Activities of Konstantinos ARVANITIS related to 2022/0140(COD)
Plenary speeches (1)
European Health Data Space (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space
Amendments (177)
Amendment 208 #
Proposal for a regulation
Recital 7
Recital 7
(7) In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved acess to their own personal electronic health data and are empowered to share it.
Amendment 267 #
Proposal for a regulation
Recital 22
Recital 22
(22) Regulation (EU) No 910/2014 of the European Parliament and of the Council47lays down the conditions under which Members States perform identification of natural persons in cross- border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’).As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level. Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. Digital Health Authorities should be in charge of promoting digital literacy and public awareness, while ensuring that the implementation of this Regulation contributes to reducing inequalities and does not discriminate against people lacking digital skills.In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities. _________________ 47 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
Amendment 274 #
Proposal for a regulation
Recital 23
Recital 23
(23) Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
Amendment 294 #
Proposal for a regulation
Recital 27
Recital 27
(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory self-third-party certification scheme by an independent body for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through this self- certification, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council48. _________________ 48 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 298 #
Proposal for a regulation
Recital 28
Recital 28
(28) While EHR systems specifically intended by the manufacturer to be used for processing one or more specific categories of electronic health data should be subject to mandatory self-third-party certification scheme by an independent body, software for general purposes should not be considered as EHR systems, even when used in a healthcare setting, and should therefore not be required to comply with the provisions of Chapter III.
Amendment 307 #
Proposal for a regulation
Recital 35
Recital 35
Amendment 313 #
Proposal for a regulation
Recital 36
Recital 36
(36) The distribution of information on certified EHR systems and labelled wellness applications is necessary to enable procurers and users of such products to find interoperable solutions for their specific needs. A database of interoperable EHR systems and wellness applications, which are not falling within the scope of Regulations (EU) 2017/745 and […] [AI act COM/2021/206 final] should therefore be established at Union level, similar to the European database on medical devices (Eudamed) established by Regulation (EU) 2017/745. The objectives of the EU database of interoperable EHR systems and wellness applications should be to enhance overall transparency, to avoid multiple reporting requirements and to streamline and facilitate the flow of information. For medical devices and AI systems, the registration should be maintained under the existing databases established respectively under Regulations (EU) 2017/745 and […] [AI act COM/2021/206 final], but the compliance with interoperability requirements should be indicated when claimed by manufacturers, to provide information to procurers.
Amendment 337 #
Proposal for a regulation
Recital 39
Recital 39
(39) The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances, homelessness, health insurance, minimum income, professional status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include person-generated data, such as data from medical devices, wellness applications or other wearables and digital health applications. The data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.
Amendment 357 #
Proposal for a regulation
Recital 41
Recital 41
(41) The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society and lead to better, more affordable and accessible health products and services for all natural persons. For this purpose, pharmaceutical and medical devices companies must be fully transparent about the uses of EHDS data and their contribution to product development. In addition, to maximise public return, data access requests should include commitments on the availability and affordability of end products such as medicines. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of AI algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.
Amendment 379 #
Proposal for a regulation
Recital 44
Recital 44
(44) Considering the administrative burden for health data access bodies to inform the natural persons whose data are used in data projects within a secure processing environment, the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the data subject or his health professional, with due regard for the stated preference of the data subject to not be contacted. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
Amendment 394 #
Proposal for a regulation
Recital 49
Recital 49
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person(s), with due regard for the stated preference of the data subject to not be contacted. Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
Amendment 415 #
Proposal for a regulation
Recital 53
Recital 53
Amendment 423 #
Proposal for a regulation
Recital 54
Recital 54
(54) Given the sensitivity of electronic health data, data users should notonly have an unrestricted access to such data, in accordance with the data minimisation principle. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body or, where relevant, single data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
Amendment 448 #
Proposal for a regulation
Recital 64 a (new)
Recital 64 a (new)
(64 a) The functioning of the EHDS involves processing of a large quantity of personal and non-personal data of a highly sensitive nature. Article 8(3) of the Charter requires control over its processing by an independent authority. Such a control of compliance with the requirements of protection and security by an independent supervisory authority, carried out on the basis of Union law, is an essential component of the protection of individuals with regard to the processing of personal data and cannot be fully ensured in the absence of a requirement to retain the electronic health data in question within the Union. Therefore, bearing in mind the need to mitigate the risks of unlawful access and ineffective supervision, in compliance with the principle of proportionality, this Regulation should require Member States to store electronic health data within the territory of the Union. Such harmonisation of storage requirements should ensure a uniform high level of protection for data subjects across the Union, preserve the proper functioning of the internal market, in line with Article 114 TFEU on which this Regulation is based and serve to enhance citizens’ trust in the EHDS.
Amendment 451 #
Proposal for a regulation
Recital 64 b (new)
Recital 64 b (new)
(64 b) An obligation to store electronic health data in the Union does not preclude transfers of those data to third countries or international organisations. Indeed, it is possible to reconcile a general requirement to store personal data in the Union with specific transfers being allowed in compliance with Union law on personal data protection, for instance in the context of scientific research, disbursement of care or international cooperation. In particular, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by Regulation (EU) 2016/679 should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. Transfers of personal health data to third countries and international organisations may only be carried out in full compliance with Chapter V of Regulation (EU) 2016/679. Hence, controllers and processors processing personal electronic health data remain subject to Article 48 of that Regulation on transfers or disclosures not authorised by Union law and should comply with this provision in case of an access request stemming from a third country. In accordance with and under the conditions of Article 9(4) of Regulation (EU) 2016/679, Member States can maintain or introduce further conditions, including limitations, to transfers of personal health data to third countries or international organisations.
