Legal provisions of COM(2022)197 - European Health Data Space

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2022)197 - European Health Data Space.
document COM(2022)197 EN
date May  3, 2022


Chapter I

General provisions

Contents

Article 1 - Subject matter and scope

1. This Regulation establishes the European Health Data Space (‘EHDS’) by providing for rules, common standards and practices, infrastructures and a governance framework for the primary and secondary use of electronic health data. 

2. This Regulation:

(a)strengthens the rights of natural persons in relation to the availability and control of their electronic health data;

(b)lays down rules for the placing on the market, making available on the market or putting into service of electronic health records systems (‘EHR systems’) in the Union;

(c)lays down rules and mechanisms supporting the secondary use of electronic health data;

(d)establishes a mandatory cross-border infrastructure enabling the primary use of electronic health data across the Union;

(e)establishes a mandatory cross-border infrastructure for the secondary use of electronic health data.

3. This Regulation applies to:

(a)manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;

(b)controllers and processors established in the Union processing electronic health data of Union citizens and third-country nationals legally residing in the territories of Member States;

(c)controllers and processors established in a third country that has been connected to or are interoperable with MyHealth@EU, pursuant to Article 12(5);

(d)data users to whom electronic health data are made available by data holders in the Union.

4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final].

5. This Regulation shall be without prejudice to Regulations (EU) 2017/745 and […] [AI Act COM/2021/206 final], as regards the security of medical devices and AI systems that interact with EHR systems.

6. This Regulation shall not affect the rights and obligations laid down in Union or national law concerning data processing for the purposes of reporting, complying with information requests or demonstrating or verifying compliance with legal obligations.

Article 2 - Definitions

1. For the purposes of this Regulation, following definitions shall apply:

(a)the definitions in Regulation (EU) 2016/679;

(b)the definitions of ‘healthcare’, ‘Member State of affiliation’, ‘Member State of treatment’, ‘health professional’, ‘healthcare provider’, ‘medicinal product’ and ‘prescription’, pursuant to Article 3 (a), (c), (d), (f), (g), (i) and (k) of Article 3 of the Directive 2011/24/EU;

(c)the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2 (1), (8), (10), (11) and (14) of [Data Governance Act COM/2020/767 final];

(d)the definitions of ‘making available on the market’, ‘placing on the market’, ‘market surveillance’, ‘market surveillance authority’, ‘non-compliance’, ‘manufacturer’, ‘importer’, ‘distributor’, ‘economic operator’, ‘corrective action’, ‘risk’, ‘recall’ and ‘withdrawal’, pursuant to Article 2 (1), (2), (3), (4), (7), (8), (9), (10), (13), (16), (18), (22) and (23) of the Regulation (EU) 2019/1020;

(e)the definitions of ‘medical device’, ‘intended purpose’, ‘instructions for use’, ‘performance’, ‘health institution’ and ‘common specifications’, pursuant to Article 2 (1), (12), (14), (22), (36) and (71) of the Regulation (EU) 2017/745;

(f)the definitions of ‘electronic identification’, ‘electronic identification means’ and ‘person identification data’ pursuant to Article 3 (1), (2) and (3) of the Regulation (EU) No 910/2014.

2. In addition, for the purposes of this Regulation the following definitions shall apply:

(a)‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form;

(b)‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;

(c)‘electronic health data’ means personal or non-personal electronic health data;

(d)‘primary use of electronic health data’ means the processing of personal electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;

(e)‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use; 

(f)‘interoperability’ means the ability of organisations as well as software applications or devices from the same manufacturer or different manufacturers to interact towards mutually beneficial goals, involving the exchange of information and knowledge without changing the content of the data between these organisations, software applications or devices, through the processes they support;

(g)‘European electronic health record exchange format’ means a structured, commonly used and machine-readable format that allows transmission of personal electronic health data between different software applications, devices and healthcare providers;

(h)‘registration of electronic health data’ means the recording of health data in an electronic format, through manual entry of data, through the collection of data by a device, or through the conversion of non-electronic health data into an electronic format, to be processed in an EHR system or a wellness application;

(i)‘electronic health data access service’ means an online service, such as a portal or a mobile application, that enables natural persons not acting in their professional role to access their own electronic health data or electronic health data of those natural persons whose electronic health data they are legally authorised to access;

(j)‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their treatment;

(k)‘data recipient’ means a natural or legal person that receives data from another controller in the context of the primary use of electronic health data;

(l)‘telemedicine’ means the provision of healthcare services, including remote care and online pharmacies, through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;

(m)‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for healthcare purposes; 

(n)‘EHR system’ (electronic health record system) means any appliance or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records; 

(o)‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy life-styles;

(p)‘CE marking of conformity’ means a marking by which the manufacturer indicates that the EHR system is in conformity with the applicable requirements set out in this Regulation and other applicable Union legislation providing for its affixing;

(q)‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads, might have led or might lead to any of the following:

(i)the death of a natural person or serious damage to a natural person’s health;

(ii)a serious disruption of the management and operation of critical infrastructure in the health sector; 

(r)‘national contact point for digital health’ means an organisational and technical gateway for the provision of cross-border digital health information services for primary use of electronic health data, under the responsibility of the Member States;

(s)‘central platform for digital health’ means an interoperability platform providing services to support and facilitate the exchange of electronic health data between national contact points for digital health;

(t)‘MyHealth@EU’ means the cross-border infrastructure for primary use of electronic health data formed by the combination of national contact points for digital health and the central platform for digital health;

(u)‘national contact point for secondary use of electronic health data’ means an organisational and technical gateway enabling the cross-border secondary use of electronic health data, under the responsibility of the Member States;

(v)‘central platform for secondary use of electronic health data’ means an interoperability platform established by the Commission, providing services to support and facilitate the exchange of information between national contact points for secondary use of electronic health data;

(x)‘HealthData@EU’ means the infrastructure connecting national contact points for secondary use of electronic health data and the central platform; 

(y)‘data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;

(z)‘data user’ means a natural or legal person who has lawful access to personal or non-personal electronic health data for secondary use;

(aa)‘data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;

(ab)‘dataset’ means a structured collection of electronic health data;

(ac)‘dataset catalogue’ means a collection of datasets descriptions, which is arranged in a systematic manner and consists of a user-oriented public part, where information concerning individual dataset parameters is accessible by electronic means through an online portal;

(ad)‘data quality’ means the degree to which characteristics of electronic health data are suitable for secondary use;

(ae)‘data quality and utility label’ means a graphic diagram, including a scale, describing the data quality and conditions of use of a dataset. 

Chapter II

Primary use of electronic health data

Section 1

Access to and transmission of personal electronic health data for primary use

Article 3 - Rights of natural persons in relation to the primary use of their personal electronic health data

1. Natural persons shall have the right to access their personal electronic health data processed in the context of primary use of electronic health data, immediately, free of charge and in an easily readable, consolidated and accessible form.

2. Natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format referred to in Article 6, of at least their electronic health data in the priority categories referred to in Article 5.

3. In accordance with Article 23 of Regulation (EU) 2016/679, Member States may restrict the scope of this right whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on his or her health.

4. Where the personal health data have not been registered electronically prior to the application of this Regulation, Member States may require that such data is made available in electronic format pursuant to this Article. This shall not affect the obligation to make personal electronic health data registered after the application of this Regulation available in electronic format pursuant to this Article. 

5. Member States shall:

(a)establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in paragraphs 1 and 2;

(b)establish one or more proxy services enabling a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf.

The proxy services shall provide authorisations free of charge, electronically or on paper. They shall enable guardians or other representatives to be authorised, either automatically or upon request, to access electronic health data of the natural persons whose affairs they administer. Member States may provide that authorisations do not apply whenever necessary for reasons related to the protection of the natural person, and in particular based on patient safety and ethics. The proxy services shall be interoperable among Member States.

6. Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative.

7. Member States shall ensure that, when exercising the right to rectification under Article 16 of Regulation (EU) 2016/679, natural persons can easily request rectification online through the electronic health data access services referred to in paragraph 5, point (a), of this Article. 

8. Natural persons shall have the right to give access to or request a data holder from the health or social security sector to transmit their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder. 

Natural persons shall have the right that, where the data holder and the data recipient are located in different Member States and such electronic health data belongs to the categories referred to in Article 5, the data holder shall transmit the data in the European electronic health record exchange format referred to in Article 6 and the data recipient shall read and accept it.

By way of derogation from Article 9 of Regulation […] [Data Act COM/2022/68 final], the data recipient shall not be required to compensate the data holder for making electronic heath data available.

Natural persons shall have the right that, where priority categories of personal electronic health data referred to in Article 5 are transmitted or made available by the natural person according to the European electronic health record exchange format referred to in Article 6, such data shall be read and accepted by other healthcare providers.

9. Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms. 

10. Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare. The information shall be provided immediately and free of charge through electronic health data access services. 

11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences. 

12. The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 4 - Access by health professionals to personal electronic health data

1. Where they process data in an electronic format, health professionals shall:

(a)have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment; 

(b)ensure that the personal electronic health data of the natural persons they treat are updated with information related to the health services provided.

2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States may establish rules providing for the categories of personal electronic health data required by different health professions. Such rules shall not be based on the source of electronic health data.

3. Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.

4. Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior authorisation by the natural person, including where the provider or professional is informed of the existence and nature of the restricted electronic health data. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.

Article 5 - Priority categories of personal electronic health data for primary use

1. Where data is processed in electronic format, Member States shall implement access to and exchange of personal electronic health data for primary use fully or partially falling under the following categories: 

(a)patient summaries;

(b)electronic prescriptions;

(c)electronic dispensations;

(d)medical images and image reports;

(e)laboratory results;

(f)discharge reports.

The main characteristics of the categories of electronic health data in the first subparagraph shall be as set out in Annex I.

Access to and exchange of electronic health data for primary use may be enabled for other categories of personal electronic health data available in the EHR of natural persons.

2. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. Such delegated acts may also amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data and indicating, where relevant, deferred application date. The categories of electronic health data added through such delegated acts shall satisfy the following criteria:

(a)the category is relevant for health services provided to natural persons;

(b)according to the most recent information, the category is used in a significant number of EHR systems used in Member States;

(c)international standards exist for the category that have been examined for the possibility of their application in the Union.

Article 6 - European electronic health record exchange format

1. The Commission shall, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format. The format shall include the following elements:

(a)datasets containing electronic health data and defining structures, such as data fields and data groups for the content representation of clinical content and other parts of the electronic health data;

(b)coding systems and values to be used in datasets containing electronic health data;

(c)technical specifications for the exchange of electronic health data, including its content representation, standards and profiles.

2. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). Member States shall ensure that where the priority categories of personal electronic health data referred to in Article 5 are provided by a natural person directly or transmitted to a healthcare provider by automatic means in the format referred to in paragraph 1, such data shall be read and accepted by the data recipient.

3. Member States shall ensure that the priority categories of personal electronic health data referred to in Article 5 are issued in the format referred to in paragraph 1 and such data shall be read and accepted by the data recipient.

Article 7 - Registration of personal electronic health data

1. Member States shall ensure that, where data is processed in electronic format, health professionals systematically register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system. 

2. Where electronic health data of a natural person is registered in a Member State that is not the Member State of affiliation of that person, the Member State of treatment shall ensure that the registration is performed under the person identification data of the natural person in the Member State of affiliation.

3. The Commission shall, by means of implementing acts, determine the requirements for the registration of electronic health data by healthcare providers and natural persons, as relevant. Those implementing acts shall establish the following:

(a)categories of healthcare providers that are to register health data electronically; 

(b)categories of health data that are to be registered systematically in electronic format by healthcare providers referred to in point (a);

(c)data quality requirements pertaining to the electronic registration of health data.

Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 8 - Telemedicine in the context of cross-border healthcare

Where a Member State accepts the provision of telemedicine services, it shall, under the same conditions, accept the provision of the services of the same type by healthcare providers located in other Member States.

Article 9 - Identification management 

1. Where a natural person uses telemedicine services or personal health data access services referred to in Article 3(5), point (a), that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.

2. The Commission shall, by means of implementing acts, determine the requirements for the interoperable, cross-border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014 as amended by [COM(2021) 281 final]. The mechanism shall facilitate the transferability of electronic health data in a cross-border context. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

3. The Commission shall implement services required by the interoperable, cross-border identification and authentication mechanism referred to in paragraph 2 of this Article at Union level, as part of the cross-border digital health infrastructure referred to in Article 12(3).

4. The digital health authorities and the Commission shall implement the cross-border identification and authentication mechanism at Union and Member States’ level, respectively.

Article 10 - Digital health authority

1. Each Member State shall designate a digital health authority responsible for the implementation and enforcement of this Chapter at national level. The Member State shall communicate the identity of the digital health authority to the Commission by the date of application of this Regulation. Where a designated digital health authority is an entity consisting of multiple organisations, the Member State shall communicate to the Commission a description of the separation of tasks between the organisations. The Commission shall make this information publicly available.

2. Each digital health authority shall be entrusted with the following tasks:

(a)ensure the implementation of the rights and obligations provided for in Chapters II and III by adopting necessary national, regional or local technical solutions and by establishing relevant rules and mechanisms;

(b)ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers;

(c)in the implementation of technical solutions referred to in point (a), enforce their compliance with Chapter II, III and Annex II;

(d)contribute, at Union level, to the development of technical solutions enabling natural persons and health professionals to exercise their rights and obligations set out in this Chapter;

(e)facilitate for persons with disabilities to exercise their rights listed in Article 3 of this Regulation in accordance with Directive (EU) 2019/882 of the European Parliament and of the Council 55 .

(f)supervise the national contact points for digital health and cooperate with other digital health authorities and the Commission on further development of MyHealth@EU;

(g)ensure the implementation, at national level, of the European electronic health record exchange format, in cooperation with national authorities and stakeholders;

(h)contribute, at Union level, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing interoperability, security, safety or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;

(i)where applicable, perform market surveillance activities in accordance with Article 28, while ensuring that any conflict of interest is avoided;

(j)build national capacity for implementing interoperability and security of the primary use of electronic health data and participate in information exchanges and capacity building activities at Union level;

(k)offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, do not discriminate and offer the possibility of choosing between in person and digital services;

(l)cooperate with market surveillance authorities, participate in the activities related to handling of risks posed by EHR systems and of serious incidents and supervise the implementation of corrective actions in accordance with Article 29;

(m)cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals, industry associations;

(n)cooperate with supervisory authorities in accordance with Regulation (EU) 910/2014, Regulation (EU) 2016/679 and Directive (EU) 2016/1148 of the European Parliament and of the Council 56 with other relevant authorities, including those competent for cybersecurity, electronic identification, the European Artificial Intelligence Board, the Medical Device Coordination Group, the European Data Innovation Board and the competent authorities under Regulation […] [Data Act COM/2022/68 final];

(o)draw up, in collaboration where relevant with market surveillance authorities, an annual activity report, which shall contain a comprehensive overview of its activities. The report shall be transmitted to the Commission. The annual activity report shall follow a structure that is agreed at Union level within EHDS Board, to support benchmarking pursuant to Article 59. The report shall contain at least information concerning:

(i)measures taken to implement this Regulation;

(ii)percentage of natural persons having access to different data categories of their electronic health records;

(iii)information on the handling of requests from natural persons on the exercise of their rights pursuant to this Regulation;

(iv)number of healthcare providers of different types, including pharmacies, hospitals and other points of care, connected to MyHealth@EU calculated a) in absolute terms, b) as share of all healthcare providers of the same type and c) as share of natural persons that can use the services;

(v)volumes of electronic health data of different categories shared across borders through MyHealth@EU;

(vi)level of natural person satisfaction with MyHealth@EU services;

(vii)number of certified EHR systems and labelled wellness applications enrolled in the EU database;

(viii)number of non-compliance cases with the mandatory requirements;

(ix)a description of its activities carried out in relation to engagement with and consultation of relevant stakeholders, including representatives of natural persons, patient organisations, health professionals, researchers, and ethical committees;

(x)information on cooperation with other competent bodies in particular in the area of data protection, cybersecurity, and artificial intelligence.

3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.

4. Each Member State shall ensure that each digital health authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers.

5. In the performance of its tasks, the digital health authority shall actively cooperate with stakeholders’ representatives, including patients’ representatives. Members of the digital health authority shall avoid any conflicts of interest. 

Article 11 - Right to lodge a complaint with a digital health authority

1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall inform the supervisory authorities under Regulation (EU) 2016/679.

2. The digital health authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken.

3. Digital health authorities shall cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means, without undue delay.

Section 2

Cross-border infrastructure for primary use of electronic health data

Article 12 - MyHealth@EU

1. The Commission shall establish a central platform for digital health to provide services to support and facilitate the exchange of electronic health data between national contact points for digital health of the Member States.

2. Each Member State shall designate one national contact point for digital health to ensure the connection to all other national contact points for digital health and to the central platform for digital health. Where a designated national contact point is an entity consisting of multiple organisations responsible for implementing different services, the Member State shall communicate to the Commission a description of the separation of tasks between the organisations. The national contact point for digital health shall be considered an authorised participant in the infrastructure. Each Member State shall communicate the identity of its national contact point to the Commission by [the date of application of this Regulation]. Such contact point may be established within the digital health authority established by Article 10 of this Regulation. Member States shall communicate to the Commission any subsequent modification of the identity of those contact points. The Commission and the Member States shall make this information publicly available.

3. Each national contact point for digital health shall enable the exchange of the personal electronic health data referred to in Article 5 with all other national contact points. The exchange shall be based on the European electronic health record exchange format.

4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

5. Member States shall ensure connection of all healthcare providers to their national contact points for digital health and shall ensure that those connected are enabled to perform two-way exchange of electronic health data with the national contact point for digital health.

6. Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.

7. The national contact points for digital health shall act as joint controllers of the electronic health data communicated through ‘MyHealth@EU’ for the processing operations in which they are involved. The Commission shall act as processor.

8. The Commission shall, by means of implementing acts, allocate responsibilities among controllers and as regards the processor referred to in paragraph 7 of this Article, in accordance with Chapter IV of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). 

9. The approval for individual authorised participants to join MyHealth@EU for different services, or to disconnect a participant shall be issued by the Joint Controllership group, based on the results of the compliance checks.

