Activities of Javier ZARZALEJOS related to 2022/0140(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space
Amendments (38)
Amendment 231 #
Proposal for a regulation
Recital 13
Recital 13
(13) Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services. In this sense, health professionals will be able to know that they are not endowed with entire access to electronic health records, a consideration they shall take into account when dealing with patients.
Amendment 264 #
Proposal for a regulation
Recital 21
Recital 21
(21) Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services (including telemedicine) that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.
Amendment 342 #
Proposal for a regulation
Recital 39 a (new)
Recital 39 a (new)
(39 a) A relationship of trust between patients and health or care providers is a paramount element of the provision of health or social care or treatment. It is within that delicate context that the patient and/or the legitimate legal representative of the patient should have a say in the processing of their health data for secondary use. It is necessary to empower patients - data subjects - by giving them the possibility to restrict full or partial access to their personal health data for secondary use. Moreover, it is imperative to provide them with the sufficient information regarding this possibility. Therefore, an opt-out option for the patients and/or the legitimate legal representative of the patient for secondary use of their electronic health data should be envisaged, as the purpose of the secondary processing causes the patient's individual interests to prevail over the general interest of society.
Amendment 439 #
Proposal for a regulation
Recital 63
Recital 63
(63) The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds. EU funds must be distributed adequately and sufficiently among the Member States, ensuring its well-endowment and taking into account different levels of health system digitalisation and the costs involved in making national data infrastructures interoperable and compatible with the requirements of the EHDS.
Amendment 442 #
Proposal for a regulation
Recital 63 a (new)
Recital 63 a (new)
(63 a) The initial Union funding to achieve a timely application of the EHDS is limited to what can be mobilised under the 2021-2027 Multiannual Financial Framework (MFF) where 220 million EUR can be made available under the EU4Health and Digital Europe programmes. The successful and coherent application of the EHDS across all Member States will however require a higher funding. The implementation of the EHDS requires appropriate investments in capacity bulding and training and a well-funded commitment to public consultation and engagement. The Commission should therefore mobilise further resources for the EHDS as part of the review of the 2021-2027 MFF and for the forthcoming MFF under the principle that new initiatives should be matched with new funding.
Amendment 445 #
Proposal for a regulation
Recital 64
Recital 64
(64) Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically foreseen in the Data Governance Act. Even in situations of the use of state of the art anonymization techniques, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases (a life-threatening or chronically debilitating condition affecting not more than five in 10 thousand persons in the Union), where the limited numbers of case reduce the possibility to fully aggregate the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. It can affect different types of health data depending on the level of granularity and description of the characteristics of data subjects, the number of people affected or and for instance in cases of data included in electronic health records, disease registries, biobanks, person generated data etc. where the identification characteristics are broader and where, in combination with other information (e.g. in very small geographical areas) or through the technological evolution of methods which had not been available at the moment of anonymisation, can lead to the re- identification of the data subjects using means that are beyond those reasonably likely to be used. The realisation of such risk of re-identification of natural persons would present a major concern and is likely to put the acceptance of the policy and rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as in the reporting on clinical trials, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for these types of health data, there remains a risk for re-identification after the anonymisation or aggregation, which could not be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. These types of health data would thus fall within the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final] for transfer to third countries. The protective measures, proportional to the risk of re-identification, would need to take into account the specificities of different data categories or of different anonymization or aggregation techniques and will be detailed in the context of the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. In case of mixed datasets, where personal and non- personal data are inextricably linked, and where a distinction between categories of personal and non-personal data is difficult to apply and results in the possibility to infer personal data from non-personal data, protections of Regulation (EU) 2016/679 and of this Regulation concerning personal electronic health data should be applicable.
Amendment 480 #
Proposal for a regulation
Article 1 – paragraph 3 – point a
Article 1 – paragraph 3 – point a
(a) manufacturers and suppliers of EHR systems and, medical devices, wellness applications and other digital health applications that are able to process electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health and that are placed on the market and put into service in the Union and the users of such products;
Amendment 487 #
Proposal for a regulation
Article 1 – paragraph 3 – point b
Article 1 – paragraph 3 – point b
(b) contrdata hollders and processodata users established in the Union processing electronic health data of Union citizens and third-country nationals legally residing in the territories of Member States;
Amendment 489 #
Proposal for a regulation
Article 1 – paragraph 3 – point d
Article 1 – paragraph 3 – point d
(d) data users to whom electronic health data are made available by data holders in the Union or third countries or international institutions.