Amendment 452 #
Proposal for a regulation
Recital 64 c (new)
Recital 64 c (new)
Amendment 453 #
Proposal for a regulation
Recital 64 d (new)
Recital 64 d (new)
(64 d) Electronic health data provide valuable information to anyone who processes it. Access to electronic health data for entities from third countries should take place only on the basis of the reciprocity principle. Making available health data to a third country may take place only where the Commission has established by means of a delegated act that the third country concerned allows for the use of health data by Union entities under the same conditions and with the same safeguards as within the Union. The Commission should monitor such decisions, and should provide for a periodic review mechanism of their functioning. The Commission may recognise that a third country no longer ensures access on the same terms and revoke its decision.
Amendment 460 #
Proposal for a regulation
Recital 69 a (new)
Recital 69 a (new)
(69 a) In accordance with Article 42 of Regulation (EU) 2018/1725, the Commission should, when preparing delegated acts or implementing acts, consult the European Data Protection Supervisor where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, and, in cases where such an act is of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data, the Commission should also consult the European Data Protection Board. The Commission should moreover consult the European Data Protection Board in the cases specified in Regulation (EU) 2016/679 and when relevant in the context of this Regulation.
Amendment 465 #
Proposal for a regulation
Recital 71
Recital 71
(71) In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, on the self-certification of EHR systems, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
Amendment 483 #
Proposal for a regulation
Article 1 – paragraph 3 – point a
Article 1 – paragraph 3 – point a
(a) manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;
Amendment 486 #
Proposal for a regulation
Article 1 – paragraph 3 – point b
Article 1 – paragraph 3 – point b
(b) controllers and processors established in the Union processing electronic health data of Union citizens and third-country nationals legally residing in the territories of Member Statespersons in the EU;
Amendment 494 #
Proposal for a regulation
Article 1 – paragraph 4
Article 1 – paragraph 4
4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, […] [Data Governance Act COM/2020/767 final](EU) 2022/868, Directive 2002/58/EC, and […] [Data Act COM/2022/68 final].
Amendment 500 #
Proposal for a regulation
Article 2 – paragraph 1 – introductory part
Article 2 – paragraph 1 – introductory part
1. For the purposes of this Regulation, the following definitions shall apply:
Amendment 504 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
Article 2 – paragraph 2 – point a
(a) ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form;
Amendment 512 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
(b) ‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679; where such data are part of a mixed dataset where personal and non-personal data are inextricably linked, the entire dataset shall be considered as personal electronic health data;
Amendment 531 #
Proposal for a regulation
Article 2 – paragraph 2 – point e
Article 2 – paragraph 2 – point e
(e) ‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may includeSecondary use of personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use;shall have Article 6(1)(e) of Regulation (EU) 2016/679 as its legal basis.
Amendment 540 #
Proposal for a regulation
Article 2 – paragraph 2 – point h
Article 2 – paragraph 2 – point h
(h) ‘registration of electronic health data’ means the recording of health data in an electronic format, through manual entry of data, through the collection of data by a device, or through the conversion of non- electronic health data into an electronic format, to be processed in an EHR system or a wellness application;
Amendment 543 #
Proposal for a regulation
Article 2 – paragraph 2 – point k
Article 2 – paragraph 2 – point k
(k) ‘health data recipient’ means a natural or legal person that receives data from another controller in the context of the primary use of electronic health data;
Amendment 551 #
Proposal for a regulation
Article 2 – paragraph 2 – point m
Article 2 – paragraph 2 – point m
(m) ‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare purposservices;
Amendment 557 #
Proposal for a regulation
Article 2 – paragraph 2 – point n
Article 2 – paragraph 2 – point n
(n) ‘EHR system’ (electronic health record system) means any appliancproduct (hardware or software) primarily intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records;
Amendment 561 #
Proposal for a regulation
Article 2 – paragraph 2 – point o
Article 2 – paragraph 2 – point o
Amendment 565 #
Proposal for a regulation
Article 2 – paragraph 2 – point q – introductory part
Article 2 – paragraph 2 – point q – introductory part
(q) ‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads, might have led or mightd, leads, was or is likely to lead to any of the following:
Amendment 574 #
Proposal for a regulation
Article 2 – paragraph 2 – point y
Article 2 – paragraph 2 – point y
(y) ‘health data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;either:
Amendment 579 #
Proposal for a regulation
Article 2 – paragraph 2 – point y
Article 2 – paragraph 2 – point y
(y) ‘health data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;
Amendment 581 #
Proposal for a regulation
Article 2 – paragraph 2 – point y – point i (new)
Article 2 – paragraph 2 – point y – point i (new)
i) the right or obligation, in accordance with applicable Union law or national legislation, to process personal electronic health data for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, in its capacity as a controller; or
Amendment 582 #
Proposal for a regulation
Article 2 – paragraph 2 – point y – point ii (new)
Article 2 – paragraph 2 – point y – point ii (new)
ii) the ability to make available, including to register, provide, restrict access or exchange electronic health data that do not constitute personal data in the meaning of Article 4 (1) of Regulation (EU) 2016/679, through control of the technical design of a product and related services;
Amendment 585 #
Proposal for a regulation
Article 2 – paragraph 2 – point z
Article 2 – paragraph 2 – point z
(z) ‘health data user’ means a natural or legal person who has lawful access to personal or non-personal electronic health data for secondary use pursuant to a health data permit or a health data request in accordance with this Regulation;
Amendment 587 #
Proposal for a regulation
Article 2 – paragraph 2 – point z a (new)
Article 2 – paragraph 2 – point z a (new)
(z a) ‘health data applicant’ means a natural or legal person who has submitted a health data access application for access to personal or non-personal electronic health data for secondary use in accordance with this Regulation;
Amendment 589 #
Proposal for a regulation
Article 2 – paragraph 2 – point aa
Article 2 – paragraph 2 – point aa
(aa) ‘health data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
Amendment 593 #
Proposal for a regulation
Article 2 – paragraph 2 – point ab
Article 2 – paragraph 2 – point ab
(ab) ‘health dataset’ means a structured collection of electronic health data;
Amendment 595 #
Proposal for a regulation
Article 2 – paragraph 2 – point ac
Article 2 – paragraph 2 – point ac
(ac) ‘health dataset catalogue’ means a collection of datasets descriptions, which is arranged in a systematic manner and consists of a user-oriented public part, where information concerning individual dataset parameters is accessible by electronic means through an online portal;
Amendment 631 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
3. In accordance with Article 23 of Regulation (EU) 2016/679, Member States may restrict the scope of this righte rights under paragraphs 1 and 2 whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on his or her health.