Article 13 - Supplementary cross-border digital health services and infrastructures

1. Member States may provide through MyHealth@EU supplementary services that facilitate telemedicine, mobile health, access by natural persons to their translated health data, exchange or verification of health-related certificates, including vaccination card services supporting public health and public health monitoring or digital health systems, services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of care and ensuring access to safe and high-quality healthcare. The Commission shall, by means of implementing acts, set out the technical aspects of such provision. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

2. The Commission and Member States may facilitate the exchange of electronic health data with other infrastructures, such as the Clinical Patient Management System or other services or infrastructures in the health, care or social security fields which may become authorised participants to MyHealth@EU. The Commission shall, by means of implementing acts, set out the technical aspects of such exchanges. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The connection of another infrastructure to the central platform for digital health shall be subject to a decision of the joint controllership group for MyHealth@EU referred to in Article 66.

3. Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt an implementing act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such an implementing act, a compliance check of the national contact point of the third country or of the system established at an international level shall be performed under the control of the Commission.

The implementing acts referred to in the first subparagraph of this paragraph shall be adopted in accordance with the procedure referred to in Article 68. The connection of the national contact point of the third country or of the system established at an international level to the central platform for digital health, as well as the decision to be disconnected shall be subject to a decision of the joint controllership group for MyHealth@EU referred to in Article 66.

The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.

CHAPTER III

EHR systems and wellness applications

Section 1

General provisions for EHR systems

Article 14 - Interplay with legislation governing medical devices and AI systems

1. EHR systems intended by their manufacturer for primary use of priority categories of electronic health data referred to in Article 5 shall be subject to the provisions laid down in this Chapter.

2. This Chapter shall not apply to general software used in a healthcare environment.

3. Manufacturers of medical devices as defined in Article 2(1) of Regulation (EU) 2017/745 that claim interoperability of those medical devices with EHR systems shall prove compliance with the essential requirements on interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those medical devices. 

4. Providers of high-risk AI systems as defined in Article 6 of Regulation […] [AI act COM/2021/206 final], which does not fall within the scope of Regulation (EU) 2017/745, that claim interoperability of those AI systems with EHR systems will need to prove compliance with the essential requirements on interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those high-risk AI systems. 

5. Member States may maintain or define specific rules for the procurement, reimbursement or financing of EHR systems in the context of the organisation, delivery or financing of healthcare services.

Article 15 - Placing on the market and putting into service

1. EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in this Chapter.

2. EHR systems that are manufactured and used within health institutions established in the Union and EHR systems offered as a service within the meaning of Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council 57 to a natural or legal person established in the Union shall be considered as having been put into service.

Article 16 - Claims

In the information sheet, instructions for use or other information accompanying EHR systems, and in the advertising of EHR systems, it shall be prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user with regard to its intended purpose, interoperability and security by:

(a)ascribing functions and properties to the EHR system which it does not have;

(b)failing to inform the user of likely limitations related to interoperability or security features of the EHR system in relation to its intended purpose;

(c)suggesting uses for the EHR system other than those stated in the technical documentation to form part of the intended purpose.

Section 2

Obligations of economic operators with regard to EHR systems

Article 17 - Obligations of manufacturers of EHR systems

1. Manufacturers of EHR systems shall:

(a)ensure that their EHR systems are in conformity with the essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;

(b)draw up the technical documentation of their EHR systems in accordance with Article 24;

(c)ensure that their EHR systems are accompanied, free of charge for the user, by the information sheet provided for in Article 25 and clear and complete instructions for use;

(d)draw up an EU declaration of conformity as referred to in Article 26;

(e)affix the CE marking in accordance with Article 27;

(f)comply with the registration obligations in Article 32;

(g)take without undue delay any necessary corrective action in respect of their EHR systems which are not in conformity with the essential requirements laid down in Annex II, or recall or withdraw such systems;

(h)inform the distributors of their EHR systems and, where applicable, the authorised representative and importers of any corrective action, recall or withdrawal;

(i)inform the market surveillance authorities of the Member States in which they made their EHR systems available or put them into service of the non-conformity and of any corrective action taken;

(j)upon request of a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of their EHR system with the essential requirements laid down in Annex II.

(k)cooperate with market surveillance authorities, at their request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.

2. Manufacturers of EHR systems shall ensure that procedures are in place to ensure that the design, development and deployment of an EHR system continues to comply with the essential requirements laid down in Annex II and the common specifications referred to in Article 23. Changes in EHR system design or characteristics shall be adequately taken into account and reflected in the technical documentation.

3. Manufacturers of EHR systems shall keep the technical documentation and the EU declaration of conformity for 10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market.

Article 18 - Authorised representatives

1. Prior to making an EHR system available on the Union market, a manufacturer of an EHR system established outside of the Union shall, by written mandate, appoint an authorised representative which is established in the Union.

2. An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The mandate shall allow the authorised representative to do at least the following:

(a)keep the EU declaration of conformity and the technical documentation at the disposal of market surveillance authorities for the period referred to in Article 17(3);

(b)further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II;

(c)cooperate with the market surveillance authorities, at their request, on any corrective action taken in relation to the EHR systems covered by their mandate.

Article 19 - Obligations of importers

1. Importers shall place on the Union market only EHR systems which are in conformity with the essential requirements laid down in Annex II.

2. Before making an EHR system available on the market, importers shall ensure that:

(a)the manufacturer has drawn up the technical documentation and the EU declaration of conformity;

(b)the EHR system bears the CE marking of conformity;

(c)the EHR system is accompanied by the information sheet referred to in Article 25 and appropriate instructions for use.

3. Importers shall indicate their name, registered trade name or registered trade mark and the address at which they can be contacted in a document accompanying the EHR system.

4. Importers shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II is jeopardised.

5. Where an importer considers or has reason to believe that an EHR system is not in conformity with the essential requirements in Annex II, it shall not make that system available on the market until that system has been brought into conformity. The importer shall inform without undue delay the manufacturer of such EHR system and the market surveillance authorities of the Member State in which it made the EHR system available, to that effect.

6. Importers shall keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities for the period referred to in Article 17(3) and ensure that the technical documentation can be made available to those authorities, upon request.

7. Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of an EHR system in the official language of the Member State where the market surveillance authority is located. They shall cooperate with that authority, at its request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.

Article 20 - Obligations of distributors

1. Before making an EHR system available on the market, distributors shall verify that:

(a)the manufacturer has drawn up the EU declaration of conformity;

(b)the EHR system bears the CE marking of conformity;

(c)the EHR system is accompanied by the information sheet referred to in Article 25 and appropriate instructions for use;

(d)where applicable, the importer has complied with the requirements set out in Article 19(3). 

2. Distributors shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II is jeopardised.

3. Where a distributor considers or has reason to believe that an EHR system is not in conformity with the essential requirements laid down in Annex II, it shall not make the EHR system available on the market until it has been brought into conformity. Furthermore, the distributor shall inform without undue delay the manufacturer or the importer, as well as the market surveillance authorities of the Member states where the EHR system has been made available on the market, to that effect.

4. Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of an EHR system. They shall cooperate with that authority, at its request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.

Article 21 - Cases in which obligations of manufacturers of an EHR system apply to importers and distributors

An importer or distributor shall be considered a manufacturer for the purposes of this Regulation and shall be subject to the obligations laid down in Article 17, where they made an EHR system available on the market under their own name or trademark or modify an EHR system already placed on the market in such a way that conformity with the applicable requirements may be affected.

Article 22 - Identification of economic operators

Economic operators shall, on request, identify the following to the market surveillance authorities, for 10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market:

(a)any economic operator who has supplied them with an EHR system;

(b)any economic operator to whom they have supplied an EHR system.

Section 3

Conformity of the EHR system

Article 23 - Common specifications

1. The Commission shall, by means of implementing acts, adopt common specifications in respect of the essential requirements set out in Annex II, including a time limit for implementing those common specifications. Where relevant, the common specifications shall take into account the specificities of medical devices and high risk AI systems referred to in paragraphs 3 and 4 of Article 14.

Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

2. The common specifications referred to in paragraph 1 shall include the following elements:

(a)scope;

(b)applicability to different categories of EHR systems or functions included in them;

(c)version;

(d)validity period;

(e)normative part;

(f)explanatory part, including any relevant implementation guidelines.

3. The common specifications may include elements related to the following:

(a)datasets containing electronic health data and defining structures, such as data fields and data groups for the representation of clinical content and other parts of the electronic health data;

(b)coding systems and values to be used in datasets containing electronic health data;

(c)other requirements related to data quality, such as the completeness and accuracy of electronic health data;

(d)technical specifications, standards and profiles for the exchange of electronic health data;

(e)requirements and principles related to security, confidentiality, integrity, patient safety and protection of electronic health data;

(f)specifications and requirements related to identification management and the use of electronic identification.

4. EHR systems, medical devices and high risk AI systems referred to in Article 14 that are in conformity with the common specifications referred to in paragraph 1 shall be considered to be in conformity with the essential requirements covered by those specifications or parts thereof, set out in Annex II covered by those common specifications or the relevant parts of those common specifications.

