data holders with the support of Union or national public funding, should be made available to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policymaking, benefiting society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. The health data holders in the context of secondary use should therefore be entities that are healthcare providers or care providers or carry out research with regard to the healthcare or care sectors, or develop products or services intended for the healthcare or care sectors. Such entities can be public, not for profit or private. In line with this definition, nursing homes, day-care centres, entities providing services for people with disabilities, entities carrying out business and technological activities related to care such as orthopaedics and companies providing care services should be considered health data holders. Legal persons developing wellness applications should also be considered health data holders. Union institutions, bodies, offices or agencies that process those categories of health and healthcare data as well as mortality registries should also be considered health data holders.In order to avoid a disproportionate burden for natural persons and microenterprises, they should be, as a general rule, exempted from the obligations on health data holders. Member States should, however, be able to extend the obligations of health data holders to natural persons and microenterprises in their national law. To reduce the administrative burden, and in light of the effectiveness and efficiency principles, Member States should be able to require in their national law that health data intermediation entities carry out the duties of certain categories of health data holders. Such health data intermediation entities should be legal persons able to process, make available, register, provide, restrict access to, and exchange electronic health data for secondary use provided by health data holders. Such health data intermediation entities perform tasks that differ from those of data intermediation services under Regulation (EU) 2022/868.

(60)

Electronic health data protected by intellectual property rights or trade secrets, including data on clinical trials, investigations and studies, can be very useful for secondary use and can foster innovation within the Union for the benefit of Union patients. In order to incentivise continuous Union leadership in this domain, it is important to encourage the sharing of clinical trials and clinical investigations data through the EHDS for secondary use. Clinical trials and clinical investigations data should be made available to the extent possible, while taking all necessary measures to protect intellectual property rights and trade secrets. This Regulation should not be used to reduce or circumvent such protection and should be consistent with the relevant transparency provisions laid down in Union law, including for clinical trials and clinical investigations data. Health data access bodies should assess how to preserve such protection while enabling access to such data for health data users to the extent possible. If a health data access body is unable to provide access to such data, it should inform the health data user and explain why it is not possible to provide such access. Legal, organisational and technical measures to protect intellectual property rights or trade secrets could include common electronic health data access contractual arrangements, specific obligations within the data permit in relation to such rights, pre-processing the data to generate derived data that protect a trade secret but nonetheless have a utility for the health data user or configuration of the secure processing environment so that such data are not accessible to the health data user.

(61)

The secondary use of health data under the EHDS should enable public, private and not-for-profit entities, as well as individual researchers, to have access to health data for research, innovation, policymaking, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes as set out in this Regulation. Access to data for secondary use should contribute to the general interest of society. In particular, the secondary use of health data for research and development purposes should contribute to benefiting society in the form of new medicines, medical devices, and healthcare products and services at affordable and fair prices for Union citizens, as well as to enhancing access to and the availability of such products and services in all Member States. Activities for which access in the context of this Regulation is lawful could include using the electronic health data for tasks carried out by public sector bodies, such as the exercise of public duty, including public health surveillance, planning and reporting duties, health policymaking, and ensuring patient safety, quality of care and the sustainability of healthcare systems. Public sector bodies and Union institutions, bodies, offices and agencies might need to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, as is provided for in this Regulation. Public sector bodies could carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remains at all times the supervisor of those activities. The provision of the data should also support activities related to scientific research. The notion of scientific research purposes should be interpreted in a broad manner, including technological development and demonstration, fundamental research, applied research and privately funded research. Activities related to scientific research include innovation activities such as training of AI algorithms that could be used in healthcare or the care of natural persons, as well as the evaluation and further development of existing algorithms and products for such purposes. It is necessary that the EHDS also contribute to fundamental research, and, although its benefits to end-users and patients might be less direct, such fundamental research is crucial for societal benefits in the longer term. In some cases, the information of some natural persons, such as genomic information of natural persons with a certain disease, could contribute to the diagnosis or treatment of other natural persons. There is a need for public sector bodies to go beyond the scope of ‘exceptional need’ of Chapter V of Regulation (EU) 2023/2854. However, health data access bodies should be allowed to provide support to public sector bodies when processing or linking data. This Regulation provides for a channel for public sector bodies to obtain access to information that they require for fulfilling the tasks assigned to them by law, but does not extend the mandate of such public sector bodies.

