Activities of Lucia ĎURIŠ NICHOLSONOVÁ related to 2022/0140(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space
Amendments (267)
Amendment 181 #
Proposal for a regulation
Recital 2
Recital 2
(2) The COVID-19 pandemic has highlighted the imperative of having timely access to quality electronic health data for health threats preparedness and response, as well as for prevention, diagnosis and treatment and secondary use of health data. Such timely access would have contributed, through efficient public health surveillance and monitoring, to a more effective management of the pandemic, and ultimately would have helped to save lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/126941, to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and Union level. _________________ 41 Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (OJ L 200, 29.7.2019, p. 35).
Amendment 201 #
Proposal for a regulation
Recital 7
Recital 7
(7) In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved acess to their own personal electronic health data and are empowered to share it. The implementation cost for connecting healthcare professionals to the EHDS should not be carried by healthcare professionals alone. To this end, Member States should ensure that EU financial incentives as well as national ressources are evenly and fairly distributed.
Amendment 220 #
Proposal for a regulation
Recital 10
Recital 10
(10) Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be clearly marked to indicate the source of such additional data until a relevant health professional validates the information, which would then be marked as confirmed by a health professional. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals.
Amendment 232 #
Proposal for a regulation
Recital 13
Recital 13
(13) Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported but the restrictions on information should be easily identifiable by health professionals in the EHR in order to take due regard to the fact that the information is incomplete, when treating the patient. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
Amendment 246 #
Proposal for a regulation
Recital 17
Recital 17
(17) The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded. The Commission should be empowered to extend the list of priority categories, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.
Amendment 256 #
Proposal for a regulation
Recital 20
Recital 20
(20) While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt implementing acts for determining additional aspects related to the registration of electronic health data, such as categories of healthcare providers that are to register health data electronically, categories of data to be registered electronically, or data quality requirements.
Amendment 270 #
Proposal for a regulation
Recital 22
Recital 22
(22) Regulation (EU) No 910/2014 of the European Parliament and of the Council47lays down the conditions under which Members States perform identification of natural persons in cross- border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’). In the future, the identification and authentication for access to EHR should be facilitated by the new eID system that will be set up under the revised Regulation (EU) No 910/2014.As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level. Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities. _________________ 47 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
Amendment 273 #
Proposal for a regulation
Recital 23
Recital 23
(23) Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, and regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
Amendment 295 #
Proposal for a regulation
Recital 27
Recital 27
(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory self-certificationthird party assessment scheme for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through this self- certificationthird party assessment, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council48. _________________ 48 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 300 #
Proposal for a regulation
Recital 28
Recital 28
(28) While EHR systems specifically intended by the manufacturer to be used for processing one or more specific categories of electronic health data should be subject to mandatory self-certificationthird party assessment, software for general purposes should not be considered as EHR systems, even when used in a healthcare setting, and should therefore not be required to comply with the provisions of Chapter III.
Amendment 316 #
Proposal for a regulation
Recital 36 a (new)
Recital 36 a (new)
(36 a) The uptake of real-world data and real-world evidence, including patient reported outcomes, for evidence-based regulatory and policy purposes as well as for research, health technology assessment and clinical objectives should be encouraged. Real-world data and real- world evidence have the potential to complement randomised clinical trial data and is particularly relevant when assessing safety and medicinal effectiveness of innovative products, such as, but not limited to Advanced Therapies Medicinal Products (ATMPs), particularly in the rare disease domain.
Amendment 349 #
Proposal for a regulation
Recital 40
Recital 40
(40) The data holders in the context of secondary use of electronic health data can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding, should be made available by data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies should be provided by the level of confidentiality protection in accordance with TRIPS and Directive (EU) 2016/943. often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.
Amendment 353 #
Proposal for a regulation
Recital 40 a (new)
Recital 40 a (new)
(40 a) Clinical trials are of utmost importance for fostering innovation within Europe in the benefit of European patients. In order to incentivise continuous European leadership in this domain, the sharing of the clinical trials data through the EHDS for secondary use should not compromise the scientific integrity of and investment in these clinical trials, in line with Regulation (EU) 536/2014.
Amendment 367 #
Proposal for a regulation
Recital 42
Recital 42
(42) The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health- related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial, technical and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Given the central role of the health data access bodies in the context of secondary use of electronic health data, and especially the decision-making on granting or refusing a health data permit and preparing the data to make it available to health data users, their members and staff should have the necessary qualifications, experience and skills, in particular in the area of ethics, cybersecurity, protection of intellectual property and trade secrets, healthcare, scientific research, artificial intelligence and other relevant areas, as well as the protection of personal data and specifically data concerning health. In addition, the decision-making process regarding the granting or refusal of the health data permit should involve ethical considerations. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
Amendment 372 #
Proposal for a regulation
Recital 43
Recital 43
(43) The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested state-of-the-art techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. In this regard, health data access bodies should cooperate across borders and converge on common definitions and techniques. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.
Amendment 375 #
Proposal for a regulation
Recital 44
Recital 44
(44) Considering the administrative burden for health data access bodies toHealth data access bodies should comply with the obligations laid down in Article 14 paragraphs (1), (2), (3) and (4) of Regulation (EU) 2016/679 and inform the natural persons whose data are used in data projects within a secure processing environment, t. The exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 shouldmay apply. TWherefore such exceptions are applied, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed, allowing natural persons to understand whether their data are being made available for secondary use pursuant to data permits. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the data subject or his health professionalhealth professional of the data subject concerned. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
Amendment 400 #
Proposal for a regulation
Recital 49
Recital 49
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the relevant health professional of the concerned natural person(s). Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
Amendment 401 #
Proposal for a regulation
Recital 50
Recital 50
(50) In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide health data access bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information include: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), applicant´s identity, purposes for which the data would be used and detailed plan and explanation of the intended use and expected benefits related to the use, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. The applicant should also provide a declaration of having sufficient experience to manage the intended uses of the data requested, consistent with ethical practice and applicable laws and regulations as well as a declaration that the intended uses of the data request do not pose a risk of stigmatisation or dignity harm to both individuals and the groups implicated in the dataset requested. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data access bodies and, where relevant data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data, it should submit a data request application, requiring the health data access body to provide directly the result. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data application, as well as data request.
Amendment 416 #
Proposal for a regulation
Recital 53
Recital 53
Amendment 424 #
Proposal for a regulation
Recital 54
Recital 54
(54) Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body or, where relevant, single data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
Amendment 426 #
Proposal for a regulation
Recital 55
Recital 55
(55) For the processing of electronic health data in the scope of a granted permit, the health data holders, the health data access bodies and the health data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users, the Commission should, by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter intoshould each, in their turn, be deemed a controller for a specific part of the process and according to their respective roles in it, meaning that the health data holder should be considered a controller for the processing of personal electronic health data while carrying out its obligation under Article 41 (1) and (1a), health data access body should be considered a controller for the processing of personal electronic health data while carrying out its task referred to in Article 37(1) (d) of this Regulation and health data user, including Union institutions, bodies, offices and agencies, should be deemed a controller for the processing of personal electronic health data in the secure processing environment pursuant to a data permit. In this case, the health data access body should be deemed a processor. In order to achieve an inclusive and sustainable framework for multi- country secondary use of electronic health data, a cross-border infrastructure should be established. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/200950or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social, etc.. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross- border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council51. _________________ 50 Council Regulation (EC) No 723/2009 of 25 June 2009 on the Community legal framework for a European Research Infrastructure Consortium (ERIC) (OJ L 206, 8.8.2009, p. 1). 51 Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).
Amendment 449 #
Proposal for a regulation
Recital 64 a (new)
Recital 64 a (new)
(64 a) Re-identification of natural persons should be considered a particularly serious breach of this Regulation. Member States should consider criminalising re-identification as well as disclosure of de-anonymised health data by health data users to serve as a deterrent measure.
Amendment 455 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It. The EHDS Board should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. An advisory forum should be set up to advise the EHDS Board it in the fulfilment of its tasks by providing stakeholder input in matters pertaining to this Regulation. The advisory forum should be composed of representatives of patients, health professionals, industry, scientific researchers and academia, have a balanced composition and represent the views of different relevant stakeholders. Commercial and non-commercial interests should be balanced. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].
Amendment 463 #
Proposal for a regulation
Recital 71
Recital 71
(71) In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, on the self-certification of EHR systems, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
Amendment 467 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation establishes the European Health Data Space (‘EHDS’) by providing for rules, interoperable common standards and, practices, and infrastructures and a governance framework for the primary and secondary use of electronic health data.
Amendment 472 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
Article 1 – paragraph 2 – point a
(a) strengthens the rights of natural persons in relation to the availability, sharing and control of their electronic health data;
Amendment 481 #
Proposal for a regulation
Article 1 – paragraph 3 – point a
Article 1 – paragraph 3 – point a
(a) manufacturers and suppliers of EHR systems and products claiming interoperability with EHR systems, including medical devices, high-risk AI systems and wellness applications placed on the market and put into service in the Union and the users of such products;
Amendment 501 #
Proposal for a regulation
Article 2 – paragraph 1 – point a
Article 2 – paragraph 1 – point a
(a) the definitions inof ‘personal data’, ‘processing’, ‘pseudonymisation’, ‘controller’, ‘processor’, ‘genetic data’, ‘data concerning health’, ‘cross-border processing’, ‘international organisation’ pursuant to Article 4 (1), (2), (5), (7), (8), (13), (15), (23), and (26) of Regulation (EU) 2016/679;
Amendment 509 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
Article 2 – paragraph 2 – point a
(a) ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services,that are processed in an electronic form;
Amendment 524 #
Proposal for a regulation
Article 2 – paragraph 2 – point d
Article 2 – paragraph 2 – point d
(d) ‘primary use of electronic health data’ means the processing of personal electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursementadministration relevant for the provision of healthcare services;
Amendment 526 #
Proposal for a regulation
Article 2 – paragraph 2 – point e
Article 2 – paragraph 2 – point e
(e) ‘secondary use of electronic health data’ means: (i) the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may includewhich was personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use;for purposes set out in Chapter IV of this Regulation, thereby constituting further processing within the meaning of Regulation (EU) 2016/679; or (ii) the processing of electronic health data which does not fall under (i) and was originally collected for the purposes set out in Chapter IV of this Regulation.