5. Where common specifications covering interoperability and security requirements of EHR systems affect medical devices or high-risk AI systems falling under other acts, such as Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], the adoption of those common specifications may be preceded by a consultation with the Medical Devices Coordination Group (MDCG) referred to in Article 103 of Regulation (EU) 2017/745 or the European Artificial Intelligence Board referred to in Article 56 of Regulation […] [AI Act COM/2021/206 final], as applicable.

6. Where common specifications covering interoperability and security requirements of medical devices or high-risk AI systems falling under other acts such as Regulation (EU) 2017/745 or Regulation […] [AI Act COM/2021/206 final], impact EHR systems, the adoption of those common specifications shall be preceded by a consultation with the EHDS Board, especially its subgroup for Chapters II and III of this Regulation.

Article 24 - Technical documentation

1. The technical documentation shall be drawn up before the EHR system is placed on the market or put into service and shall be kept up-to-date.

2. The technical documentation shall be drawn up in such a way as to demonstrate that the EHR system complies with the essential requirements laid down in Annex II and provide market surveillance authorities with all the necessary information to assess the conformity of the EHR system with those requirements. It shall contain, at a minimum, the elements set out in Annex III.

3. The technical documentation shall be drawn up in one of the official languages of the Union. Following a reasoned request from the market surveillance authority of a Member State, the manufacturer shall provide a translation of the relevant parts of the technical documentation into the official language of that Member State.

4. When a market surveillance authority requests the technical documentation or a translation of parts thereof from a manufacturer, it shall set a deadline of 30 days for receipt of such documentation or translation, unless a shorter deadline is justified because of a serious and immediate risk. If the manufacturer does not comply with the requirements of paragraphs 1, 2 and 3, the market surveillance authority may require it to have a test performed by an independent body at its own expense within a specified period in order to verify the conformity with the essential requirements laid down in Annex II and the common specifications referred to in Article 23.

Article 25 - Information sheet accompanying the EHR system

1. EHR systems shall be accompanied by an information sheet that includes concise, complete, correct and clear information that is relevant, accessible and comprehensible to users.

2. The information sheet referred to in paragraph 1 shall specify:

(a)the identity, registered trade name or registered trademark, and the contact details of the manufacturer and, where applicable, of its authorised representative;

(b)the name and version of the EHR system and date of its release; 

(c)its intended purpose;

(d)the categories of electronic health data that the EHR system has been designed to process;

(e)the standards, formats and specifications and versions thereof supported by the EHR system.

3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by allowing manufacturers to enter the information referred to in paragraph 2 into the EU database of EHR systems and wellness applications referred to in Article 32, as an alternative to supplying the information sheet referred to in paragraph 1 with the EHR system.

Article 26 - EU declaration of conformity

1. The EU declaration of conformity shall state that the manufacturer of the EHR system has demonstrated that the essential requirements laid down in Annex II have been fulfilled.

2. Where EHR systems are subject to other Union legislation in respect of aspects not covered by this Regulation, which also requires an EU declaration of conformity by the manufacturer that fulfilment of the requirements of that legislation has been demonstrated, a single EU declaration of conformity shall be drawn up in respect of all Union acts applicable to the EHR system. The declaration shall contain all the information required for the identification of the Union legislation to which the declaration relates.

3. The EU declaration of conformity shall, as a minimum, contain the information set out in Annex IV and shall be translated into one or more official Union languages determined by the Member State(s) in which the EHR system is made available.

4. By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the conformity of the EHR system.

Article 27 - CE marking

1. The CE marking shall be affixed visibly, legibly and indelibly to the accompanying documents of the EHR system and, where applicable, to the packaging.

2. The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) 765/2008 of the European Parliament and of the Council 58 .

Section 4

Market surveillance of EHR systems

Article 28 - Market surveillance authorities

1. Regulation (EU) 2019/1020 shall apply to EHR systems covered by Chapter III of this Regulation.

2. Member States shall designate the market surveillance authority or authorities responsible for the implementation of this Chapter. They shall entrust their market surveillance authorities with the powers, resources, equipment and knowledge necessary for the proper performance of their tasks pursuant to this Regulation. Member States shall communicate the identity of the market surveillance authorities to the Commission which shall publish a list of those authorities.

3. Market surveillance authorities designated pursuant to this Article may be the digital health authorities designated pursuant to Article 10. Where a digital health authority carries out tasks of market surveillance authority, any conflict of interest shall be avoided.

4. Market surveillance authorities shall report to the Commission on a regular basis the outcomes of relevant market surveillance activities.

5. The market surveillance authorities of the Member States shall cooperate with each other and with the Commission. The Commission shall provide for the organisation of exchanges of information necessary to that effect. 

6. For medical devices or high-risk AI systems referred to in Article 14 (3) and (4), the responsible authorities for market surveillance shall be those referred to in Article 93 of Regulation (EU) 2017/745 or Article 59 of Regulation […] [AI act COM/2021/206 final], as applicable.

Article 29 - Handling of risks posed by EHR systems and of serious incidents

1. Where a market surveillance authority finds that an EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to take all appropriate measures to ensure that the EHR system concerned no longer presents that risk when placed on the market to withdraw the EHR system from the market or to recall it within a reasonable period.

2. The economic operator referred to in paragraph 1 shall ensure that corrective action is taken in respect of all the EHR systems concerned that it has placed on market throughout the Union.

3. The market surveillance authority shall immediately inform the Commission and the market surveillance authorities of other Member States of the measures ordered pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.

4. Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.

Such notification shall be made, without prejudice to incident notification requirements under Directive (EU) 2016/1148, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the manufacturer becomes aware of the serious incident involving the EHR system.

5. The market surveillance authorities referred to in paragraph 4 shall inform the other market surveillance authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.

6. Where the tasks of the market surveillance authority are not performed by the digital health authority, it shall cooperate with the digital health authority. It shall inform the digital health authority of any serious incidents and of EHR systems presenting a risk, including risks related to interoperability, security and patient safety, and of any corrective action, recall or withdrawal of such EHR systems.

Article 30 - Handling of non-compliance

1. Where a market surveillance authority makes one of the following findings, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to put an end to the non-compliance concerned:

(a)the EHR system is not in conformity with essential requirements laid down in Annex II;

(b)the technical documentation is either not available or not complete;

(c)the EU declaration of conformity has not been drawn up or has not been drawn up correctly;

(d)the CE marking has been affixed in violation of Article 27 or has not been affixed.

2. Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the EHR system being placed on the market or ensure that it is recalled or withdrawn from the market.

Section 5

Other provisions on interoperability

Article 31 - Voluntary labelling of wellness applications

1. Where a manufacturer of a wellness application claims interoperability with an EHR system and therefore compliance with the essential requirements laid down in Annex II and common specifications in Article 23, such wellness application may be accompanied by a label, clearly indicating its compliance with those requirements. The label shall be issued by the manufacturer of the wellness application.

2. The label shall indicate the following information:

(a)categories of electronic health data for which compliance with essential requirements laid down in Annex II has been confirmed;

(b)reference to common specifications to demonstrate compliance;

(c)validity period of the label.

3. The Commission may, by means of implementing acts, determine the format and content of the label. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). 

4. The label shall be drawn-up in one or more official languages of the Union or languages determined by the Member State(s) in which the in which the wellness application is placed on the market. 

5. The validity of the label shall not exceed 5 years.

6. If the wellness application is embedded in a device, the accompanying label shall be placed on the device. 2D barcodes may also be used to display the label.

7. The market surveillance authorities shall check the compliance of wellness applications with the essential requirements laid down in Annex II.

8. Each supplier of a wellness application, for which a label has been issued, shall ensure that the wellness application that is placed on the market or put into service is accompanied with the label for each individual unit, free of charge.

9. Each distributor of a wellness application for which a label has been issued shall make the label available to customers at the point of sale in electronic form or, upon request, in physical form.

10. The requirements of this Article shall not apply to wellness applications which are high-risk AI systems as defined under Regulation […] [AI Act COM/2021/206 final].

Article 32 - Registration of EHR systems and wellness applications

1. The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Article 26 and wellness applications for which a label has been issued pursuant to Article 31. 

2. Before placing on the market or putting into service an EHR system referred to in Article 14 or a wellness application referred to in Article 31, the manufacturer of such EHR system or wellness application or, where applicable, its authorised representative shall register the required data into the EU database referred to in paragraph 1. 

3. Medical devices or high-risk AI systems referred to in paragraphs 3 and 4 of Article 14 of this Regulation shall be registered in the database established pursuant to Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], as applicable.

4. The Commission is empowered to adopt delegated acts in accordance with Article 67 to determine the list of required data to be registered by the manufacturers of EHR systems and wellness applications pursuant to paragraph 2.

CHAPTER IV

Secondary use of electronic health data

Section 1

General conditions with regard to the secondary use of electronic health data

Article 33 - Minimum categories of electronic data for secondary use

1. Data holders shall make the following categories of electronic data available for secondary use in accordance with the provisions of this Chapter:

(a)EHRs;

(b)data impacting on health, including social, environmental behavioural determinants of health;

(c)relevant pathogen genomic data, impacting on human health;

(d)health-related administrative data, including claims and reimbursement data;

(e)human genetic, genomic and proteomic data;

(f)person generated electronic health data, including medical devices, wellness applications or other digital health applications;

(g)identification data related to health professionals involved in the treatment of a natural person;

(h)population wide health data registries (public health registries);

(i)electronic health data from medical registries for specific diseases;

(j)electronic health data from clinical trials;

(k)electronic health data from medical devices and from registries for medicinal products and medical devices;

(l)research cohorts, questionnaires and surveys related to health;

(m)electronic health data from biobanks and dedicated databases;

(n)electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health;

(o)electronic health data containing various improvements such as correction, annotation, enrichment received by the data holder following a processing based on a data permit.

