Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Having regard to the opinion of the Committee of the Regions (2),
Acting in accordance with the ordinary legislative procedure (3),
Whereas:
(1) The aim of this Regulation is to establish the European Health Data Space (EHDS) in order to improve natural persons’ access to and control over their personal electronic health data in the context of healthcare, as well as to better achieve other purposes involving the use of electronic health data in the healthcare and care sectors that would benefit society, such as research, innovation, policymaking, health threats preparedness and response, including preventing and addressing future pandemics, patient safety, personalised medicine, official statistics or regulatory activities. In addition, this Regulation’s goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values. The EHDS will be a key element in the creation of a strong and resilient European Health Union.
(2) The COVID-19 pandemic highlighted the imperative of having timely access to quality electronic health data for health threats preparedness and response, as well as for prevention, diagnosis and treatment and for secondary use of such electronic health data. Such timely access could potentially contribute, through efficient public health surveillance and monitoring, to more effective management of future pandemics, to a reduction of costs and to improving the response to health threats, and ultimately could help to save more lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/1269 (4), to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of that pandemic. However, that adaptation was only an emergency solution, showing the need for a structural and consistent approach at Member State and Union level, both in order to improve the availability of electronic health data for healthcare and to facilitate access to electronic health data in order to steer effective policy responses and contribute to high standards of human health.
(3) The COVID-19 crisis strongly cemented the work of the eHealth Network, a voluntary network of authorities responsible for digital health, as the main pillar for the development of contact-tracing and contact-warning applications for mobile devices and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (the ‘FAIR principles’), and ensuring that electronic health data are as open as possible, while respecting the data minimisation principle as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council (5). Synergies between the EHDS, the European Open Science Cloud and the European Research Infrastructures should be ensured, and lessons should be learned from data-sharing solutions developed under the European COVID-19 Data Platform.
(4) Given the sensitivity of personal electronic health data, this Regulation seeks to provide sufficient safeguards at both Union and national level to ensure a high degree of data protection, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of electronic health data of natural persons for primary use and secondary use as defined in this Regulation.
(5) The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 and, for Union institutions, bodies, offices and agencies, of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6). References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions, bodies, offices and agencies, where relevant.
(6) More and more individuals living in the Union cross national borders to work, study, visit relatives, or for other reasons. To facilitate the exchange of health data, and in line with the need to empower citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including related to the provision of healthcare services, and which reveal information about that natural person’s health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental and physical influences, medical care, and social or educational factors. Electronic health data also include data that have been initially collected for research, statistical, health threat assessment, policymaking or regulatory purposes and it should be possible to make them available in accordance with the rules laid down in this Regulation. Electronic health data consist of all categories of those data, irrespective of whether such data are provided by the data subject or other natural or legal persons, such as health professionals, or are processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automated means.
(7) In health systems, personal electronic health data are usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies and vaccinations, as well as radiology images, laboratory results and other medical data, spread between different actors in the health system, such as general practitioners, hospitals, pharmacies or care services. In order to allow electronic health data to be accessed, shared and modified by natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. In addition, some Member States provide support to public and private healthcare providers to set up personal electronic health data spaces to enable interoperability between different healthcare providers. Several Member States also support or provide electronic health data access services for patients and health professionals, for instance through patient or health professional portals. Those Member States have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data to the central EHR system, for instance by providing a system of certification. However, not all Member States have put in place such systems, and those Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal electronic health data across the Union and avoid negative consequences for patients when receiving healthcare in a cross-border context, Union action is needed to improve natural persons’ access to their own personal electronic health data and to empower them to share those data. 
In this respect, appropriate action at Union and national level should be taken as a means of reducing fragmentation, heterogeneity and division, and to create a system that is user-friendly and intuitive in all Member States. Any digital transformation in the healthcare sector should aim to be inclusive and also benefit natural persons with limited ability to access and use digital services, including people with disabilities.
(8) Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. The EHDS builds upon those rights and complements some of them as applied to personal electronic health data. Those rights apply regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of those data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided them, the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation. The additional rights of access and portability of personal electronic health data provided for in this Regulation should be without prejudice to the rights of access and portability as established under Regulation (EU) 2016/679. Natural persons continue to have those rights under the conditions set out in that Regulation.
(9) While the rights conferred by Regulation (EU) 2016/679 should continue to apply, the right of access to data by a natural person, established in Regulation (EU) 2016/679, should be further complemented in the healthcare sector. Under that Regulation, controllers do not have to provide access immediately. The right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming for the controller, such as a hospital or other healthcare provider that provides access. That situation slows down access to health data by natural persons, and can have a negative impact on them if they need such access immediately due to urgent circumstances pertaining to their health condition. It is therefore necessary to provide for a more efficient way for natural persons to access their own personal electronic health data. They should have the right to have free-of-charge and immediate access, while respecting the need for technological practicability, to specific priority categories of personal electronic health data, such as the patient summary, through an electronic health data access service. That right should apply regardless of the Member State in which the personal electronic health data are processed, the type of healthcare provider, the sources of those data or the Member State of affiliation of the natural person. The scope of that complementary right established under this Regulation and the conditions for exercising it differ in certain ways from the right of access to personal data under Regulation (EU) 2016/679, which covers all personal data held by a controller and is exercised against an individual controller, which has up to one month to reply to a request. 