Amendment 536 #
Proposal for a regulation
Article 2 – paragraph 2 – point f
Article 2 – paragraph 2 – point f
(f) ‘interoperability’ means the ability of organisations as well as software applications or devices from the same manufacturer or different manufacturers to interact towards mutually beneficial goals, involving the exchange of information and knowledgeprocess, exchange and use data in order to perform their functions in an accurate, effective and consistent manner without changing the content of the data between these organisations, software applications or devices, through the processes they support;
Amendment 544 #
Proposal for a regulation
Article 2 – paragraph 2 – point k
Article 2 – paragraph 2 – point k
(k) ‘health data recipient’ means a natural or legal person that receives data from another controllerrecipient as defined in Article 4(9) of Regulation (EU) 2016/679, in the context of the primary use of electronic health data;
Amendment 550 #
Proposal for a regulation
Article 2 – paragraph 2 – point m
Article 2 – paragraph 2 – point m
(m) ‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare purposservices;
Amendment 556 #
Proposal for a regulation
Article 2 – paragraph 2 – point n
Article 2 – paragraph 2 – point n
(n) ‘EHR system’ (electronic health record system) means any appliance or software the primary purpose of which, intended by the manufacturer to be used for, is storing, intermediating, importing, exporting, converting, editing or viewing electronic health records between health professionals;
Amendment 578 #
Proposal for a regulation
Article 2 – paragraph 2 – point y
Article 2 – paragraph 2 – point y
(y) ‘health data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies, whoich: (i) has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data; to process electronic health data; or (ii) the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data through control of the technical design of a product and related services.
Amendment 583 #
Proposal for a regulation
Article 2 – paragraph 2 – point z
Article 2 – paragraph 2 – point z
(z) ‘health data user’ means a natural or legal person who has lawful access toas well as Union institutions, bodies, offices and agencies, who has been granted access, in accordance with this Regulation, to one or more of the categories of personal or non- personal electronic health data for secondary use;
Amendment 590 #
Proposal for a regulation
Article 2 – paragraph 2 – point aa
Article 2 – paragraph 2 – point aa
(aa) ‘health data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
Amendment 602 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae a (new)
Article 2 – paragraph 2 – point ae a (new)
(ae a) ‘ real world evidence’ (RWE) means data that are collected outside the constraints of conventional randomised clinical trials.
Amendment 606 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae b (new)
Article 2 – paragraph 2 – point ae b (new)
(ae b) ‘real-world data’ (RWD) means routinely collected data relating to patient health status or the delivery of healthcare from a variety of sources other than traditional clinical trials.
Amendment 618 #
Proposal for a regulation
Article -3 (new)
Article -3 (new)
Article -3 Scope For the purpose of this Chapter, health data holder shall be understood only as data holder from health sector providing healthcare.
Amendment 629 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
3. In accordance with Article 23 of Regulation (EU) 2016/679, Member States may restrict the scope of this righte rights referred to in paragraphs 1 and 2 whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on his or her health.
Amendment 636 #
Proposal for a regulation
Article 3 – paragraph 4
Article 3 – paragraph 4
Amendment 642 #
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point a
Article 3 – paragraph 5 – subparagraph 1 – point a
(a) establish one or more electronic health data access services at national, or regional or local level enabling the exercise of rights referred to in paragraphs 1 and 2this Article;
Amendment 643 #
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point b
Article 3 – paragraph 5 – subparagraph 1 – point b
(b) establish one or more proxy services enabling: (i) a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf, following the applicable provisions of the relevant Member State, for a specified period of time and if needed, for a specific purpose only; (ii) a legal guardian of a natural person to access their electronic health data on their behalf, following the applicable provisions of the relevant Member State.
Amendment 650 #
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 2
Article 3 – paragraph 5 – subparagraph 2
The proxy services shall provide authorisations free of charge, electronically or on paper. They shall enablein a transparent and easily understandable way, free of charge, electronically or on paper. Authorised natural persons and those acting on their behalf shall be informed about what authorisation rights they have, how to exercise them, and what they can expect from the authorisation process. The electronic health data access services as well as the proxy services shall be easily accessible for persons with disabilities in accordance with Directive (EU) 2019/882. The proxy services shall enable legal guardians or other representatives to be authorised, either automatically or upon request, to access electronic health data of the natural persons whose affairs they administer either for a specific purpose and time period or without limitation to administer their affairs. Member States may provide that authorisations do not apply whenever necessary for reasons related to the protection of the natural person, and in particular based on patient safety and ethics. The proxy services shall be interoperable among Member States. The proxy services shall provide an easy complaint mechanism with a contact point designated to inform individuals of a way to seek redress or remedy if they believe that their authorisation rights have been violated.
Amendment 652 #
Proposal for a regulation
Article 3 – paragraph 5 a (new)
Article 3 – paragraph 5 a (new)
5 a. In addition to the electronic services referred to in paragraph 5 point (a), Member States shall also establish easily accessible support services for natural persons with adequately trained staff dedicated to assist them with exercising their rights referred to in this Article.
Amendment 656 #
Proposal for a regulation
Article 3 – paragraph 6
Article 3 – paragraph 6
6. Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative until a relevant health professional validates the information, which would then be marked as confirmed by a healthcare professional.
Amendment 663 #
Proposal for a regulation
Article 3 – paragraph 7
Article 3 – paragraph 7
7. Member States shall ensure that, when exercising the right to rectification under Article 16 of Regulation (EU) 2016/679, natural persons can easily request rectification online through the electronic health data access services referred to in paragraph 5, point (a), of this Article. Data rectification requests shall be assessed and, where relevant, implemented by the data controllers on a case by case basis, if necessary involving health professionals.
Amendment 667 #
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1
Article 3 – paragraph 8 – subparagraph 1
Natural persons shall have the right to give access to or request a data holder from the health or social security sectorsector and providing healthcare to transmit their electronic health data to aor only specific part of health data identified by the requesting natural persons or necessary for the purpose at stake to a health data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder.
Amendment 671 #
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1 a (new)
Article 3 – paragraph 8 – subparagraph 1 a (new)
When a natural person makes the request for transmission, the health data holder shall have the obligation to comply with it, in accordance with Articles 6(1) and 9(2) point (a) of the Regulation (EU) 2016/679.
Amendment 679 #
Proposal for a regulation
Article 3 – paragraph 9
Article 3 – paragraph 9
9. Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of selected health professionals to all or a specific part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms. Such restriction shall be easily identifiable in the EHR. When restricting the information, natural persons shall be made aware that restricting access may impact the provision of healthcare provied to them. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms, including the conditions of medical liability, respecting the rules provided for by Article 18 (2) and (3) of the Regulation (EU) 2016/679 concerning the right to restriction of data processing. The Commission shall establish guidelines regarding medical liability when diagnosing and treating patients based on incomplete information.
Amendment 694 #
Proposal for a regulation
Article 3 – paragraph 10
Article 3 – paragraph 10
10. Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcareproviding healthcare, including pursuant to Article 4(4) of this Regulation. The information shall be provided immediately and free of charge through electronic health data access services and stored for at least 3 years.
Amendment 700 #
Proposal for a regulation
Article 3 – paragraph 10 a (new)
Article 3 – paragraph 10 a (new)
10 a. Natural persons shall have the possibility to choose whether to receive notifications about which health professional and when have accessed their personal electronic health data, as well as the periodicity of such notifications. There should be an automatic notification for situations when a health professional accesses the personal electronic health data of a natural person for the first time.
Amendment 701 #
Proposal for a regulation
Article 3 – paragraph 11
Article 3 – paragraph 11
Amendment 708 #
Proposal for a regulation
Article 3 – paragraph 12
Article 3 – paragraph 12
12. The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article. Those implementing acts shall be adopted in accordance with the advisoryexamination procedure referred to in Article 68(2a).
Amendment 713 #
Proposal for a regulation
Article 4 – paragraph 1 – point a
Article 4 – paragraph 1 – point a
(a) have access to the electronic health data of natural persons under their treatment and for its sole purpose, including relevant administration, irrespective of the Member State of affiliation and the Member State of treatment; , in accordance with Article 9(2) point (h) of Regulation 2016/679;
Amendment 721 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States may establish rules providing for the categories of personal electronic health data required by different health professions, based on their qualification and area of expertise. Such rules shall not be based on the geographical source of electronic health data.
Amendment 726 #
Proposal for a regulation
Article 4 – paragraph 2 a (new)
Article 4 – paragraph 2 a (new)
2 a. Notwithstanding the national rules established pursuant to paragraph 2, natural persons shall be able to easily give acces to their electronic health data to a selected health professional through the health data access services, if they wish so.
Amendment 728 #
Proposal for a regulation
Article 4 – paragraph 2 b (new)
Article 4 – paragraph 2 b (new)
2 b. In the case of treatment in a Member State other than the Member State of affiliation, the rules referred to in paragraph 2, if established, of the Member States of treatment apply.
Amendment 730 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of chargeshall have access to electronic health data through health professional access services for the sole purpose of providing healthcare treatment, including relevant administration, and only through recognised electronic identification and authentication means, free of charge. The electronic health data in the electronic health records shall be structured in a user-friendly manner to allow for an easy use by health professionals.
Amendment 743 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Where access to electronic health data has been restricted by the natural person, pursuant to Article 3(9), the healthcare provider or health professionals shall not be informed of the content of the restricted electronic health data without prior authorisationexplicit consent as defined in Article 9(2)(a) of Regulation (EU) 2016/679 by the natural person, including where the provider or professional is informed of the existence and nature of the restricted electronic health data. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data, in line with Article 6(1)(d) of of Regulation (EU) 2016/679. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
Amendment 758 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point d
Article 5 – paragraph 1 – subparagraph 1 – point d
(d) medical images and image reports and medical test results;
Amendment 761 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f
Article 5 – paragraph 1 – subparagraph 1 – point f
(f) hospital discharge reports.