(62)

Any attempt to use electronic health data for measures detrimental to natural persons, such as to increase insurance premiums, to engage in activities potentially detrimental to natural persons related to employment, pensions or banking, including mortgaging of properties, to advertise products or treatments, to automate individual decision-making, to re-identify natural persons or to develop harmful products should be prohibited. That prohibition should also apply to activities contrary to ethical provisions under national law, with the exception of ethical provisions relating to consent to the processing of personal data and ethical provisions relating to the right to opt out, since this Regulation takes precedence over national law in accordance with the general principle of the primacy of Union law. It should also be prohibited to provide access to, or otherwise make available, electronic health data to third parties not mentioned in the data permit. The identity of authorised persons, in particular the identity of the principal investigator, who will have the right pursuant to this Regulation to access electronic health data in the secure processing environment should be indicated in the data permit. The principal investigators are the main persons responsible for requesting access to the electronic health data and for processing the requested data within the secure processing environment on behalf of the health data user.

(63)

This Regulation does not create an empowerment for the secondary use of health data for the purpose of law enforcement. The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties by the competent authorities should not be among the secondary use purposes covered under this Regulation. Therefore, courts and other entities of the justice system should not be considered health data users for the secondary use of health data under this Regulation. In addition, courts and other entities of the justice system should not be covered under the definition of health data holders and should not therefore be addressees of obligations on health data holders under this Regulation. Moreover, the powers of the competent authorities for the prevention, investigation, detection and prosecution of criminal offences established by law to obtain electronic health data are unaffected by this Regulation. Likewise, electronic health data held by courts for the purpose of judicial proceedings are outside the scope of this Regulation.

(64)

The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is essential to promoting the secondary use of health-related data. Member States should therefore establish one or more health data access bodies to reflect, inter alia, their constitutional, organisational and administrative structure. However, one of those health data access bodies should be designated as a coordinator in the event there is more than one health data access body. Where a Member State establishes several health data access bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the European Health Data Space Board (the ‘EHDS Board’). That Member State should, in particular, designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies could vary in terms of organisation and size, spanning from a dedicated fully fledged organisation to a unit or department in an existing organisation. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use and should avoid any conflicts of interest. Therefore, members of the governance and decision-making bodies of each health data access body and its staff should refrain from any action that is incompatible with their duties and should not engage in any incompatible occupation. However, the independence of the health data access bodies should not mean that they cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review. Each health data access body should be provided with the financial, technical and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. The members of the governance and decision-making bodies of health data access bodies and their staff should have the necessary qualifications, experience and skills. Each health data access body should have a separate public annual budget, which could be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(2) of Regulation (EU) 2022/868, Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation (EU) 2022/868 or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.

(65)

Health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, health data access bodies should cooperate with each other and with the Commission. Health data access bodies should also cooperate with stakeholders, including patient organisations. Health data access bodies should support health data holders that are small enterprises in accordance with Commission Recommendation 2003/361/EC (18), in particular medical practitioners and pharmacies. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulations (EU) 2016/679 and (EU) 2018/1725 apply and the supervisory authorities under those Regulations should remain the only authorities competent for enforcing those provisions. Health data access bodies should inform the data protection authorities of any penalties imposed and any potential issues related to data processing for secondary use and exchange any relevant information at their disposal to ensure enforcement of the relevant rules. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, and promote the development of common standards. They should apply tested state-of-the-art techniques that ensure electronic health data are processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets for the health data user as required under the issued data permit. In that regard, health data access bodies should cooperate across borders to develop and exchange best practices and techniques. This includes rules for pseudonymisation and anonymisation of micro datasets. When relevant, the Commission should set out the procedures and requirements, and provide technical tools, for a unified procedure for pseudonymising and anonymising electronic health data.

(66)

Health data access bodies should ensure that secondary use is transparent by providing public information about the data permits granted and their justifications, the measures taken to protect the rights of natural persons, the means for natural persons to exercise their rights in relation to secondary use, and the outcomes of secondary use including through links to scientific publications. Where appropriate, that information on the outcomes of secondary use should also include a lay summary to be provided by the health data user. Those transparency obligations complement the obligations laid down in Article 14 of Regulation (EU) 2016/679. The exceptions provided for in Article 14(5) of that Regulation could apply. Where such exceptions do apply, the transparency obligations established in this Regulation should contribute to ensuring fair and transparent processing as referred to in Article 14(2) of Regulation (EU) 2016/679, for example through providing information on the purpose of the processing and the data categories processed, thereby enabling natural persons to understand whether their data are being made available for secondary use pursuant to data permits.

(67)

Natural persons should be informed by the health data holders about significant findings related to their health made by health data users. Natural persons should have the right to request not to be informed of such findings. Member States could lay down conditions on the arrangements for the provision by the health data holders of such information to the natural persons concerned and on the exercise of the right not to be informed. Member States should be able, in accordance with Article 23(1), point (i), of Regulation (EU) 2016/679, to restrict the scope of the obligation to inform natural persons whenever necessary for their protection based on patient safety and ethics, by delaying the communication of their information until a health professional can communicate and explain to the natural persons concerned information that potentially can have an impact on their health.

