[ParlTrack]

Tilly METZ, Patrick BREYER

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16, 114 and 11468 thereof,

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 3 a (new)

(3 a) Given the extreme sensitivity of information regarding person’s physical and mental health, this Regulation seeks to provide sufficient safeguards on both EU and national level to ensure a high degree of data privacy, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of natural person’s health data for primary and secondary use. To achieve these objectives, pursuant to Article 9(4) of Regulation (EU) 2016/679, Member States may impose additional restrictions to the rights and obligations laid down in Chapters II and IV of this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 4

(4) The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council43and, for Union institutions and bodies, Regulation (EU) 2018/1725 of the European Parliament and of the Council44and Regulation (EU)2022/868 of the European Parliament and Council44a. References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant. _________________ 43 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). 44 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). 44a Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152,3.6.2022, p.1)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 5 a (new)

(5 a) Improving digital health literacy for both natural persons and their healthcare professionals is key in order to achieve trust, safety and appropriate use of health data and hence achieving a successful implementation of this Regulation. Improving digital health literacy is fundamental in order to empower natural persons to have true control over their health data and actively manage their health and care, and understand the implications of disclosing such data for both primary and secondary use. Particular attention should be given to vulnerable populations, including migrants, the elderly and persons with disabilities. Healthcare professionals and IT operators should have sufficient training in working with new digital infrastructures to ensure cybersecurity and ethical management of health data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 7

(7) In health systems, personal electronic health data is usually gathered in ~~electronic~~ health records, which typically con~~tain~~sist of an electronic collection of a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed in both an electronic or analogue format, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems ~~or wellness applications~~ are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in a cross-border context, Union action is needed in order to ensure individuals have improved access to their own personal electronic health data and are empowered to share it.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 8

(8) The right of access to data by a natural person, established by Article 15 of Regulation (EU) 2016/679, should be further developed in the health sector. Under Regulation (EU) 2016/679, controllers do not have to provide access immediately. While patient portals, mobile applications and other personal health data access services exist in many places, including national solutions in some Member States, the right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time- consuming. This may severely impair timely access to health data by natural persons, and may have a negative impact on natural persons who need such access immediately due to urgent circumstances pertaining to their health condition.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 10

(10) Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be ~~clearly marked to indicate the source of such additional data~~validated by a registered healthcare professional of relevant specialisation responsible for the natural person’s treatment. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural persons should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and~~, where relevant,~~ implemented by the data controllers on a case by case basis~~, if necessary~~ involving health professionals responsible for the natural person’s treatment.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 12

(12) Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers and be informed of the patient safety risks associated with limiting access to health data. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data ~~under~~ in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data. For this purpose, providers of electronic health records shall keep a record of who has accessed which data in the last 24 months.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 13

(13) Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts~~. Such selective sharing~~, or they may want to wholly refuse access to their personal electronic health data by electronic health data access services and health professional access services. Such selective and patient-centric control of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law, together with patient- centric guidance to natural persons in relation to the use of electronic health records and primary use of their personal electronic health data. Guidance should be tailored to the patient’s level of digital health literacy, with specific care for vulnerable groups, such as migrants, the elderly, and persons with disabilities. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 14

(14) In the context of the EHDS, natural persons should be able to exercise their rights ~~as they are enshrined in~~without prejudice to Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 16

(16) Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care and avoiding duplications and errors. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format via commonly accepted open standards and open data formats, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as health professional portals, to use personal electronic health data for the exercise of their duties~~. Moreover, t~~ on a need to know basis in regards to the person under their treatment, irrespective of the Member State of affiliation and treatment. Moreover, the Commission and the Member States should agree on time- based targets to implement improved health data interoperability across the Union. The access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 17

(17) The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded. The Commission should be empowered to extend the list of priority categories, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 19

(19) The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format~~. This would also contribute to the achievement of the target of 100% of Union citizens having access to their electronic health records by 2030, a~~ as well as to give them better control over accessing and sharing their personal electronic health data. To this end, Member States should retain the right to require user consent, or at least provide the possibility for natural persons, to refuse the registration of their electronic health file by all or selected healthcare professionals in an EHR system. Such mechanisms are~~ferred to in the Policy Programme “Path to the Digital Decade”~~ key trust safeguards in the system that secure greater decentralization and user- centricity over their data. In order to make electronic health data accesible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format based on commonly accepted open standards and open data formats, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/24345provides the foundations for such a common European electronic health record exchange format. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council46recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data. _________________ 45 Commission Recommendation (EU) 2019/243 of 6 February 2019 on a European Electronic Health Record exchange format (OJ L 39, 11.2.2019, p. 18). 46 Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 20

(20) While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare pro~~vider~~fessionals that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt ~~implementing~~delegated acts for determining additional aspects related to the registration of electronic health data, such as categories of healthcare pro~~vider~~fessionals that are to register health data electronically, categories of data to be registered electronically, or data quality requirements.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 21

(21) Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services (including telemedicine) that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 22

(22) Regulation (EU) No 910/2014 of the European Parliament and of the Council47lays down the conditions under which Members States perform identification of natural persons in cross- border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals.Digital Health Authorities, including at regional and local level, should also support digital health literacy and public awareness, while ensuring that the implementation of this Regulation contributes to reducing inequalities and does not discriminate against vulnerable populations. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’).As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level. Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities. The EHDS Board, digital health authorities and health data access bodies should establish transparent methods for stakeholder engagement, particularly with representatives of patients, consumers and healthcare professionals.The EHDS Board, digital health authorities and health data access bodies should adhere to a high degree of transparency of its outputs and all its members, observers and experts should act independently, in the public interest and be free from any external influence that might affect the impartiality of their professional conduct. _________________ 47 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 25

(25) In the context of MyHealth@EU, a central ~~platform~~open source platform licensed under an open source licence should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities among the Member States, as joint controllers, and prescribe its own obligations, as processor. Furthermore, to ensure the technological sovereignty of the Union and ensure the highest security standards, the platform should be licenced under an open source licence in line with the Open Source Strategy 2020-2023 (C(2020) 7149 final) and Commission decision 2021/C 495 I/01. This would increase transparency and ensure consumer trust and confidence in the platform.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 27

(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory ex-ante self-certification scheme for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through this self- certification, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council48. _________________ 48 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 35

(35) Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A voluntary labelling scheme should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission may set out in implementing acts the details regarding the format and content of such label.deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 36

(36) The distribution of information on certified EHR systems ~~and labelled wellness applications~~ is necessary to enable procurers and users of such products to find interoperable solutions for their specific needs. A database of interoperable EHR systems ~~and wellness applications~~, which are not falling within the scope of Regulations (EU) 2017/745 and […] [AI act COM/2021/206 final] should therefore be established at Union level, similar to the European database on medical devices (Eudamed) established by Regulation (EU) 2017/745. The objectives of the EU database of interoperable EHR systems ~~and wellness applications~~ should be to enhance overall transparency, to avoid multiple reporting requirements and to streamline and facilitate the flow of information. For medical devices and AI systems, the registration should be maintained under the existing databases established respectively under Regulations (EU) 2017/745 and […] [AI act COM/2021/206 final], but the compliance with interoperability requirements should be indicated when claimed by manufacturers, to provide information to procurers.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 37

(37) For the secondary use of the ~~clinical~~personal electronic health data for research~~, innovation~~ and development, policy making, regulatory purposes, patient safety or the treatment of ~~other~~ natural persons, the ~~possibilities offered by~~requirements provided for in Regulation (EU) 2016/679 for a Union law should be used as a basis ~~and rules and mechanisms and providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. T~~. For processing of personal electronic health data for secondary use, a legal basis set out in points (a), (c), (e) of Article 6(1) combined with a further legal basis set out in Article 9(2) of Regulation (EU) 2016/679 is required. The most relevant processing grounds listed in Article 9(2) of Regulation (EU) 2016/679 in this context concern the consent of the data subject (point (a)), substantial public interest (point (g)), the provision of health or social care (point (h)), public interest in the area of public health (point (i)), and research (point (j)). Hence, this Regulation provides the specific legal basis for such processing in accordance with Articles 9(2) (a), (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 in combination with Articles 9(2) (a), (g), (h), (i) and (j) of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV. ~~More specifically: for processing of electronic health data held by the data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of~~If the user relies upon a legal basis offered by Article 6(1), point (~~c) of Regulation (EU) 2016/679 for disclosing the data by the data~~ e), it should~~er to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regul~~ make reference to another EU or nation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679. This Regulation assigns tasks in the public interest to the health data access bodies (runn law, different from this Regulation, mandating the usecure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2)(h),(i),(j) of the Regulation (EU) 2016/679. Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which electronic health data can be processed. In the case where the user has access to electronic health data (for secondary use of data for one of the purposes defined in this Regulation),r to process personal health data for the compliance of its tasks. For processing of electronic health data held by the data ~~user s~~hould demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f), of Regulation (EU) 2016/679 and explain the specific legal basis on which it relies as part of the application for access to electronic health data pursuant to this Regulation: on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it should make reference to another EU or national law, different from this Regulation, mandating the user to process personal health data for the compliance of its tasks. If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data access bodies are an administrative decision defining the conditions for the access to the dataer pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing the data by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. The data permits issued by the health data access bodies are an administrative decision defining the conditions for the access to the data, in accordance with Regulation (EU) 2016/679 and this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 38

(38) In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, aggregated genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy- makers, regulators and ~~doctor~~healthcare professionals to use those data for different purposes, including research, ~~innovation~~development, policy-making, regulatory purposes, and patient safety ~~or personalised medicine~~. In order to fully unleash the benefits of the secondary use of electronic health data, all data holders, except for micro enterprises and small enterprises in the context of healthcare professionals’ practices and pharmacies, should contribute to this effort in making different categories of electronic health data they are holding available for secondary use. Likewise, beneficiaries should respect the principle of open science and provide open access to research or processing results.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 39

(39) The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as non- personal data with an impact on health (for example consumption of different substances, homelessness, health insurance, minimum income, professional status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include person- generated data, such as data from medical devices~~, wellness applications or other wearables and digital health applications~~. The data user who benefits from access to datasets provided under this Regulation pursuant to a data permit could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 40