Amendment 774 #
Proposal for a regulation
Article 5 – paragraph 2 – introductory part
Article 5 – paragraph 2 – introductory part
2. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. Such delegated acts may also amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data and indicating, where relevant, deferred application date. The categories of electronic health data added through such delegated acts shall satisfy the following criteria:.
Amendment 776 #
Proposal for a regulation
Article 5 – paragraph 2 – point a
Article 5 – paragraph 2 – point a
Amendment 777 #
Proposal for a regulation
Article 5 – paragraph 2 – point b
Article 5 – paragraph 2 – point b
Amendment 778 #
Proposal for a regulation
Article 5 – paragraph 2 – point c
Article 5 – paragraph 2 – point c
Amendment 787 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) harmonised datasets containing electronic health data and defining structures, such as minimum data fields and data groups for the content representation of clinical content and other parts of the electronic health data that may be enlarged to include disease specific data;
Amendment 788 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
1 a. The Commisssion shall ensure that those implementing acts contain the latest versions of healthcare coding systems and nomenclatures and that they are updated regularly in order to keep up with the revisions of the healthcare coding systems and nomenclatures.
Amendment 789 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2 a. For the purpose of paragraph 1, the Commission shall consult and cooperate with relevant stakeholders, including patients’ representatives, healthcare providers, health professionals, industry associations, national competence centres, as well as other Union and national authorities with competence in relevant areas, to encourage and contribute to the elaboration and adoption of a European electronic health record exchange format.
Amendment 793 #
Proposal for a regulation
Article 6 – paragraph 3 a (new)
Article 6 – paragraph 3 a (new)
3 a. Member States shall ensure that the priority categories of personal electronic health data referred to in Article 5 are available in the language of the patient and the treating health professional.
Amendment 799 #
Proposal for a regulation
Article 7 – paragraph 1 a (new)
Article 7 – paragraph 1 a (new)
1 a. Where the personal health data have not been registered electronically prior to the application of this Regulation, Member States may require that such data is made available in electronic format pursuant to this Article. This shall not affect the obligation to make personal electronic health data, registered after the application of this Regulation, available in electronic format, pursuant to this Article.
Amendment 803 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – introductory part
Article 7 – paragraph 3 – subparagraph 1 – introductory part
The Commission shall, by means of implementing acts, determine the requirements for the registration of electronic health data by healthcare providers and natural persons, as relevant. Those implementing acts shall establish the following:
Amendment 808 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point a
Article 7 – paragraph 3 – subparagraph 1 – point a
Amendment 811 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point b
Article 7 – paragraph 3 – subparagraph 1 – point b
Amendment 827 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
Where a Member State acceptenables the provision of telemedicine services, it shall, under the same conditions and in a non- discriminatory manner, accept the provision of the services of the same type by healthcare providers located in other Member States.
Amendment 828 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Where a natural person uses telemedicine services or, that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014. Where a natural person uses personal health data access services referred to in Article 3(5), point (a), that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.
Amendment 830 #
Proposal for a regulation
Article 9 – paragraph 1 a (new)
Article 9 – paragraph 1 a (new)
1 a. Where a health professional provides telemedicine services or uses health professional access services referred to in Article 4(3), that health professional shall identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.
Amendment 832 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. The Commission shall, by means of implementing acts, determine the requirements for the interoperable, cross- border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014 as amended by [COM(2021) 281 final]. The mechanism shall facilitate the transferability of electronic health data in a cross-border context and allow natural persons to easily access their electronic health record by identification and authentication under the new eID system. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 842 #
Proposal for a regulation
Article 10 – paragraph 2 – point a
Article 10 – paragraph 2 – point a
(a) ensure the implementation of the rights and obligations provided for in Chapters II and III by adopting necessary national, or regional or local technical solutions and by establishing relevant rules and mechanisms;
Amendment 854 #
Proposal for a regulation
Article 10 – paragraph 2 – point k
Article 10 – paragraph 2 – point k
(k) offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, dounder the same notn- discriminateory conditions and offer the possibility of choosing between in person and digital services;
Amendment 860 #
Proposal for a regulation
Article 10 – paragraph 2 – point m
Article 10 – paragraph 2 – point m
(m) cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives through relevant associations, including patients’ representatives of patients, healthcare providers, health professionals, industry associations;
Amendment 872 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
Article 10 – paragraph 2 a (new)
2 a. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of Article 3, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, consult and cooperate in the enforcement of this Regulation, within the remit of their respective competences.
Amendment 879 #
Proposal for a regulation
Article 10 – paragraph 4
Article 10 – paragraph 4
4. Each Member State shall ensure that each digital health authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. Digital health authorities and their members and staff shall have the qualifications, experience and skills required to carry out their duties and exercise their powers.
Amendment 888 #
Proposal for a regulation
Article 10 – paragraph 5
Article 10 – paragraph 5
5. In the performance of its tasks, the digital health authority shall actively cooperate wiand consult with essential health stakeholders’ representatives, including patients’ representatives, health professionals and healthcare providers. Members of the digital health authority shall avoid any conflicts of interest.
Amendment 895 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, or any data protection aspects, the digital health authority shall inform the supervisory authorities under Regulation (EU) 2016/679 and send them a copy of the complaint in order to facilitate their assessment and investigation. Where a complaint concerning rights of natural persons pursuant to Article 3 is made solely to the supervisory authorities, they shall inform the digital health authorities and send them a copy.
Amendment 900 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. The digital health authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken. Where the complaint concerns data protection aspects, the digital health authority shall inform the complainant that the complaint was referred to the relevant supervisory authority under Regulation (EU) 2016/679, and that the supervisory authority will, from that time on, be the sole point of contact for the complainant in that matter.
Amendment 919 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisoryexamination procedure referred to in Article 68(2a). The implementing act shall include target implementation dates, including for cross- border health data interoperability, in consultation with the EHDS Board.
Amendment 924 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU, without prejudice to Article 11 of Directive 2011/24. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.
Amendment 937 #
Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 1
Article 13 – paragraph 3 – subparagraph 1
Amendment 943 #
Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 2
Article 13 – paragraph 3 – subparagraph 2
Amendment 951 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
1. EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in this Chapter. That compliance shall be accredited through an EHR conformity assessment procedure performed by notified bodies for EHR systems and products claiming interoperability, including technical solutions on interoperability and security.
Amendment 959 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) ensure that their EHR systems are in conformity with the essential requirements laid down in Annex II and with the common specifications in accordance with Article 23; and that they follow the principles of data minimisation and data protection by design; for the latter, the manufacturers shall be encouraged to consult relevant supervisory authorities under Regulation (EU) 2016/679.
Amendment 1027 #
Proposal for a regulation
Chapter III – Section 2 a (new)
Chapter III – Section 2 a (new)
Amendment 1033 #
Proposal for a regulation
Article 23 – paragraph 4 a (new)
Article 23 – paragraph 4 a (new)
4 a. Where common specifications have an impact on data protection requirements of EHR systems, they shall be subject to consultation with EDPB and EDPS before their adoption, pursuant to Article 42(2) of Regulation (EU) 2018/1725.
Amendment 1086 #
Proposal for a regulation
Article 29 – paragraph 3 a (new)
Article 29 – paragraph 3 a (new)
3 a. Where a finding of a market surveillance authortiy, or a serious incident it is informed of, concerns personal data protection, the market surveillance authority shall, without undue delay, inform and cooperate with the relevant supervisory authorities under Regulation (EU) 2016/679.
Amendment 1101 #
Proposal for a regulation
Article -31 (new)
Article -31 (new)
Article -31 Interoperability of wellness applications with EHR systems 1. Manufacturers of wellness applications may claim interoperability with an EHR system, after relevant conditions are met. When this is the case, the users of such wellness applications shall be duly informed about such interoperability and its effects. 2. The interoperability of wellness applications with EHR systems shall not mean automatic sharing or transmission of all or part of the health data from the wellness application with the EHR system. The sharing or transmission of such data shall only be possible pursuant to and in line with Article 3(6) of this Regulation and interoperability shall be limited exclusively to this end. The manufacturers of wellness applications claiming interoperability with an EHR system shall ensure that the user is able to choose which part of health data from the wellness application they want to insert in the EHR system. 3. Wellness applications shall not be able to access the information in EHRs nor extract any information from it.
Amendment 1110 #
6. If the wellness application is embedded in a device, the accompanying label shall be placed on the device and in the case of software a digital label. 2D barcodes may also be used to display the label.
Amendment 1125 #
Proposal for a regulation
Article -33 (new)
Article -33 (new)
Article -33 Scope This Chapter shall apply to situations of secondary use of electronic health data where a health data user seeks access to such data, as referred to in Article 33, from one or more health data holders as defined in Article 2 (y) of this Regulation.
Amendment 1126 #
Proposal for a regulation
Article -33 a (new)
Article -33 a (new)
Article -33 a Rights of natural persons in relation to the secondary use of electronic health data Natural persons shall have the right to opt-out from sharing their electronic health data for secondary use. A mechanism shall be put in place to allow natural persons the flexibility to determine the categories of electronic health data and/or purposes from which they wish to opt out. Such mechanism shall be easily accessible, comprehensible and actionable.