(68)

In order to promote transparency, health data access bodies should also publish activity reports, every two years, providing an overview of their activities. Where a Member State has designated more than one health data access body, the coordinating body should prepare and publish a common report every two years. Activity reports should follow a structure agreed by the EHDS Board and provide an overview of activities, including information regarding decisions on applications, audits and engagement with relevant stakeholders. Such stakeholders can include representatives of natural persons, patient organisations, health professionals, researchers and ethical committees.

(69)

In order to support secondary use, health data holders should refrain from withholding the data, requesting unjustified fees that are not transparent or proportionate to the costs of making the data available or, where relevant, to marginal costs of data collection, requesting the health data users to co-publish the research or other practices that could dissuade the health data users from requesting the data. Where a health data holder is a public sector body, the part of the fees linked to its costs should not cover the costs of the initial collection of the data. Where ethical approval is necessary for providing a data permit, the evaluation related to ethical approval should be based on its own merits.

(70)

Health data access bodies should be allowed to charge fees, taking into account the horizontal rules provided by Regulation (EU) 2022/868, in relation to their tasks. Such fees could take into account the situation and interest of small and medium-sized enterprises (SMEs), individual researchers or public sector bodies. In particular, Member States should be able to establish measures for health data access bodies in their jurisdiction which make it possible to charge certain categories of health data users reduced fees. Health data access bodies should be able to cover the costs of their operations with fees set up in a proportionate, justified and transparent manner. This could result in higher fees for some health data users, if handling their health data access applications and health data requests requires more work. Health data holders should be allowed to also ask for fees for making data available which reflect their costs. Health data access bodies should decide on the amount of such fees, which could also include the fees requested by health data holders. The health data user ought to be charged such fees by the health data access body in a single invoice. The health data access body should then transfer the relevant part of the paid fees to the health data holder. In order to ensure a harmonised approach concerning fee policies and structure, implementing powers should be conferred on the Commission. Article 10 of Regulation (EU) 2023/2854 should apply to fees charged under this Regulation.

(71)

In order to strengthen the enforcement of the rules on secondary use, appropriate measures that can lead to administrative fines or enforcement measures by health data access bodies or temporary or definitive exclusions from the EHDS framework of health data users or health data holders that do not comply with their obligations should be envisaged. Health data access bodies should be empowered to verify compliance of health data users and health data holders and give them the opportunity to reply to any findings and to remedy any infringement. When deciding on the amount of the administrative fine or on an enforcement measure for each individual case, health data access bodies should take into account the cost margins and the criteria set out in this Regulation, ensuring that those fines or measures are proportionate.

(72)

Given the sensitivity of electronic health data, it is necessary to reduce risks for the privacy of natural persons by applying the data minimisation principle. Therefore, non-personal electronic health data should be made available in all cases where the provision of such data is sufficient. If the health data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of that type of data and the health data access body should assess whether that justification is valid. The personal electronic health data should only be made available in pseudonymised format. Taking into account the specific purposes of the processing, personal electronic health data should be pseudonymised or anonymised as early as possible in the process of making data available for secondary use. It should be possible for pseudonymisation and anonymisation to be carried out by health data access bodies or by health data holders. As controllers, health data access bodies and health data holders should be allowed to delegate those tasks to processors. When providing access to a pseudonymised or anonymised dataset, a health data access body should use state-of-the-art pseudonymisation or anonymisation technology and standards, ensuring to the maximum extent possible that natural persons cannot be re-identified by health data users. Such technology and standards for data pseudonymisation or anonymisation should be further developed. Health data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, and where they do so they should be subject to administrative fines and enforcement measures laid down in this Regulation or possible criminal penalties, where national law so provides. Moreover, a health data applicant should be able to request a response to a health data request in an anonymised statistical format. In such cases, the health data user will only process non-personal data, and the health data access body will remain sole controller for any personal data necessary to provide the response to the health data request.