Amendment 641 #
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point a
Article 3 – paragraph 5 – subparagraph 1 – point a
(a) establish one or more public electronic health data access services at national, regional or local level enabling the exercise of rights referred to in paragraphs 1 and 2;
Amendment 645 #
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point b
Article 3 – paragraph 5 – subparagraph 1 – point b
(b) establish one or more proxy services enabling a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf or to enable legal guardians as recognized by national law to act on behalf of their dependent children.
Amendment 658 #
Proposal for a regulation
Article 3 – paragraph 6
Article 3 – paragraph 6
6. Natural persons may insert, access and export their electronic health data in and from their own EHR or in that of natural persons whose health information they can access, through electronic health data access services orand applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative.
Amendment 664 #
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1
Article 3 – paragraph 8 – subparagraph 1
Natural persons shall have the right to give access to or request a data holdercontroller or a data holder, including from the health or social security sector, to transmit all or part of their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder. Where requested by the data subject, the controller, data holders, data recipients and their processors shall comply with the request and shall transmit the data in the format provided for in Article 5.
Amendment 675 #
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 4
Article 3 – paragraph 8 – subparagraph 4
Natural persons shall have the right that, where priority categories of personal electronic health data referred to in Article 5 are transmitted or made available by the natural person according to the European electronic health record exchange format referred to in Article 6, such dataother healthcare providers shall be able to read and accepted by other healthcare providers such data.
Amendment 676 #
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 4 a (new)
Article 3 – paragraph 8 – subparagraph 4 a (new)
The Commission shall, by means of implementing acts, determine the requirements for the interoperable, cross- border mechanism for identifying data recipients and authenticating the receiving entity’s belonging to the health or social security sector.
Amendment 685 #
Proposal for a regulation
Article 3 – paragraph 9
Article 3 – paragraph 9
9. Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms, which may also include the possibility to exercise geographical and temporal restrictions and restrictions related to a specific category of health professionals.
Amendment 690 #
Proposal for a regulation
Article 3 – paragraph 10
Article 3 – paragraph 10
10. Natural persons shall have the right to obtain informreceive an automatic notification on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare. The information shall be provided immediately and free of charge through electronic health data access serviceIn order to demonstrate compliance with this provision, all relevant entities shall also maintain a record of those healthcare providers and health professionals who had access to data. The information shall be provided immediately and free of charge through electronic health data access services in a commonly accepted, interoperable, and machine-readable format. The information shall at least include the names of the health care providers controlling the data processing, the health data that was accessed, and the time of access.
Amendment 705 #
Proposal for a regulation
Article 3 – paragraph 11
Article 3 – paragraph 11
11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to inin accordance with Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences.
Amendment 706 #
Proposal for a regulation
Article 3 – paragraph 12
Article 3 – paragraph 12
12. The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article, including technical and organisational measures to ensure the process of authentication of the authorised person referred to in point (b) of paragraph 5. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 710 #
Proposal for a regulation
Article 4 – paragraph 1 – introductory part
Article 4 – paragraph 1 – introductory part
1. Where they process data in an electronic format, health professionals shall, upon explicit consent from the natural persons under their treatment:
Amendment 717 #
Proposal for a regulation
Article 4 – paragraph 1 – point a
Article 4 – paragraph 1 – point a
(a) have access on a need-to-know basis to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
Amendment 722 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States mayshall establish rules providing for the categories of personal electronic health data required by different health professions or different healthcare tasks. Such rules shall not be based on the source of electronic health data.
Amendment 737 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services, where the processing of health data is necessary. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.
Amendment 748 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior authorisationexplicit consent by the natural person, including where the provider or professional is informed of the existence and nature of the restricted electronic health data. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
Amendment 764 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f a (new)
Article 5 – paragraph 1 – subparagraph 1 – point f a (new)
(f a) International Classification of Diseases (ICD) codes
Amendment 766 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Article 5 – paragraph 1 – subparagraph 3
Amendment 770 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
Amendment 780 #
Proposal for a regulation
Article 5 – paragraph 2 a (new)
Article 5 – paragraph 2 a (new)
2 a. The Commission shall, by means of implementing acts, lay down rules determining which health information domains and interoperability specifications, including standards, and profiles for representing and exchanging health data shall be included in the European electronic health record exchange format.