Amendment 1127 #
Proposal for a regulation
Article 33 – title
Article 33 – title
Minimum categories of electronic health data for secondary use
Amendment 1135 #
Proposal for a regulation
Article 33 – paragraph 1 – introductory part
Article 33 – paragraph 1 – introductory part
1. Data holdThis Chapters shall makeapply to the following categories of electronic health data available for secondary use in accordance with the provisions of this Chapter:
Amendment 1143 #
Proposal for a regulation
Article 33 – paragraph 1 – point a
Article 33 – paragraph 1 – point a
(a) electronic health data from EHRs;
Amendment 1150 #
Proposal for a regulation
Article 33 – paragraph 1 – point b
Article 33 – paragraph 1 – point b
(b) data on factors impacting on health, including social, environmental behavioural determinants of health;
Amendment 1176 #
Proposal for a regulation
Article 33 – paragraph 1 – point f
Article 33 – paragraph 1 – point f
(f) person generated electronic health data, including from medical devices, wellness applications or other digital health applications;
Amendment 1181 #
Proposal for a regulation
Article 33 – paragraph 1 – point h
Article 33 – paragraph 1 – point h
(h) population wide health data registries (public health registries) and patient demographic data;
Amendment 1183 #
Proposal for a regulation
Article 33 – paragraph 1 – point i
Article 33 – paragraph 1 – point i
(i) electronic health data from medical registries for specific diseases;
Amendment 1188 #
Proposal for a regulation
Article 33 – paragraph 1 – point j
Article 33 – paragraph 1 – point j
(j) electronic health data from clinical trialsfully concluded or terminated clinical trials, in accordance with Regulation 536/2014;
Amendment 1192 #
Proposal for a regulation
Article 33 – paragraph 1 – point k
Article 33 – paragraph 1 – point k
(k) electronic health data from medical devices and from registries for medicinal products and medical devices, including medical audio and video material;
Amendment 1194 #
Proposal for a regulation
Article 33 – paragraph 1 – point l
Article 33 – paragraph 1 – point l
(l) research cohorts, questionnaires and surveys related to health, including patient-reported outcomes and experience measures (PROMs and PREMs);
Amendment 1208 #
Proposal for a regulation
Article 33 – paragraph 1 – point n
Article 33 – paragraph 1 – point n
(n) electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health;
Amendment 1216 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
Amendment 1224 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
3. The electronic health data referred to in paragraph 1 shall cover data processed for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, including real-world data and real-world evidence, collected by entities and bodies in the health or care sectors, including public and private providers of health or care, entities or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies.
Amendment 1235 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
4. Electronic health data entailing protected intellectual property and trade secrets from private enterprisehealth data holders shall be made available for secondary use. Where such data is made available for secondary use, all technical and organisational measures necessary to preserve the confidentiality of IP rights and confidentiality of trade secrets shall be taken by the health data access body and in consultation with the data holder. This regulation is without prejudice to existing relevant Union legislation, including Directive 2004/48/EC, Directive 2001/29/EC, Directive (EU) 2016/943 and Directive (EU) 2019/790.
Amendment 1241 #
Proposal for a regulation
Article 33 – paragraph 4 a (new)
Article 33 – paragraph 4 a (new)
4 a. Health data holders shall, when making available to health data access bodies relevant electronic health data pursuant to Article 41(1) which contains intellectual property or trade secrets, inform the data access body that this is the case and indicate which parts of the datasets are concerned.
Amendment 1244 #
Proposal for a regulation
Article 33 – paragraph 4 b (new)
Article 33 – paragraph 4 b (new)
4 b. Should the health data access body be in no position to ensure the protection of IP rights and the confidentiality of trade secrets, it shall refuse the granting of the relevant health data access permit to the health data user.
Amendment 1246 #
Proposal for a regulation
Article 33 – paragraph 4 c (new)
Article 33 – paragraph 4 c (new)
4 c. Health data holders and health data users may conclude data sharing agreements with regards to the exchange of data containing IP and trade secrets. Such negotiations shall be overseen by the relevant health data access body.
Amendment 1247 #
Proposal for a regulation
Article 33 – paragraph 4 d (new)
Article 33 – paragraph 4 d (new)
4 d. Public sector bodies or Union institutions, agencies and bodies that obtain access to electronic health data entailing IP rights and trade secrets in the exercise of the tasks conferred to them by Union law or national law, shall take all specific technical and organisational measures necessary to preserve the confidentiality of such data.
Amendment 1250 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
Amendment 1273 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7
Amendment 1279 #
Proposal for a regulation
Article 33 – paragraph 8
Article 33 – paragraph 8
Amendment 1290 #
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
Article 34 – paragraph 1 – introductory part
1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 to a health data user where the intended purpose of processing pursued by the applicant complies withis one or more of the following:
Amendment 1297 #
Proposal for a regulation
Article 34 – paragraph 1 – point a
Article 34 – paragraph 1 – point a
(a) activities for reasons of public interest in the area of public and occupational health, such as: protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;
Amendment 1302 #
Proposal for a regulation
Article 34 – paragraph 1 – point b
Article 34 – paragraph 1 – point b
(b) to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates, including optmising patient pathway;
Amendment 1310 #
Proposal for a regulation
Article 34 – paragraph 1 – point d
Article 34 – paragraph 1 – point d
(d) higher education or, continuing proffessional development or higher education teaching activities in health or care sectors;
Amendment 1313 #
Proposal for a regulation
Article 34 – paragraph 1 – point e
Article 34 – paragraph 1 – point e
(e) scientific research related to health or care sectorsdemonstrably linked to health or care sectors, such as prevention, early detection, diagnosis, treatment, rehabilitation or healthcare management, including fundamental, exploratory or applied healthcare research;
Amendment 1324 #
Proposal for a regulation
Article 34 – paragraph 1 – point f
Article 34 – paragraph 1 – point f
(f) development and innovation activities for products or services demonstrably contributing to public health or social security, or ensuring high levels of quality and safety of health or care, of medicinal products or of medical devices, including scientific research into their efficiency and efficacy and post-market safety monitoring;
Amendment 1340 #
Proposal for a regulation
Article 34 – paragraph 1 – point g
Article 34 – paragraph 1 – point g
(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, demonstrably contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
Amendment 1350 #
Proposal for a regulation
Article 34 – paragraph 1 – point h
Article 34 – paragraph 1 – point h
(h) improving delivery of care, optimising patient pathway and providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.
Amendment 1352 #
Proposal for a regulation
Article 34 – paragraph 1 a (new)
Article 34 – paragraph 1 a (new)
1 a. The purposes referred to in paragraph 1 shall be compatible with the purposes for which data were originally collected pursuant to Article 6(4) of Regulation (EU) 2016/679.
Amendment 1353 #
Proposal for a regulation
Article 34 – paragraph 2
Article 34 – paragraph 2
2. Access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant fulfils one of tThe purposes referred to in points (a) to (c) of paragraph 1 shall only be granted tobe reserved for public sector bodies and Union institutions, bodies, offices and agencies exercising their tasks conferred to them by Union or national law, including where processing of data for carrying out these tasks is done by a third party on behalf of that public sector body or of Union institutions, agencies and bodies.
Amendment 1358 #
Proposal for a regulation
Article 34 – paragraph 4
Article 34 – paragraph 4
Amendment 1364 #
Proposal for a regulation
Article 35 – title
Article 35 – title
Prohibited purposes of secondary use of electronic health data
Amendment 1367 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
Seeking access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 for the following purposes shall be prohibited and subject to effective, proportionate and dissuasive sanctions:
Amendment 1371 #
Proposal for a regulation
Article 35 – paragraph 1 – point a
Article 35 – paragraph 1 – point a
(a) taking decisions detrimental to a natural person or a group of natural persons based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons;
Amendment 1389 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) advertising or marketing activities towards health professionals, organisations in health or natural persons;
Amendment 1396 #
Proposal for a regulation
Article 35 – paragraph 1 – point e
Article 35 – paragraph 1 – point e
(e) developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco and nicotine products, or goods or services which are designed or modified in such a way that they incite addiction, contravene public order or morality.
Amendment 1418 #
Proposal for a regulation
Article 35 – paragraph 1 a (new)
Article 35 – paragraph 1 a (new)
Any other misuse of electronic health data, including its use for permissible purposes other than those specified in the data permit or data request, shall also be prohibited and subject to effective, proportionate and dissuasive sanctions.
Amendment 1425 #
Proposal for a regulation
Article 36 – paragraph 1
Article 36 – paragraph 1
1. Member States shall designate one or more health data access bodies responsible for granting access to electronic health data for secondary usecarrying out the tasks referred to in Articles 37, 38 and 39 of this Regulation. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies that fulfil the conditions set out in this Article. Where a Member State designates several health data access bodies, it shall designate one health data access body to act as coordinator, with responsibility for coordinating data access applications and requests with the other health data access bodies.
Amendment 1427 #
Proposal for a regulation
Article 36 – paragraph 1 a (new)
Article 36 – paragraph 1 a (new)
1 a. Each health data access body shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the health data access bodies shall cooperate with each other and with the supervisory authorities under Regulation (EU) 2016/679 as well as with the Commission and where relevant with the EDPB and the EDPS.
Amendment 1434 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. Member States shall ensure that each health data access body is provided with adequathe human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers, including those related to the participation in the EHDS Board.
Amendment 1437 #
Proposal for a regulation
Article 36 – paragraph 2 a (new)
Article 36 – paragraph 2 a (new)
2 a. Member States shall provide for each member of their data access body to be appointed by means of a transparent procedure by: their parliament; their government; their head of State; or an independent body entrusted with the appointment under Member State law. Members as well as staff shall have the qualifications, experience and skills required to perform their duties and exercise their powers, in particular in the area of ethics, cybersecurity, protection of intellectual property and trade secrets, healthcare, scientific research, artificial intelligence and other relevant areas, as well as the protection of personal data and specifically data concerning health.
Amendment 1439 #
Proposal for a regulation
Article 36 – paragraph 2 b (new)
Article 36 – paragraph 2 b (new)
2 b. The health data access bodies shall set up application review committees, composed of at least 3 persons, to examine each health data access application. The composition of such committees shall be diverse and tailored to the specific cases and expertise required and shall include one expert in ethics. For applications that pose very minimal ethical or social risks, health data access bodies may set up simplified ethics assessment procedure.
Amendment 1440 #
Proposal for a regulation
Article 36 – paragraph 2 c (new)
Article 36 – paragraph 2 c (new)
2 c. The Commission shall, in consultation and cooperation with relevant experts, create guidelines with minimum standards for the work of the review committees.
Amendment 1441 #
Proposal for a regulation
Article 36 – paragraph 2 d (new)
Article 36 – paragraph 2 d (new)
2 d. Each Member State shall ensure that each health data access body chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the data access body concerned. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.