The right to access personal electronic health data under this Regulation should be limited to the categories of data falling within its scope, be exercised via an electronic health data access service and entail an immediate answer. The rights under Regulation (EU) 2016/679 should continue to apply, allowing natural persons to benefit from their rights under both legal frameworks, in particular the right to obtain a paper copy of the electronic health data.
(10) It should be considered that immediate access of natural persons to certain categories of their personal electronic health data could be harmful for the safety of those natural persons or unethical. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis of an incurable disease that is likely to be terminal instead of first providing that information in a consultation with the patient. Therefore, it should be possible to delay the provision of the access to personal electronic health data in such situations for a limited amount of time, for instance until the moment when the health professional can explain the situation to the patient. Member States should be able to establish such an exception where it constitutes a necessary and proportionate measure in a democratic society, in line with restrictions as provided for in Article 23 of Regulation (EU) 2016/679.
(11) This Regulation does not affect Member States’ competences concerning the initial registration of personal electronic health data, such as making the registration of genetic data subject to the natural person’s consent or other safeguards. Member States may require that data be made available in an electronic format prior to the application of this Regulation. This should not affect the obligation to make personal electronic health data, registered after the date of application of this Regulation, available in an electronic format.
(12) In order to complement the information available to them, natural persons should be able to add electronic health data to their EHRs or to store additional information in their separate personal health record which could be accessed by health professionals. However, information inserted by natural persons might not be as reliable as electronic health data entered and verified by health professionals and does not have the same clinical or legal value as information provided by health professionals. Therefore, data added by natural persons in their EHR should be clearly distinguishable from data provided by health professionals. That possibility for natural persons to add and complement personal electronic health data should not entitle them to change personal electronic health data which have been provided by health professionals.
(13) Enabling natural persons to more easily and quickly access their personal electronic health data will enable them to notice possible errors such as incorrect information or incorrectly attributed patient records. In such cases, natural persons should be able to request online the rectification of the incorrect personal electronic health data, immediately and free of charge, through an electronic health data access service. Such rectification requests should then be treated by the relevant controllers in line with Regulation (EU) 2016/679, if necessary involving health professionals with a relevant specialisation and responsible for the natural persons’ treatment.
(14) Under Regulation (EU) 2016/679, the right to data portability is limited to data processed based on consent or contract and provided by the data subject to a controller. Additionally, under that Regulation, natural persons have the right to have the personal data transmitted directly from one controller to another only where technically feasible. Regulation (EU) 2016/679, however, does not impose an obligation to make that direct transmission technically feasible. The right to data portability should be complemented under this Regulation, thereby empowering natural persons to provide access to, at least, priority categories of their personal electronic health data to the health professionals of their choice, to exchange such health data with such health professionals and to download such health data. In addition, natural persons should have the right to request a healthcare provider to transmit a part of their electronic health data to a clearly identified recipient in the social security or reimbursement services sector. Such a transfer should be one-way only.
(15) The framework laid down by this Regulation should build on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their personal electronic health data, including inferred data, in the European electronic health record exchange format, irrespective of the legal basis for processing the electronic health data. Health professionals should refrain from hindering the application of the rights of natural persons, for example by refusing to take into account personal electronic health data originating from another Member State and which are provided through the interoperable and reliable European electronic health record exchange format.
(16) Access to electronic health records by healthcare providers or other individuals should be transparent to the natural persons concerned. Electronic health data access services should provide detailed information on access to data, such as when and which entity or natural person accessed data and which data were accessed. Natural persons should also be able to enable or disable automatic notifications regarding access to personal electronic health data relating to them through the health professional access services.
(17) Natural persons might not want to allow access to some parts of their personal electronic health data while enabling access to other parts. This could especially be relevant in cases of sensitive health issues such as those related to mental or sexual health, sensitive procedures such as abortions, or data on specific medication which could reveal other sensitive issues. Such selective sharing of personal electronic health data should therefore be supported and implemented through restrictions set by the natural person concerned in the same way within the territory of a given Member State and for cross-border data sharing. Those restrictions should allow for sufficient granularity to restrict parts of datasets, such as elements of the patient summaries. Before setting the restrictions, natural persons should be informed of the risks for patient safety associated with limiting access to health data. Given that the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, natural persons making use of such access restrictions should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services. The restrictions on access to personal electronic health data could have life-threatening consequences and, therefore, access to those data should nevertheless be possible where necessary to protect vital interests in emergency situations. More specific legal provisions on the mechanisms of restrictions placed by natural persons on parts of their personal electronic health data could be provided for by Member States in their national law, in particular as regards medical liability in cases where restrictions have been placed by the natural person concerned.