Amendment 781 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Article 6 – paragraph 1 – introductory part
1. The Commission shall, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format. The exchange format must be chosen in accordance with the feasibility of technical and organisational measures pursuant to Article 32 of Regulation (EU) 2016/679. The format shall include the following elements:
Amendment 794 #
Proposal for a regulation
Article 6 – paragraph 3 a (new)
Article 6 – paragraph 3 a (new)
3 a. When drafting the implementing acts, the Commission shall take all proper measures to ensure compatibility with existing data formats in Member States.
Amendment 805 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – introductory part
Article 7 – paragraph 3 – subparagraph 1 – introductory part
The Commission shall, by means of implementing acts, determine the requirements for the quality of data for the registration of electronic health data by healthcare providers and natural persons, as relevant. Those implementing acts shall establish the following:
Amendment 807 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point a
Article 7 – paragraph 3 – subparagraph 1 – point a
Amendment 810 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point b
Article 7 – paragraph 3 – subparagraph 1 – point b
Amendment 813 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1 – point c
Article 7 – paragraph 3 – subparagraph 1 – point c
Amendment 814 #
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 2
Article 7 – paragraph 3 – subparagraph 2
Those implementing acts shall be adopted in accordance with the advisoryexamination procedure referred to in Article 68(2).
Amendment 824 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
Amendment 834 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. The Commission shall, by means of implementing acts, determine the requirements for the interoperable, cross- border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014 as amended by [COM(2021) 281 final]. The mechanism shall facilitate the transferability of electronic health data in a cross-border context. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 859 #
Proposal for a regulation
Article 10 – paragraph 2 – point m
Article 10 – paragraph 2 – point m
(m) cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals or their representatives, industry associations;
Amendment 870 #
Proposal for a regulation
Article 10 – paragraph 2 – point o a (new)
Article 10 – paragraph 2 – point o a (new)
(o a) promote public awareness and understanding of the benefits, risks, rules, safeguards and rights in relation to the EHDS system.
Amendment 873 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
Article 10 – paragraph 2 a (new)
2 a. Digital health authorities shall consult relevant data protection authorities on matters of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data.
Amendment 877 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.
Amendment 891 #
Proposal for a regulation
Article 10 – paragraph 5
Article 10 – paragraph 5
5. In the performance of its tasks, the digital health authority shall actively cooperate with stakeholders’ representatives, including patients’ representatives. Members of the digital health authority shall avoidbe free of any conflicts of interest.
Amendment 892 #
Proposal for a regulation
Article 10 – paragraph 5 a (new)
Article 10 – paragraph 5 a (new)
5 a. Each Member State shall establish a complaint and redress mechanism to address conflicts of interests, negligence, or any other wrongdoing by the digital health authority.
Amendment 899 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall informsend a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679.
Amendment 906 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Article 11 a Right to an effective remedy against a digital health authority 1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a digital health authority concerning them. 2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the digital health authority which is competent pursuant to Article 10 does not handle a complaint or does not inform the natural or legal person within three months on the progress or outcome of the complaint lodged pursuant to Article 11. 3. Proceedings against a digital health authority shall be brought before the courts of the Member States where the digital health authority is established.
Amendment 909 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The Commission shall establish a central platform for digital health to provide services to support and facilitate the exchange of electronic health data between national contact points for digital health of the Member States.
Amendment 912 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
3. Each national contact point for digital health shall enable the exchange of the personal electronic health data referred to in Article 5 with all other national contact points. The exchange shall be based on the European electronic health record exchange format in accordance with Directive 2011/24/EU.
Amendment 914 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The implementing act shall include the target implementation dates, including for improved cross border health data interoperability, in consultation with the EHDS board. The European Union Agency for Cyber Security shall be consulted and closely involved in all steps of the procedure. Any measures adopted shall meet the highest technical standards in terms of security, confidentiality and protection of electronic health data.
Amendment 930 #
Proposal for a regulation
Article 12 – paragraph 8
Article 12 – paragraph 8
Amendment 939 #
Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 1
Article 13 – paragraph 3 – subparagraph 1
Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt an implementing act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such an implementing act, a compliance check of the national contact point of the third country or of the system established at an international level shall be performed under the control of the Commission, including on whether the health data transfer stemming from such exchange complies with the rules in Chapter V of Regulation (EU) 2016/679.
Amendment 946 #
Proposal for a regulation
Chapter III – title
Chapter III – title
III EHR systems and wellness applications
Amendment 954 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
1. EHR systems may be placed on the market or put into service only if theyafter a Notified Body confirms that the EHR system complyies with the provisions laid down in this Chapter.
Amendment 957 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Article 16 – paragraph 1 a (new)
If any economic operator, other than the manufacturer, makes modifications to the EHR system while deploying or using it, which lead to changes in the intended purpose and deployments recommendations for the EHR system as declared by the manufacturer, the economic operator shall assume the responsibilities of a manufacturer under this Regulation for the EHR system’s compliance with this Regulation. In case of any malfunctioning or deterioration in performance quality due to the changes made by the economic operator during deployment or use of the EHR system contrary to the manufacturer's recommendations for technical deployment of the system or purpose of its use, full responsibility for those modifications lays with the economic operator.
Amendment 1030 #
Proposal for a regulation
Article 23 – paragraph 1 – subparagraph 1
Article 23 – paragraph 1 – subparagraph 1
The Commission shall, by means of implementing acts, adopt common specifications in respect of the essential requirements set out in Annex II, including a uniform template document and a time limit for implementing those common specifications. Where relevant, the common specifications shall take into account the specificities of medical devices and high risk AI systems referred to in paragraphs 3 and 4 of Article 14.