Amendment 1445 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodies shall not be bound by any instrucHealth data access bodies and their members and staff, including application review committees shall act with complete independence in performing their tasks and exercising their powers in accordance with this Regulation. They shall avoid any conflicts of interest and remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody. Members of health data access bodies, including application review committees, shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupations, when making their decisionsgainful or not.
Amendment 1460 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
Article 37 – paragraph 1 – point a
(a) decide on data access applications pursuant to Article 45, authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter where the application concerns anonymised electronic health data; where the application concerns pseudonymised electronic health data, the decision-making shall be done in close cooperation with relevant supervisory authorities under Regulation (EU) 2016/679;
Amendment 1461 #
Proposal for a regulation
Article 37 – paragraph 1 – point a a (new)
Article 37 – paragraph 1 – point a a (new)
(a a) authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter;
Amendment 1462 #
Proposal for a regulation
Article 37 – paragraph 1 – point a b (new)
Article 37 – paragraph 1 – point a b (new)
(a b) request electronic health data referred to in Article 33 from relevant health data holders pursuant to a data permit or a data request granted;
Amendment 1467 #
Proposal for a regulation
Article 37 – paragraph 1 – point d
Article 37 – paragraph 1 – point d
(d) process electronic health data for the purposes set outreferred to in Article 343, including gathe collectionring, combination, preparation and disclosure, anonymisation and pseudonymisation of those data for secondary use on the basis of a data permit;
Amendment 1470 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
Article 37 – paragraph 1 – point e
Amendment 1477 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
(f) take all measures necessary to preserve IP rights and the confidentiality of IP rights and of trade secrets;
Amendment 1480 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
Article 37 – paragraph 1 – point g
(g) gather and compile or provide access to the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal ofbased on a data permit, provide access to health data referred to in Article 33 to health data users in a secure processing environment in accordance with the requirements laid down in Article 50 and store the data for the period of the duration of the data permit;
Amendment 1494 #
Proposal for a regulation
Article 37 – paragraph 1 – point k
Article 37 – paragraph 1 – point k
(k) maintain a management system to record and process data access applications, data requests, the decisions on these applications and the data permits issued and data requests answered, providing at least information on the name of the data applicant, the purpose of access, the date of issuance, duration of the data permit and a description of the data application or the data request;
Amendment 1497 #
Proposal for a regulation
Article 37 – paragraph 1 – point m
Article 37 – paragraph 1 – point m
(m) cooperate at Union and national level to lay down a common approach, technical requirements and appropriate measures and requirements for accessing electronic health data in a secure processing environment;
Amendment 1502 #
Proposal for a regulation
Article 37 – paragraph 1 – point n
Article 37 – paragraph 1 – point n
(n) cooperate at Union and national level and provide advice to the Commission on techniques and best practices for the secondary use of electronic health data use and management;
Amendment 1508 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – point i
Article 37 – paragraph 1 – point q – point i
(i) a national dataset catalogue that shall include details about the source and nature of electronic health data, in accordance with Articles 55, 56 and 58, of this Regulation and the conditions for making electronic health data available. The national dataset catalogue shall also be made available to single information points under Article 8 of Regulation […] [Data Governance Act COM/2020/767 final];
Amendment 1510 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – point ii
Article 37 – paragraph 1 – point q – point ii
(ii) all data permits, requests and applications on their websites within 30 working dhealth data applications and requests without undue delays after issuance of the data permit or reply to a data requesttheir reception;
Amendment 1511 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – point ii a (new)
Article 37 – paragraph 1 – point q – point ii a (new)
(ii a) all health data permits or requests granted as well as denied, together with justification, within 30 working days after their issuance;
Amendment 1517 #
Proposal for a regulation
Article 37 – paragraph 1 – point r a (new)
Article 37 – paragraph 1 – point r a (new)
(r a) monitor and supervise compliance by data users and data holders with the requirements laid down in this Chapter; where personal data are concerned, the monitoring and compliance shall be carried out in close cooperation with relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725; monitoring and supervision shall include regular audits on health data users regarding their processing of electronic health data in the secure processing environment;
Amendment 1524 #
Proposal for a regulation
Article 37 – paragraph 2 – point a a (new)
Article 37 – paragraph 2 – point a a (new)
(a a) immediately notify the relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 of any potential issue related to the processing of personal electronic health data for secondary use to ensure application and enforcement of this Regulation and relevant provisions of the aforementioned Regulations, including penalties.
Amendment 1537 #
Proposal for a regulation
Article 37 – paragraph 4 a (new)
Article 37 – paragraph 4 a (new)
4 a. The EDPB shall provide health data acces bodies with specific guidelines and minimum standards of anonymisation and pseudonymisation for the purposes in this Regulation in order to ensure the same level of quality of anonymisation and pseudonymisation across Member States. The guidelines shall be based on state-of- the-art technology in this regard, which in turn shall be used by the health data access bodies when carrying out their task of anonymisation or pseudonymisation of electronic health data. The guidelines shall be regularly updated, in line with technological progress in this field.
Amendment 1540 #
Proposal for a regulation
Article 38 – paragraph 1 – introductory part
Article 38 – paragraph 1 – introductory part
1. Health data access bodies shall make publicly available and easily searchable and accessible the conditions under which electronic health data is made available for secondary use, with information concerning:
Amendment 1547 #
Proposal for a regulation
Article 38 – paragraph 1 – point d
Article 38 – paragraph 1 – point d
(d) the arrangementmodalities for natural persons to exercise their rights in accordance with Chapter III of Regulation (EU) 2016/679;
Amendment 1556 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. Health data access bodies shall not be obliged to provide the specific information undercomply with the obligations laid down in Article 14(1) to (4) of Regulation (EU) 2016/679. Natural persons shall have the possibility to choose whether to receive notifications when their data are being used for secondary purpose, as well as the periodicity of such notifications.Where, with regards to obligations laid down in Article 14(1) to (4) of Regulation (EU) 2016/679 to eaca health ndatural person concerning the use of their data for projects subject to a data permit and shall provide general public information on all the data permits issueda access body decides to make use of the exception laid down in Article 14(5), point (b), of the same Regulation, it shall make sure to make the information as referred to in Article 14(1) to (4) of Regulation (EU) 2016/679 publicly available on its website in an aggregated form, allowing natural persons to understand whether their data are being made available for secondary use pursuant to Article 46data permits.
Amendment 1564 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
3. Where a health data access body is informed by a health data user of a clinically significant finding that may impact onnfluence the health status of a natural person, as referred to in Article 41a(5) of this Regulation, the health data access body mayshall inform the natural person and his or , where applicable, the treating health professional of the natural person concerned about that finding. Where relevant, ther treating health professional about that findingshall take due regard to the expressed wish of the natural person not to be informed.
Amendment 1591 #
Proposal for a regulation
Article 39 – paragraph 1 – point a
Article 39 – paragraph 1 – point a
(a) information relating to the data access applications for electronic healthand data accrequests submitted, such as the types of applicants, number of data permits granted or refused, purposes of access and categories of electronic health data accessed, and a summary of the results of the electronic health data uses, where applicable;
Amendment 1593 #
Proposal for a regulation
Article 39 – paragraph 1 – point c
Article 39 – paragraph 1 – point c
(c) information on the fulfilment of regulatory and contractual commitments by data users and data holders, as well as penalties imposedthe number and amount of penalties imposed by health data access bodies or supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725;
Amendment 1594 #
Proposal for a regulation
Article 39 – paragraph 1 – point d
Article 39 – paragraph 1 – point d
(d) information on audits carried out on data users to ensure compliance of the processing within the secure processing environment as referred to in Article 50 of this Regulation,
Amendment 1595 #
Proposal for a regulation
Article 39 – paragraph 1 – point e
Article 39 – paragraph 1 – point e
(e) information on third party audits on compliance of secure processing environments with the defined standards, specifications and requirements, as referred to in Article 50(3) of this Regulation;
Amendment 1596 #
Proposal for a regulation
Article 39 – paragraph 1 – point j
Article 39 – paragraph 1 – point j
Amendment 1599 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
2. The report shall be transmitted to the Commission, the Council and the European Parliament and made publicly available.
Amendment 1607 #
1. When processing personal electronic health data, data altruism organisations shall comply with the rules set out in Chapter IV of Regulation […] [Data Governance Act COM/2020/767 final]. Where data altruism organisationsIn addition to rules regarding data altruism estabished by Regulation (EU) 2022/868, where recognised data altruism organisations under Chapter IV of that Regulation process personal electronic health data using a secure processing environment, such environments shall also comply with the requirements set out in Article 50 of this Regulation.
Amendment 1609 #
Proposal for a regulation
Article 40 – paragraph 2
Article 40 – paragraph 2
2. Health data access bodies shall support the competent authorities designated in accordance with Article 23 of Regulation […] [Data Governance Act COM/2020/767 final](EU) 2022/868 in the monitoring of entities carrying out data altruism activities, where electronic health data are concerned.
Amendment 1610 #
Proposal for a regulation
Article 41 – paragraph 1
Article 41 – paragraph 1
1. Where a(1) Health data holder is obliged to makes shall make relevant electronic health data available under Article 33 or under other Union law or national legislation implementing Union law, itavailable upon request to the health data access body pursuant to a data permit issued or data request granted by such a body. Health data holders shall cooperate in good faith with the health data access bodies, where relevant.
Amendment 1616 #
Proposal for a regulation
Article 41 – paragraph 1 a (new)
Article 41 – paragraph 1 a (new)
1 a. The health data holder shall put the electronic health data at the disposal of the health data access body within 2 months from receiving the request from the health data access body. In justified cases, after consultation with the health data holder concerned, that period may be extended by the health data access body for a maximum of 2 months. The extention might be shorter than 2 months.