(73)

In order to ensure that all health data access bodies issue data permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The health data applicant should provide health data access bodies with several elements of information that would help the body evaluate the health data access application and decide if the health data applicant can receive a data permit, and coherence should be ensured between different health data access bodies. The information provided as part of the health data access application should comply with the requirements established under this Regulation in order to enable it to be thoroughly assessed, as a data permit should only be issued if all the necessary conditions set out in this Regulation are met. In addition, where relevant, that information should include a declaration by the health data applicant that the intended use of the health data requested does not pose a risk of stigmatisation, or of causing harm to the dignity, of natural persons or groups to which the dataset requested relates. An ethical assessment could be requested based on national law. In that case, it should be possible for existing ethics bodies to carry out such assessments for the health data access body. Existing ethics bodies of Member States should make their expertise available to the health data access body for that purpose. Alternatively, Member States should be able to provide for ethics bodies to be part of the health data access body. The health data access body, and where relevant health data holders, should assist health data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the health data applicant needs data in an anonymised statistical format, it should submit a health data request, requiring the health data access body to provide the result directly. A refusal of a data permit by the health data access body should not preclude the health data applicant from submitting a new health data access application. In order to ensure a harmonised approach between health data access bodies and to limit the administrative burden for the health data applicants, the Commission should support the harmonisation of health data access applications, as well as health data requests, including by establishing the relevant templates. In justified cases, such as in the case of a complex and burdensome request, the health data access body should be allowed to extend the time period for health data holders to make the requested electronic health data available to it.

(74)

As their resources are limited, health data access bodies should be allowed to apply prioritisation rules, for instance prioritising public institutions over private entities, but they should not discriminate between the national organisations and organisations from other Member States within the same category of priorities. A health data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publications or to enable additional analysis of the dataset based on the initial findings. This should require an amendment of the data permit and could be subject to an additional fee. However, in all cases, the data permit should reflect such additional uses of the dataset. Preferably, the health data user should mention them in their initial health data access application. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permits.

(75)

As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies with a legal mandate in the field of public health, especially the Commission, need access to health data for a longer period and on a recurring basis. This may be the case not only for specific circumstances provided for in Union or national law in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data could be required in specific Member States or throughout the whole territory of the Union. Such Union institutions, bodies, offices and agencies should be able to benefit from an accelerated procedure for having data made available, ordinarily in less than two months, with a possibility of prolonging the timeline by one month in more complex cases.

(76)

Member States should be able to designate trusted health data holders for which the data permit issuing procedure can be performed in a simplified manner, in order to alleviate the administrative burden for health data access bodies of managing requests for the data processed by them. Trusted health data holders should be allowed to assess the health data access applications submitted under this simplified procedure, based on their expertise in dealing with the type of health data they are processing, and issue a recommendation regarding a data permit. The health data access body should remain responsible for issuing the final data permit and should not be bound by the recommendation provided by the trusted health data holder. Health data intermediation entities should not be designated as trusted health data holders.

(77)

Given the sensitivity of electronic health data, health data users should not have unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure there are strong technical and security safeguards in place for the electronic health data, the health data access body or, where relevant, the trusted health data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. The processing of personal data in such a secure processing environment should comply with Regulation (EU) 2016/679, including, where the secure processing environment is managed by a third party, the requirements of Article 28 of that Regulation and, where applicable, Chapter V thereof. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the health data users. The health data access body or the health data holder providing that service should remain at all times in control of the access to the electronic health data, and the access granted to the health data users should be determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any personal electronic health data should be downloaded by the health data users from such secure processing environment. Thus, such a secure processing environment is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member States in developing common security standards in order to promote the security and interoperability of the various secure processing environments.

(78)

Regulation (EU) 2022/868 sets out the general rules for the management of data altruism. Given that the health sector manages sensitive data, additional criteria should be established through the rulebook referred to in that Regulation. Where such rules provide for the use of a secure processing environment for that sector, such secure processing environment should comply with the criteria established in this Regulation. The health data access bodies should cooperate with the competent authorities designated under Regulation (EU) 2022/868 to supervise the activity of data altruism organisations in the health or care sector.

(79)

For the processing of electronic health data in the scope of a data permit or a health data request, health data holders, including trusted health data holders, health data access bodies and health data users should be deemed each of them, in turn, controllers for a specific part of the process and according to their respective roles therein. Health data holders should be deemed controllers for the disclosure of the requested personal electronic health data to the health data access bodies, while the health data access bodies should in turn be deemed controllers for the processing of the personal electronic health data when preparing the data and making them available to the health data users. Health data users should be deemed controllers for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to their data permits. Health data access bodies should be deemed processors on behalf of the health data user for the processing carried out by the health data user pursuant to a data permit in the secure processing environment as well as for the processing to generate a response to a health data request. Similarly, trusted health data holders should be deemed controllers for their processing of personal electronic health data related to the provision of electronic health data to the health data user pursuant to a data permit or a health data request. The trusted health data holders should be deemed processors for the health data user when providing data through a secure processing environment.