Amendment 1032 #
Proposal for a regulation
Article 23 – paragraph 1 – subparagraph 2
Article 23 – paragraph 1 – subparagraph 2
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2) after consultation with the EHDS Board and relevant stakeholders.
Amendment 1042 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by allowing manufacturers to enter the information referred to in paragraph 2 into the EU database of EHR systems and wellness applications referred to in Article 32, as an alternative to supplying the information sheet referred to in paragraph 1 with the EHR system.
Amendment 1051 #
Proposal for a regulation
Article 26 – paragraph 4 a (new)
Article 26 – paragraph 4 a (new)
4 a. The Commission shall draw up a standard uniform EU declaration of conformity and make it available in digital format in all the official Union languages.
Amendment 1056 #
Proposal for a regulation
Article 27 a (new)
Article 27 a (new)
Article 27 a Assessment of conformity Before an EHR system may be placed on the market a Notified Body has to: (1) assess if the EHR system is in conformity with the essential requirements laid down in Annex II; (2) assess if the EHR system is in conformity with the requirements laid down in Regulation... (Cyber Resilience Act COM/2022/457). (3) assess if the technical documentation is available and complete; (4) assess if the EHR system fulfils the requirements of the EU declaration of conformity Only after EU-wide approval has been issued, the CE marking can be affixed, together with an identification number.
Amendment 1105 #
Proposal for a regulation
Article 31
Article 31
Amendment 1114 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Article 26 and wellness applications for which a label has been issued pursuant to Article 31.
Amendment 1118 #
Proposal for a regulation
Article 32 – paragraph 2
Article 32 – paragraph 2
2. Before placing on the market or putting into service an EHR system referred to in Article 14 or a wellness application referred to in Article 31, the manufacturer of such EHR system or wellness application or, where applicable, its authorised representative shall register the required data into the EU database referred to in paragraph 1.
Amendment 1121 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. Medical devices or high-risk AI systems referred to in paragraphs 3 and 4 of Article 14 of this Regulation shall also be registered in the database established pursuant to Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], as applicable.
Amendment 1124 #
Proposal for a regulation
Article 32 – paragraph 4
Article 32 – paragraph 4
4. The Commission is empowered to adopt delegated acts in accordance with Article 67 to determine the list of required data to be registered by the manufacturers of EHR systems and wellness applications pursuant to paragraph 2.
Amendment 1133 #
Proposal for a regulation
Article 33 – paragraph 1 – introductory part
Article 33 – paragraph 1 – introductory part
1. DAfter having obtained consent of the data subjects, data holders shall make the following categories of electronic data available for secondary use in accordance with the provisions of this Chapter:
Amendment 1162 #
Proposal for a regulation
Article 33 – paragraph 1 – point e
Article 33 – paragraph 1 – point e
Amendment 1169 #
Proposal for a regulation
Article 33 – paragraph 1 – point f
Article 33 – paragraph 1 – point f
Amendment 1200 #
Proposal for a regulation
Article 33 – paragraph 1 – point n
Article 33 – paragraph 1 – point n
Amendment 1214 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
Article 33 – paragraph 1 a (new)
1 a. Health data of natural persons registered by health professionals in accordance with Article 7 shall be requested from the EHR systems concerned.
Amendment 1227 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
3. The electronic health data referred to in paragraph 1 shall cover data processed for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, collected by entities and bodies in the health or care sectors, including public and private providers of health or care, entities or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies.
Amendment 1249 #
Amendment 1256 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
5. Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health dataNatural persons that are subjects to secondary use of health data shall have the right to decline the processing of their health data. Health data access bodies shall provide for an accessible and easily understandable opt-out mechanism, whereby natural persons must be offered the possibility to explicitly express their wish not to have all or part of their personal electronic health data processed for some or all secondary use purposes. Health data access bodies shall maintain an opt-out register for this purpose. In situation where natural persons explicitly express their wish to use opt-out mechanism to data holders, data holders shall direct natural persons to the health data access bodies.
Amendment 1272 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7
Amendment 1287 #
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
Article 34 – paragraph 1 – introductory part
1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 where the intended purpose ofto a health data user where the processing pursuedof the data by the applicant complies with: is necessary for one of the following purposes, and in accordance with Article 6(1)(c) and Article 9(2)(g), (h), (i) and (j) of Regulation (EU) 2016/679:
Amendment 1305 #
Proposal for a regulation
Article 34 – paragraph 1 – point c
Article 34 – paragraph 1 – point c
(c) to produce national, multi-national and Union level official statistics as defined in Regulation (EU) 223/2009 related to health or care sectors;
Amendment 1321 #
Proposal for a regulation
Article 34 – paragraph 1 – point f
Article 34 – paragraph 1 – point f
Amendment 1333 #
Proposal for a regulation
Article 34 – paragraph 1 – point g
Article 34 – paragraph 1 – point g
Amendment 1344 #
Proposal for a regulation
Article 34 – paragraph 1 – point h
Article 34 – paragraph 1 – point h
Amendment 1355 #
Proposal for a regulation
Article 34 – paragraph 2
Article 34 – paragraph 2
2. Access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant fulfils one of the purposes referred to in points (a) toand (cb) of paragraph 1 shall only be granted to public sector bodies and Union institutions, bodies, offices and agencies exercising their tasks conferred to them by Union or national law, including where processing of data for carrying out these tasks is done by a third party on behalf of that public sector body or of Union institutions, agencies and bodies.
