European Health Data Space (EHDS)
AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.
Summary
The European Health Data Space (EHDS) establishes an EU-wide framework for the primary use (healthcare delivery) and secondary use (research, innovation, policymaking and regulatory purposes) of electronic health data. It strengthens individuals’ rights to access and share their electronic health data across borders and sets interoperability and security requirements for electronic health record (EHR) systems. It also creates a governance and permitting system for secondary use via national health data access bodies and secure processing environments, with strict safeguards and prohibited uses.
Who is affected?
Individuals (patients/citizens), healthcare providers, and health data holders (e.g., hospitals, registries, biobanks, insurers) are directly affected, as are authorised secondary users such as researchers, innovators and public authorities. EHR system manufacturers and other digital health vendors must comply with interoperability, security and (where applicable) conformity/certification requirements, while Member States must designate and operate health data access bodies and cross-border infrastructure.
Scope
Applies to the access, exchange and reuse of electronic health data in the EU for primary healthcare purposes and for permitted secondary uses, including rules for EHR systems, interoperability, governance, and safeguards.
Key Points
- Strengthens individuals’ rights to access, obtain and share their electronic health data (including cross-border access) for healthcare (primary use).
- Requires interoperability for a set of priority electronic health data categories (e.g., patient summaries, e-prescriptions, medical images, laboratory results, discharge reports).
- Sets EU-level requirements for EHR systems (interoperability, security and related compliance obligations) to support cross-border exchange.
- Creates a secondary-use access regime via national health data access bodies, permits/authorisations and secure processing environments.
- Imposes strict safeguards for secondary use (purpose limitation, data minimisation, pseudonymisation/anonymisation where appropriate) and bans certain uses (e.g., advertising and decisions that disadvantage individuals in insurance/employment contexts).
- Builds on GDPR and complements EU data legislation by establishing a sector-specific European data space for health.
Key Deadlines
- — Commission proposal published
- — Parliament committee vote
- — Parliament plenary vote
- — Trilogue agreement
Frequently Asked Questions
Who must comply with the European Health Data Space (EHDS) regulation?
Compliance is required from individuals (patients/citizens), healthcare providers, health data holders (such as hospitals, registries, biobanks, and insurers), EHR system manufacturers, digital health vendors, and Member States. Researchers, innovators, and public authorities seeking secondary use of health data are also subject to specific provisions.
What types of data and activities fall under the scope of the EHDS?
The EHDS covers the access, exchange, and reuse of electronic health data in the EU for both primary use (healthcare delivery) and secondary use (research, innovation, policymaking, and regulatory purposes). It includes requirements for EHR systems, data interoperability, governance, and security safeguards.
What are the key obligations for EHR system manufacturers under the EHDS?
EHR system manufacturers must ensure their products meet EU-level interoperability and security requirements, support cross-border data exchange, and comply with conformity or certification processes where applicable. They must also facilitate individuals’ rights to access and share their health data.
How does the EHDS strengthen individuals' rights regarding their health data?
The EHDS grants individuals enhanced rights to access, obtain, and share their electronic health data, including across EU borders. It ensures that patients can control their data for healthcare purposes and benefit from improved digital health services.
What are the main safeguards for the secondary use of health data under the EHDS?
Secondary use of health data is subject to strict safeguards, including purpose limitation, data minimisation, and the application of pseudonymisation or anonymisation where appropriate. Certain uses, such as for advertising or discriminatory decisions in insurance or employment, are explicitly prohibited.
What are the penalties for non-compliance with the EHDS?
Penalties for non-compliance are determined by Member States and may include administrative fines or other corrective measures. The regulation requires effective, proportionate, and dissuasive penalties to ensure compliance.
How does the EHDS interact with the GDPR and other EU data laws?
The EHDS builds on and complements the GDPR by establishing sector-specific rules for health data. It does not replace the GDPR but provides additional requirements and safeguards tailored to the health sector, ensuring consistency with broader EU data protection legislation.
What practical steps should healthcare providers take to comply with the EHDS?
Healthcare providers should review and update their EHR systems to meet interoperability and security requirements, train staff on new data rights and procedures, and establish processes for facilitating patient access and cross-border data sharing. They should also coordinate with national health data access bodies for secondary data use requests.
What is the timeline for EHDS implementation and compliance?
The EHDS is in force, but specific implementation deadlines and transitional periods may be set for different obligations, such as EHR system certification and the establishment of health data access bodies. Stakeholders should consult national authorities and the European Commission for detailed timelines.
Who oversees the governance and permitting for secondary use of health data?
National health data access bodies, designated by each Member State, are responsible for overseeing governance, processing permit applications, and ensuring secure processing environments for secondary use of health data.
Key Terms
- Primary Use: The use of electronic health data for healthcare delivery, including diagnosis, treatment, and patient care.
- Secondary Use: The reuse of electronic health data for purposes other than direct healthcare, such as research, innovation, policymaking, and regulatory activities.
- Electronic Health Record (EHR) System: A digital system for recording, storing, and managing patients’ health information, subject to interoperability and security requirements under the EHDS.
- Interoperability: The ability of different EHR systems and digital health applications to exchange, interpret, and use health data seamlessly across borders and providers.
- Health Data Access Body: A national authority designated by each Member State to manage and authorise secondary use of health data, ensuring compliance with EHDS safeguards.
- Secure Processing Environment: A technical and organisational framework that ensures health data is processed safely and in compliance with EHDS requirements for secondary use.
- Pseudonymisation: A data processing technique that replaces identifying information with artificial identifiers, reducing the risk of re-identification while allowing data use.
- Anonymisation: The process of irreversibly removing personal identifiers from health data so that individuals cannot be identified, even indirectly.
- Purpose Limitation: A principle requiring that health data collected for one purpose (e.g., healthcare) cannot be used for other purposes (e.g., research) without proper authorisation and safeguards.
- Cross-border Data Exchange: The sharing and access of electronic health data between EU Member States to facilitate healthcare and secondary uses across national boundaries.