Amendment 1617 #
Proposal for a regulation
Article 41 – paragraph 1 b (new)
Article 41 – paragraph 1 b (new)
1 b. Paragraphs 1 and 1a constitute a legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 and/or Article 5(1) point (b) of Regulation (EU) 2018/1725 for the health data holder to make available the electronic health data to the health data acces body, in line with Article 9(2) point (h), (i) and (j) of Regulation (EU) 2016/679 and/or Article 10(2) point (h), (i) and (j) of Regulation (EU) 2018/1725.
Amendment 1624 #
Proposal for a regulation
Article 41 – paragraph 4
Article 41 – paragraph 4
Amendment 1629 #
Proposal for a regulation
Article 41 – paragraph 7 a (new)
Article 41 – paragraph 7 a (new)
7 a. This Article shall not apply to health data holders that qualify as microenterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC.Microentreprises may, however, notify the relevant data access body about their wish to voluntarily contribute to the secondary use of health data. This Article shall apply to small enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC 1 year from entry into force of this Regulation.
Amendment 1630 #
Proposal for a regulation
Article 41 a (new)
Article 41 a (new)
Article 41 a Duties of health data users 1. Health data users may access and process the electronic health data for secondary use referred to in Article 33 only in accordance with the data permit issued by the health data access body in line with Article 46 of this Regulation. 2. Health data users shall not seek access to and process electronic health data obtained via a data permit issued in line with Article 46 of this Regulation for the purposes referred to in Article 35. 3. Health data users shall not re-identify or seek to re-identify the natural persons to which the electronic health data belong which they obtained based on the data permit or data request. Such conduct shall be considered a serious breach of this Regulation. 4. Health data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47. Those results or output shall only contain anonymised data. In justified cases, especially cases referred to in Article 34(1), point (e), this period may be extended by the relevant health data access body, after consultation with the health data user. The health data users shall inform the health data access bodies from which a data permit was obtained about the results or output and provide them with necessary support in order to make them public also on health data access bodies’ websites, without prejudice to IP rights, the confidentiality of trade secrets and relevant Union legislation. Whenever the health data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS. 5. Without prejudice to paragraph 2, health data users shall inform the health data access body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset. 6. ECDC and EMA shall, in consultation and cooperation with relevant stakeholders, including representatives of patients, health professionals and researchers, create guidelines in order to help health data users to fulfil their obligation under paragraph 3, especially to determine whether their findings are clinically significant. 7. Health data users shall cooperate in good faith with the health data access bodies, where relevant.
Amendment 1633 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Health data access bodies and single data holders may charge fees to health data users for making electronic health data available for secondary use. Any fees shall include andIn the case of health data access bodies, any fees shall be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]gathering, combining, preparing, anonymisation or pseudonymisation of the electronic health data or commercially confidential data for secondary use and maintaining of the secure processing environment;
Amendment 1638 #
Proposal for a regulation
Article 42 – paragraph 2
Article 42 – paragraph 2
2. WIn the case of health data holders, where the data in question are not held by the data access body or a public sector body, the fees may also include compensation for part of the costs for collectbe derived from the costs for gathering and preparing the electronic health data for secondary use specifically under this Regulation in addition to the fees that may be charged pursuant to paragraph 1. The part of the fees linked to the data holder’s costs shall be paid to the data holder.
Amendment 1649 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Any fees charged to data users pursuant to this Article by the health data access bodies or data holders shall be transparent and, non-discriminatory, proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition. The support received by the data holder from donations, public national or Union funds, to set up, develop or update tat dataset shall be excluded from this calculation. The specific interests and needs of SMEs and start-ups, public bodies, Union institutions, bodies, offices and agencies involved in scientific research, health policy or analysis, educational institutions and healthcare providers shall be taken into account when setting the fees, by reducing those fees proportionately to their size or budget.
Amendment 1659 #
Proposal for a regulation
Article 43 – paragraph 1
Article 43 – paragraph 1
Amendment 1660 #
Proposal for a regulation
Article 43 – paragraph 2
Article 43 – paragraph 2
2. When requesting from data users and data holders the information that is necessary to verify compliance with this Chapter, the health data access bodies shall be proportionate to the performance of the compliance verificationcarrying out its monitoring and supervisory tasks to verify compliance with this Chapter, as referred to in Article 37(1), point (ra), the health data access bodies shall request information from data holders and users that is necessary for the performance of the task.
Amendment 1662 #
3. Where health data access bodies find that a data user or data holder does not comply with the requirements of this Chapter, they shall immediately notify the data user or data holder of those findings and shall give it the opportunity to state its views within 2 months.4 weeks. Where the finding of non-compliance concerns personal electronic health data, the health data access body shall immediately inform supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 of this finding to ensure application and enforcement of this Regulation and relevant provisions of the aforementioned Regulations, including penalties;
Amendment 1667 #
Proposal for a regulation
Article 43 – paragraph 4
Article 43 – paragraph 4
4. Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non- compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, tThe health data access bodies shall be able, where appropriate, to revoke the data permit and to exclude the data user from any access to electronic health data within the EHDS for a period of up to 5 years.
Amendment 1672 #
Proposal for a regulation
Article 43 – paragraph 5
Article 43 – paragraph 5
5. Where data holders withhold the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or do not respect the deadlines set out in Article 41, the health data access body shall have the power to fine the data holder with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body. In case of repeated breaches by the data holder of the obligation of loyal cooperation with the health data access body, that body can exclude the data holder from participation in the EHDS for a period of up to 5 years. Where a data holder has been excluded from the participation in the EHDS pursuant to this Article, following manifest intention of obstructing the secondary use of electronic health data, it shall not have the right to provide access to health data in accordance with Article 49.
Amendment 1678 #
Proposal for a regulation
Article 43 – paragraph 6
Article 43 – paragraph 6
6. The health data access body shall communicate the measures imposed pursuant to paragraphs 4 and 5 and the reasons on which they are based to the data user or holder concerned, without delay, and shall lay down a reasonable period for the data user or holder to comply with those measures.
Amendment 1680 #
Proposal for a regulation
Article 43 – paragraph 7
Article 43 – paragraph 7
7. Any penalties and measures imposed pursuant to paragraph 4 shall be made availablenotified to other health data access bodies.
Amendment 1686 #
Proposal for a regulation
Article 43 – paragraph 10
Article 43 – paragraph 10
10. The Commission mayshall issues guidelines on penalties to be applied by the health data access bodies.
Amendment 1707 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Where the purpose of the data user’sdata user has demonstrated that the purpose of processing cannot be achieved with anonymised data, taking into account the information provided by the data userin line with Article 46(1c), the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re- identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriatconsidered a particularly serious breach of this Regulation and shall be subject to effective, proportionate and dissuasive penalties.
Amendment 1724 #
Proposal for a regulation
Article 45 – paragraph 1
Article 45 – paragraph 1
1. Any natural or legal person with a demonstrable link to the health or care sector and specifically activities relevant for the purposes listed in Article 34(1) of this Regulation may submit a data access application for the purposes referred to in Article 34.
Amendment 1727 #
Proposal for a regulation
Article 45 – paragraph 2 – point -a (new)
Article 45 – paragraph 2 – point -a (new)
(-a) the applicant´s identity, description of professional functions and operations, including the identity of the concrete persons who will have access to electronic health data, if a data permit is granted;
Amendment 1732 #
Proposal for a regulation
Article 45 – paragraph 2 – point a
Article 45 – paragraph 2 – point a
(a) a detailed plan and explanation of the intended use of the electronic health data, including for which of the purposes referred to in Article 34(1) access is sought;
Amendment 1736 #
Proposal for a regulation
Article 45 – paragraph 2 – point a a (new)
Article 45 – paragraph 2 – point a a (new)
(a a) a declaration that the applicant has sufficient experience to manage the intended uses of the data requested, consistent with ethical practice and applicable laws and regulations;
Amendment 1740 #
Proposal for a regulation
Article 45 – paragraph 2 – point a b (new)
Article 45 – paragraph 2 – point a b (new)
(a b) a detailed explanation of the expected benefits related to the use;
Amendment 1741 #
Proposal for a regulation
Article 45 – paragraph 2 – point b
Article 45 – paragraph 2 – point b
(b) a description of the requested electronic health data, their timeframe, format and data sources, where possible, including geographical coverage where data is requested from several Member States;
Amendment 1744 #
Proposal for a regulation
Article 45 – paragraph 2 – point c
Article 45 – paragraph 2 – point c
(c) an indication whether electronic health data shouldneed to be made available in an an pseudonymised format;
Amendment 1746 #
Proposal for a regulation
Article 45 – paragraph 2 – point e
Article 45 – paragraph 2 – point e
(e) a description of the safeguards planned to prevent any other use or misuse of the electronic health data, including attempts to re-identify natural persons whose data are part of the dataset;
Amendment 1754 #
Proposal for a regulation
Article 45 – paragraph 2 – point h a (new)
Article 45 – paragraph 2 – point h a (new)
(h a) where applicable, information on the assessment of ethical aspects of the processing and evidence of ethics approval obtained by the competent ethics committee in line with national law;
Amendment 1759 #
Proposal for a regulation
Article 45 – paragraph 2 – point h b (new)
Article 45 – paragraph 2 – point h b (new)
(h b) a declaration that the intended uses of the data requested do not pose a risk of stigmatisation or dignitary harm to both individuals and the groups implicated in the dataset requested;
Amendment 1765 #
Proposal for a regulation
Article 45 – paragraph 3
Article 45 – paragraph 3
3. Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice which shall be responsible for sharing the requestapplication with the other health data access bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. For requests to access electronic health data from more than one Member StatesIn such a case, the health data access body shall notify the other relevant health data access bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.