2. The requirement in the first subparagraph shall not apply to data holders that qualify as micro enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC 59 .

3. The electronic health data referred to in paragraph 1 shall cover data processed for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, collected by entities and bodies in the health or care sectors, including public and private providers of health or care, entities or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies.

4. Electronic health data entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, all measures necessary to preserve the confidentiality of IP rights and trade secrets shall be taken. 

5. Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.

6. Where a public sector body obtains data in emergency situations as defined in Article 15, point (a) or (b) of the Regulation […] [Data Act COM/2022/68 final], in accordance with the rules laid down in that Regulation, it may be supported by a health data access body to provide technical support to process the data or combing it with other data for joint analysis.

7. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list in paragraph 1 to adapt it to the evolution of available electronic health data.

8. Health data access bodies may provide access to additional categories of electronic health data that they have been entrusted with pursuant to national law or based on voluntary cooperation with the relevant data holders at national level, in particular to electronic health data held by private entities in the health sector.

Article 34 - Purposes for which electronic health data can be processed for secondary use

1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant complies with: 

(a)activities for reasons of public interest in the area of public and occupational health, such as protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;

(b)to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates;

(c)to produce national, multi-national and Union level official statistics related to health or care sectors;

(d)education or teaching activities in health or care sectors;

(e)scientific research related to health or care sectors;

(f)development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;

(g)training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;

(h)providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.

2. Access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant fulfils one of the purposes referred to in points (a) to (c) of paragraph 1 shall only be granted to public sector bodies and Union institutions, bodies, offices and agencies exercising their tasks conferred to them by Union or national law, including where processing of data for carrying out these tasks is done by a third party on behalf of that public sector body or of Union institutions, agencies and bodies. 

3. The access to privately held data for the purpose of preventing, responding to or assisting in the recovery from public emergencies shall be ensured in accordance with Article 15 of the Regulation […] [Data Act COM/2022/68 final].

4. Public sector bodies or Union institutions, agencies and bodies that obtain access to electronic health data entailing IP rights and trade secrets in the exercise of the tasks conferred to them by Union law or national law, shall take all specific measures necessary to preserve the confidentiality of such data.

Article 35 - Prohibited secondary use of electronic health data

Seeking access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 for the following purposes shall be prohibited:

(a)taking decisions detrimental to a natural person based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons; 

(b)taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance contract or to modify their contributions and insurance premiums;

(c)advertising or marketing activities towards health professionals, organisations in health or natural persons;

(d)providing access to, or otherwise making available, the electronic health data to third parties not mentioned in the data permit;

(e)developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco products, or goods or services which are designed or modified in such a way that they contravene public order or morality.

Section 2

Governance and mechanisms for the secondary use of electronic health data

Article 36 - Health data access bodies

1. Member States shall designate one or more health data access bodies responsible for granting access to electronic health data for secondary use. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies that fulfil the conditions set out in this Article. Where a Member State designates several health data access bodies, it shall designate one health data access body to act as coordinator, with responsibility for coordinating requests with the other health data access bodies.

2. Member States shall ensure that each health data access body is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers.

3. In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodies shall not be bound by any instructions, when making their decisions.

4. Member States shall communicate to the Commission the identity of the health data access bodies designated pursuant to paragraph 1 by the date of application of this Regulation. They shall also communicate to the Commission any subsequent modification of the identity of those bodies. The Commission and the Member States shall make this information publicly available.

Article 37 - Tasks of health data access bodies

1. Health data access bodies shall carry out the following tasks:

(a)decide on data access applications pursuant to Article 45, authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter;

(b)support public sector bodies in carrying out the tasks enshrined in their mandate, based on national or Union law;

(c)support Union institutions, bodies, offices and agencies in carrying out tasks enshrined in the mandate of Union institutions, bodies, offices and agencies, based on national or Union law;

(d)process electronic health data for the purposes set out in Article 34, including the collection, combination, preparation and disclosure of those data for secondary use on the basis of a data permit; 

(e)process electronic health data from other relevant data holders based on a data permit or a data request for a purposes laid down in Article 34; 

(f)take all measures necessary to preserve the confidentiality of IP rights and of trade secrets;

(g)gather and compile or provide access to the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50;

(h)contribute to data altruism activities in accordance with Article 40;

(i)support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health;

(j)cooperate with and supervise data holders to ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56; 

(k)maintain a management system to record and process data access applications, data requests and the data permits issued and data requests answered, providing at least information on the name of the data applicant, the purpose of access the date of issuance, duration of the data permit and a description of the data application or the data request;

(l)maintain a public information system to comply with the obligations laid down in Article 38;

(m)cooperate at Union and national level to lay down appropriate measures and requirements for accessing electronic health data in a secure processing environment;

(n)cooperate at Union and national level and provide advice to the Commission on techniques and best practices for electronic health data use and management;

(o)facilitate cross-border access to electronic health data for secondary use hosted in other Member States through HealthData@EU and cooperate closely with each other and with the Commission.

(p)send to the data holder free of charge, by the expiry of the data permit, a copy of the corrected, annotated or enriched dataset, as applicable, and a description of the operations performed on the original dataset; 

(q)make public, through electronic means:

(i)a national dataset catalogue that shall include details about the source and nature of electronic health data, in accordance with Articles 56 and 58, and the conditions for making electronic health data available. The national dataset catalogue shall also be made available to single information points under Article 8 of Regulation […] [Data Governance Act COM/2020/767 final];

(ii)all data permits, requests and applications on their websites within 30 working days after issuance of the data permit or reply to a data request;

(iii)penalties applied pursuant to Article 43;

(iv)results communicated by data users pursuant to Article 46(11);

(r)fulfil obligations towards natural persons pursuant to Article 38;

(s)request from data users and data holders all the relevant information to verify the implementation of this Chapter; 

(t)fulfil any other tasks related to making available the secondary use of electronic health data in the context of this Regulation.

2. In the exercise of their tasks, health data access bodies shall: 

(a)cooperate with supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 in relation to personal electronic health data and the EHDS Board;

(b)inform the relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 where a health data access body has imposed penalties or other measures pursuant to Article 43 in relation to processing personal electronic health data and where such processing refers to an attempt to re-identify an individual or unlawful processing of personal electronic health data; 

(c)cooperate with stakeholders, including patient organisations, representatives from natural persons, health professionals, researchers, and ethical committees, where applicable in accordance with Union and national law; 

(d)cooperate with other national competent bodies, including the national competent bodies supervising data altruism organisations under Regulation […] [Data Governance Act COM/2020/767 final], the competent authorities under Regulation […] [Data Act COM/2022/68 final] and the national competent authorities for Regulations (EU) 2017/745 and Regulation […] [AI Act COM/2021/206 final] .

3. The health data access bodies may provide assistance to public sector bodies where those public sector bodies access electronic health data on the basis of Article 14 of Regulation […] [Data Act COM/2022/68 final].

4. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of tasks in paragraph 1 of this Article, to reflect the evolution of activities performed by health data access bodies.

Article 38 - Obligations of health data access bodies towards natural persons

1. Health data access bodies shall make publicly available and easily searchable the conditions under which electronic health data is made available for secondary use, with information concerning:

(a)the legal basis under which access is granted;

(b)the technical and organisational measures taken to protect the rights of natural persons;

(c)the applicable rights of natural persons in relation to secondary use of electronic health data;

(d)the arrangements for natural persons to exercise their rights in accordance with Chapter III of Regulation (EU) 2016/679;

(e)the results or outcomes of the projects for which the electronic health data were used. 

2. Health data access bodies shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and shall provide general public information on all the data permits issued pursuant to Article 46. 

3. Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body may inform the natural person and his or her treating health professional about that finding.

4. Member States shall regularly inform the public at large about the role and benefits of health data access bodies.

Article 39 - Reporting by health data access bodies

1. Each health data access body shall publish an annual activity report which shall contain at least the following:

(a)information relating to the data access applications for electronic health data access submitted, such as the types of applicants, number of data permits granted or refused, purposes of access and categories of electronic health data accessed, and a summary of the results of the electronic health data uses, where applicable;

(b)a list of data permits involving access to electronic health data processed by the health data access body based on data altruism and a summary description of the general interests purposes pursued, where applicable, including the outcomes of the data permits granted;

(c)information on the fulfilment of regulatory and contractual commitments by data users and data holders, as well as penalties imposed;

(d)information on audits carried out on data users to ensure compliance of the processing with this Regulation,

(e)information on audits on compliance of secure processing environments with the defined standards, specifications and requirements;

(f)information on the handling of requests from natural persons on the exercise of their data protection rights;

(g)a description of its activities carried out in relation to engagement with and consultation of relevant stakeholders, including representatives of natural persons, patient organisations, health professionals, researchers, and ethical committees;

(h)information on cooperation with other competent bodies in particular in the area of data protection, cybersecurity, data altruism, and artificial intelligence;

(i)revenues from data permits and data requests;

(j)satisfaction from applicants requesting access to data;

(k)average number of days between application and access to data;

(l)number of data quality labels issued, disaggregated per quality category;

(m)number of peer-reviewed research publications, policy documents, regulatory procedures using data accessed via the EHDS;

(n)number of digital health products and services, including AI applications, developed using data accessed via EHDS.