(40) The data holders can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above. As such, they are controllers in the meaning of Regulation (EU) 2016/679 in the health or care sector since they process personal electronic health data. In order to avoid a disproportionate burden on small entities, micro-enterprises and small enterprises in healthcare professional setting are excluded from the obligation to make their data available for secondary use in the framework of EHDS. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding,It should be noted that making anonymised data available for secondary use will require additional resources for healthcare systems, including often understaffed public hospitals. This additional burden for public entities should be mad~~e available by data holders~~dressed and minimised to the~~alth data access bodies, in order to maximise the impact of the public investment and support r~~ greatest possible extent during the implementation phase of the EHDS and, where necesesar~~ch, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associat~~y, allocation of additional resources should be ensured. To safeguard the long-term sustainability and durability of European healthcare systems and the provision of public goods across the Unions, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutisufficient and adequate return to public investment in the field of health must be ensured via adequate societal access to access products and services developed via the EHDS framework on a just, fair, transparent, and redistributive basis that caln companies often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sectorntribute to greater social justice. The public good nature of European healthcare systems and equality of access need to be safeguarded by demonstrating the public value stemming from private investments via the EHDS framework and by enhancing the role of public institutions in the field. Likewise, when electronic health data is made available for secondary use, research and processing results should be made publicly available based on the principles of open science so that society at large can access relevant results in the field, enhance transparency, and further contribute to new innovative products and services that can benefit society at large. Data generated by individuals and shared through the EHDS must be considered a public investment. Uses that are detrimental to individuals, in particular to vulnerable groups, should be prohibited and subject to aggravated penalties. In light of possible future risks, a moratorium on certain uses and users should be made possible.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 40 a (new)

(40 a) The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in areas where the collection of such data is fragmented or difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding, should be made available by data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefiting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 41

(41) The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research~~, innovation~~ and development, policy making, ~~educational activities,~~ patient safety, or regulatory activities ~~or personalised medicine,~~ in line with the purposes set out in this Regulation. Access to data for secondary use should ~~contribute to the general interest of the society~~be based on the data subject's explicit consent in the case of personal data and contribute to the general interest of the society as well as to high quality, accessibility and affordability of medical products. Without the data subject’s consent, any health data may only be made accessible after it has been fully and irreversibly anonymised by the data holder, where necessary by aggregating the health data of several persons. Real world evidence collected through the EHDS should in no way substitute data generated in clinical trials, which remain a gold standard in terms of data generation for regulatory purposes. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies which are necessary to meet a substantial public interest, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remains at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), ~~development and innovation, producing goods and services for the~~related to health or care sectors for the prevention, early detection, diagnosis, treatment, rehabilitation, supportive care or health or care ~~sectors, such as innovation activities or training of AI algorithms that could protect~~management. It should also contribute to development activities aimed at producing goods and services for the health or care ~~of natural person~~sectors. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, to profile and discriminate against individuals, or develop harmful products should be prohibited.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 42

(42) The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health- related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Likewise, despite Member States’ constitutional, organisational and administrative specificities, health data access bodies should at least consist of authorization bodies to decide on the validity of data access applications and data requests, and of trust bodies that receive the electronic health data from data holders and disclose it to authorisation bodies. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full- fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use and their staff should not have any conflict of interest that is prejudicial to their independence and impartial conduct. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial and human resources, legal and technical expertise, including ethical boards and committees premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 43

(43) The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. The selection procedure for health stakeholders should be transparent, public, and free of any conflict of interest. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should duly and expeditiously inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 44

(44) Considering the administrative burden for health data access bodies to inform the natural persons whose data are used in data projects within a secure processing environment, the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned, while fully respecting the principles of medical confidentiality and professional secrecy. In this case, the data user should inform the health data access body, which should inform the data subject or his health professional. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 47

(47) Health data access bodies ~~and single data holders~~ should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission may adopt ~~implementing~~delegated acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 48

(48) In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to penalties or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement. TWhe ~~imposition of penalties should be subject to appropriate procedural safeguards~~n deciding on the amount of the penalty for each individual case, Member States should take into acco~~rdance with the general principles of law of the relevant Member State, including effective judicial protection and due process~~unt the margins and criteria set out in this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 49

(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when ~~possible and if the data user asks it~~the purpose of processing by the data user can be achieved with such data and the data subject has not given explicit consent for the secondary use of his/her personal data. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. To this end, the Commission can adopt implementing acts to identify the procedures and requirements for a unified and irreversible procedure for anonymising and pseudonymising electronic health data. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person(s). Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 50

(50) In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide health data access bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information include: a description of the applicant’s identity, professional function, and operation, the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the ~~sec~~free and open source ~~environment that are needed~~tools and computing resources that are needed for the secure environment. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data access bodies and, where relevant data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data, it should submit a data request application, requiring the health data access body to provide directly the result. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data application, as well as data request.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 51

(51) As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit by a maximum period of two additional months in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an additonal fee. However, in all the cases, the data permit should reflect theses additionals uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 52

(52) As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies, especially the Commission, need access to health data for a longer period and on a recurring basis. This is may be the case ~~not only in~~for specific circumstances stipulated by Union or Member States law in times of crisis ~~but also~~and to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 53

(53) For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data access bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi- country requests and requests requiring combination of datasets from several data holders should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or data requests they provide.deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 54

(54) Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment based on free and open-source software. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body or, where relevant, single data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 55

(55) For the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users, the Commission should, by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter into. However, the use of such a template shall not relieve health data access bodies or the data users from any of their duties and responsibilities. In order to achieve an inclusive and sustainable framework for multi-country secondary use of electronic health data, a cross-border infrastructure should be established. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected ~~whenever possible~~. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/200950or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross- border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council51. _________________ 50 Council Regulation (EC) No 723/2009 of 25 June 2009 on the Community legal framework for a European Research Infrastructure Consortium (ERIC) (OJ L 206, 8.8.2009, p. 1). 51 Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 63

(63) The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds. To procure or fund services provided by controllers and processors established in the Union that process personal electronic health data, they are required to demonstrate that they will store the data in the Union and that they are not subject to third country legislation that conflicts with Union data protection rules.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 64

(64) Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically foreseen in the Data Governance Act. Even in situations of the use of state of the art anonymization techniques, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases (a life-threatening or chronically debilitating condition affecting not more than five in 10 thousand persons in the Union), where the limited numbers of case reduce the possibility to fully aggregate the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. It can affect different types of health data depending on the level of granularity and description of the characteristics of data subjects, the number of people affected or and for instance in cases of data included in electronic health records, disease registries, biobanks, person generated data etc. where the identification characteristics are broader and where, in combination with other information (e.g. in very small geographical areas) or through the technological evolution of methods which had not been available at the moment of anonymisation, can lead to the re- identification of the data subjects using means that are beyond those reasonably likely to be used. The realisation of such risk of re-identification of natural persons would present a major concern and is likely to put the acceptance of the policy and rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as in the reporting on clinical trials, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for these types of health data, there remains a risk for re-identification after the anonymisation or aggregation, which could not be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. These types of health data would thus fall within the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final] for transfer to third countries. The protective measures, proportional to the risk of re-identification, would need to take into account the specificities of different data categories or of different anonymization or aggregation techniques and will be detailed in the context of the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. In case of mixed datasets, where personal and non- personal data are inextricably linked, the protections in EU data protection legislation and in this Regulation concerning personal electronic health data shall be fully applicable.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 65

(65) In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient, independent, and public interest driven working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Recital 70

(70) Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. ~~For certain specific infringements~~When deciding on the amount of the penalty for each individual case, Member States should take into account the margins and criteria set out in this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 1 – paragraph 2 – point a

(a) s~~trengthen~~pecifies the rights of natural persons in relation to the availability and control of their electronic health data;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 1 – paragraph 3 – point a

(a) manufacturers and suppliers of EHR systems and ~~wellness application~~of medical devices placed on the market and put into service in the Union and the users of such products;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 1 – paragraph 4

4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, ~~[…] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final].~~(EU) 2022/868 and […] [Data Act COM/2022/68 final]. (This amendment applies throughout the text)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 1 – paragraph 4 a (new)

4 a. Pursuant to Article 9(4) of Regulation (EU) 2016/679, Member States may impose further restrictions on the processing of personal health data laid down in Chapters II and IV of this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point a

(a) ‘personal electronic health data’ means data concerning physical or mental health, and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, ~~or data processed in relation to the provision of healthcare services,~~that are processed in an electronic form;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point b

(b) ‘non-personal electronic health data’ means data concerning health and aggregated genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point e

(e) ‘secondary use of electronic health data’ means the further processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for other purpose ~~of the secondary use~~s;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point f

(f) ‘interoperability’ means the ability of organisations as well as software applications or devices from the same manufacturer or different manufacturers to interact towards mutually beneficial goals using commonly accepted open standards and open data formats, involving the exchange of information and knowledge without changing the content of the data between these organisations, software applications or devices, through the processes they support;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point k

~~(k) ‘data recipient’ means a natural or legal person that receives data from another controller in the context of the primary use of electronic health data;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point l

(l) ‘telemedicine’ means the provision of healthcare services, including remote care and online pharmacies, through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point q – point i

(i) the death of a natural person or serious damage to a natural person’s health or rights;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point y

(y) ‘data holder’ means a~~ny natural or legal person, which is an entity or a body~~ controller in the meaning of Regulation (EU) 2016/679 in the health or care or social security sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies whoich are a controller in the meaning of Regulation (EU) 2018/1725, which has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, to process personal health data, or in the case of non-personal health data, through control of the technical design of a product and related services, the lawful ability to make available, including to register, provide, restrict access or exchange certain data;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point z

(z) ‘data user’ means a natural or legal person, including public authorities and EU institutions, bodies or agencies, who has lawful access to personal or non- personal electronic health data for secondary use, pursuant to a data permit in accordance with this Regulation;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

(aa) ‘data permit’ means an administrative decision issued to a data user by a health data access body ~~or data holder~~ to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 2 – paragraph 2 – point ae a (new)

(ae a) ‘common specifications’ (CS) means a set of technical and/or clinical requirements, other than a standard, that provides a means of complying with the legal obligations applicable to an EHR system.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 1

1. Natural persons shall have the right to access their personal electronic health data processed in the context of primary use of electronic health data, and any available information as to their origin, immediately, free of charge and in an easily readable, consolidated and accessible form, in accordance with Article 14 of Regulation (EU) 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 2

2. Natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format referred to in Article 6, of ~~at least~~ their electronic health data ~~in the priority categories referred to in Article 5~~, or a printed copy thereof, in accordance with paragraph 3 of Article 15 of Regulation (EU) 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 2 a (new)

2 a. Paragraphs 1 and 2 shall be without prejudice to Article 15 of Regulation (EU) 2016/679 and Article 17 of Regulation (EU) 2018/1725.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 3

3. In accordance with paragraph 1, point (i) of Article 23 of Regulation (EU) 2016/679, Member States may by law restrict the scope of this right whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on this ~~or her health~~person.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 4

4. Where the personal health data have not been registered electronically ~~prior to the application of this Regulation~~, Member States may require that such data is made available in electronic format pursuant to this Article~~. This shall not affect the obligation to make personal electronic health data registered after the application of this Regulation available in electronic format pursuant to this Article~~, where the data subject consents to such electronic processing.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point b

(b) establish one or more proxy services enabling a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf and on their request.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 6

6. Natural persons may, in accordance with the rules of the respective healthcare provider, insert their electronic health data in their own EHR or in that of natural persons whose health information they can access because they are proxies pursuant to paragraph 5, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative, shall not be available for secondary use, and shall only be considered as a clinical fact and made available for secondary use if validated by a registered healthcare professional of relevant specialisation responsible for the natural person’s treatment.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 7

7. Member States shall ensure that, when exercising the right to rectification under Article 16 of Regulation (EU) 2016/679, natural persons can easily request rectification online through the electronic health data access services referred to in paragraph 5, point (a), of this Article. In accordance with Article 16 of Regulation (EU) 2016/679, natural persons shall not have the possibility to directly change data inserted by healthcare professionals. Such rectifications of clinical facts shall be validated by a registered healthcare professional of relevant specialisation responsible for the natural person’s treatment. The original data holder shall be responsible for the rectification.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1

NIn accordance with paragraph 2 of Article 20 of Regulation (EU) 2016/679, natural persons shall have the right to give access to or request a data holder from the health or social security sector to transmit all of or part of their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder. That data recipient shall be properly identified, including demonstrating that it belongs to the health or social security sectors.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 3

~~By way of derogation from Article 9 of Regulation […] [Data Act COM/2022/68 final], the data recipient shall not be required to compensate the data holder for making electronic heath data available~~The data recipient shall compensate the data holder for the reasonable and non- discriminatory costs of making electronic health data available. A data holder, a data recipient or a third party shall not directly or indirectly charge data subjects a fee, compensation or costs for sharing data or accessing it.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 4 a (new)

This paragraph is without prejudice to limitations for the processing of personal health or genetic data under Member State law, pursuant to paragraph 4 of Article 9 of Regulation (EU) 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 9

9. ~~Notwithstanding~~Without prejudice to Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of certain health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms, which may also include the possibility of restrictions related to a specific category of health professionals. Natural persons shall be informed of the patient safety risks associated with limiting access to health data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 9 a (new)

9 a. Member States may require the explicit consent of natural persons, or provide for the possibility for natural persons to refuse, the access to their personal electronic health data registered in an EHR system by electronic health data access services referred to in paragraph 5(a) of this Article and by health professional access services referred to in Article 4(3).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 10

10. Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare, including access to restricted data pursuant to paragraph 9. The information shall be provided immediately and free of charge through electronic health data access services, whenever such access has taken place. For this purpose, providers of electronic health records shall keep a record of who has accessed which data in the previous 24 months. Member States may provide for restrictions to this right in exceptional circumstances, where there are factual indications that disclosure would endanger the vital interests or rights of the health professional.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 11

11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 3 – paragraph 12 a (new)

12 a. Member States, including regional and local authorities, shall provide guidance to natural persons in relation to the use of the electronic health records and primary use of their personal electronic health data laid down in this Article. Such guidance shall take into account digital health literacy of vulnerable groups, including migrants, the elderly and persons with disabilities.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 4 – paragraph 1 – point a

(a) have access to the electronic health data of natural persons ~~under their treatment~~, where, and to the extent that, this is necessary for the purposes spelled out in point (h) of paragraph 2 of Article 9 of Regulation (EU) 2016/679, irrespective of the Member State of affiliation and the Member State of treatment, with the exceptions provided for in paragraphs 9 and 9a of Article 3;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 4 – paragraph 2

2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States ~~may~~shall establish rules providing for the categories of personal electronic health data required by different categories of health professions. Such rules shall not be based on the source of electronic health data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 4 – paragraph 3

3. Member States and, where appropriate, local or regional authorities shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services, where, and to the extent to, this is necessary for the purposes spelled out in point (h) of paragraph 2 of Regulation (EU) 2016/679, and with the exceptions provided for in paragraphs 9 and 9a of Article 3. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services regarding the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and treatment, free of charge.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 4 – paragraph 4

4. Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior ~~authorisation~~explicit consent by the natural person, including where the provider or professional is informed of the existence and nature of the restricted electronic health data. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3

AMember States may by law enable access to and exchange of electronic health data for primary use ~~may be enabled~~ for other categories of personal electronic health data available in the EHR of natural persons.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 5 – paragraph 2

~~2. The Commission is empowered to adopt~~ delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. Such delegated acts may also amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data and indicating, where relevant, deferred application date. The categories of electronic health data added through such delegated acts shall satisfy the following criteria: (a) the category is relevant for health services provided to natural persons; (b) according to the most recent information, the category is used in a significant number of EHR systems used in Member States; (c) international standards exist for the category that have been examined for the possibility of their application in the Union.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 6 – paragraph 1 – introductory part

1. The Commission shall, by means of implementing acts, lay down the open technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format pursuant to the FAIR principle (findability, accessibility, interoperability, re-use). The format shall include the following elements:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 7 – paragraph 1

1. Member States shall ensure that, where data is processed in electronic format, health professionals ~~systematically~~ register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 7 – paragraph 1 a (new)

1 a. Member States may require the explicit consent of natural persons for, or provide for the possibility for natural persons to refuse, the registration of their health data by all or selected healthcare professionals in an EHR system.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

The Commission shall, by means of ~~implementing~~delegated acts, determine the requirements for the registration of electronic health data by healthcare pro~~vider~~fessionals and natural persons, as relevant. Those ~~implementing~~delegated acts shall establish the following:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point a

(a) categories of healthcare pro~~viders~~ fessionals that are to register health data electronically;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point b

(b) categories of health data that are to be registered systematically in electronic format by healthcare pro~~vider~~fessionals referred to in point (a);

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 2

Those ~~implementing~~delegated acts shall be adopted in accordance with the advisory procedure referred to in Article 6~~8(2)~~7.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 8 – paragraph 1

Where a Member State accepts the provision of telemedicine services, it shall, under the same conditions, accept the provision of the services of the same type by healthcare providers located in other Member States.deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 9 – paragraph 1

1. Where a natural person uses ~~telemedicine services or~~ personal health data access services referred to in Article 3(5), point (a), that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 9 – paragraph 2

2. The Commission shall, by means of ~~implementing~~delegated acts, determine the requirements for the interoperable, cross- border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014 as amended by [COM(2021) 281 final]. The mechanism shall facilitate the secure transferability of electronic health data in a cross-border context. Those ~~implementing~~delegated acts shall be adopted in accordance with ~~the advisory procedure referred to in~~ Article 6~~8(2)~~7.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 9 – paragraph 3

3. The Commission and Member States shall implement services required by the interoperable, cross-border identification and authentication mechanism referred to in paragraph 2 of this Article at Union level, as part of the cross-border digital health infrastructure referred to in Article 12(3).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 9 – paragraph 4

4. The ~~digital health authoriti~~Member States and the Commission shall implement the cross- border identification and authentication mechanism at Union and Member States’ level, respectively, in accordance with Regulation (EU) No 910/2014 as amended by [COM(2021) 281 final].

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – introductory part

2. Each digital health authority shall be entrusted with the following tasks and powers:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point g

(g) ensure the implementation, at national level, of the European electronic health record exchange format, in cooperation with national authorities and stakeholders, including representatives of patients, consumers and healthcare professionals;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point h

(h) contribute, at Union level, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing quality, interoperability, security, safety, ease of use, accessibility, non-discrimination or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems ~~and wellness applications referred to in Article 32~~;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point h a (new)

(h a) support digital health literacy and promote awareness and understanding about the benefits, risks, rules and rights in relation to the use of EHR systems;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point k

(k) offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, do not discriminate and offer the possibility of choosing between in person and digital services;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point m

(m) cooperate with other relevant entities and bodies at local, regional, national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives, including patients’ and consumers’ representatives, healthcare providers, health professionals, industry associations;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point n

(n) cooperate in the enforcement of this Regulation, within the remit of their respective competences, with supervisory authorities in accordance with Regulation (EU) 910/2014, Regulation (EU) 2016/679 and Directive (EU) 2016/1148 of the European Parliament and of the Council56with other relevant authorities, including those competent for cybersecurity, electronic identification, the European Artificial Intelligence Board, the Medical Device Coordination Group, the European Data Innovation Board and the competent authorities under Regulation […] [Data Act COM/2022/68 final]; _________________ 56 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point o – introductory part

(o) draw up, in collaboration where relevant with market surveillance authorities, an annual activity report, which shall contain a comprehensive overview of its activities. The report shall be transmitted to the Commission and shall be published. The annual activity report shall follow a structure that is agreed at Union level within EHDS Board, to support benchmarking pursuant to Article 59. The report shall contain at least information concerning:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point o – point vi a (new)

(vi a) amount of persons who have restricted or refused access to their data pursuant to paragraphs 9 and 9a of Article 3, and information about the scope of such restrictions by type of health professional or health data;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point o a (new)

(o a) enforce the compliance with this Regulation, including by: (i) conducting on-site and remote inspections, including unannounced ones; (ii) issuing of administrative fines; (iii) imposing on providers of EHRs or on other healthcare providers and professionals and other data holders and data users a ban on certain activities that are in violation of this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 2 – point o b (new)

(o b) promote public awareness and understanding of the benefits, risks, rules, safeguards and rights in relation to the EHDS system.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 3

~~3. The Commission is empowered to adopt~~ delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 10 – paragraph 4

4. Each Member State shall ensure that each digital health authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. Each Member State shall by law provide for the details of the enforcement powers pursuant to point (p) of paragraph 2. (Linked to point (p) of paragraph 2)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