Amendment 1770 #
Proposal for a regulation
Article 45 – paragraph 4 – point a
Article 45 – paragraph 4 – point a
(a) a description of how the processing would comply with Article 6(1) and 9(2) of Regulation (EU) 2016/679 or Articles 5(1) and 10(2) of Regulation (EU) 2018/1725;
Amendment 1775 #
Proposal for a regulation
Article 45 – paragraph 4 – point a a (new)
Article 45 – paragraph 4 – point a a (new)
(a a) a detailed demonstration that the purpose of processing cannot be achieved with anonymised data;
Amendment 1776 #
Proposal for a regulation
Article 45 – paragraph 4 – point b
Article 45 – paragraph 4 – point b
Amendment 1779 #
Proposal for a regulation
Article 45 – paragraph 5 – subparagraph 2
Article 45 – paragraph 5 – subparagraph 2
Amendment 1785 #
Proposal for a regulation
Article 45 – paragraph 6
Article 45 – paragraph 6
6. The Commission mayshall, by means of implementing acts, set out the templates for the data access application referred to in this Article, the data permit referred to in Article 46 and the data request referred to in Article 47. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2a).
Amendment 1786 #
Proposal for a regulation
Article 45 – paragraph 7
Article 45 – paragraph 7
Amendment 1794 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. HWhen health data access bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data access body shall issue a data permit.decide whether to grant or refuse a data permit, they shall assess if the health data access application referred to in Article 45 fulfils the following criteria:
Amendment 1802 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
Article 46 – paragraph 1 a (new)
1 a. (a) the purpose described in the health data access application is one of the purposes listed in Article 34(1) of this Regulation, regardless of whether the health data access application concerns anonymised or pseudonymised data; (b) the requested data is necessary for the purpose or purposes listed in the health data access application; (c) where electronic health data is requested in pseudonymised format, the information provided by the applicant demonstrates that the purposes of processing described in the application, and which are in line with point (a) of this paragraph, cannot be achieved with electronic health data in anonymised format; (d) the processing of pseudonymised electronic health data, if the data permit would be granted, will be in line with Articles 6(1) and 9(2) of Regulation (EU) 2016/679 or Articles 5(1) and 10(2) of Regulation (EU) 2018/1725; (e) the applicant demonstrates sufficient safeguards to prevent any other use or misuse of the electronic health data and to protect the rights and interests of the data holder and of the natural persons concerned; (f) all other requirements in this Chapter are fulfilled by the applicant. In this process, the health data access bodies shall also take into consideration the history of applications from the same applicant. The health data access bodies shall ensure that the data will not be used for something a reasonable participant would find objectionable, or uses that health data access bodies would have reason to believe participants within the dataset would find objectionable.
Amendment 1806 #
Proposal for a regulation
Article 46 – paragraph 2
Article 46 – paragraph 2
2. HIf the health data access bodies shall refuse all applications including one or more purposes listed in Article 35 ory in its independent assessment concludes that the requirements listed in paragraph 1 of this Article are met, as well as all other requirements of this Chapter, the health data access body shall grant the health data permit. Health data access bodies shall refuse all applications where the requirements in this Chapter are not met.
Amendment 1814 #
Proposal for a regulation
Article 46 – paragraph 3
Article 46 – paragraph 3
3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final](EU) 2022/868, the health data access body may extend the period for responding to a data access application by 2a maximum of 3 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.
Amendment 1829 #
Proposal for a regulation
Article 46 – paragraph 6 – point a
Article 46 – paragraph 6 – point a
(a) typcategories and format of electronic health data accessed, covered by the data permit, including their sources;
Amendment 1830 #
Proposal for a regulation
Article 46 – paragraph 6 – point b
Article 46 – paragraph 6 – point b
(b) a detailed description of the purpose for which data are made available;
Amendment 1831 #
Proposal for a regulation
Article 46 – paragraph 6 – point b a (new)
Article 46 – paragraph 6 – point b a (new)
(b a) the identity of the applicant as well as the concrete persons who are authorised to have access to the electronic health data in the secure processing environment;
Amendment 1832 #
Proposal for a regulation
Article 46 – paragraph 6 – point e
Article 46 – paragraph 6 – point e
(e) fees to be paid by the data user to the health data access body;
Amendment 1839 #
Proposal for a regulation
Article 46 – paragraph 8
Article 46 – paragraph 8
8. The Commission is empowered to adopt delegated acts to amend the list of aspects to be covered by a data permit in paragraph 76 of this Article, in accordance with the procedure set out in Article 67.
Amendment 1840 #
Proposal for a regulation
Article 46 – paragraph 9
Article 46 – paragraph 9
9. A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body for a period of 5 years.
Amendment 1845 #
Proposal for a regulation
Article 46 – paragraph 11
Article 46 – paragraph 11
Amendment 1854 #
Proposal for a regulation
Article 46 – paragraph 12
Article 46 – paragraph 12
Amendment 1858 #
Proposal for a regulation
Article 46 – paragraph 14
Article 46 – paragraph 14
14. The liability of health data access bodies as joint controller is limited to the scope of the issued data permit until the completion of the processing activityand in accordance with Article 51.
Amendment 1863 #
Proposal for a regulation
Article 47 – paragraph 1
Article 47 – paragraph 1
1. Any natural or legal person may submit a data request for the purposes referred to in Article 34 with the aim of obtaining an answer only in anonymised statistical format. A health data access body shall onlynot provide an answer to a data request in an anonymised statisticaly other format and the data user shall have no access to the electronic health data used to provide this answer.
Amendment 1867 #
Proposal for a regulation
Article 47 – paragraph 2 – introductory part
Article 47 – paragraph 2 – introductory part
2. A data request shall include the elements mentioned in paragraphs 2 (-a), (a) and (b) of Article 45 and if needed may also include:
Amendment 1871 #
Proposal for a regulation
Article 47 – paragraph 3
Article 47 – paragraph 3
3. WThere an applicant has requested a result in an anonymised form, including statistical format, based on a data request, the health data access body shall assess, health data access body shall assess the health data request within 2 months and, where possible, provide the result to the data user within 2 months.
Amendment 1884 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
By derogation from Article 46 of this Regulation, a data permit shall not be required to access the electronic health data under this Article. When carrying out those tasks under Article 37 (1), points (b) and (c), tby the European Medicines Agency (EMA), European Centre for Disease Prevention and Control (ECDC) and Health Emergency Preparedness and Response Authority (HERA) to access the electronic health data under this Chapter. The health data access body shall inform public sector bodies and the Union institutions, offices, agencies and bodies, about the availability of data within 2 months of the data access application, in accordance with Article 9 of Regulation […] [Data Governance Act COM/2020/767 final]EMA, ECDC, or HERA about the availability of data within 2 months of the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final ], the health data access body may extend the period by 2 additional months where necessary, taking into account the complexity of the request. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless it specifies that it will provide the data within a longer specified timeframe.
Amendment 1893 #
Proposal for a regulation
Article 49
Article 49
Access to electronic health data from a 1. access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies. 2. issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42. 3. 51, the single data provider and the data user shall be deemed joint controllers. 4. shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.rticle 49 deleted single data holder Where an applicant requests In such case, the data holder may By way of derogation from Article Within 3 months the data holder
Amendment 1911 #
Proposal for a regulation
Article 50 – paragraph 3
Article 50 – paragraph 3
3. The health data access bodies shall ensure regular third party audits of the secure processing environments.
Amendment 1914 #
Proposal for a regulation
Article 50 – paragraph 4
Article 50 – paragraph 4
4. The Commission shall, by means of implementing acts, provide for the technical, information security, confidentiality, data protection and interoperability requirements for the secure processing environments, in consultation with ENISA. Those implementing acts shall be adopted in accordance with the advisoryexamination procedure referred to in Article 68(2a).
Amendment 1916 #
Proposal for a regulation
Article 51 – title
Article 51 – title
Amendment 1918 #
Proposal for a regulation
Article 51 – paragraph 1
Article 51 – paragraph 1
1. The health data access bodies and the dData users, including Union institutions, bodies, offices and agencies, shall be deemed joint controllers of electronic health data processed in accordance with data permitcontroller for the processing of personal of electronic health data in the secure processing environment pursuant to a data permit. In this case, the health data access body shall be deemed a processor. The health data access body shall be considered a controller for the processing of personal electronic health data while carrying out its task referred to in Article 37(1), point (d). The health data holder shall be considered a controller for the processing of personal electronic health data while carrying out its obligation under Article 41(1) and (1a).
Amendment 1923 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. The Commission shall, by means of implementing acts, establish a template for the joint controllers’ arrangementa contract or other legal act for the purpose of paragraph 1 in line with Article 28(3) of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisoryexamination procedure set out in Article 68(2a).
Amendment 1932 #
Proposal for a regulation
Article 52 – paragraph 5
Article 52 – paragraph 5
5. Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation, where they have set up a body equivalent to the health data access bodies as referred to in Article 36 and where they ensure that Chapter V of Regulation (EU) 2016/679 will be complied with after the connection to the HealthData@EU and provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation as well as with Chapter V of Regulation (EU) 2016/679 and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68 (2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
Amendment 1948 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point a
Article 52 – paragraph 13 – subparagraph 1 – point a
(a) requirements, technical specifications, the IT architecture of HealthData@EU, conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU, with stricter criteria and an accelerated procedure for third countries and international organisations;
Amendment 1960 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 a (new)
Article 52 – paragraph 13 – subparagraph 1 a (new)
Amendment 1967 #
Proposal for a regulation
Article 53 – title
Article 53 – title
Access to cross-border sources of electronic health dataregistries and databases for secondary use
Amendment 1971 #
Proposal for a regulation
Article 54 – title
Article 54 – title
54 MCross-border access and mutual recognition of data permits
Amendment 1972 #
Proposal for a regulation
Article 54 – paragraph 1
Article 54 – paragraph 1
1. When handling an access application for cross-border access to electronic health data for secondary use, health data access bodies and relevant authorised participants shall remain responsible for taking decisions to grant or refuse access to electronic health data within their remit in accordance with the requirements for access laid down in this Chapter. After a decision is made regarding the granting or refusal of the health data permit, the health data access body shall inform the other health data bodies concerned by the same application about the decision. These decisions may be taken into consideration by the other health data access bodies when deciding on the granting or refusal of the data permit.
Amendment 1977 #
Proposal for a regulation
Article 55 – title
Article 55 – title
Dataset description and dataset catalogue
Amendment 1980 #
Proposal for a regulation
Article 56 – paragraph 1
Article 56 – paragraph 1
1. Datasets made available through health data access bodies may have a Union data quality and utility label provided by the data holderhealth data access bodies.