2. The report shall be transmitted to the Commission.

3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to modify the content of the annual activity report.

Article 40 - Data altruism in health

1. When processing personal electronic health data, data altruism organisations shall comply with the rules set out in Chapter IV of Regulation […] [Data Governance Act COM/2020/767 final]. Where data altruism organisations process personal electronic health data using a secure processing environment, such environments shall also comply with the requirements set out in Article 50 of this Regulation.

2. Health data access bodies shall support the competent authorities designated in accordance with Article 23 of Regulation […] [Data Governance Act COM/2020/767 final] in the monitoring of entities carrying out data altruism activities.

Article 41 - Duties of data holders

1. Where a data holder is obliged to make electronic health data available under Article 33 or under other Union law or national legislation implementing Union law, it shall cooperate in good faith with the health data access bodies, where relevant. 

2. The data holder shall communicate to the health data access body a general description of the dataset it holds in accordance with Article 55.

3Where a data quality and utility label accompanies the dataset pursuant to Article 56, the data holder shall provide sufficient documentation to the health data access body for that body to confirm the accuracy of the label.

4. The data holder shall put the electronic health data at the disposal of the health data access body within 2 months from receiving the request from the health data access body. In exceptional cases, that period may be extended by the health data access body for an additional period of 2 months.

5. Where a data holder has received enriched datasets following a processing based on a data permit, it shall make available the new dataset, unless it considers it unsuitable and notifies the health data access body in this respect.

6. Data holders of non-personal electronic health data shall ensure access to data through trusted open databases to ensure unrestricted access for all users and data storage and preservation. Trusted open public databases shall have in place a robust, transparent and sustainable governance and a transparent model of user access.

7. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the duties of the data holders in this Article, to reflect the evolution of activities performed by data holders.

Article 42 - Fees

1. Health data access bodies and single data holders may charge fees for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]

2. Where the data in question are not held by the data access body or a public sector body, the fees may also include compensation for part of the costs for collecting the electronic health data specifically under this Regulation in addition to the fees that may be charged pursuant to paragraph 1. The part of the fees linked to the data holder’s costs shall be paid to the data holder.

3. The electronic health data referred to in Article 33(1), point (o), shall be made available to a new user free of charge or against a fee matching the compensation for the costs of the human and technical resources used to enrich the electronic health data. That fee shall be paid to the entity that enriched the electronic health data. 

4. Any fees charged to data users pursuant to this Article by the health data access bodies or data holders shall be transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition. The support received by the data holder from donations, public national or Union funds, to set up, develop or update tat dataset shall be excluded from this calculation. The specific interests and needs of SMEs, public bodies, Union institutions, bodies, offices and agencies involved in research, health policy or analysis, educational institutions and healthcare providers shall be taken into account when setting the fees, by reducing those fees proportionately to their size or budget.

5. Where data holders and data users do not agree on the level of the fees within 1 month of the data permit being granted, the health data access body may set the fees in proportion to the cost of making available electronic health data for secondary use. Where the data holder or the data user disagree with the fee set out by the health data access body, they shall have access to dispute settlement bodies set out in accordance with Article 10 of the Regulation […] [Data Act COM/2022/68 final].

6. The Commission may, by means of implementing acts, lay down principles and rules for the fee policies and fee structures. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 43 - Penalties by health data access bodies

1. Health data access bodies shall monitor and supervise compliance by data users and data holders with the requirements laid down in this Chapter.

2. When requesting from data users and data holders the information that is necessary to verify compliance with this Chapter, the health data access bodies shall be proportionate to the performance of the compliance verification task.

3. Where health data access bodies find that a data user or data holder does not comply with the requirements of this Chapter, they shall immediately notify the data user or data holder of those findings and shall give it the opportunity to state its views within 2 months. 

4. Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non-compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to revoke the data permit and to exclude the data user from any access to electronic health data for a period of up to 5 years.

5. Where data holders withhold the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or do not respect the deadlines set out in Article 41, the health data access body shall have the power to fine the data holder with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body. In case of repeated breaches by the data holder of the obligation of loyal cooperation with the health data access body, that body can exclude the data holder from participation in the EHDS for a period of up to 5 years. Where a data holder has been excluded from the participation in the EHDS pursuant to this Article, following manifest intention of obstructing the secondary use of electronic health data, it shall not have the right to provide access to health data in accordance with Article 49. 

6. The health data access body shall communicate the measures imposed pursuant to paragraph 4 and the reasons on which they are based to the data user or holder concerned, without delay, and shall lay down a reasonable period for the data user or holder to comply with those measures.

7. Any penalties and measures imposed pursuant to paragraph 4 shall be made available to other health data access bodies.

8. The Commission may, by means of implementing act, set out the architecture of an IT tool aimed to support and make transparent to other health data access bodies the activities referred to in this Article, especially penalties and exclusions. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

9. Any natural or legal person affected by a decision of a health data access body shall have the right to an effective judicial remedy against such decision. 

10. The Commission may issues guidelines on penalties to be applied by the health data access bodies.

Section 3

Data permit for the secondary use of electronic health data

Article 44 - Data minimisation and purpose limitation

1. The health data access body shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.

2. The health data access bodies shall provide the electronic health data in an anonymised format, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.

3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re-identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties. 

Article 45 - Data access applications

1. Any natural or legal person may submit a data access application for the purposes referred to in Article 34.

2. The data access application shall include:

(a)a detailed explanation of the intended use of the electronic health data, including for which of the purposes referred to in Article 34(1) access is sought;

(b)a description of the requested electronic health data, their format and data sources, where possible, including geographical coverage where data is requested from several Member States;

(c)an indication whether electronic health data should be made available in an anonymised format;

(d)where applicable, an explanation of the reasons for seeking access to electronic health data in a pseudonymised format;

(e)a description of the safeguards planned to prevent any other use of the electronic health data;

(f)a description of the safeguards planned to protect the rights and interests of the data holder and of the natural persons concerned;

(g)an estimation of the period during which the electronic health data is needed for processing;

(h)a description of the tools and computing resources needed for a secure environment.

3. Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice which shall be responsible for sharing the request with other health data access bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. For requests to access electronic health data from more than one Member States, the health data access body shall notify the other relevant health data access bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.

4. Where the applicant intends to access the personal electronic health data in a pseudonymised format, the following additional information shall be provided together with the data access application:

(a)a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679;

(b)information on the assessment of ethical aspects of the processing, where applicable and in line with national law.

5. For the implementation of the tasks referred to in Article 37(1), points (b) and (c), the public sector bodies and the Union institutions, bodies, offices and agencies shall provide the same information as requested under Article 45(2), except for point (g), where they shall submit information concerning the period for which the data can be accessed, the frequency of that access or the frequency of the data updates.

Where the public sector bodies and the Union institutions, bodies, offices and agencies intend to access the electronic health data in pseudonymised format, a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679 or Article 5(1) of Regulation (EU) 2018/1725, as applicable, shall also be provided.

6. The Commission may, by means of implementing acts, set out the templates for the data access application referred to in this Article, the data permit referred to in Article 46 and the data request referred to in Article 47. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 68(2). 

7. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of information in paragraphs 2, 4, 5 and 6 of this Article, to ensure the adequacy of the list for processing a data access application at national or cross-border level.

Article 46 - Data permit

1. Health data access bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data access body shall issue a data permit.

2. Health data access bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met.

3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.

4. Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the data holder. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe.

5. When the health data access body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant.

6. The data permit shall set out the general conditions applicable to the data user, in particular:

(a)types and format of electronic health data accessed, covered by the data permit, including their sources;

(b)purpose for which data are made available;

(c)duration of the data permit;

(d)information about the technical characteristics and tools available to the data user within the secure processing environment;

(e)fees to be paid by the data user;

(f)any additional specific conditions in the data permit granted.

7. Data users shall have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of this Regulation.

8. The Commission is empowered to adopt delegated acts to amend the list of aspects to be covered by a data permit in paragraph 7 of this Article, in accordance with the procedure set out in Article 67.

9. A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.

10. If the data permit needs to be updated, the data user shall submit a request for an amendment of the data permit.

11. Data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47. Those results or output shall only contain anonymised data. The data user shall inform the health data access bodies from which a data permit was obtained and support them to make the information public on health data access bodies’ websites. Whenever the data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS. 

12. Data users shall inform the health data access body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset.

13. The Commission may, by means of implementing act, develop a logo for acknowledging the contribution of the EHDS. That implementing act shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

14. The liability of health data access bodies as joint controller is limited to the scope of the issued data permit until the completion of the processing activity.