(80)

In order to achieve an inclusive and sustainable framework for multi-country secondary use, a cross-border infrastructure should be established (‘HealthData@EU’). HealthData@EU should accelerate secondary use while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as ‘privacy by design’ and ‘privacy by default’ and the concept of bringing questions to data instead of moving those data should be respected whenever possible. Member States should designate national contact points for secondary use, as organisational and technical gateways for health data access bodies, and connect those contact points to HealthData@EU. The Union health data access service should also be connected to HealthData@EU. In addition, authorised participants in HealthData@EU could be research infrastructures established as a European Research Infrastructure Consortium (ERIC) under Council Regulation (EC) No 723/2009 (19), as a European digital infrastructure consortium (EDIC) under Decision (EU) 2022/2481 or similar infrastructures established under other Union legal acts, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI) or infrastructures federated under the European Open Science Cloud (EOSC). Third countries and international organisations could also become authorised participants in HealthData@EU, provided that they are compliant with the requirements in this Regulation. The Commission communication of 19 February 2020 entitled ‘A European strategy for data’ promoted the linking of the various common European data spaces. HealthData@EU should therefore enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as those relating to the environment, agriculture and social sector. Such interoperability between the health sector and other sectors such as the environmental, agricultural or social sectors could be relevant for obtaining additional insights on health determinants. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants in HealthData@EU for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission could also set up a secure processing environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, such as those being built for the exchange of evidence under the ‘once-only’ technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council (20).

(81)

In addition, given that the connection to HealthData@EU could entail transfers of personal data related to the applicant or the health data user to third countries, relevant transfer instruments under Chapter V of Regulation (EU) 2016/679 need to be in place for such transfers.

(82)

In the case of cross-border registries or databases, such as the registries of European Reference Networks for Rare Diseases, which receive data from different healthcare providers in several Member States, the health data access body of the Member State where the coordinator of the registry is located should be responsible for providing access to data.

(83)

The authorisation process to gain access to personal electronic health data in different Member States can be repetitive and cumbersome for health data users. Whenever possible, synergies should be established to reduce the burden and barriers for health data users. One way to achieve that aim is to adhere to the ‘single application’ principle whereby, with one application, the health data user can obtain authorisation from multiple health data access bodies in different Member States or authorised participants in HealthData@EU.

(84)

The health data access bodies should provide information about the available datasets and their characteristics so that health data users can be informed of elementary facts about the dataset and assess the possible relevance of those facts to those users. For this reason, each dataset should include, at least, information concerning the source and nature of the data and the conditions for making the data available. The health data holder should, at least every year, check that its dataset description in the national dataset catalogue is accurate and up to date. Therefore, an EU dataset catalogue should be established to: facilitate the discoverability of datasets available in the EHDS; help health data holders to publish their datasets; provide all stakeholders, including the general public, taking into account the specific needs of people with disabilities, with information about datasets placed on the EHDS, such as quality and utility labels and dataset information sheets; and provide health data users with up-to-date data quality and utility information about datasets.

(85)

Information on the quality and utility of datasets increases the value of outcomes from data-intensive research and innovation significantly while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines and recommendations for data collection and data exchange, such as FAIR principles, also benefits health data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform health data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between health data holders and health data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set by frameworks created pursuant to Article 10 of Regulation (EU) 2024/1689 and the relevant technical documentation specified in Annex IV to that Regulation should be taken into account when developing the data quality and utility framework. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support those activities. The use of datasets could be prioritised by their users according to their usefulness and quality.

(86)

The EU dataset catalogue should minimise the administrative burden for the health data holders and other database users, be user-friendly, accessible and cost-effective, connect national dataset catalogues and avoid redundant registration of datasets. Without prejudice to the requirements set out in Regulation (EU) 2022/868, the EU dataset catalogue could be aligned with the data.europa.eu initiative. Interoperability should be ensured between the EU dataset catalogue, the national dataset catalogues and the dataset catalogues from European research infrastructures and other relevant data sharing infrastructures.

(87)

Cooperation and work are ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets, for instance registries. That work is more advanced in areas such as cancer, rare diseases, cardiovascular and metabolic diseases, risk factor assessment and statistics, and should be taken into account when defining new standards and disease-specific harmonised templates for structured data elements. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised coding and registration of electronic health data to enable the supply of such data for secondary use in a consistent way. Such datasets could include data from registries of rare diseases, orphan drugs databases, cancer registries and registries of highly relevant infectious diseases. Member States should work towards ensuring that European electronic health systems and services and interoperable applications deliver sustainable economic and social benefits, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare. Existing health data infrastructures and registries can provide models that are useful for defining and implementing data standards and interoperability and should be leveraged to enable continuity and to build on existing expertise.

(88)

The Commission should support Member States in building capacity and enhancing effectiveness in the area of digital health systems for primary use and secondary use. Member States should be supported to strengthen their capacity. Activities at Union level, such as benchmarking and exchange of best practices, are relevant measures in that respect. Those activities should take into account the specific circumstances of different categories of stakeholders, such as representatives of civil society, researchers, medical societies and SMEs.