Amendment 1363 #
4 a. Scientific research referred to in Article 34 point (e) of paragraph 1, as well as further research based on results of research through secondary use of health data according to this Regulation, shall provide a public return and be publicly accessible.
Amendment 1370 #
Proposal for a regulation
Article 35 – paragraph 1 – point a
Article 35 – paragraph 1 – point a
(a) taking decisions detrimental to a natural person based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons;
Amendment 1380 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
(b) taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance or credit contract or to modify their contributions and insurance premiums or durations of loans;
Amendment 1386 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) advertising or marketing activities towards health professionals, organisations in health or natural persons;
Amendment 1397 #
Proposal for a regulation
Article 35 – paragraph 1 – point e
Article 35 – paragraph 1 – point e
(e) developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco or nicotine or vaping products, or goods or services which are designed or modified in such a way that they contravene public order or morality.
Amendment 1449 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoidbe free of any conflicts of interest. Health data access bodies shall not be bound by any instructions, when making their decisactively cooperate with the relevant bodies or authorities responsible for the application of EU and national data protection legislation. When making their decisions, health data access bodies shall otherwise not be bound by any instructions.
Amendment 1485 #
Proposal for a regulation
Article 37 – paragraph 1 – point i
Article 37 – paragraph 1 – point i
Amendment 1536 #
Proposal for a regulation
Article 37 – paragraph 4 – subparagraph 1 (new)
Article 37 – paragraph 4 – subparagraph 1 (new)
The Commission shall adopt guidelines on the functioning of the health data access bodies to ensure coherent processes among them.
Amendment 1548 #
Proposal for a regulation
Article 38 – paragraph 1 – point d a (new)
Article 38 – paragraph 1 – point d a (new)
(d a) the identity and the contact details of the health data access body and, where applicable, other information required pursuant to Article 13(1), point (a), of Regulation (EU) 2016/679;
Amendment 1552 #
Proposal for a regulation
Article 38 – paragraph 1 – point e a (new)
Article 38 – paragraph 1 – point e a (new)
(e a) the record on who has been granted access to which sets of electronic health data and a justification regarding the purposes for processing them as referred to in Article 34(1), Union and national law.
Amendment 1559 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. Health data access bodies shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and shall provide general public information on all the data permits issued pursuant to Article 46.
Amendment 1569 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
3. Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body mayshall notify the data holder in order for them to inform the natural person and his or her treating health professional about that finding.
Amendment 1576 #
Proposal for a regulation
Article 38 – paragraph 4
Article 38 – paragraph 4
4. Member States shall regularly inform the public at large about the role, risks and benefits of the secondary use of health data and the role of health data access bodies.
Amendment 1582 #
Proposal for a regulation
Article 38 a (new)
Article 38 a (new)
Article 38 a Right to lodge a complaint with a health data access body 1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the health data access body, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 38(1), point (d), of this Regulation, the health data access body shall send a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679. 2. The health data access body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken. 3. Health data access body shall cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means, without undue delay.
Amendment 1586 #
Proposal for a regulation
Article 38 b (new)
Article 38 b (new)
Amendment 1604 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
Amendment 1608 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
1. When processing personal electronic health data, data altruism organisations shall comply with the rules set out in Chapter IV of Regulation […] [Data Governance Act COM/2020/767 final]. Where data altruism organisations process personal electronic health data usingn processing electronic health data, data altruism organisations shall make use of a secure processing environment, such environments shalland also comply with the requirements set out in Article 50 of this Regulation.
Amendment 1620 #
Proposal for a regulation
Article 41 – paragraph 2 a (new)
Article 41 – paragraph 2 a (new)
2 a. Paragraph 1 constitutes a legal obligation in the sense of Article 6(1)(c) of Regulation 2016/679 for the data holder to disclose personal electronic health data to the health data access body, in accordance with Article 9(2), points (h), (i) and (j), of Regulation 2016/679.
Amendment 1636 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Health data access bodies and single data holders may charge fees for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]
Amendment 1664 #
Proposal for a regulation
Article 43 – paragraph 4
Article 43 – paragraph 4
4. HNotwithstanding the right for Member States to impose penalties in accordance with Article 69, health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non- compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to revoke the data permit and to exclude the data user from any access to electronic health data for a period of up to 5 years.
Amendment 1673 #
Proposal for a regulation
Article 43 – paragraph 5
Article 43 – paragraph 5
5. Where data holders withhold the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or do not respect the deadlines set out in Article 41, the health data access body shall have the power to fine the data holder with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body. In case of repeated breaches by the data holder of the obligation of loyal cooperation with the health data access body, that body can exclude the data holder from participation in the EHDS for a period of up to 5 years. Where a data holder has been excluded from the participation in the EHDS pursuant to this Article, following manifest intention of obstructing the secondary use of electronic health data, it shall not have the right to provide access to health data in accordance with Article 49.
Amendment 1691 #
Proposal for a regulation
Article 44 – paragraph 1
Article 44 – paragraph 1
1. The health data access body shall ensure that access is only provided to requested electronic health data relevant forthat are adequate, relevant and limited to what is necessary in relation to the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
Amendment 1697 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. The health data access bodies shall provide the electronic health data in an anonymised format, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user. The health data access bodies shall indicate the entity in charge of the anonymization and the anonymization standard applied. Special safeguards shall be applied in the case of rare diseases. Data users shall not attempt to re-identify the data subject of the anonymised data.