Amendment 1986 #
Proposal for a regulation
Article 59 a (new)
Article 59 a (new)
Article 59 a Digital health literacy and digital health access 1. In order to ensure successful implementation of the EHDS, Member States shall put in place educational programmes aimed at increasing digital health literacy and relevant competences and skills. Those programmes shall be tailored to the needs of specific groups, including patients and health professionals, and shall be developed and reviewed, and where necessary updated, on a regular basis in consultation and cooperation with relevant experts and stakeholders. 2. Member States shall measure, on a regular basis, the digital health literacy of health professionals, patients as well as persons in general. 3. Member States shall organise awareness-raising campaigns to ensure that all specific groups are informed about the importance of digital health literacy as well as educational programmes available to them pursuant to paragraph 1. 4. Member States as well as the Commission shall take all the necessary measures to ensure that natural persons, and specifically patients and health professionals, are informed about the EHDS, its primary and secondary components, functionalities and conditions as well as their rights within EHDS. 5. Member States shall ensure that all natural persons have access to the infrastructure necessary for the effective management of their electronic health data, both within primary and secondary use.
Amendment 1989 #
Proposal for a regulation
Article 60 – paragraph 2 a (new)
Article 60 – paragraph 2 a (new)
2a. Two additional requirements shall be established and required as a condition for the procurement or funding of services for processing personal electronic health data: (a) storing of personal electronic health data in the Union, in line with Article 60a of this Regulation; and (b) duly demonstrating that applicants are not subject to third country legislation conflicting with EU data protection rules.
Amendment 1992 #
Proposal for a regulation
Article 60 a (new)
Article 60 a (new)
Article 60a Electronic health data storage in the Union 1. The personal electronic health data within the scope of this Regulation shall be stored only within the territory of the Union. 2. Paragraph 1 is without prejudice to the possibility of transfers of personal electronic health data in line with Chapter V of the Regulation (EU) 2016/674 or in line with Articles 61 and 62 of this Regulation.
Amendment 2011 #
2. Any judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a digital health authority, health data access body or data users to transfer or give access to non-personal electronic health data within the scope of this Regulation held in the Union shallmay only be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State.
Amendment 2022 #
Proposal for a regulation
Article 64 – paragraph 1
Article 64 – paragraph 1
1. A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of th: (a) one high level representatives of digital health authorities andof all the Member States; and (b) one high level representative of health data access bodies of all the Member States. OtWhere a Member State has designated several health data access bodies, the coordinating health data access body shall be part of the EHDS Board; and (c) EDPB and EDPS. The EHDS Board shall be aided by an advisory forum as referred to in Article 65a. EMA, ECDC, ENISA shall be invited by the Board to join the meeting where the issues discussed are of relevance to their respective mandates or tasks. Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor may be invited to the meetings, where the issues discussed are of relevance for them. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an observer role.
Amendment 2034 #
Proposal for a regulation
Article 64 – paragraph 4
Article 64 – paragraph 4
Amendment 2042 #
Proposal for a regulation
Article 64 – paragraph 6
Article 64 – paragraph 6
6. The CommissionA representative of the Commission and a representative of the European Parliament shall co-chair the meetings of the EHDS Board.
Amendment 2043 #
Proposal for a regulation
Article 64 – paragraph 7 a (new)
Article 64 – paragraph 7 a (new)
7a. The EHDS Board shall operate in a transparent manner with open publication of meeting dates and minutes of the discussions and produce and annual report on its activities.
Amendment 2044 #
Proposal for a regulation
Article 64 a (new)
Article 64 a (new)
Article 64a Advisory forum 1. An advisory forum shall be established by the EHDS Board to advise it in the fulfilment of its tasks by providing stakeholder input in matters pertaining to this Regulation. 2. EMA, ECDC, JRC shall be permanent members of the advisory forum. 3. The advisory forum shall be composed of representatives of patients, health professionals, industry, scientific researchers and academia. The advisory forum shall have a balanced composition and represent the views of different relevant stakeholders. The composition of the advisory forum shall be balanced between commercial and non-commercial interests and, within the commercial interests, it shall be balanced between large companies, SMEs and start-ups. Focus on primary and secondary use of electronic health data shall also be balanced. 4. Members of the advisory forum shall be appointed by the Commission following a public call for interest and a transparent selection procedure, in consultation with the European Parliament. 5. The term of office of the members of the advisory forum shall be two years and it shall not be renewable more than twice consecutively. 6. The advisory forum may establish standing or temporary subgroups as appropriate for the purpose of examining specific questions related to the objectives of this Regulation. 7. The advisory forum shall draw up its rules of procedure and elect two co- Chairs from among its members, one of them being from its permanent members. Their term of office shall be two years, renewable once. 8. The advisory forum shall hold regular meetings. The advisory forum can invite relevant experts and other relevant stakeholders to its meetings. The Chair of the EHDS Board may attend, ex officio, the meetings of the advisory forum. 9. In fulfilling its role as set out in paragraph 1, the advisory forum may prepare opinions, recommendations or written contributions. 10. The advisory forum shall prepare an annual report of its activities. That report shall be made publicly available.
Amendment 2045 #
Proposal for a regulation
Article 65 – paragraph 1 – point -a (new)
Article 65 – paragraph 1 – point -a (new)
(-a) to exercise oversight over the implementation and proper enforcement of Chapter II, without prejudice to the competences of EDPB where personal electronic health data are concerned;
Amendment 2050 #
Proposal for a regulation
Article 65 – paragraph 1 – point b a (new)
Article 65 – paragraph 1 – point b a (new)
(ba) All aspects under point (b) related to data protection rights and issues shall be left to the EDPB in order to ensure consistent application of the existing data protection framework.
Amendment 2051 #
Proposal for a regulation
Article 65 – paragraph 1 – point d
Article 65 – paragraph 1 – point d
(d) to share information between members of the EHDS Board concerning risks posed by EHR systems and serious incidents as well as how they were handled. The EDPB shall be responsible for identifying all possible data protection risks posed by EHR systems and provide guidance for their handling;
Amendment 2054 #
Proposal for a regulation
Article 65 – paragraph 2 – point -a (new)
Article 65 – paragraph 2 – point -a (new)
(-a) to exercise oversight over the implementation and proper enforcement of Chapter IV, without prejudice to the competences of EDPB where personal electronic health data are concerned;
Amendment 2061 #
Proposal for a regulation
Article 65 – paragraph 2 – point b a (new)
Article 65 – paragraph 2 – point b a (new)
(ba) All aspects under point (b) related to data protection rights and issues shall be left to the EDPB in order to ensure consistent application of the existing data protection framework.
Amendment 2064 #
Proposal for a regulation
Article 65 – paragraph 2 – point d
Article 65 – paragraph 2 – point d
(d) to share information between members of the EHDS Board concerning risks and data protection incidents related to secondary use of electronic health data, as well as how they were handled. The EDPB shall be responsible for identifying all possible data protection risks and provide guidance for their handling;
Amendment 2073 #
Proposal for a regulation
Article 66 – paragraph 6 a (new)
Article 66 – paragraph 6 a (new)
6a. The groups shall consult relevant experts when carrying out their tasks as well as on technical implementing measures related to cybersecurity, confidentiality and data protection, especially ENISA and EDPB and EDPS.
Amendment 2075 #
Proposal for a regulation
Article 67 – paragraph 2
Article 67 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
Amendment 2080 #
Proposal for a regulation
Article 67 – paragraph 3
Article 67 – paragraph 3
3. The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 2085 #
Proposal for a regulation
Article 67 – paragraph 6
Article 67 – paragraph 6
6. A delegated act adopted pursuant to Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 3 months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.
Amendment 2087 #
Proposal for a regulation
Article 68 – paragraph 2 a (new)
Article 68 – paragraph 2 a (new)
2a. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Amendment 2088 #
Proposal for a regulation
Article 69 – paragraph 1
Article 69 – paragraph 1
1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties shall be effective, proportionate and dissuasive. Specific attention shall be given to penalties for serious breaches of this Regulation, as referred to in Article 41a(3) and Article 44(3). Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them. 2. Penalties referred to in paragraph 1 shall be without prejudice to the penalties established pursuant to Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. 3. The Commission shall provide Member States with guidelines and recommendations on the types and levels of penalties in order to prevent forum shopping and ensure fair enforcement, especially in cross-border cases. 4. Member States are encouraged to consider criminalising re-identification of anonymised data.
Amendment 2098 #
Proposal for a regulation
Article 70 – paragraph 1
Article 70 – paragraph 1
1. After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapter III, including the need to extend interoperability possibilities between EHR systems and electronic health data access services other than those established by the Member States, the possibility to expand the access to MyHealth@EU infrastructure to third countries and international organisations, the implementation and use by natural persons of the opt-out mechanism in secondary use as referred to in Article - 33a, the use and implementation of the right referred to in Article 3(9), the implementation of Articles 33 and 34 as well as the application of fees as referred to in Article 42, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self-certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies.
Amendment 2106 #
Proposal for a regulation
Article 70 – paragraph 1 a (new)
Article 70 – paragraph 1 a (new)
1a. After 2 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of the Union funding made available for the setting up of the European Health Data Space as well as an evaluation of funding allocated to this end by Member States, and where appropriate, consider further measures in this regard.
Amendment 2113 #
Proposal for a regulation
Article 72 – paragraph 2
Article 72 – paragraph 2
It shall apply from 124 months after its entry into force.
Amendment 2130 #
Proposal for a regulation
Annex II – point 2 – point 2.5 a (new)
Annex II – point 2 – point 2.5 a (new)
2.5a. An EHR system shall be developed in interoperable format that enables data portability.
Amendment 2132 #
Proposal for a regulation
Annex II – point 3 – point 3.8
Annex II – point 3 – point 3.8
3.8. An EHR system designed for the storage of electronic health data shall support different retention periods and access rights that take into account the origins and categories of electronic health data as well as the specific purposes of data processing.