(89)

Improving digital health literacy for both natural persons and health professionals is essential to trust and safety and appropriate use of health data and thus is essential to achieving a successful implementation of this Regulation. Health professionals are faced with profound changes in the context of digitalisation and will be offered further digital tools as part of the implementation of the EHDS. Consequently, health professionals need to develop their digital health literacy and digital skills and Member States should provide access for health professionals to digital literacy courses so that they can prepare to work with EHR systems. Such courses should allow health professionals and IT operators to receive sufficient training in working with new digital infrastructures to ensure cybersecurity and ethical management of health data. The training courses should be developed and reviewed, and kept up to date, on a regular basis in consultation and cooperation with relevant experts. Improving digital health literacy is fundamental in order to empower natural persons to have true control over their health data, actively manage their health and care, and understand the implications of the management of such data for both primary use and secondary use. Different demographic groups have varying degrees of digital literacy, which can affect natural persons’ ability to exercise their rights to control their electronic health data. Member States, including regional and local authorities, should therefore support digital health literacy and public awareness, while ensuring that the implementation of this Regulation contributes to reducing inequalities and does not discriminate against people lacking digital skills. Particular attention should be given to persons with disabilities and vulnerable groups including migrants and the elderly. Member States should create targeted national digital literacy programmes, including programmes to maximise social inclusion and to ensure all natural persons can effectively exercise their rights under this Regulation. Member States should also provide patient-centric guidance to natural persons in relation to the use of electronic health records and primary use of their personal electronic health data. Guidance should be tailored to the patient’s level of digital health literacy, with specific attention to be given to the needs of vulnerable groups.

(90)

The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, and the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation, when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds. Union funds need to be distributed transparently among the Member States, taking into account the different levels of health system digitalisation. Making data available for secondary use requires additional resources for healthcare systems, in particular public healthcare systems. That additional burden should be addressed and minimised during the implementation phase of the EHDS.

(91)

The implementation of the EHDS requires appropriate investment in capacity-building and training and a well-funded commitment to public consultation and engagement both at Union and national level. The economic costs of implementing this Regulation will need to be borne at both Union and national level, and a fair sharing of that burden between Union and national funds will need to be found.

(92)

Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically provided for in Regulation (EU) 2022/868. Even where state-of-the-art anonymisation techniques are used, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases, that is to say a life-threatening or chronically debilitating condition affecting not more than 5 in 10 000 persons in the Union, where the limited numbers of cases reduce the possibility of fully aggregating the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. Such residual risk can affect different categories of health data and can lead to the re-identification of the data subjects using means that are beyond those reasonably likely to be used. Such risk depends on the level of granularity, on the description of the characteristics of data subjects, on the number of people affected, for instance in cases of data included in electronic health records, disease registries, biobanks and person-generated data, where the range of identification characteristics is broader, and on the possible combination with other information, for example in very small geographical areas, or through the technological evolution of methods which had not been available at the moment of anonymisation. Such re-identification of natural persons would present a major concern and would be likely to put the acceptance of the rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as is the case in the reporting on clinical trials and clinical investigations, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for those categories of health data, there remains a risk of re-identification after the anonymisation or aggregation, which cannot be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation (EU) 2022/868. Those types of health data would thus fall within the empowerment set out in Article 5(13) of that Regulation for transfer to third countries. The special conditions provided for under the empowerment set out in Article 5(13) of Regulation (EU) 2022/868 will be detailed in the context of the delegated act adopted under that empowerment, and need to be proportional to the risk of re-identification and to take into account the specificities of different data categories or of different anonymisation or aggregation techniques.

(93)

The processing of large amounts of personal electronic health data for the purposes of the EHDS, as part of data processing activities in the context of handling health data access applications, data permits and health data requests entails higher risks of unauthorised access to such personal data, as well as the possibility of cybersecurity incidents. Personal electronic health data are particularly sensitive as they often contain information covered by medical secrecy, the disclosure of which to unauthorised third parties can cause significant distress. Taking fully into consideration the principles outlined in the case law of the Court of Justice of the European Union, this Regulation ensures full respect for fundamental rights, for the right to privacy and for the principle of proportionality. In order to ensure the full integrity and confidentiality of personal electronic health data under this Regulation, to guarantee a particularly high level of protection and security, and to reduce the risk of unlawful access to those personal electronic health data, this Regulation allows Member States to require that personal electronic health data be stored and processed solely within the Union for the purpose of carrying out the tasks provided for in this Regulation, unless an adequacy decision adopted pursuant to Article 45 of Regulation (EU) 2016/679 applies.