5. In the performance of its tasks, the digital health authority shall actively cooperate with stakeholders’ representatives, including patients, consumers and healthcare professionals’ representatives. Members of the digital health authority shall hav~~oid any conflicts~~e no direct or indirect economic, financial or personal interest that might be considered prejudicial to their independence and, in particular, that they are not in a situation that may, directly ofr in~~teres~~directly, affect the impartiality of their professional conduct.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 11 – paragraph 1

1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or~~, where relevant,~~ collectively, with the digital health authority. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall ~~inform~~send a copy of the complaint to and consult with the supervisory authorities under Regulation (EU) 2016/679. Those supervisory authorities shall be competent to treat the complaint in a separate proceeding, pursuant to their tasks and powers under that Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 12 – paragraph 1

1. The Commission shall establish a central platform for digital health to provide services to support and facilitate the exchange of electronic health data between national contact points for digital health of the Member States. The central platform shall be licenced under an open- source licence and published in the Open Source code repository of the EU institutions.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 12 – paragraph 4

4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The European Union Agency for Cyber Security shall be consulted and closely involved in all steps of the procedure. Any measures adopted shall meet the highest technical standards in terms of security, confidentiality and protection of electronic health data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 1

Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt an implementing act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such an implementing act, a compliance check of the national contact point of the third country or of the system established at an international level, as well as a compliance check with the requirements of Chapter V of Regulation (EU) 2016/679, shall be performed under the control of the Commission.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Chapter III – title

III EHR systems ~~and wellness applications~~

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 14 – paragraph 3

3. Manufacturers of medical devices as defined in Article 2(1) of Regulation (EU) 2017/745 that claim interoperability of those medical devices with EHR systems shall prove compliance with the essential requirements on quality and interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those medical devices.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

4. PNotwithstanding the obligations laid down in Regulation [AI act COM/2021/206 final], providers of high- risk AI systems as defined in Article 6 of Regulation […] [AI act COM/2021/206 final], which does not fall within the scope of Regulation (EU) 2017/745, that claim interoperability of those AI systems with EHR systems will need to prove compliance with the essential requirements on quality and interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those high-risk AI systems. .

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 15 – paragraph 1

1. EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in this Chapter and in Annex II of this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point b

(b) draw up and keep up to date the technical documentation of their EHR systems in accordance with Article 24;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point c

(c) ensure that their EHR systems are accompanied, free of charge for the user, by the information sheet provided for in Article 25 and by clear and complete instructions for use, including in accessible formats for vulnerable populations, including migrants, the elderly and persons with disabilities;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point g

(g) take ~~without undue d~~immediatelay any necessary corrective action in respect of their EHR systems wh~~ich~~en manufacturers consider or have reasons to believe that such systems are not in conformity with the essential requirements laid down in Annex II, or recall or withdraw such systems;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point h

(h) immediately inform the distributors of their EHR systems and, where applicable, the authorised representative and importers of any corrective action, recall or withdrawal;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point i

(i) immediately inform the market surveillance authorities of the Member States in which they made their EHR systems available or put them into service of the non- conformity and of any corrective action taken;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point i a (new)

(i a) immediately inform the market surveillance authorities of the Member States in which they made their EHR systems available, where manufacturers consider or have reasons to believe that such systems present a risk to the health or safety of natural persons or to other aspects of public interest protection;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 – point j

(j) ~~upon request of a market surveillance authority, provide it~~at least 6 months before placing on the market or putting into service their EHR systems, provide market surveillance authorities in the Member States concerned with all the information and documentation necessary to demonstrate the conformity of their EHR system with the essential requirements laid down in Annex II.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 1 a (new)

1 a. If the manufacturer fails to cooperate with market surveillance authorities or if the information and documentation provided is incomplete or incorrect, market surveillance authorities shall take all appropriate measures to prohibit or restrict the relevant EHR system from being available on the market, to withdraw it from the market or to recall it until the manufacturer cooperates or provides complete and correct information;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 3

3. Manufacturers of EHR systems shall keep the technical documentation and the EU declaration of conformity for at least 10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 3 a (new)

3 a. A manufacturer of EHR systems established outside of the Union shall ensure that its authorised representative has the necessary documentation permanently available in order to fulfil the tasks referred to in Article 18(2).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 3 b (new)

3 b. Natural or legal persons may claim compensation for damage caused by a defective EHR system in accordance with applicable Union and national law. Manufacturers shall have measures in place to provide sufficient financial coverage in respect of their potential liability under Directive 85/374/EEC, without prejudice to more protective measures under national law.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 3 c (new)

3 c. Manufacturers shall make publicly available communication channels such as a telephone number, electronic address or dedicated section of their website, taking into account accessibility needs for vulnerable populations, including migrants, the elderly and persons with disabilities, allowing consumers and professional users to file complaints and to inform them of risks related to their health and safety or to other aspects of public interest protection and of any serious incident involving an EHR system;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 3 d (new)

3 d. Manufacturers shall investigate complaints and information on incidents involving an EHR system they made available on the market without undue delay and shall keep an internal register of those complaints as well as of systems recalls and any corrective measures taken to bring the EHR system into conformity;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 17 – paragraph 3 e (new)

3 e. Personal data stored in the internal register of complaints shall only be those personal data that are necessary for the manufacturer to investigate the complaint. Such data shall only be kept as long as it is necessary for the purpose of investigation and no longer than five years after they have been encoded.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 – introductory part

2. An authorised representative shall perform the tasks specified in the mandate ~~received from~~agreed with the manufacturer. The mandate shall allow the authorised representative to do at least the following:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 – point b

(b) ~~further to a reasoned request from a market surveillance authority, provide that authority~~at least 6 months before an EHR system is placed on the market or putting into service provide market surveillance authorities of the Member States concerned a copy of the mandate with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II in an official language of the authority;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 – point b a (new)

(b a) immediately inform the manufacturer if the authorised representative has a reason to believe that an EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection or if it is aware of any serious incident involving an EHR system;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 – point b b (new)

(b b) immediately inform the manufacturer about complaints received by consumers and professional users;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 – point c a (new)

(c a) terminate the mandate if the manufacturer acts contrary to its obligations under this Regulation and immediately inform the market surveillance authority of the Member State in which is established.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 a (new)

2 a. Where the manufacturer is not established in a Member State and has not complied with the obligations laid down in Article 17, the authorised representative shall be legally liable for non-compliance with this Regulation on the same basis as, and jointly and severally with, the manufacturer.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 18 – paragraph 2 c (new)

2 c. In case of change of the authorised representative, the detailed arrangements for the change shall be clearly defined in an agreement between the manufacturer, or where practicable the outgoing authorised representative, and the incoming authorised representative.That agreement shall address at least the following aspects: (a) the date of termination of the mandate of the outgoing authorised representative and date of beginning of the mandate of the incoming authorised representative; (b) the transfer of documents, including confidentiality aspects and property rights.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 2 – point a

(a) the manufacturer has drawn up the technical documentation and the EU declaration of conformity and ensure that it is made available to market surveillance authorities at least 6 months before an EHR system is placed on the market or put into service;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 2 – point a a (new)

(a a) the manufacturer is identified and an authorised representative in accordance with Article 18 has been appointed;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 2 – point c

(c) the EHR system is accompanied by the information sheet referred to in Article 25 and ~~appropria~~clear and complete instructions for use in accessible formats, including for persons with disabilities.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 3

3. Importers shall indicate their name, registered trade name or registered trade mark and the ~~address~~postal and electronic address and a telephone number at which they can be contacted in a document accompanying the EHR system. They shall ensure that any additional label does not obscure any information on the label provided by the manufacturer.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 5

5. Where an importer considers or has reason to believe that an EHR system is not in conformity with the essential requirements in Annex II, it shall not make that system available on the market until that system has been brought into conformity. The importer shall i~~nform without undue delay~~mmediately inform the manufacturer of such EHR system and the market surveillance authorities of the Member State in which it made the EHR system available, to that effect. Where an importer considers or has reason to believe that an EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection, it shall immediately inform the market surveillance authority of the Member State in which the importer is established, as well as the manufacturer and where applicable, the authorised representative.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 7

7. Importers shall, ~~further to a reasoned request from a market surveillance authority, provide it~~at least 6 months before placing on the market or putting into service an EHR system, provide market surveillance authorities of Member States concerned with all the information and documentation necessary to demonstrate the conformity of an EHR system in the official language of the Member State where the market surveillance authority is located. They shall cooperate with that authority, at its request, and with the manufacturer and, where applicable, with the manufacturer’s authorised representative on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II, or to ensure that their EHR systems are withdrawn or recalled.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 7 a (new)

7 a. Importers shall verify whether the communication channels referred to in Article 17(3c), are publicly available to consumers and professional users allowing them to submit complaints and communicate any risk related to their health and safety or to other aspects of public interest protection and of any serious incident involving an EHR system. If such channels are not available, the importer shall provide for them, taking into account accessibility needs of vulnerable populations including migrants, the elderly and persons with disabilities.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 7 b (new)

7 b. If the importer fails to cooperate with market surveillance authorities or if the information and documentation provided is incomplete or incorrect, market surveillance authorities shall take all appropriate measures to prohibit or restrict its EHR system from being available on the market, to withdraw it from the market or to recall it until the importer cooperates or provides complete and correct information.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 7 c (new)

7 c. Importers shall investigate complaints and information on incidents involving an EHR system they made available on the market and file those complaints, as well as of systems recalls and any corrective measures taken to bring the EHR system into conformity, in the register referred to in Article 17(3e) or in their own internal register. Importers shall keep the manufacturer, distributors and, where relevant, authorised representatives informed in a timely manner of the investigation performed and of the results of the investigation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 19 – paragraph 7 d (new)

7 d. Personal data stored in the internal register of complaints shall only be those personal data that are necessary for the importer to investigate the complaint. Such data shall only be kept as long as it is necessary for the purpose of investigation and no longer than five years after they have been encoded.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 20 – paragraph 1 – point c

(c) the EHR system is accompanied by the information sheet referred to in Article 25 and ~~appropria~~by clear and complete instructions for use in accessible formats, including for persons with disabilities;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 20 – paragraph 3