Article 47 - Data request

1. Any natural or legal person may submit a data request for the purposes referred to in Article 34. A health data access body shall only provide an answer to a data request in an anonymised statistical format and the data user shall have no access to the electronic health data used to provide this answer.

2. A data request shall include the elements mentioned in paragraphs 2 (a) and (b) of Article 45 and if needed may also include:

(a)a description of the result expected from the health data access body;

(b)a description of the statistic’s content.

3. Where an applicant has requested a result in an anonymised form, including statistical format, based on a data request, the health data access body shall assess, within 2 months and, where possible, provide the result to the data user within 2 months.

Article 48 - Making data available for public sector bodies and Union institutions, bodies, offices and agencies without a data permit

By derogation from Article 46 of this Regulation, a data permit shall not be required to access the electronic health data under this Article. When carrying out those tasks under Article 37 (1), points (b) and (c), the health data access body shall inform public sector bodies and the Union institutions, offices, agencies and bodies, about the availability of data within 2 months of the data access application, in accordance with Article 9 of Regulation […] [Data Governance Act COM/2020/767 final]. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final ], the health data access body may extend the period by 2 additional months where necessary, taking into account the complexity of the request. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless it specifies that it will provide the data within a longer specified timeframe.

Article 49 - Access to electronic health data from a single data holder

1. Where an applicant requests access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be adressed to health data access bodies.

2. In such case, the data holder may issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42.

3. By way of derogation from Article 51, the single data provider and the data user shall be deemed joint controllers.

4. Within 3 months the data holder shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.

Article 50 - Secure processing environment

1. The health data access bodies shall provide access to electronic health data only through a secure processing environment, with technical and organisational measures and security and interoperability requirements. In particular, they shall take the following security measures:

(a)restrict access to the secure processing environment to authorised persons listed in the respective data permit;

(b)minimise the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technological means;

(c)limit the input of electronic health data and the inspection, modification or deletion of electronic health data hosted in the secure processing environment to a limited number of authorised identifiable individuals;

(d)ensure that data users have access only to the electronic health data covered by their data permit, by means of individual and unique user identities and confidential access modes only;

(e)keep identifiable logs of access to the secure processing environment for the period of time necessary to verify and audit all processing operations in that environment;

(f)ensure compliance and monitor the security measures referred to in this Article to mitigate potential security threats.

2. The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non-personal electronic health data from the secure processing environment.

3. The health data access bodies shall ensure regular audits of the secure processing environments.

4. The Commission shall, by means of implementing acts, provide for the technical, information security and interoperability requirements for the secure processing environments. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 51 - Joint controllers

1. The health data access bodies and the data users, including Union institutions, bodies, offices and agencies, shall be deemed joint controllers of electronic health data processed in accordance with data permit.

2. The Commission shall, by means of implementing acts, establish a template for the joint controllers’ arrangement. Those implementing acts shall be adopted in accordance with the advisory procedure set out in Article 68(2).

Section 4

Cross-Border access to electronic health data for secondary use

Article 52 - Cross-border infrastructure for secondary use of electronic health data (HealthData@EU)

1. Each Member State shall designate a national contact point for secondary use of electronic health data, responsible for making electronic health data available for secondary use in a cross-border context and shall communicate their names and contact details to the Commission. The national contact point may be the coordinator health data access body pursuant to Article 36. The Commission and the Member States shall make this information publicly available.

2. The national contact points referred to in paragraph 1 shall be authorised participants in the cross-border infrastructure for secondary use of electronic health data (HealthData@EU). The national contact points shall facilitate the cross-border access to electronic health data for secondary use for different authorised participants in the infrastructure and shall cooperate closely with each other and with the Commission. 

3. Union institutions, bodies, offices and agencies involved in research, health policy or analysis, shall be authorised participants of HealthData@EU.

4. Health-related research infrastructures or similar structures whose functioning is based on Union law and which support the use of electronic health data for research, policy making, statistical, patient safety or regulatory purposes shall be authorised participants of HealthData@EU.

5. Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation and provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68 (2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.

6. Each authorised participant shall acquire the required technical capability to connect to and participate in HealthData@EU. Each participant shall comply with the requirements and technical specifications needed to operate the cross-border infrastructure and to allow the authorised participants to connect to each other within it.

7. The Commission is empowered to adopt delegated acts in accordance with Article 67 in order to amend this Article to add or remove categories of authorised participants in HealthData@EU, taking into account the opinion of the joint controllership group pursuant to Article 66 of this Regulation.

8. The Member States and the Commission shall set up HealthData@EU to support and facilitate the cross-border access to electronic health data for secondary use, connecting the national contact points for secondary use of electronic health data of all Member States and authorised participants in that infrastructure.

9. The Commission shall develop, deploy and operate a core platform for HealthData@EU by providing information technology services needed to facilitate the connection between health data access bodies as part of the cross-border infrastructure for the secondary use of electronic health data. The Commission shall only process electronic health data on behalf of the joint controllers as a processor.

10. Where requested by two or more health data access bodies, the Commission may provide a secure processing environment for data from more than one Member State compliant with the requirements of Article 50. Where two or more health data access bodies put electronic health data in the secure processing environment managed by the Commission, they shall be joint controllers and the Commission shall be processor.

11. The authorised participants shall act as joint controllers of the processing operations in which they are involved carried out in HealthData@EU and the Commission shall act as a processor.

12. Member States and the Commission shall seek to ensure interoperability of HealthData@EU with other relevant common European data spaces as referred to in Regulations […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final].

13. The Commission may, by means of implementing acts, set out:

(a)requirements, technical specifications, the IT architecture of HealthData@EU, conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU; 

(b)the minimum criteria that need to be met by the authorised participants in the infrastructure;

(c)the responsibilities of the joint controllers and processor(s) participating in the cross-border infrastructures;

(d)the responsibilities of the joint controllers and processor(s) for the secure environment managed by the Commission;

(e)common specifications for the interoperability and architecture concerning HealthData@EU with other common European data spaces.

Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

14. The approval for individual authorised participant to join HealthData@EU or to disconnect a participant from the infrastructure shall be issued by the Joint Controllership group, based on the results of the compliance checks.

Article 53 - Access to cross-border sources of electronic health data for secondary use

1. In the case of cross-border registries and databases, the health data access body in which the data holder is registered shall be competent to decide on data access applications to provide access to electronic health data. Where the registry has joint controllers, the health data access body that shall provide access to electronic health data shall be the body in the Member State where one of the joint controllers is established.

2. Where registries or databases from a number of Member States organise themselves into a single network of registries or databases at Union level, the associated registries may designate one of their members as a coordinator to ensure the provision of data from the registries’ network for secondary use. The health data access body of the Member State in which the coordinator of the network is located shall be competent to decide on the data access applications to provide access to electronic health data for the network of registries or databases. 

3. The Commission may, by means of implementing acts, adopt the necessary rules for facilitating the handling of data access applications for HealthData@EU, including a common application form, a common data permit template, standard forms for common electronic health data access contractual arrangements, and common procedures for handling cross-border requests, pursuant to Articles 45, 46, 47 and 48. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 54 - Mutual recognition

1. When handling an access application for cross-border access to electronic health data for secondary use, health data access bodies and relevant authorised participants shall remain responsible for taking decisions to grant or refuse access to electronic health data within their remit in accordance with the requirements for access laid down in this Chapter.

2. A data permit issued by one concerned health data access body may benefit from mutual recognition by the other concerned health data access bodies. 

Section 5

Health data quality and utility for secondary use

Article 55 - Dataset description

1. The health data access bodies shall inform the data users about the available datasets and their characteristics through a metadata catalogue. Each dataset shall include information concerning the source, the scope, the main characteristics, nature of electronic health data and conditions for making electronic health data available.

2. The Commission shall, by means of implementing acts, set out the minimum information elements data holders are to provide for datasets and their characteristics. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 56 - Data quality and utility label

1. Datasets made available through health data access bodies may have a Union data quality and utility label provided by the data holders.

2. Datasets with electronic health data collected and processed with the support of Union or national public funding shall have a data quality and utility label, in accordance with the principles set out in paragraph 3.

3. The data quality and utility label shall comply with the following elements:

(a)for data documentation: meta-data, support documentation, data model, data dictionary, standards used, provenance;

(b)technical quality, showing the completeness, uniqueness, accuracy, validity, timeliness and consistency of the data;

(c)for data quality management processes: level of maturity of the data quality management processes, including review and audit processes, biases examination;

(d)coverage: representation of multi-disciplinary electronic health data, representativity of population sampled, average timeframe in which a natural person appears in a dataset;

(e)information on access and provision: time between the collection of the electronic health data and their addition to the dataset, time to provide electronic health data following electronic health data access application approval;

(f)information on data enrichments: merging and adding data to an existing dataset, including links with other datasets;

4. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of principles for data quality and utility label. Such delegated acts may also amend the list set out under paragraph 3 by adding, modifying or removing requirements for data quality and utility label.

5. The Commission shall, by means of implementing acts, set out the visual characteristics and technical specifications of the data quality and utility label, based on the elements referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). Those implementing acts shall take into account the requirements in Article 10 of Regulation […] [AI Act COM/2021/206 final] and any adopted common specifications or harmonised standards supporting those requirements.