(94)

Access to electronic health data for health data users established in third countries or for international organisations should take place only on the basis of the reciprocity principle. Making electronic health data available to a third country should be allowed to take place only where the Commission has established, by means of an implementing act, that the third country concerned allows access to electronic health data originating from that third country by Union entities under the same conditions and with the same safeguards as would be the case if they were accessing electronic health data within the Union. The Commission should monitor and carry out a periodic review of the situation in those third countries and for international organisations and list those implementing acts. Where the Commission finds that a third country no longer ensures access on the same terms, it should revoke the corresponding implementing act.

(95)

In order to promote the consistent application of this Regulation, including as regards cross-border interoperability of electronic health data, a European Health Data Space Board should be set up. The Commission should participate in its activities and co-chair it. The EHDS Board should be able to issue written contributions related to the consistent application of this Regulation throughout the Union, including by helping Member States to coordinate the use of electronic health data for healthcare and certification, but also concerning secondary use, and the funding for those activities. This could also include sharing information on risks and incidents in the secure processing environments. The sharing of that kind of information does not affect obligations under other legal acts, such as data breach notifications under Regulation (EU) 2016/679. More generally, the activities of the EHDS Board are without prejudice to the powers of the supervisory authorities pursuant to Regulation (EU) 2016/679. Given that, at national level, digital health authorities dealing with primary use may be different from the health data access bodies dealing with secondary use, the functions are different and there is a need for distinct cooperation in each of those areas, the EHDS Board should be able to set up subgroups dealing with those two functions, as well as other subgroups, as needed. In order for there to be an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations (EU) 2022/868, (EU) 2023/2854 and (EU) 2024/1689 and Regulation (EU) 2019/881 of the European Parliament and of the Council (21). The EHDS Board should operate independently, in the public interest and in line with its code of conduct.

(96)

Where issues that are considered by the EHDS Board to be of specific relevance are discussed, it should be able to invite observers, for instance the EDPS, representatives of Union institutions, including of the European Parliament, and other stakeholders.

(97)

A stakeholder forum should be set up to advise the EHDS Board in the fulfilment of its tasks by providing stakeholder input on matters pertaining to this Regulation. The stakeholder forum should be composed, inter alia, of representatives of patient and consumer organisations, health professionals, industry, scientific researchers and academia. It should have a balanced composition and represent the views of different relevant stakeholders. Both commercial and non-commercial interests should be represented.

(98)

In order to ensure proper day-to-day management of the cross-border infrastructures for primary use and secondary use, it is necessary to create steering groups consisting of Member State representatives. These steering groups should take operational decisions on the technical day-to-day management of the cross-border infrastructures and their technical development, including on technical changes to the infrastructures, improving functionalities or services, or ensuring interoperability with other infrastructures, digital systems or data spaces. Their activities should not include contributing to the development of implementing acts affecting those infrastructures. The steering groups should also be able to invite representatives of other authorised participants in HealthData@EU as observers to their meetings and should consult relevant experts when carrying out their tasks.

(99)

Without prejudice to any other administrative, judicial or non-judicial remedy, any natural or legal person should have the right to lodge a complaint with a digital health authority or with a health data access body, if the natural or legal person considers that his or her rights or interests under this Regulation have been affected. The investigation following a complaint should be carried out, subject to judicial review, to the extent appropriate in the specific case. The digital health authority or health data access body should inform the natural or legal person of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another digital health authority or health data access body, information on the progress made in dealing with the complaint should be given to the natural or legal person. In order to facilitate the submission of complaints, each digital health authority and health data access body should take measures such as providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication. Where the complaint concerns the rights of natural persons related to the protection of their personal data, the digital health authority or health data access body should transmit the complaint to the supervisory authorities under Regulation (EU) 2016/679. Digital health authorities or health data access bodies should cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means, without undue delay.

(100)

Where a natural person considers that his or her rights under this Regulation have been infringed, he or she should have the right to mandate a not-for-profit body, organisation or association constituted in accordance with national law, having statutory public interest objectives and active in the field of the protection of personal data, to lodge a complaint on his or her behalf.

(101)

The digital health authority, health data access body, health data holder or health data user should compensate any damage which a natural or legal person suffers as a result of an infringement of this Regulation. The concept of damage should be broadly interpreted in the light of the case law of the Court of Justice of the European Union, in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other provisions in Union or national law. Natural persons should receive full and effective compensation for the damage they have suffered.

(102)

In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of this Regulation, in addition to, or instead of, appropriate measures imposed by health data access bodies pursuant to this Regulation. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.