Amendment 1705 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. For that purpose, health data access points shall verify in advance the compliance of the pseudonymisation of the data for processing by the data user with Article 6 and, where relevant, Article 9 of Regulation (EU) 2016/679. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re- identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties.
Amendment 1719 #
Proposal for a regulation
Article 44 – paragraph 3 a (new)
Article 44 – paragraph 3 a (new)
3 a. Taking into account the state of the art and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the health data access body shall apply appropriate anonymisation or pseudonymisation techniques to ensure a high level of security appropriate to the risk of re-identification.
Amendment 1733 #
Proposal for a regulation
Article 45 – paragraph 2 – point a
Article 45 – paragraph 2 – point a
(a) a detailed explanation of the intended use and benefit related to that use of the electronic health data, including for which of the purposes referred to in Article 34(1) access is sought;:
Amendment 1734 #
Proposal for a regulation
Article 45 – paragraph 2 – point a – point i (new)
Article 45 – paragraph 2 – point a – point i (new)
i) the purposes referred to in Article 9 (2), points (i) and (j), of Regulation 2016/679, combined with Article 34(1);
Amendment 1735 #
Proposal for a regulation
Article 45 – paragraph 2 – point a – point ii (new)
Article 45 – paragraph 2 – point a – point ii (new)
ii) demonstrable evidence that the stated purpose is of public interest.
Amendment 1738 #
Proposal for a regulation
Article 45 – paragraph 2 – point a a (new)
Article 45 – paragraph 2 – point a a (new)
(a a) a description of the applicant's identity, professional function and operation, including the identity of anyone with access to the electronic health data;
Amendment 1742 #
Proposal for a regulation
Article 45 – paragraph 2 – point c
Article 45 – paragraph 2 – point c
(c) an indication whether electronic health data shouldneed to be made available in an anonymised form pseudonymised format and the reason why the envisaged purpose for processing cannot be pursued using anonymised data;
Amendment 1748 #
Proposal for a regulation
Article 45 – paragraph 2 – point e
Article 45 – paragraph 2 – point e
(e) a description of the safeguards planned to prevent any other misuse of the electronic health data, including the re- identification of natural persons in the dataset;
Amendment 1750 #
Proposal for a regulation
Article 45 – paragraph 2 – point f a (new)
Article 45 – paragraph 2 – point f a (new)
(f a) a description of the necessary technical and organizational measures pursuant to Article 32 of Regulation (EU) 2016/679;
Amendment 1751 #
Proposal for a regulation
Article 45 – paragraph 2 – point f b (new)
Article 45 – paragraph 2 – point f b (new)
(f b) a description of how the data applicant is qualified vis-à-vis the intended purposes of data use, such as professional qualifications to demonstrate appropriate expertise;
Amendment 1755 #
Proposal for a regulation
Article 45 – paragraph 2 – point h a (new)
Article 45 – paragraph 2 – point h a (new)
(h a) all information under Article 14 of Regulation (EU) 2016/679 and information regarding the exercise of the rights of natural persons according to Chapter III of Regulation (EU) 2016/67;
Amendment 1758 #
Proposal for a regulation
Article 45 – paragraph 2 – point h b (new)
Article 45 – paragraph 2 – point h b (new)
(h b) a signed agreement pledging to respect the common code of ethical conduct for the secondary uses of personal health data as developed by the EHDS Board in accordance with Article 65(2), point (g).
Amendment 1762 #
Proposal for a regulation
Article 45 – paragraph 2 a (new)
Article 45 – paragraph 2 a (new)
2 a. Data users that are private entities shall have a proven track-record of trustworthy and successful involvement in medical research or education. They shall submit a declaration setting out their vested interest in the processing as described in point a of paragraph 1.
Amendment 1768 #
Proposal for a regulation
Article 45 – paragraph 4 – introductory part
Article 45 – paragraph 4 – introductory part
4. Where the applicant intendrequests to access the personal electronic health data in a pseudonymised format, the following additional information shall be provided together with the data access application:
Amendment 1771 #
Proposal for a regulation
Article 45 – paragraph 4 – point a
Article 45 – paragraph 4 – point a
(a) a description of how the processing would comply with Article 6(1) and, where applicable, Article 9 of Regulation (EU) 2016/679;
Amendment 1778 #
Proposal for a regulation
Article 45 – paragraph 5 – subparagraph 1
Article 45 – paragraph 5 – subparagraph 1
For the implementation of the tasks referred to in Article 37(1), points (b) and (c), the public sector bodies and the Union institutions, bodies, offices and agencies shall provide the same information as requested under Article 45(2), except for point (g), where they shall submit information concerning the period for which the data can be accessed, the frequency of that access or the frequency of the data updates.
Amendment 1780 #
Proposal for a regulation
Article 45 – paragraph 5 – subparagraph 2
Article 45 – paragraph 5 – subparagraph 2
Where the public sector bodies and the Union institutions, bodies, offices and agencies intend to access the electronic health data in pseudonymised format, a description of how the processing would comply with Article 6(1) and Article 9 of Regulation (EU) 2016/679, or Article 5(1) and Article 10 of Regulation (EU) 2018/1725, as applicable, shall also be provided.
Amendment 1792 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Health data access bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. They shall also assess if the entity applying for the permit has a proven track record of genuine activity in the field of medical research or education. If that is the case, the health data access body shall issue a data permit.