3. Where a distributor considers or has reason to believe that an EHR system is not in conformity with the essential requirements laid down in Annex II, it shall not make the EHR system available on the market until it has been brought into conformity. Furthermore, the distributor shall i~~nform without undue delay~~mmediately inform the manufacturer or the importer, as well as the market surveillance authorities of the Member states where the EHR system has been made available on the market, to that effect. Where a distributor considers or has reason to believe that an EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection, it shall immediately inform the market surveillance authority of the Member State in which the distributor is established, as well as the manufacturer, the importer and where applicable, the authorised representative.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 20 – paragraph 4

4. Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of an EHR system. They shall cooperate with that authority, at its request, and with the manufacturer, the importer and, where applicable, with the manufacturer’s authorised representative on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II or to ensure that their EHR systems are withdrawn or recalled.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 20 – paragraph 4 a (new)

4 a. Distributors that have received complaints from consumers or professional users about suspected incidents involving an EHR system they made available on the market, shall immediately forward this information to the manufacturer and, where applicable, the manufacturer's authorised representative, and the importer. They shall keep a register of complaints, of non-conforming EHR systems and of recalls and withdrawals, and keep the manufacturer and, where available, the authorised representative and the importer informed of such monitoring and provide them with any information upon their request.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 21 – title

Cases in which obligations of manufacturers of an EHR system apply to ~~importers and distribu~~other economic operators

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 21 – paragraph 1

An ~~importer or distributo~~economic operator other than the manufacturer shall be considered a manufacturer for the purposes of this Regulation and shall be subject to the obligations laid down in Article 17, where they made an EHR system available on the market under their own name or trademark or modify an EHR system already placed on the market in such a way that conformity with the applicable requirements may be affected.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 23 – paragraph 5

5. Where common specifications covering interoperability and security requirements of EHR systems affect medical devices or high-risk AI systems falling under other acts, such as Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], the adoption of those common specifications ~~may~~shall be preceded by a consultation with the Medical Devices Coordination Group (MDCG) referred to in Article 103 of Regulation (EU) 2017/745 or the European Artificial Intelligence Board referred to in Article 56 of Regulation […] [AI Act COM/2021/206 final], as applicable, as well as the European Data Protection Board referred to in Article 68 of Regulation (EU) 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 23 – paragraph 6

6. Where common specifications covering interoperability and security requirements of medical devices or high- risk AI systems falling under other acts such as Regulation (EU) 2017/745 or Regulation […] [AI Act COM/2021/206 final], impact EHR systems, the adoption of those common specifications shall be preceded by a consultation with the EHDS Board, especially its subgroup for Chapters II and III of this Regulation and, where applicable, the European Data Protection Board referred to in Article 68 of Regulation (EU) 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 24 – paragraph 1

1. ~~The~~Manufacturers shall draw up technical documentation ~~shall be drawn up~~ before the EHR system is placed on the market or put into service and shall be kept up-to-date. The technical documentation shall be submitted to the market surveillance authorities of the Member States concerned at least 6 months before an EHR system is placed on the market or put into service.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 24 – paragraph 2

2. The technical documentation shall be drawn up in such a way as to demonstrate that the EHR system complies with the essential requirements laid down in Annex II and provide market surveillance authorities with all the necessary information to assess the conformity of the EHR system with those requirements. It shall contain, at a minimum, the elements set out in Annex III. In case the system or any part of it complies with European standards or common specifications, the list of the relevant European standards and common specifications shall also be indicated.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 25 – paragraph 2 – point a

(a) the identity, registered trade name or registered trademark, and the contact details of the manufacturer including the postal and electronic address and the telephone number and, where applicable, of its authorised representative;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 25 – paragraph 3

3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by allowing manufacturers to enter the information referred to in paragraph 2 into the EU database of EHR systems ~~and wellness applications referred to in Article 32~~, as an alternative to supplying the information sheet referred to in paragraph 1 with the EHR system.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 26 – paragraph 1

1. The EU declaration of conformity shall state that the manufacturer of the EHR system has demonstrated that the essential requirements laid down in Annex II have been fulfilled. The manufacturer shall continuously update the EU declaration of conformity.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 26 – paragraph 4

4. By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for ~~the conformity of the~~compliance with the requirements of this Regulation and all Union acts applicable to EHR systems.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 26 – paragraph 4 a (new)

4 a. The Commission is empowered to adopt delegated acts in accordance with Article 67 amending the minimum content of the EU declaration of conformity set out in Annex IV.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 27 – paragraph 1 a (new)

1 a. The CE marking shall be affixed before making the EHR system available on the market.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 27 – paragraph 2 a (new)

2 a. Where EHR systems are subject to other Union legislation in respect of aspects not covered by this Regulation, which also requires the affixing of the CE marking, the CE marking shall indicate that the systems also fulfil the requirements of that other legislation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 28 – paragraph 2

2. Member States shall designate the market surveillance authority or authorities responsible for the implementation of this Chapter. They shall entrust their market surveillance authorities with the ~~powers, resources, equipment~~necessary powers, financial resources, equipment, technical expertise, adequate staffing, and knowledge necessary for the proper performance of their tasks pursuant to this Regulation. Member States shall communicate the identity of the market surveillance authorities to the Commission which shall publish a list of those authorities.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 28 – paragraph 2 a (new)

2 a. Staff of market surveillance authorities shall have no direct or indirect economic, financial or personal conflicts of interest that might be considered prejudicial to their independence and, in particular, that they are not in a situation that may, directly or indirectly, affect the impartiality of their professional conduct.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 28 – paragraph 2 b (new)

2 b. Pursuant to paragraph 2 of this article, Member States shall determine and publish the selection procedure for market surveillance authorities. They shall ensure that the procedure is transparent and does not allow for conflicts of interest.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 29 – paragraph 1 a (new)

1 a. Where a market surveillance authority, on the basis of the information and documentation demonstrating the conformity of an EHR system provided by the relevant economic operator, considers or has reason to believe that the EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection, including before the EHR system is placed on the market or put into service, it shall perform all the necessary checks to ensure that the system is compliant with this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 29 – paragraph 1 b (new)

1 b. Where a market surveillance authority considers or has reason to believe that an EHR system has caused damage to the health or safety of natural persons or to other aspects of public interest protection, it shall immediately provide information and documentation, as applicable, to the affected person or user and, as appropriate, other third parties affected by the damage caused to the person or user, without prejudice to data protection rules.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 30 – paragraph 1 – introductory part

1. Where a market surveillance authority makes one, inter alia, of the following findings, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to ~~put an end to the non-compliance concerned~~bring the EHR system into conformity:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 30 – paragraph 1 – point a

(a) the EHR system is not in conformity with essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 30 – paragraph 1 – point b

(b) the technical documentation is either not available or not complete; or not in accordance with Article 24;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 30 – paragraph 1 – point b a (new)

(b a) the EHR systems is not accompanied by the information sheet provided for in Article 25, free of charge by the user, and by clear and complete instructions for use in accessible formats for persons with disabilities;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 30 – paragraph 1 – point c

(c) the EU declaration of conformity has not been drawn up or has not been drawn up correctly as referred to in Article 26;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 30 – paragraph 1 – point d a (new)

(d a) the registration obligations of Article 32 has not been fulfilled.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 31

Voluntary labelling of wellness 1. Where a manufacturer of a wellness application claims interoperability with an EHR system and therefore compliance with the essential requirements laid down in Annex II and common specifications in Article 23, such wellness application may be accompanied by a label, clearly indicating its compliance with those requirements. The label shall be issued by the manufacturer of the wellness application. 2. The label shall indicate the following information: (a) categories of electronic health data for which compliance with essential requirements laid down in Annex II has been confirmed; (b) reference to common specifications to demonstrate compliance; (c) validity period of the label. 3. The Commission may, by means of implementing acts, determine the format and content of the label. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). 4. The label shall be drawn-up in one or more official languages of the Union or languages determined by the Member State(s) in which the in which the wellness application is placed on the market. 5. The validity of the label shall not exceed 5 years. 6. If the wellness application is embedded in a device, the accompanying label shall be placed on the device. 2D barcodes may also be used to display the label. 7. The market surveillance authorities shall check the compliance of wellness applications with the essential requirements laid down in Annex II. 8. Each supplier of a wellness application, for which a label has been issued, shall ensure that the wellness application that is placed on the market or put into service is accompanied with the label for each individual unit, free of charge. 9. Each distributor of a wellness application for which a label has been issued shall make the label available to customers at the point of sale in electronic form or, upon request, in physical form. 10. The requirements of this Article shall not apply to wellness applications which are high-risk AI systems as defined under Regulation […] [AI Act COM/2021/206 final].Article 31 deleted applications

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 32 – title

Registration of EHR systems ~~and wellness applications~~

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 32 – title

Registration of EHR systems ~~and wellness applications~~

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 32 – paragraph 1

1. The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Article 26 ~~and wellness applications for which a label has been issued pursuant to Article 31~~.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 32 – paragraph 2

2. Before placing on the market or putting into service an EHR system referred to in Article 14 ~~or a wellness application referred to in Article 31~~, the manufacturer of such EHR system ~~or wellness application~~ or, where applicable, its authorised representative shall register the required data into the EU database referred to in paragraph 1.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 32 – paragraph 4

4. The Commission is empowered to adopt delegated acts in accordance with Article 67 to determine the list of required data to be registered by the manufacturers of EHR systems ~~and wellness applications~~ pursuant to paragraph 2.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 1 – introductory part

1. Data holders shall make the following categories of electronic data available for secondary use upon request and only with consent from the data subject in the case of personal data, and with the option to give or refuse consent for individual data categories and purposes, in accordance with the provisions of this Chapter:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 1 – point b

(b) ~~data~~non-personal data about determinants impacting on health, including social, environmental and behavioural ~~determinants of health~~;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 1 – point e

(e) human genetic, genomic and proteomic data. This data shall only be used for the purposes in points (a), (b) or (c) of paragraph 1 of Article 34;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 1 – point f

~~(f) person generated electronic health data, including medical devices, wellness applications or other digital health applications;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 1 – point g

~~(g) identification data related to health professionals involved in the treatment of a natural person;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

(l) data from research cohorts, questionnaires and surveys related to health;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 1 – point n

~~(n) electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 2

2. The requirement in the first subparagraph shall not apply to data holders that qualify as micro enterprises and small enterprises in the context of healthcare professionals’ practices and pharmacies as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC59. _________________ 59 Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 3 a (new)