Amendment 496 #
Proposal for a regulation
Article 1 – paragraph 4 a (new)
Article 1 – paragraph 4 a (new)
4 a. This regulation shall be without prejudice to the Directive on the Protection of Trade Secrets (Directive (EU) 2016/943) which shall take precedence.
Amendment 498 #
Proposal for a regulation
Article 1 – paragraph 6 a (new)
Article 1 – paragraph 6 a (new)
6 a. This Regulation shall not apply to activities concerning defence and national security.
Amendment 499 #
Proposal for a regulation
Article 1 – paragraph 6 b (new)
Article 1 – paragraph 6 b (new)
6 b. This Regulation shall be without prejudice to Regulations (EU) 2016/679, (EU) 2018/1725, (EU) No 536/2014 and Directive 2022/58/EC.
Amendment 508 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
Article 2 – paragraph 2 – point a
(a) ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, that are processed in an electronic form;
Amendment 553 #
Proposal for a regulation
Article 2 – paragraph 2 – point m
Article 2 – paragraph 2 – point m
(m) ‘EHR’ (electronic health record) means a collection of electronic health dataset related to a natural person and collected in the health system, processed for healthcare purposes;
Amendment 617 #
Proposal for a regulation
Article 2 – paragraph 2 a (new)
Article 2 – paragraph 2 a (new)
2 a. “Legitimate legal representative of the patient” means a natural person of the patient’s choice, such as to their relatives or other close natural persons, legitimately authorised under the national rules of the Member State to access or control access to their personal electronic health data or to use digital health services on their behalf. Under no circumstances will the legitimate legal representative be a legal entity, without prejudice to the protection that may be provided by the judicial authorities. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications.
Amendment 620 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Natural persons shall have the right to access their personal electronic health data processed in the context of primary use of electronic health data, immediatwithout undue delay, free of charge and in an easily readable, consolidated and accessible form.
Amendment 647 #
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point b
Article 3 – paragraph 5 – subparagraph 1 – point b
(b) establish one or more proxy services enabling a natural person to legitimately authorise, under other natural persons of their choiceional rules of the Member State, a legitimate legal representative of the patient to access their electronic health data on their behalf.
Amendment 657 #
Proposal for a regulation
Article 3 – paragraph 6
Article 3 – paragraph 6
6. Natural persons may insert, access and download their electronic health data in and from their own EHR or in that of natural persons whose health information they can access, through electronic health data access services orand applications linked to these services. That information shall be marked as inserted, accessed or downloaded by the natural person or by his or her representativethe legitimate legal representative of the patient.
Amendment 666 #
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1
Article 3 – paragraph 8 – subparagraph 1
Natural persons shall have the right to give access to or request a data holder from the health or social security sector to transmit their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder. The data recipients shall be easily identifiable to the natural persons transmitting their electronic health data and demonstrate their affiliation to the health or social security sector.
Amendment 715 #
Proposal for a regulation
Article 4 – paragraph 1 – point a
Article 4 – paragraph 1 – point a
(a) have access to the electronic health data of natural persons under their treatment, on a need-to-know basis, irrespective of the Member State of affiliation and the Member State of treatment;
Amendment 720 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States mayshall establish rules providing for the categories of personal electronic health data required by different health professions in accordance with the principles of purpose limitation and data minimisation. Such rules shall not be based on the source of electronic health data.
Amendment 746 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior authorisation by the natural person, including wher which case the provider or professional iswill be informed of the existence and nature of the restricted electronic health data. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
Amendment 762 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f
Article 5 – paragraph 1 – subparagraph 1 – point f
(f) patient discharge reports.
Amendment 920 #
Proposal for a regulation
Article 12 – paragraph 4 a (new)
Article 12 – paragraph 4 a (new)
4 a. The Commission shall in the development of technical implementing measures related to the security, confidentiality and data protection aspects of MyHealth@EU consult the European Union Agency for Cyber Security.
Amendment 923 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU, granted that the requirements in Article 11 of Directive 2011/24/EU are fulfilled. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.
Amendment 1138 #
Proposal for a regulation
Article 33 – paragraph 1 – point a
Article 33 – paragraph 1 – point a
(a) EHRs;electronic health data from EHRs, including the categories in Article 5 of this Regulation.
