Law European Commission
15.06.2022

European Commission - European Parliament - Council of the EU – Regulation of the European Parliament and of the Council on the European Health Data Space

The European Health Data Space (EHDS) will become the first domain-specific common European data space, a concept launched in the European data strategy. Data spaces for industry and manufacturing, agriculture, mobility, energy and other themes will follow. The EHDS will be a common space in which natural persons can easily control their electronic health data. It will also make it possible for researchers, innovators and policymakers to use electronic health data in a trusted and secure way that preserves privacy. This should lead to better diagnosis, treatment and well-being for natural persons, and to better-informed policies. It will also contribute to a genuine single market for digital health products and services by harmonising rules, and so improve the efficiency of healthcare systems.

What: Regulation

Impact score: 1

For who: citizens, health care professionals, researchers, regulators, policymakers

URL: https://eur-lex.europa.eu/lega...

Summary

The EHDS is a health-specific data sharing framework establishing clear rules, common standards and practices, infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics or regulatory purposes.

Cross-border infrastructure

The regulation aims to harmonise the European digital healthcare landscape through European control over data exchange. The cross-border infrastructure MyHealth@EU already exists, but participation becomes compulsory and its scope is extended (for example to medical images and laboratory results): member states will be obliged to make patient summaries, electronic prescriptions, medical images and imaging reports, laboratory results and discharge reports available in a common European exchange format. The regulation foresees that each member state will have to designate a national contact point for digital health, which acts as joint controller for the processing carried out in MyHealth@EU.

The regulation also has provisions on the requirements, certification and governance of Electronic Health Record (EHR) systems. A key provision in this context is the requirement for EHR systems to meet EU-wide technical and security standards. These systems must be designed to enable safe and efficient data sharing, ensuring that patient records are accessible across different healthcare institutions and national borders. To guarantee patient safety and data protection, the regulation introduces a mandatory certification scheme for EHR systems: software or infrastructure used to store, manage or exchange electronic health data must undergo conformity assessment before being placed on the market.

Manufacturers and providers of EHR systems bear responsibility for ensuring that their products meet the required standards. They must provide clear documentation demonstrating compliance and undergo regular assessments to maintain certification. Given the sensitive nature of health information, EHR systems must be equipped with strong authentication mechanisms, encryption protocols, and access controls to prevent unauthorized access and data breaches.

Primary use of health care data

This concerns use of health data for healthcare purposes, such as:

  • treating the patient;
  • prescription and dispensing of medicines and medical devices;
  • social security, administrative or reimbursement services.

The provisions on primary use of health data aim to enhance patient empowerment, the digital transformation of healthcare and EU-wide health data interoperability.

In terms of empowerment, patients are granted immediate and free access to their electronic health records, which must be available in a structured, interoperable, and easily readable format. They also have the right to correct any inaccuracies in their medical records and to add their own health-related notes. The regulation mandates that individuals be informed whenever their health data is accessed, including details about who accessed it and for what purpose. Furthermore, patients retain control over their data by having the ability to restrict or withdraw access, except in cases of emergency or other legally mandated situations.

The regulation also establishes clear rules regarding healthcare professionals' access to electronic health records. Physicians and other medical practitioners must be able to retrieve a patient’s health data when needed for treatment, even when the patient is receiving care in another EU country. This cross-border access ensures continuity of care and eliminates unnecessary duplication of tests or procedures. However, such access is strictly governed by the principle of necessity.

To support the implementation of these rights and obligations, member states are required to ensure that their national health systems comply with EU-wide interoperability standards. Governments must adopt common electronic health record formats to facilitate seamless data exchange and ensure that systems are built on secure and trusted infrastructures. Each country is also responsible for designating an independent Digital Health Authority, which will oversee compliance, manage national infrastructures, and enforce the provisions of the EHDS Regulation. In Belgium, this will be the Health Data Agency.

The regulation further introduces technical and security measures to protect sensitive health information. The European Commission is tasked with defining mandatory standards and formats to ensure interoperability and data portability across the EU. Strict cybersecurity measures must be implemented so that personal health data remains confidential and protected against cyber threats and unauthorised access, and the principle of data minimisation requires that only the data necessary for the purpose is collected and stored, which limits the exposure if a system is compromised. Where immediate access to health data is vital, healthcare professionals may override a patient's prior access restrictions so that timely and effective care is not blocked; such emergency access remains subject to the access logging and patient notification described above, so that the override is visible and accountable afterwards.
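The three access rules described in this section (necessity, patient-imposed restrictions, and the emergency override) and the access log the patient is entitled to see (who accessed what, and for which purpose) are easiest to understand as one decision function. The following is an added, illustrative example written for this page; it is not code from the regulation, MyHealth@EU or any certified EHR system. The role-to-category mapping, the `in_care_team` flag and the patient scenario are hypothetical and constructed for the demonstration.

```python
"""Added example: need-to-know check, patient restrictions, emergency
("break-glass") override and a patient-visible audit trail. Illustrative only;
all names and data are hypothetical, not from any real EHR system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PRESCRIPTION = "prescription"
    REIMBURSEMENT = "reimbursement"
    EMERGENCY = "emergency"


# Hypothetical stand-in for the necessity principle: a role may only request
# the data categories its task actually needs.
ROLE_CATEGORIES = {
    "physician": {"patient_summary", "lab_results", "imaging", "discharge_report"},
    "pharmacist": {"prescription"},
    "billing": {"reimbursement_data"},
}


@dataclass(frozen=True)
class Requester:
    user_id: str
    role: str
    in_care_team: bool  # hypothetical flag: requester is treating this patient


@dataclass
class PatientRestrictions:
    """Restrictions the patient has placed on their own record."""
    blocked_users: set = field(default_factory=set)
    blocked_categories: set = field(default_factory=set)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False  # an emergency override bypassed a restriction


class AccessLog:
    """Append-only audit trail: every attempt is recorded, granted or not."""

    def __init__(self):
        self.entries = []

    def record(self, patient_id, requester, category, purpose, decision):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id, "user_id": requester.user_id,
            "role": requester.role, "category": category,
            "purpose": purpose.value, "allowed": decision.allowed,
            "break_glass": decision.break_glass, "reason": decision.reason,
        })

    def patient_view(self, patient_id):
        """What the patient is told: who accessed which data, for what purpose."""
        shown = ("timestamp", "user_id", "role", "category", "purpose", "break_glass")
        return [{k: e[k] for k in shown} for e in self.entries
                if e["patient_id"] == patient_id and e["allowed"]]


def _evaluate(requester, category, purpose, restrictions):
    # 1. Necessity: the category must be one the requester's role needs at all.
    if category not in ROLE_CATEGORIES.get(requester.role, set()):
        return Decision(False, "category not needed for role")
    # 2. Outside an emergency, only someone treating the patient may look.
    if purpose is not Purpose.EMERGENCY and not requester.in_care_team:
        return Decision(False, "no care relationship with patient")
    # 3. Patient-imposed restrictions, overridable only in an emergency.
    restricted = (requester.user_id in restrictions.blocked_users
                  or category in restrictions.blocked_categories)
    if restricted and purpose is Purpose.EMERGENCY:
        return Decision(True, "patient restriction overridden (emergency)", True)
    if restricted:
        return Decision(False, "blocked by patient restriction")
    return Decision(True, "permitted")


def decide_access(requester, patient_id, category, purpose, restrictions, log):
    """Evaluate the request and log the outcome, whatever it is."""
    decision = _evaluate(requester, category, purpose, restrictions)
    log.record(patient_id, requester, category, purpose, decision)
    return decision


def run_demo():
    """Constructed scenario (hypothetical patient and staff, not real data)."""
    log, patient = AccessLog(), "patient-001"
    restrictions = PatientRestrictions({"dr-smith"}, {"lab_results"})
    jones = Requester("dr-jones", "physician", in_care_team=True)
    smith = Requester("dr-smith", "physician", in_care_team=True)
    clerk = Requester("clerk-01", "billing", in_care_team=False)
    results = [
        decide_access(jones, patient, "patient_summary", Purpose.TREATMENT, restrictions, log),
        decide_access(jones, patient, "lab_results", Purpose.TREATMENT, restrictions, log),
        decide_access(jones, patient, "lab_results", Purpose.EMERGENCY, restrictions, log),
        decide_access(smith, patient, "patient_summary", Purpose.TREATMENT, restrictions, log),
        decide_access(clerk, patient, "patient_summary", Purpose.REIMBURSEMENT, restrictions, log),
    ]
    return results, log
```

Two design points matter more than the rules themselves: denied attempts are logged as well as granted ones (otherwise probing for restricted records leaves no trace), and the break-glass flag is carried into the patient-facing view, so an override is never silent. The internal `reason` field stays out of the patient view, since it would reveal which other users or categories the patient has restricted to anyone reading the notification.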

Secondary use of health care data

This concerns use of health data for other purposes that benefit society:

  • research & innovation
  • policymaking
  • patient safety
  • personalised medicine
  • official statistics
  • regulatory activities.

The proposed system will be based on three actors: health data access bodies, data holders and data users.

Health Data Access Bodies (HDAB)

These bodies are set up by the member states to ensure simplified access to electronic health data for secondary purposes. This can be an existing body or a newly created one. They act as intermediaries between data holders, potential data users and, in some cases, patients. The bodies examine requests from potential users and issue data permits, i.e. administrative decisions granting a data user access to data. The HDAB may charge fees for making electronic health data available for secondary use. In Belgium, the Health Data Agency (HDA) will fulfil several HDAB tasks and help organisations such as hospitals, universities, companies and research institutions to access health data in a regulated way.

Data holders

Data holders (hospitals, clinics, and public health institutions) are persons and bodies who hold electronic health data and will be obliged to make these data available for secondary use. Data holders will have to adopt strict protocols to ensure compliance.

Organizations handling health data must implement strong technical and organizational measures to ensure data security, integrity, and confidentiality. They should maintain detailed metadata on their datasets, covering quality, format, and interoperability standards. Secure and timely access must be provided to authorized users, such as healthcare professionals, researchers, and policymakers. Data should adhere to the FAIR principles—findable, accessible, interoperable, and reusable—to support both primary and secondary uses. Additionally, compliance with logging and auditing requirements is essential to ensure transparency and accountability in data access and usage.

Data users

These can be all sorts of persons or organisations, such as researchers, health professionals, policymakers and regulators. Data users may request access either through a health data access body or, in some cases, directly from the data holder. To do so, they must first apply for a data permit. Data users must make the results or outputs of the secondary use public no later than 18 months after the processing of the electronic health data has been completed.

Certain purposes are excluded from secondary use, including advertising, assessing insurance requests or lending conditions, and making job market decisions. Access decisions will be made by the national health data access bodies.

Governance and timeline

The EHDS establishes a governance framework at both national and EU levels. Member States are required to designate digital health authorities responsible for implementing and enforcing the regulation. A European Health Data Space Board, comprising representatives from Member States and the European Commission, will facilitate cooperation and information exchange. The board will consist of digital health authorities and health data access bodies, as well as observers. It should help ensure consistent application of the rules across the EU, including by advising the European Commission and working with other EU bodies and stakeholders, such as patient organisations.

The provisions of the EHDS Regulation will become applicable between two and six years after the entry into force of the Regulation. As a regulation, the EHDS Regulation will apply directly in all EU Member States. The first obligations will start to apply from 26 March 2027.