3 a. When electronic health data is made available for secondary use through health data access bodies, the beneficiary shall respect the principle of open science, and provide open access to research or processing results, following the principle ‘as open as possible, as closed as necessary’, in full respect of this Regulation and other applicable laws. Derogations from the open access requirements and open access practices shall be duly justified. The Commission shall closely monitor this, and any derogations shall be made public on the Commission’s web-portal.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 5

5. Where the explicit consent of the natural person is required by ~~national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.~~ Member State law pursuant to paragraph 4 of Article 9 of Regulation (EU) 2016/679, health data access bodies shall ensure the related obligations are met prior to providing access to electronic health data pursuant to Chapter IV of this Regulation. Where Member State law, pursuant to the same provision, excludes the giving of consent for certain data categories or processing purposes, the data must not be processed under the provisions of this Chapter.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 6

6. Where a public sector body obtains data in emergency situations as defined in Article 15, point (a) or (b) of the Regulation […] [Data Act COM/2022/68 final], in accordance with the rules laid down in that Regulation, it may be supported by a health data access body to provide technical support to process the data or combining it with other data for joint analysis.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 7

~~7. The Commission is empowered to adopt~~ delegated ~~acts in accordance with Article 67 to amend the list in paragraph 1 to adapt it to the evolution of available electronic health data.~~

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 33 – paragraph 8

8. Health data access bodies may provide access to additional categories of electronic health data that they have been entrusted with pursuant to national law ~~or based on voluntary cooperation with the relevant data holders at national level~~, in particular to electronic health data held by private entities in the health sector, in accordance with the relevant security and data protection provisions.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – introductory part

1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 to a health data user only with the explicit consent from the data subject in the case of personal data. Without such consent, any health data may only be made accessible after it has been fully and irreversibly anonymised, where necessary by aggregating the health data of several groups of persons. In addition, any data may only be made accessible where the intended purpose of processing pursued by the applicant complies with:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – point b

(b) to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates, where this is necessary to meet a substantial public interest;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – point d

~~(d) education or teaching activities in health or care sectors;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – point e

(e) scientific research and development related to health or care sectors for the prevention, early detection, diagnosis, treatment, rehabilitation, supportive care or healthcare management, including behavioural, fundamental, exploratory or applied health research;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – point f

(f) development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – point g

(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 1 – point h

~~(h) providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 34 – paragraph 4

4. Public sector bodies or Union institutions, agencies and bodies that obtain access to non-personal electronic health data entailing IP rights and trade secrets in the exercise of the tasks conferred to them by Union law or national law, shall take all specific measures necessary to preserve the confidentiality of such data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 35 – paragraph 1 – introductory part

Seeking ~~access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 for the following purposes shall be prohibited:~~ or gaining access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 for any purposes not listed in Article 34 shall be prohibited and subject to penalties laid down in Articles 43 and 69. Seeking or gaining access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 for the following purposes shall constitute an aggravated case of breaching the rules of this Regulation, and shall be subject to higher penalties, in accordance with point (i) of paragraph 2a of Article 69: (Linked to article 69)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 35 – paragraph 1 – point c

(c) advertising or marketing activities ~~towards health professionals, organisations in health or natural persons~~;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 35 – paragraph 1 – point c a (new)

(c a) developing or conducting any activity aimed at profiling of or discriminating against individuals;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 35 – paragraph 1 – point e

(e) developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco and nicotine products, or goods or services which are designed or modified in such a way that they ~~contravene public order or morality~~incite addiction, harm public health and environment or contravene public order or morality or result in behavioural changes that reduce the freedom of choice or security of the natural persons.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 36 – paragraph 1 a (new)

1 a. Health data access bodies shall consist of two distinct parts, which shall be legally and organisationally separate from each other: (a) Authorisation bodies, which decide about data access applications pursuant to Article 37(1) and make the data accessible to authorised data users in a secure processing environment; (b) Trust bodies, which receive the electronic health data from data holders pursuant to Article 37(1a) and are responsible for disclosing the data to the authorisation bodies.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 36 – paragraph 2

2. Member States shall ensure that each health data access body is provided with ~~the hum~~human resources with necessary legal an,d technical expertise, including ethical boards and committees, and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 36 – paragraph 3

3. In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients and consumers, data holders and data users~~. Staff~~, and with data protection experts. Health data access bodies shall actively cooperate with the authorities responsible for the application of EU and national data protection legislation. Staff members of health data access bodies shall hav~~oid any conflicts of interes~~e no direct or indirect economic, financial or personal conflicts of interest that might be considered prejudicial to their independence and, in particular, that they are not in a situation that may, directly or indirectly, affect the impartiality of their professional conduct. Health data access bodies shall not be bound by any instructions, when making their decisions.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 36 – paragraph 3 a (new)

3 a. Member States shall determine and publish the selection procedure for health stakeholders referred to in paragraph 3. They shall ensure that the procedure is transparent and does not allow for conflicts of interest.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – introductory part

1. HThe authorisation bodies within the health data access bodies shall carry out the following tasks:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point a

(a) decide on data access applications pursuant to Article 45, authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter. This includes deciding on whether the data shall be made accessible in anonymised or pseudonymised form, based on its own thorough assessment of any reasons provided by the data applicant pursuant to paragraph (d) of paragraph 2 of Article 45;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point c

(c) support Union institutions, bodies, offices and agencies in carrying out the tasks enshrined in their mandate ~~of Union institutions, bodies, offices and agencies, based on national or~~, based on Union law;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point d

(d) process electronic health data for the purposes set out in Article 34, including the collection, combination, preparation and disclosure of those data for secondary use on the basis of a data permit;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point e

~~(e) process electronic health data from other relevant data holders based on a data permit or a data request for a purposes laid down in Article 34;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point f

~~(f) take all measures necessary to preserve the confidentiality of IP rights and of trade secrets;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point g

(g) gather and compile or provide access to the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point h

~~(h) contribute to data altruism activities in accordance with Article 40;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point i

(i) support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health;deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point j

~~(j) cooperate with and supervise data holders to ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56;~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point o

~~(o) facilitate cross-border access to electronic health data for secondary use hosted in other Member States through HealthData@EU and cooperate closely with each other and with the Commission.~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 – point q – point iii

(iii) penalties applied pursuant to Article ~~43;~~69; (Due to alignment of art. 43 with art. 69)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 1 a (new)

1 a. The trust bodies within the health data access bodies shall carry out the following tasks: (a) process electronic health data for the purposes set out in Article 34, including the collection, combination, preparation and disclosure of those data for secondary use on the basis of a data permit; (b) process electronic health data from other relevant data holders based on a data permit or a data request for a purpose laid down in Article 34; (c) take all measures necessary to preserve the confidentiality of IP rights and of trade secrets; (d) gather and compile or provide access to the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50; (e) contribute to data altruism activities in accordance with Article 40; (f) support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health; (g) cooperate with and supervise data holders to ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56;assist data holders to ensure they fully respect any refusals or restrictions for access for primary use pursuant to paragraphs 9 and 9a of Article 3; (h) facilitate cross-border access to anonymised electronic health data for secondary use hosted in other Member States through HealthData@EU and cooperate closely with each other and with the Commission.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 2 – point a

(a) cooperate with supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 in relation to personal electronic health data ~~and the EHDS Board~~;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 2 – point b

(b) inform the relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 where a health data access body has imposed penalties or other measures pursuant to Article 4369 in relation to processing personal electronic health data ~~and~~, or where such processing refers to an attempt to re-identify an individual or unlawful processing of personal electronic health data; (Due to alignment between art. 43 and art. 69)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 2 – point c

(c) cooperate with stakeholders, including patient and consumer organisations, representatives from natural persons, health professionals, researchers, and ethical committees, where applicable in accordance with Union and national law;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 37 – paragraph 4

~~4. The Commission is empowered to adopt~~ delegated ~~acts in accordance with Article 67 to amend the list of tasks in paragraph 1 of this Article, to reflect the evolution of activities performed by health data access bodies.~~

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 – paragraph 1 – point c

(c) the applicable rights of natural persons in relation to secondary use of electronic health data, including the rights pursuant to Regulation (EU) 2016/679;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 – paragraph 2

2. Health data access bodies shall ~~not be obliged to~~ provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and shall provide general public information on all the data permits issued pursuant to Article 46.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 – paragraph 3

3. Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body ~~may~~shall inform the natural person and his or her treating health professional about that finding, while respecting the principles of medical confidentiality and professional secrecy. In accordance with Article 23(1), point (i), of Regulation (EU) 2016/679, Member States may by law restrict the scope of the obligation to inform the natural person whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their information for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have an impact on them.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 – paragraph 4

4. Member States shall regularly inform the public at large about the role ~~and benefits of health data access bodies~~of the health data access bodies and the benefits and risk of sharing health data for research and decision-making.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 a (new)

Article 38 a Right to lodge a complaint with a health data access body 1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the health data access body, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 38(1), point (d), of this Regulation, the health data access body shall inform and send a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679. 2. The health data access body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 b (new)

Article 38 b Right to an effective remedy against a health data access body 1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a health data access body concerning them. 2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the health data access body which is competent pursuant to Article 37 does not handle a complaint or does not inform the natural or legal person within three months on the progress or outcome of the complaint lodged pursuant to Article 38a. 3. Proceedings against a health data access body shall be brought before the courts of the Member State where the health data access body is established.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 38 c (new)

Article 38 c Right to compensation 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the entity responsible for the infringement. 2. Any entity processing electronic health data shall be liable for the damage caused by infringing this Regulation.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 39 – paragraph 2

2. The report shall be transmitted to the Commission, which shall make it publicly available on its website.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 41 – paragraph 1

1. Where a data holder is obliged to make electronic health data available ~~under Article 33 or under other Union law or national legislation implementing Union law~~to a health data access body under Article 33, it shall cooperate in good faith with the health data access bodies, where relevant.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 41 – paragraph 2 a (new)

2 a. Paragraph 1 constitutes a legal obligation in the sense of Article 6(1)(c) of Regulation 2016/679 for the data holder to disclose personal electronic health data to the health data access body, in combination with Article 9(2), points (h), (i) and (j), of Regulation 2016/679.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 41 – paragraph 3 a (new)