Article 57 - EU Datasets Catalogue

1. The Commission shall establish an EU Datasets Catalogue connecting the national catalogues of datasets established by the health data access bodies and other authorised participants in HealthData@EU.

2. The EU Datasets Catalogue and the national datasets catalogues shall be made publicly available.

Article 58 - Minimum dataset specifications

The Commission may, by means of implementing acts, determine the minimum specifications for cross-border datasets for secondary use of electronic health data, taking into account existing Union infrastructures, standards, guidelines and recommendations. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Chapter V

Additional actions

Article 59 - Capacity building

The Commission shall support sharing of best practices and expertise, aimed to build the capacity of Member States to strengthen digital health systems for primary and secondary use of electronic health data. To support capacity building, the Commission shall draw up benchmarking guidelines for the primary and secondary use of electronic health data.

Article 60 - Additional requirements for public procurement and Union funding

1. Public procurers, national competent authorities, including digital health authorities and health data access bodies, and the Commission shall make reference to the applicable technical specifications, standards and profiles as referred to in Articles 6, 23, 50, 56, as relevant, as points of orientation for public procurements and when formulating their tender documents or calls for proposals, as well as when defining the conditions for Union funding regarding this Regulation, including enabling conditions for the structural and cohesion funds.

2. The ex-ante conditionality for Union funding shall take into account the requirements developed in the framework of Chapters II, III and IV.

Article 61 - Third country transfer of non-personal electronic data

1. Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 [(a), (e), (f), (i), (j), (k), (m)] shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future.

2. The protective measures for the categories of data mentioned in paragraph 1 shall depend on the nature of the data and anonymization techniques and shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].

Article 62 - International access and transfer of non-personal electronic health data

1. The digital health authorities, health data access bodies, the authorised participants in the cross-border infrastructures provided for in Articles 12 and 52 and data users shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal electronic health data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3 of this Article.

2. Any judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a digital health authority, health data access body or data users to transfer or give access to non-personal electronic health data within the scope of this Regulation held in the Union shall be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State.

3. In the absence of an international agreement as referred to in paragraph 2 of this Article, where a digital health authority, a health data access body, data users is the addressee of a decision or judgment of a third-country court or tribunal or a decision of a third-country administrative authority to transfer or give access to non-personal data within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only where:

(a)the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires such a decision or judgment to be specific in character, for instance by establishing a sufficient link to certain suspected persons or infringements;

(b)the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal; and

(c)the competent third-country court or tribunal issuing the decision or judgment or reviewing the decision of an administrative authority is empowered under the law of that third country to take duly into account the relevant legal interests of the provider of the data protected under Union law or the national law of the relevant Member State

4. If the conditions laid down in paragraph 2 or 3 are met, digital health authority, a health data access body or a data altruism body shall provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.

5. The digital health authorities, health data access bodies, data users shall inform the data holder about the existence of a request of a third-country administrative authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.

Article 63 - International access and transfer of personal electronic health data

In the context of international access and transfer of personal electronic health data, Member States may maintain or introduce further conditions, including limitations, in accordance with and under the conditions of article 9(4) of the Regulation (EU) 2016/679.

Chapter VI

European governance and coordination

Article 64 - European Health Data Space Board (EHDS Board)

1. A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of the high level representatives of digital health authorities and health data access bodies of all the Member States. Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor may be invited to the meetings, where the issues discussed are of relevance for them. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an observer role.

2. Depending on the functions related to the use of electronic health data, the EHDS Board may work in subgroups, where digital health authorities or health data access bodies for a certain area shall be represented. The subgroups may have joint meetings, as required.

3. The composition, organisation, functioning and cooperation of the sub-groups shall be set out in the rules of procedure put forward by the Commission.

4. Stakeholders and relevant third parties, including patients’ representatives, shall be invited to attend meetings of the EHDS Board and to participate in its work, depending on the topics discussed and their degree of sensitivity.

5. The EHDS Board shall cooperate with other relevant bodies, entities and experts, such as the European Data Innovation Board referred to in Article 26 of Regulation […] [Data Governance Act COM/2020/767 final], competent bodies set up under Article 7 of Regulation […] [Data Act COM/2022/68 final], supervisory bodies set up under Article 17 of Regulation […] [eID Regulation], European Data Protection Board referred to in Article 68 of Regulation (EU) 2016/679 and cybersecurity bodies.

6. The Commission shall chair the meetings of the EHDS Board.

7. The EHDS Board shall be assisted by a secretariat provided by the Commission.

8. The Commission shall, by means of implementing acts, adopt the necessary measures for the establishment, management and functioning of the EHDS Board. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).

Article 65 - Tasks of the EHDS Board

1. The EHDS Board shall have the following tasks relating to the primary use of electronic health data in accordance with Chapters II and III:

(a)to assist Member States in coordinating practices of digital health authorities;

(b)to issue written contributions and to exchange best practices on matters related to the coordination of the implementation at Member State level of this Regulation and of the delegated and implementing acts adopted pursuant to it, in particular as regards: 

(i)the provisions set out in Chapters II and III;

(ii)development of online services facilitating secure access, including secure electronic identification, to electronic health data for health professionals and natural persons;

(iii)other aspects of the primary use of electronic health data.

(c)to facilitate cooperation between digital health authorities through capacity-building, establishing the structure for annual activity reporting, peer-review of annual activity reports and exchange of information;

(d)to share information concerning risks posed by EHR systems and serious incidents as well as their handling;

(e)to facilitate the exchange of views on the primary use of electronic health data with the relevant stakeholders, including representatives of patients, health professionals, researchers, regulators and policy makers in the health sector.

2. The EHDS Board shall have the following tasks related to the secondary use of electronic health data in accordance with Chapter IV:

(a)to assist Member States in coordinating practices of health data access bodies in the implementation of provisions set out in Chapters IV, to ensure a consistent application of this Regulation;

(b)to issue written contributions and to exchange best practices on matters related to the coordination of the implementation at Member State level of this Regulation and of the delegated and implementing acts adopted pursuant to it, in particular as regards:

(xi)implementation of rules for access to electronic health data;

(xii)technical specifications or existing standards regarding the requirements set out in Chapter IV; 

(xiii)incentives policy for promoting data quality and interoperability improvement;

(xiv)policies concerning fees to be charged by the health data access bodies and data holders;

(xv)the establishment and application of penalties;

(xvi)other aspects of the secondary use of electronic health data.

(c)to facilitate cooperation between health data access bodies through capacity-building, establishing the structure for annual activity reporting, peer-review of annual activity reports and exchange of information;

(d)to share information concerning risks and data protection incidents related to secondary use of electronic health data, as well as their handling;

(e)to contribute to the work of the European Data Innovation Board to be established in accordance with Article 29 of the Regulation […] [Data Governance Act COM/2020/767 final];

(f)to facilitate the exchange of views on the secondary use of electronic health data with the relevant stakeholders, including representatives of patients, health professionals, researchers, regulators and policy makers in the health sector.

Article 66 - Joint controllership groups for Union infrastructures

1. The Commission shall establish two groups dealing with joint controllership for the cross-border infrastructures provided for in Articles 12 and 52. The groups shall be composed of the representatives of the national contact points and other authorised participants in those infrastructures. 

2. The composition, organisation, functioning and cooperation of the sub-groups shall be set out in the rules of procedure adopted by those groups.

3. Stakeholders and relevant third parties, including patients’ representatives, may be invited to attend meetings of the groups and to participate in their work.

4. The groups shall elect chairs for their meetings.

5. The groups shall be assisted by a secretariat provided by the Commission.

6. The groups shall take decisions concerning the development and operation of the cross-border infrastructures pursuant to Chapters II and IV, on changes of infrastructure, adding additional infrastructures or services, or ensuring interoperability with other infrastructures, digital systems or data spaces. The group shall also take decisions to accept individual authorised participants to join the infrastructures or to disconnect them.

CHAPTER VII

Delegation and Committee

Article 67 - Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

3. The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 3 months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.

Article 68 - Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.

Chapter VIII

Miscellaneous

Article 69 - Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them.

Article 70 - Evaluation and review

1. After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapter III, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self-certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies.

2. After 7 years from the entry into force of this Regulation, the Commission shall carry out an overall evaluation of this Regulation, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment.

3. Member States shall provide the Commission with the information necessary for the preparation of that report.

Article 71 - Amendment to Directive 2011/24/EU

Article 14 of Directive 2011/24/EU is deleted.

Chapter IX

Deferred application and final provisions

Article 72 - Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 12 months after its entry into force.

However, Articles 3, 4, 5, 6, 7, 12, 14, 23 and 31 shall apply as follows:

(a)from 1 year after date of entry into application to categories of personal electronic health data referred to in Article 5(1), points (a), (b) and (c), and to EHR systems intended by the manufacturer to process such categories of data.;

(b)from 3 years after date of entry into application to categories of personal electronic health data referred to in Article 5(1), points (d), (e) and (f), and to EHR systems intended by the manufacturer to process such categories of data;

(c)from the date established in delegated acts pursuant to Article 5(2) for other categories of personal electronic health data.

Chapter III shall apply to EHR systems put into service in the Union pursuant to Article 15(2) from 3 years after date of entry into application.

This Regulation shall be binding in its entirety and directly applicable in all Member States.