Amendment 1803 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
Article 46 – paragraph 1 a (new)
1 a. Furthermore, when the health data access bodies make their decisions to grant or refuse access to electronic health data, they shall assess if the applicant fulfils the following criteria: (a) the purposes described in the data access application match one or more of the purposes listed in Article 34(1) of this Regulation; (b) the requested data is necessary for the purpose described in the data access application; (c) the processing complies with applicable Union and national data protection law.The health data access bodies shall seek the advice from the competent data protection authorities for this matter; (d) the information provided in the application demonstrates sufficient safeguards planned to protect the rights and interests of the health data holder and of the natural persons concerned and to prevent any misuse (e) the information on the assessment of ethical aspects of the processing, where applicable, is in line with national law; (f) the option of individuals to opt-out with respect to the secondary use of their personal health data; (g) other requirements in this Chapter.
Amendment 1819 #
Proposal for a regulation
Article 46 – paragraph 3
Article 46 – paragraph 3
3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.
Amendment 1825 #
4. Following the issuance of the data permit, the health data access body shall immediately, without undue delay, request the electronic health data from the data holder. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe.
Amendment 1835 #
Proposal for a regulation
Article 46 – paragraph 6 a (new)
Article 46 – paragraph 6 a (new)
6 a. Relevant bodies or authorities competent pursuant to applicable data protection legislation shall have the possibility to scrutinise and, if necessary, overturn the assessment of the data processing legal basis of data permit requests made to the health data access bodies.
Amendment 1883 #
Amendment 1891 #
Proposal for a regulation
Article 49
Article 49
Access to electronic health data from a 1. access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies. 2. issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42. 3. 51, the single data provider and the data user shall be deemed joint controllers. 4. shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.rticle 49 deleted single data holder Where an applicant requests In such case, the data holder may By way of derogation from Article Within 3 months the data holder
Amendment 1901 #
(b) minimise the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technological and organisational means;
Amendment 1949 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point a
Article 52 – paragraph 13 – subparagraph 1 – point a
(a) requirements, technical specifications, the IT architecture of HealthData@EU, conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EUwhich shall guarantee a high level of data security, confidentiality and protection of electronic data;
Amendment 1953 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point b
Article 52 – paragraph 13 – subparagraph 1 – point b
Amendment 1955 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point c
Article 52 – paragraph 13 – subparagraph 1 – point c
Amendment 1957 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point d
Article 52 – paragraph 13 – subparagraph 1 – point d
Amendment 1959 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point e a (new)
Article 52 – paragraph 13 – subparagraph 1 – point e a (new)
(ea) conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU;
Amendment 1962 #
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 2
Article 52 – paragraph 13 – subparagraph 2
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The European Union Agency for Cyber Security (ENISA) shall be consulted and closely involved in the process.
Amendment 1995 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 [(a), (e), (f), (i), (j), (k), (m)] shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future.
Amendment 2003 #
Proposal for a regulation
Article 61 – paragraph 2
Article 61 – paragraph 2
2. The protective measures for the categories of data mentioned in paragraph 1 shall depend on the nature of the data and anonymization techniques and shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].
Amendment 2007 #
Proposal for a regulation
Article 61 – paragraph 2 a (new)
Article 61 – paragraph 2 a (new)
2a. Where a health data access body has reason to believe that the transfer or access to non-personal data may lead to the risk of re-identification of non- personal or anonymised data, the health data access body shall request the relevant bodies or authorities competent pursuant to applicable data protection legislation for authorisation before transferring or giving access to data.
Amendment 2016 #
Proposal for a regulation
Article 63 – paragraph 1
Article 63 – paragraph 1
Controllers and processors located in the EU who process personal electronic health data within the scope of this Regulation shall process that data within the territory of the EU. In the context of international access and transfer of personal electronic health data, Member States may maintain or introduce further conditions, including limitations, in accordance with and under the conditions of article 9(4) of the Regulation (EU) 2016/679.
Amendment 2019 #
Proposal for a regulation
Article 63 – paragraph 1 – subparagraph 1 (new)
Article 63 – paragraph 1 – subparagraph 1 (new)
Where a controller that processes personal data in accordance with this Regulation and uses a processor for the purposes referred to in Article 28(3) of Regulation (EU) 2016/679, no transfer of personal data by the processor to a third country shall take place.
Amendment 2030 #
Proposal for a regulation
Article 64 – paragraph 1
Article 64 – paragraph 1
1. A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of the high level representatives of digital health authorities and health data access bodies of all the Member States. Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor mayshall be invited to the meetings, where the issues discussed are of relevance for them. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an observer role.
Amendment 2041 #
Proposal for a regulation
Article 64 – paragraph 6
Article 64 – paragraph 6
Amendment 2069 #
Proposal for a regulation
Article 65 – paragraph 2 – point f a (new)
Article 65 – paragraph 2 – point f a (new)
(fa) to elaborate and monitor the implementation of a common code of ethical conduct for the secondary uses of personal health data.
Amendment 2079 #
Proposal for a regulation
Article 67 – paragraph 3
Article 67 – paragraph 3
3. The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 2095 #
Proposal for a regulation
Article 69 a (new)
Article 69 a (new)
Article 69a Right to compensation Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation, in accordance to national and Union law, from the data holder, data user, data recipient, health professional, healthcare provider, EHR system manufacturer, EHR system importer, EHR system distributor, EHR system authorised representative or Health Data Access Body responsible for the infringement.
Amendment 2104 #
Proposal for a regulation
Article 70 – paragraph 1
Article 70 – paragraph 1
1. After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapter III, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self-certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies.
Amendment 2109 #
Proposal for a regulation
Article 71 a (new)
Article 71 a (new)