The European Health Data Area (EHDS).

Introduction

The Regulation European health data space, or - in English - the European Health Data Space Act (EHDS) is a European regulation that aims to transform access to and use of health data. This regulation creates a common framework for the use and exchange of electronic health data across national borders, benefiting health care delivery as well as scientific research and innovation.

As a specialized law firm with expertise in health law and data protection we will bring you up to speed on key aspects of this regulation and what it means for your organization.

What is the EHDS?

The EHDS is a regulation directly applicable in all EU member states, without the need for transposition into national (Belgian) legislation. For Belgium, this also means, among other things, that the EDHS takes precedence over the law of April 22, 2019 on the
quality healthcare practice, the
coordinated law of May 10, 2015 on the exercise of the
healthcare professions or the coordinated law of July 14, 1994
On compulsory insurance for medical care and benefits.

The EHDS builds on the General Data Protection Regulation (GDPR), the Data Act and the Data Governance Act and provides an industry-specific framework for health care.

Although the EHDS does not mandate electronic processing of health data, the rules apply once such data is processed electronically.

Who is the EHDS relevant to?

The EHDS is of interest to:

• Healthcare providers and healthcare professionals: They must record and share electronic health data according to the standardized formats prescribed by the EHDS.
• Citizens/patients: They will have improved access to and control over their personal electronic health data, both in Belgium and in the EU
• Manufacturers of EHR systems and interoperable wellness apps: They must meet harmonized safety, security and interoperability requirements.

Individual researchers and micro-enterprises are exempt from the obligations applicable to health data holders. In addition, the EHDS does not apply when the processing of health data is carried out by competent authorities in the context of criminal offenses.

What does the EHDS regulate?

The EHDS regulates three main areas:

1. Primary use of health data.

This refers to the use of (personal) electronic health data for direct care delivery.

The EHDS establishes requirements for recording and updating essential patient data, electronic prescriptions, medical imaging, laboratory results and discharge reports in a standardized electronic format.

Two years after the entry into force of the EHDS, the European Commission will adopt specific technical specifications to ensure the interoperability and quality of these data.

2. Secondary use of health data.

This concerns the use of (personal) electronic health data for scientific research, policy-making and innovation, among other things.

Health data holders are required to make this data available for secondary use under strict privacy and security safeguards:

• Data users must obtain a license from a Health Data Access Body (HDAB), which makes the data available within a secure environment.
• The use of the data is limited to specific purposes, such as improving care and scientific research. Use for commercial purposes, such as marketing is not permitted.

3. Market regulation for EHR systems and wellness apps.

The EHDS harmonizes safety, security and interoperability requirements for systems such as electronic health records (EHRs) and interoperable wellness apps.

Manufacturers are responsible for the conformity of their products and must comply with a self-certification schedule.

Each member state must designate a Market Surveillance Authority to monitor compliance with these requirements.

Key implications of the EHDS

1. Opt-out as the default

Instead of the opt-in arrangement as currently in place in Belgium, the EHDS introduces an opt-out system for both primary and secondary use of health data. Patients can prohibit use through an opt-out arrangement.

2. European basis for secondary use.

The EHDS creates a uniform European basis for the secondary use of health data, making large datasets available for purposes such as training AI applications. This includes data from other EU countries.

3. Rights are expanded

Patient rights under the AVG will be expanded, with enhanced rights to data portability and access through the MyHealth@EU platform.

4. Adaptation of national legislation

National legislation should be aligned with the EHDS, especially in the area of norms and standards for data exchange.

5. New institutional roles.

Member states must establish new entities, such as a Digital Health Authority (DHA) for primary use, a Health Data Access Body (HDAB) for secondary use, and a Market Surveillance Authority for market surveillance.

6. Obligations of data holders

Holders of health data , such as healthcare providers and wellness app manufacturers, will be required to submit this data in a structured manner to the HDAB for secondary use. They may receive administrative support for this from health data mediation entities .

Enforcement and sanctions

Enforcement of the EHDS regulation has been entrusted to different national authorities within member states, each with specific responsibilities.

• Digital Health Authority (DHA).: This authority oversees patients' rights regarding the primary use of health data.A collaborative effort with the DPA will be necessary.
• Health Data Access Body (HDAB).: Responsible for managing and controlling the secondary use of health data.
• Market Surveillance Authority: Oversees compliance by manufacturers of EHR systems and wellness apps.

Significant penalties can be imposed for violation of EHDS rules.

• Fines: Violations can result in fines of up to €20 million or up to 4% of the violator's total annual global turnover, whichever is higher.
• Revocation of permits: In case of non-compliance, the granted authorization for secondary use of health data may be revoked, meaning that further processing must be stopped.
• Exclusion: Violators may also be barred from access to the EHDS for up to five years.

In addition, member states are required to set additional penalties for violations for which no specific penalty is included in the EHDS.

From when does the EHDS apply?

The EHDS was published in the Official Journal on March 5, 2025 and entered into force on March 25, 2025. The EHDS is applicable from March 25, 2027 and must be fully implemented within six years, i.e. by 2031.

How can our law firm help you?

As a specialized law firm in health law and data protection, we can assist you with:

1. Compliance assessment: A thorough analysis of your current processes and systems to determine what needs to change to meet EHDS obligations.
2. Strategic consulting: Advice on implementing EHDS requirements within your organization, taking into account your specific situation and needs.
3. Contractual support: Assistance in establishing or modifying contracts with suppliers, partners and other interested parties to ensure EHDS compliance.
4. Documentation and procedures: Guidance in preparing required documentation and procedures for both primary and secondary uses of health data.
5. Guidance on certification: Support for manufacturers of EHR systems in the self-certification process.
6. Representation to authorities: Representation of your interests before the various supervisory authorities.
7. Training and awareness raising: Trainings and workshops to make your employees aware of the new obligations and procedures under the EHDS.

Conclusion

The EHDS brings significant changes for all healthcare stakeholders. Timely preparation is essential to meet all obligations and maximize the benefits of this European data space.