(103)

It is appropriate to lay down provisions enabling health data access bodies to apply administrative fines for certain infringements of this Regulation which should be considered under this Regulation to be serious infringements, such as the re-identification of natural persons, downloading personal electronic health data outside of the secure processing environment or processing of data for prohibited uses or uses not covered by a data permit. This Regulation should specify those infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent health data access body in each individual case, taking into account all the relevant circumstances of the specific situation, having due regard in particular to the nature, gravity and duration of the infringement and its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. For the purposes of the imposition of administrative fines under this Regulation, the concept of undertaking should be understood in accordance with Articles 101 and 102 TFEU. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning should not affect the enforcement of other powers of the health data access bodies or of other penalties under this Regulation.

(104)

In order to ensure that the EHDS fulfils its objectives, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the modification, addition or removal in Annex I of the main characteristics of the priority categories of personal electronic health data, the list of required data to be entered by the manufacturers of EHR systems and wellness applications into the EU database for registration of EHR systems and wellness applications as well as the modification, addition or removal of elements to be covered by the data quality and utility label. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making (22). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(105)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission as regards:

Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (23).

(106)

Member States should take all measures necessary to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. When deciding on the amount of the penalty for each individual case, Member States should take into account the limits and criteria set out in this Regulation. Re-identification of natural persons should be considered a serious breach of this Regulation.

(107)

Implementing the EHDS will require significant development work across Member States and central services. To track the progress made in that regard, the Commission should, until the full application of this Regulation, report annually on that progress, taking into account information provided by the Member States. Those reports could include recommendations for remedial measures, as well as an assessment of the progress made.

(108)

In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level, the Commission should carry out an evaluation of this Regulation. The Commission should carry out a targeted evaluation of this Regulation within eight years of its entry into force, and an overall evaluation within 10 years of its entry into force. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.

(109)

For a successful cross-border implementation of the EHDS, the European Interoperability Framework, the scope of which was updated and extended by the Commission communication of 23 March 2017 entitled ‘European Interoperability Framework – Implementation Strategy’ to take on board new or revised interoperability requirements, should be considered as a common reference to ensure legal, organisational, semantic and technical interoperability.

(110)

Since the objectives of this Regulation, namely to empower natural persons by providing them with increased control over their personal electronic health data and supporting their freedom of movement by ensuring that their health data follow them, to foster a genuine internal market for digital health services and products and to ensure a consistent and efficient framework for the reuse of natural persons’ health data for research, innovation, policymaking and regulatory activities, cannot be sufficiently achieved by the Member States through coordination measures alone, as shown by the evaluation of the digital aspects of Directive 2011/24/EU, but can rather, by reason of harmonising measures for rights of natural persons in relation to their electronic health data, interoperability of electronic health data and a common framework and safeguards for the primary use and secondary use, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(111)

The evaluation of the digital aspects of Directive 2011/24/EU shows that the effectiveness of the eHealth Network is limited, but also that there is strong potential for work at Union level in the area of digital health, as demonstrated by the work carried out during the COVID-19 pandemic. Directive 2011/24/EU should therefore be amended accordingly.

(112)

This Regulation complements the essential cybersecurity requirements laid down in Regulation (EU) 2024/2847. EHR systems which are products with digital elements within the meaning of Regulation (EU) 2024/2847 should therefore also comply with the essential cybersecurity requirements set out in that Regulation. The manufacturers of those EHR systems should demonstrate conformity as required by this Regulation. To facilitate that conformity, manufacturers should be allowed to draw up a single set of technical documents containing the elements required by both legal acts. It should be possible to demonstrate conformity of EHR systems with essential cybersecurity requirements laid down in Regulation (EU) 2024/2847 through the assessment framework under this Regulation. However, the parts of the conformity assessment procedure under this Regulation which relate to the use of testing environments should not be applied, since those testing environments do not allow for an assessment of conformity with the essential cybersecurity requirements. As Regulation (EU) 2024/2847 does not cover Software as a Service (SaaS) directly as such, EHR systems offered through the SaaS licensing and delivery model do not fall within the scope of that Regulation. Similarly, EHR systems that are developed and used in-house do not fall within the scope of that Regulation, as they are not placed on the market.

(113)

The EDPS and the EDPB were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 and delivered their joint opinion on 12 July 2022.

(114)

This Regulation should not affect the application of the rules of competition, and in particular Articles 101 and 102 TFEU. The measures provided for in this Regulation should not be used to restrict competition in a manner contrary to the TFEU.

(115)

Given the need for technical preparation, this Regulation should apply from 26 March 2027. In order to support the successful implementation of the EHDS and the creation of effective conditions for European health data cooperation, the implementation should take place in stages,