3 a. Where the health data access body finds that the purpose pursuant to the data access application under Article 45 can be fulfilled with anonymised data, the health data access body shall anonymise the data. Where the health data access body finds that the purpose pursuant to the data access application under Article 45 cannot be fulfilled with anonymised data, because it requires combination of data from different data holders, the data holder shall request the explicit consent from each data subject. Only data for which explicit consent has been given shall be put at the disposal of health data access bodies. Both anonymisation and pseudonymisation shall be done following the procedures and requirements pursuant to Article 44(3a). After having anonymised or pseudonymised the data, the health data access body shall delete the fully identifiable data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 41 – paragraph 3 b (new)

3 b. By derogation from paragraph 3a, where the anonymisation can be done in an automated procedure that does not require an unreasonable effort, the data holder shall anonymise the data following the procedures and requirements pursuant to Article 44(3a), before putting it at the disposal of the health data access body.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 42 – paragraph 1

1. Health data access bodies ~~and single data holders~~ may charge fees for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final], as well as the technical and operational costs to prepare the data sets, including anonymization and pseudonymization, and to make them available.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 42 – paragraph 3

3. The electronic health data referred to in Article 33(1), point (o), shall be made available to a new user ~~free of charge or~~ against a fee matching the compensation for the costs of the human and technical resources used to enrich the electronic health data. That fee shall be paid to the entity that enriched the electronic health data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 42 – paragraph 4

4. Any fees charged to data users pursuant to this Article by the health data access bodies or data holders shall be transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition. The support received by the data holder from donations, public national or Union funds, to set up, develop or update that dataset shall be excluded from this calculation. The specific interests and needs of SMEs, public bodies, Union institutions, bodies, offices and agencies involved in research, health policy or analysis, educational institutions and healthcare providers shall be taken into account when setting the fees, by ~~reduc~~aligning those fees proportionately towith their size or budget.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 42 – paragraph 6

6. The Commission ~~may~~shall, by means of ~~implementing~~delegated acts, lay down principles and rules for the fee policies and fee structures. Those ~~implementing~~delegated acts shall be adopted in accordance with the ~~advisory~~ procedure referred to in Article 6~~8(2)~~7.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 43 – title

~~Penalties~~Enforcement by health data access bodies

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 43 – paragraph 4

4. Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non- compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to fine up to 10% of the data user's annual turnover for the previous financial year or revoke the data permit and to exclude the data user from any access to electronic health data for a period of up to 5 years. Where an EU institution, body or agency is the data user, the power to impose such penalties shall rest with the European Data Protection Supervisor, after notification from the health data access body.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 43 – paragraph 5

5. Where data holders withhold the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or do not respect the deadlines set out in Article 41, the health data access body shall have the power to fine the data holder with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body. In case of repeated breaches by the data holder of the obligation of loyal cooperation with the health data access body, that body can exclude the data holder from participation in the EHDS for a period of up to 5 years. Where a data holder has been excluded from the participation in the EHDS pursuant to this Article, following manifest intention of obstructing the secondary use of electronic health data, it shall not have the right to provide access to health data in accordance withsubmitting data access applications pursuant to Chapter IV for a period of up to 5 years, while still being obliged to make data accessible pursuant to Chapter IV, where applicable. (Deletion of last sentence linked to the proposed deletion of Article 49.)

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 43 – paragraph 7

7. Any penalties and measures imposed pursuant to paragraph 4 shall be made available to other health data access bodies and publicly available on the Commission’s website.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 43 – paragraph 9

~~9. Any natural or legal person affected by a decision of a health data access body shall have the right to an effective judicial remedy against such decision.~~deleted

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 43 – paragraph 10

10. The Commission ~~may~~shall issues guidelines on penalties to be applied by the health data access bodies, in line with the principles set out in Article 69.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 44 – paragraph 1

1. The health data access body shall ensure that access is only provided to requested electronic health data ~~relevant~~necessary and relevant and as long as needed for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 44 – paragraph 2

2. The health data access bodies shall provide the electronic health data in an anonymised format~~, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.~~:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 44 – paragraph 2 – point a (new)

(a) where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user, or

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 44 – paragraph 2 – point b (new)

(b) where the data subject has not given explicit consent for the secondary use of their personal data.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 44 – paragraph 3

3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format where the data subject has given their explicit consent. The information necessary to reverse the pseudonymisation shall be available only to ~~the health data access body~~data holder. Data users shall not re- identify the electronic health data provided to them in anonymised or pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring anonymisation or pseudonymisation shall be subject to appropriate penalties.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 44 – paragraph 3 a (new)

3 a. The Commission shall, by means of implementing acts, set out the procedures and requirements, and provide technical tools, for a unified and irreversible procedure for anonymising and pseudonymising the electronic health data. Those implementing act sshall be adopted in accordance with the advisory procedure referred to in Article 68(2).

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 45 – paragraph 1

1. Any ~~natural or legal person~~entity active in the area of health care, public health, or scientific or medical research may submit a data access application for the purposes referred to in Article 34.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 45 – paragraph 2 – point a

(a) a detailed explanation of the intended use of the electronic health data, including for which of the purposes referred to in Article 9(2) of Regulation (EU) 2016/679, in combination with Article 34(1), access is ~~sought~~necessary;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 45 – paragraph 2 – point a a (new)

(a a) a description of the applicant’s identity, professional function and operation, including the identity of who will have access to the electronic health data;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 45 – paragraph 2 – point h

(h) a description of the free and open- source tools and computing resources needed for a secure environment.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 45 – paragraph 4 – point a

(a) a description of how the processing would comply with ~~Article 6(1) of~~ Regulation (EU) 2016/679;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1

1. Health data access bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data access body shall issue a data permit.all of the following criteria:

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1 – point a (new)

(a) the purposes described in the application match one of the purposes listed in Article 9(2) of Regulation (EU) 2016/679 in combination with Article 34(1) of this Regulation;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1 – point b (new)

(b) the requested data is necessary, adequate and proportionate for the purpose listed in the application;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1 – point c (new)

(c) the processing complies with applicable Union and national data protection law. The health data access bodies shall seek the advice from the competent data protection authorities for this matter;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1 – point d (new)

(d) the information provided in the application demonstrates sufficient safeguards planned to protect the rights and interests of the health data holder and of the natural persons concerned and to prevent any misuse;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1 – point e (new)

(e) the information on the assessment of ethical aspects of the processing, where applicable, is in line with national law;

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 1 – point f (new)

(f) other requirements in this Chapter.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 2

2. Health data access bodies shall refuse all applications including one or more purposes listed in Article 35 or, applications where the necessity of processing for the intended purpose has not been sufficiently demonstrated, applications that do not sufficiently provide safeguards on re-identification, and applications where requirements in this Chapter are not met.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 3

3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from ~~that~~ Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. ~~Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued~~.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 4

4. Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the data holder and inform them whether the data shall be made accessible in anonymised or pseudonymised form. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe due to circumstances beyond its control.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 7

7. Data users shall have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of this Regulation, after they have demonstrated that the security measures pursuant to in Article 52, points (e) and (f), are effectively implemented.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 46 – paragraph 14 a (new)

14 a. The authorities competent pursuant to applicable data protection legislation shall have the possibility to scrutinise and, if necessary, overturn the assessment of the data processing legal basis of data permit requests made to the health data access bodies.

2023/03/30
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 47 – paragraph 1

1. Any ~~natural or legal person~~entity active in the area of health care, public health, or scientific or medical research may submit a data request for the purposes referred to in Article 34. A health data access body shall only provide an answer to a data request in an anonymised statistical format and the data user shall have no access to the electronic health data used to provide this answer.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 48 – paragraph 1

The requirement for a data permit shall be without prejudice to the right to access the electronic health data of public sector bodies and Union institutions, bodies, offices and agencies that carry out relevant activities within their mandate pursuant to Union or Member State law, where this mandate provides for such data access under this Regulation. By derogation from Article 46 of this Regulation, athe data permit ~~shall not be required to access the electronic health data under this Article~~for public authorities may allow for data access for unlimited periods and for the possibility for periodic updates of data under a single data access application. When carrying out those tasks under Article 37 (1), points (b) and (c), the health data access body shall inform public sector bodies and the Union institutions, offices, agencies and bodies, about the availability of data within 2 months of the data access application, in accordance with Article 9 of Regulation […] [Data Governance Act COM/2020/767 final]. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final ], the health data access body may extend the period by 2 additional months where necessary, taking into account the complexity of the request. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless it specifies that it will provide the data within a longer specified timeframe. that shall not be longer than 2 additional months. Accelerated timelines shall be established in exceptional circumstances, including public health emergencies.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 49

Access to electronic health data from a 1. access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies. 2. issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42. 3. 51, the single data provider and the data user shall be deemed joint controllers. 4. shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.rticle 49 deleted single data holder Where an applicant requests In such case, the data holder may By way of derogation from Article Within 3 months the data holder

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 50 – paragraph 1 – point b

(b) minimise the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art techn~~ologic~~ical and organisational meansures;

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 50 – paragraph 1 – point e

(e) keep identifiable logs of access to the secure processing environment for the period of time necessary to verify and audit all processing operations in that environment and not shorter than one year;

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 50 – paragraph 2

2. The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download or copy non- personal electronic health data from the secure processing environment.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 50 – paragraph 3 a (new)

3a. The tools and computing resources provided in the secure processing environment shall be based on free and open-source software.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 50 – paragraph 4

4. The Commission shall, by means of implementing acts, provide for the technical, organisational, information security and interoperability requirements for the secure processing environments. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 51 – paragraph 2

2. The Commission shall, by means of implementing acts, establish a template for the joint controllers’ arrangement that meets the requirements laid down in Article 28(3) of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisory procedure set out in Article 68(2). The use of that template shall not relieve the health data access bodies or the data users from any of their duties and responsibilities.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 5

5. Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation and provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68 (2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available. This paragraph is without prejudice to the requirements and safeguards for international transfer of personal data pursuant to Chapter V of Regulation (EU) 2016/679.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 9

9. The Commission shall develop, deploy and operate a core platform for HealthData@EU by providing information technology services needed to facilitate the connection between health data access bodies as part of the cross-border infrastructure for the secondary use of electronic health data. ~~The Commission shall only process electronic health data on behalf of the joint controllers as a processor.~~

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 10

10. Where requested by two or more health data access bodies, the Commission may provide a secure processing environment for data from more than one Member State compliant with the requirements of Article 50. Where two or more health data access bodies put electronic health data in the secure processing environment managed by the Commission, they shall be joint controllers and the Commission shall be processor.deleted