Amendment 1147 #
Proposal for a regulation
Article 33 – paragraph 1 – point b
Article 33 – paragraph 1 – point b
(b) data on factors impacting on health, including social, environmental behavioural determinants of health, but excluding data relating to criminal convictions and offences;
Amendment 1184 #
Proposal for a regulation
Article 33 – paragraph 1 – point j
Article 33 – paragraph 1 – point j
Amendment 1212 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
Article 33 – paragraph 1 a (new)
1 a. Data holders have the right to refuse access to their data if there are legal or contractual impediments that prevent them from sharing, if it could compromise the scientific integrity of a scientific research study, including a clinical trial, or if it could compromise the protection of IP rights (including trade secrets) or commercial property.
Amendment 1233 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
4. Electronic health data entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, all measures necessary to preserve the confidentiality of IP rights and trade secrets shall be takenWithout prejudice to the law relating to the protection of intellectual property, industrial property and commercial property rights, and subject to other provisions of this Regulation, electronic health data entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use only if all measures necessary to preserve the confidentiality of IP rights (including trade secrets) are taken. Data sharing should be based on a data sharing agreement that respects the provisions of Union legislation, in particular of Directive on the Protection of Trade Secrets (Directive (EU) 2016/943, Article 6(2)(e) of the Data Act, Article 39 of TRIPS, and of Articles 9, 11 and 13 Directive 2004/48 on the enforcement of intellectual property rights in relation to preliminary injunctions, injunctions and damages.
Amendment 1252 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
5. Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down Natural persons that are subjects to secondary use of health data shall have the right to decline the processing of their health data. Health data access bodies shall provide for an accessible and easily understandable opt-out mechanism, whereby natural persons must be offered the possibility to restrict full or partial access to their personal health data for all or parts of secondary use. Data subjects should indicate this decision to the health data access bodies. In situation where natural persons explicitly express their wish to use opt-out mechanism to data holders, data holders shall direct natural persons to the health data access bodies, which shall provide an opt-out template for the data subject. The exercise of this right to opt-out shall not affect the lawfulness of the processing this Chapter to provide access to electronic health dataat took place under Chapter IV before the individual opted-out. The opt-out mechanism shall function without prejudice to Article 21(6) of Regulation (EU) 2016/679, whereby the right to object may be restricted when the processing of personal data is necessary for the performance of a task carried out for reasons of public interest.
Amendment 1408 #
Proposal for a regulation
Article 35 – paragraph 1 – point e a (new)
Article 35 – paragraph 1 – point e a (new)
(e a) data of pharmaceutical prescriptions or medical devices used, by commercial name.
Amendment 1474 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
(f) take all measures necessary to preserve the confidentiality of IP rights and of trade secrets included in, but not limited to the Directive on the Protection of Trade Secrets (Directive (EU) 2016/943);
Amendment 1500 #
Proposal for a regulation
Article 37 – paragraph 1 – point n
Article 37 – paragraph 1 – point n
(n) cooperate at Union and national level and provide advice to the Commission on techniques and best practices for the secondary use of electronic health data use and management;
Amendment 1647 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Any fees charged to data users pursuant to this Article by the health data access bodies or data holders shall be transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition. The support received by the data holder from donations, public national or Union funds, to set up, develop or update tat dataset shall be excluded from this calculation. The specific interests and needs of SMEs, public bodies, Union institutions, bodies, offices and agencies involved in research, health policy or analysis, educational institutions and healthcare providers shall be taken into account when setting the fees, by reducing those fees proportionately to their size or budgetobjective parameters relating to budget, size, and research importance.
Amendment 1711 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessaryrequired to reverse the pseudonymisation shall be available only to the health data access body, which will eliminate it after pseudonymisation completion. Data users shall not re- identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties.
Amendment 2115 #
Proposal for a regulation
Article 72 – paragraph 3 – point a
Article 72 – paragraph 3 – point a
(a) from 1two years after date of entry into application to categories of personal electronic health data referred to in Article 5(1), points (a), (b) and (c), and to EHR systems intended by the manufacturer to process such categories of data.;
Amendment 2117 #
Proposal for a regulation
Article 72 – paragraph 3 – point b
Article 72 – paragraph 3 – point b
(b) from 3four years after date of entry into application to categories of personal electronic health data referred to in Article 5(1), points (d), (e) and (f), and to EHR systems intended by the manufacturer to process such categories of data;