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 11

~~11. The authorised participants shall act as joint controllers of the processing operations in which they are involved carried out in HealthData@EU and the Commission shall act as a processor.~~deleted

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 12

12. Member States and the Commission shall seek to ensure interoperability of HealthData@EU with other relevant common European data spaces as referred to in Regulations […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final].deleted

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – introductory part

The Commission may, by means of ~~implementing~~delegated acts, set out:

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point a

(a) requirements, technical specifications, the IT architecture of HealthData@EU, ~~conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU~~which shall guarantee a high level of data security, confidentiality and protection of electronic data pursuant to the state-of-the-art;

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point a a (new)

(aa) conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU;

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point c

~~(c) the responsibilities of the joint controllers and processor(s) participating in the cross-border infrastructures;~~deleted

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point d

~~(d) the responsibilities of the joint controllers and processor(s) for the secure environment managed by the Commission;~~deleted

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point e

~~(e) common specifications for the interoperability and architecture concerning HealthData@EU with other common European data spaces.~~deleted

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 2

Those ~~implementing~~delegated acts shall be adopted in accordance with the ~~advisory~~ procedure referred to in Article 6~~8(2)~~7.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 53 – paragraph 3

3. The Commission may, by means of ~~implementing~~delegated acts, adopt the necessary rules for facilitating the handling of data access applications for HealthData@EU, including a common application form, a common data permit template, standard forms for common electronic health data access contractual arrangements, and common procedures for handling cross- border requests, pursuant to Articles 45, 46, 47 and 48. Those ~~implementing~~delegated acts shall be adopted in accordance with the ~~advisory~~ procedure referred to in Article 6~~8(2)~~7.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 55 – paragraph 2

2. The Commission shall, by means of ~~implementing~~delegated acts, set out the minimum information elements data holders are to provide for datasets and their characteristics. Those ~~implementing~~delegated acts shall be adopted in accordance with the ~~advisory~~ procedure referred to in Article 6~~8(2)~~7.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 59 – paragraph 1

The Commission shall support sharing of best practices and expertise, aimed to build the capacity of Member States to strengthen digital health literacy and systems for primary and secondary use of electronic health data. To support capacity building, the Commission shall draw up benchmarking guidelines for the primary and secondary use of electronic health data.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 60 – paragraph 2 a (new)

2a. Public procurers, national, regional and local competent authorities, including digital health authorities and health data access bodies, and the Commission shall require, as a condition to procure or fund services provided by controllers and processors established in the Union processing personal electronic health data, that such controllers and processors: (a) will store this data in the Union, in accordance with Article 60a of this Chapter, and (b) have duly demonstrated that they are not subject to third country legislation conflicting with Union data protection rules.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 60 a (new)

Article 60a Storage of electronic health data For the purposes of primary and secondary use of electronic health data, Member States shall ensure that the storage, processing and analysis of electronic health data shall be carried out exclusively within a secure location or locations within the territory of the Union, without prejudice to the possibility to transfer personal electronic health data in compliance with Chapter V of Regulation (EU) 2016/679.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 61 – paragraph 1

1. Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 ~~[(a), (e), (f), (i), (j), (k), (m)]~~ shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 61 – paragraph 2

2. ~~The~~Additional protective measures for the categories of data mentioned in paragraph ~~1 shall depend on the nature of the data and anonymization techniques and~~ shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 64 – paragraph 1

1. A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of the high level representatives of digital health authorities and health data access bodies of all the Member States~~. Other national authorities, including market surveillance authori~~, and high-level representatives ~~referred to in Article 28,~~of the European Data Protection Board and the European Data Protection Supervisor ~~may be invited to the meetings, where the issues discussed are of relevance for them~~. Other national authorities, including market surveillance authorities referred to in Article 28, shall be invited to the meetings as permanent observers. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an ad hoc observer role where the issues discussed are of relevance for them.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 64 – paragraph 1 a (new)

1a. Permanent and alternate members of the EHDS Board shall act independently, in the public interest and free from any external influence. EHDS Board permanent and alternate members shall have no direct or indirect economic, financial or personal interest that might be considered prejudicial to their independence and, in particular, that they are not in a situation that may, directly or indirectly, affect the impartiality of their professional conduct. Permanent and alternate members of the EHDS Board shall make an annual declaration of their interests, which shall be available on the Commission’s web-portal.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 64 – paragraph 3

3. The composition, organisation, functioning and cooperation of the sub- groups shall be set out in the rules of procedure put forward by the Commission. The Commission shall make publicly available the membership and observers of the EHDS Board and its outputs, including rules of procedure, guidance, minutes, and meeting agendas.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 64 – paragraph 4

4. Stakeholders and relevant third parties, including patients’, consumers’ and healthcare professionals’ representatives, shall be invited to attend meetings of the EHDS Board and to participate in its work, depending on the topics discussed and their degree of sensitivity. All invited stakeholders shall provide a declaration of all direct and indirect economic, financial or personal interests ahead of the meeting to the EHDS Board.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 65 – paragraph 1 – point b – point iii

(iii) other aspects of the primary use of electronic health data, with the exception of aspects concerning the protection of natural persons when processing their personal data.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 65 – paragraph 1 – point d

(d) to share information concerning risks posed by EHR systems and serious incidents as well as their handling, without prejudice to the obligation to inform competent supervisory authorities pursuant to Regulation (EU) 2016/679;

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 65 – paragraph 1 – point e

(e) to facilitate the exchange of views on the primary use of electronic health data with the relevant stakeholders, including representatives of patients, consumers, health professionals, ~~researchers,~~ regulators and policy makers in the health sector.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 65 – paragraph 2 – point b – point vi

(vi) other aspects of the secondary use of electronic health data, with the exception of aspects concerning the protection of natural persons when processing their personal data.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 65 – paragraph 2 – point c

(c) to facilitate cooperation and exchange of best practices between health data access bodies through capacity- building, establishing the structure for annual activity reporting, peer-review of annual activity reports and exchange of information pursuant to the obligations laid down in Article 37(1), point (q);

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 66 – paragraph 3

3. Stakeholders and relevant third parties, including patients’ ~~representative~~, consumers’ and healthcare professionals’ representatives and data protection experts, may be invited to attend meetings of the groups and to participate in their work.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 67 – paragraph 2

2. The power to adopt delegated acts referred to in Articles ~~5(2), 10(3), 25(3), 32(4), 33(7), 37~~7(3), 9(2), 25(3), 26(4a) 32(4), 39(3), 41(7), 42(6) 45(7), 46(8), 52(7), 52(13), 53(3), 55(2), 56(4) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 67 – paragraph 3

3. The power to adopt delegated acts referred to in Articles ~~5(2), 10(3~~7(3), 9(2), 25(3), 326(4a), 3~~3(7), 37~~2(4), 39(3), 41(7), 42(6), 45(7), 46(8), 52(7), 52(13), 53(3), 55(2), 56(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 67 – paragraph 6

6. A delegated act adopted pursuant to Articles ~~5(2), 10(3~~7(3), 9(2), 25(3), 326(4a), 3~~3(7), 37~~2(4), 39(3), 41(7), 42(6), 45(7), 46(8), 52(7), 52(13), 53(3), 55(2), 56(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 3 months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 69 – paragraph 1

Member States shall lay down the rules on penalties applicable to infringements of this Regulation, for all public and private stakeholders, in particular for the non- respect of data access and usage provisions with intent or by negligence, and shall take all measures necessary to ensure that they are properly and effectively implemented. The penalties shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them. Penalties shall cover infringements not addressed by Regulation (EU) 2017/745, Regulation (EU) 2017/746, Regulation (EU) No 536/2014 and Regulation (EU) 2016/679.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 69 – paragraph 1 a (new)

When deciding on the amount of the penalty in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following: (a) the nature, gravity and duration of the infringement and of its consequences, taking into account the nature, scope as well as the number of users affected and the level of damage suffered by them; (b) whether penalties have been already applied by other competent authorities to the same infringing party; (c) the size and market share of the economic operator committing the infringement; (d) the intentional or negligent character of the infringement; (e) any action taken by the infringing party to mitigate the damage of the infringement; (f) the degree of responsibility of the infringing party taking into account technical and organisational measures implemented to prevent the infringement; (g) the degree of cooperation with the competent authorities, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (h) the manner in which the infringement became known to the competent authorities, in particular whether, and if so to what extent, the infringing party notified the infringement; (i) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement, or a violation of Article 35(2).

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 69 – paragraph 1 b (new)

The non-compliance of an entity with any requirements or obligations under this Regulation, including the supply of incorrect, incomplete or misleading information to national competent authorities, shall be subject to penalties of up to 20 million EUR or, or in the case of an undertaking, up to 10% of its total worldwide annual turnover for the preceding financial year, whichever is higher. In case the non-compliance is still going on, the health data access body shall have the power to fine the entity with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body pursuant to paragraph 1a.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 70 – paragraph 1

1. After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapter III and IV, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self- certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies, as well as the need to designate a public testing facility of a Member State as a Union testing facility, pursuant to Article 21 of Regulation (EU) 2019/1020. The evaluation shall also assess the added value, associated risks and feasibility of adding wellness applications and other digital health applications in the scope of primary and secondary use of the EHDS.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Article 71 a (new)

Article 71a Amendment to Directive (EU) 2020/1828 In the Annex of Directive (EU) 2020/1828, the following point is added:“(XX) Regulation (EU) XXX of the European Parliament and of the Council on the European Health Data Space”

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Annex II – point 2 – point 2.3

2.3. An EHR system that includes a functionality for entering structured personal electronic health data shall enable the entry of data structured in a structured way that supports the data sharing in a structured, commonly used, open and machine- readable format, enabling system to system communication.

2023/04/05
Committee: ENVI LIBE

Tilly METZ, Patrick BREYER

Proposal for a regulation
Annex II – point 2 – point 2.4

2.4. An EHR system shall not include features that prohibit, restrict or place undue burden on authorised access, personal electronic health data sharing, or use of personal electronic health data for permitted purposes, in particular on the basis of commercial considerations and beyond security and legal safeguards requirements.

2023/04/05
Committee: ENVI LIBE

Activities of Tilly METZ related to 2022/0140(COD)

Plenary speeches (1)

Shadow reports (1)

Amendments (317)

ParlTrack - 2011-2024