European Health Data Space

Questions? Ideas for Collaboration? Contact [email protected]

European Health Data Space (EHDS) - Frequently Asked Questions

General InformationWhat is the European Health Data Space (EHDS)?
The EHDS is an EU regulatory framework for health data sharing, aimed at enabling individuals to control their electronic health data while facilitating its use for healthcare delivery (primary use) and for research, innovation, and policy-making (secondary use).When will the EHDS enter into force?
The EHDS Regulation is expected to enter into force in March 2025, with different provisions applying gradually over the following years. Key implementation dates include March 2029 for both primary and secondary use of health data.Will the EHDS replace existing national frameworks for health data sharing?
No, the EHDS will not replace existing frameworks. It creates a supplementary framework that will exist alongside national systems. Data users may choose between the EHDS process or a national process, but cannot mix aspects of both systems.

Data Scope and DefinitionsWhich data is in scope for pharmaceutical companies?
The data available for secondary use under the EHDS is the same for all eligible data users, including pharmaceutical companies. The scope is defined in Article 51 of the EHDS Regulation and includes a broad range of electronic health data, such as EHRs, claims data, registries, genomic data, and other datasets relevant to health research and innovation.What is considered a "data holder" under EHDS?
A data holder is defined as a natural or legal person who has the right or obligation, in accordance with applicable Union or national law and in its capacity as a controller or joint controller, to process personal electronic health data. Examples include hospitals, research institutions, pharmaceutical companies with health data, and universities doing health research.Who qualifies as a "data user"?
Data users can include researchers, statisticians, health policy makers, pharmaceutical companies, and other entities that request access to health data for secondary use purposes. Any eligible natural or legal person can submit a data access request, regardless of whether they are also a data holder.Are wellness apps in scope of EHDS?
Wellness apps fall under the scope of EHDS if they claim interoperability with EHR systems, as specified in Article 47. If a wellness app does not claim such interoperability, it is not subject to the requirements of this article.Are data from patients outside the EU included in EHDS?
Data from patients outside the EU are not automatically eligible for secondary use under the EHDS framework. EHDS applies primarily to electronic health data generated within the EU. However, if non-EU patient data is included in an EU-hosted dataset, its eligibility would depend on the legal basis for processing and applicable data transfer agreements.

Primary Use of Data and InteroperabilityWhat technical standards will be used for interoperability?
The EHDS promotes interoperability through the European Electronic Health Record Exchange Format (EEHRxF). FHIR profiles are expected to play a key role, particularly for primary use under MyHealth@EU. The specific technical specifications will be defined in implementing acts, with input from standardization bodies like HL7 Europe and CEN/TC 251.Can existing systems using older standards claim conformance to EHDS?
Systems using older interoperability standards (like HL7 v2 or EDIFACT) or terminology standards (like READ codes) will need to adapt to the EHDS requirements. The EHDS establishes a framework for interoperability and security that all systems must comply with, although it does not prescribe specific technological solutions.Are in-house systems subject to EHDS requirements?
Yes, in-house EHR systems developed and used internally by healthcare providers are subject to EHDS requirements, though they have a later compliance deadline (March 2031) compared to commercial systems (March 2029).Will there be central testing environments for EHR systems?
Testing environments for EHR systems will be provided as open-source solutions, but there will be no central EU-wide testing platform. Member States will be responsible for setting up their own testing environments based on common specifications.Is openEHR aligned with EEHRxF?
The EEHRxF is not fully defined yet, so alignment with openEHR cannot be definitively determined. The Xt-EHR consortium is working on the groundwork for the definition of the format, which will later be defined in the implementing act under Article 15 of the EHDS Regulation.

Secondary Use of DataHow does the secondary use of health data work under EHDS?
Secondary use of health data under EHDS involves accessing and processing health data for purposes such as research, innovation, policy-making, and education. Data access is managed through Health Data Access Bodies (HDABs), which issue data permits specifying the conditions of use.Is secondary use of health data still possible outside of EHDS?
Yes, there is no obligation to use solely the EHDS framework to request access to electronic health data for secondary use. The EHDS exists alongside other mechanisms for accessing data for research and innovation purposes and does not replace traditional data sharing mechanisms or existing agreements.Will data be harmonized for secondary use?
Secondary use in EHDS does not require standardization at the source. The data will remain in the format provided by data holders. However, metadata and interoperability requirements will be defined to facilitate discoverability and analysis. Some harmonization efforts are taking place in the primary use of data for specific categories.Can I bring in external data for combination with EHDS data?
Yes, it is possible to bring in external data (such as environmental data) for combination within the Secure Processing Environment (SPE). However, this must be clearly specified in the data access application submitted to the HDAB and approved in the permit granted.How will data analysis across different datasets be possible?
Data analysis for secondary use under EHDS will be possible through Secure Processing Environments (SPEs), allowing researchers to work with data from different datasets. While data sets will not be fully harmonized at the source, metadata and interoperability requirements will facilitate discovery and analysis.

Health Data Access Bodies (HDABs)What is the role of Health Data Access Bodies (HDABs)?
HDABs are responsible for:
- Processing data access applications
- Issuing data permits
- Ensuring secure access to data through Secure Processing Environments
- Supervising data quality labeling
- Ensuring compliance with data protection requirements
- Coordinating with other HDABs for cross-border data accessHow will HDABs assess applications?
HDABs will assess applications based on criteria specified in the EHDS Regulation and detailed in implementing acts. The Joint Action TEHDAS2 is currently developing guidelines for HDABs on application assessment procedures. These will include evaluation of purpose, legal basis, data minimization, and ethical considerations.How will HDABs assess IP rights and trade secrets of data holders?
The horizontal legal framework for intellectual property (IP) rights and trade secrets continues to apply under the EHDS. HDABs will ensure compliance with these existing rules when handling data access requests. A dedicated workshop on this topic will be organized by the TEHDAS2 Joint Action to further discuss how IP and trade secret protections will be managed.Will patient representatives have a role in HDABs' decision-making?
The implementation of stakeholder cooperation, including the role of patient representatives, will be decided at the national level. Each Member State will determine how patient representatives and other stakeholders contribute, whether through consultative mechanisms, advisory boards, or direct involvement in governance processes.

Secure Processing Environments (SPEs)What is a Secure Processing Environment (SPE)?
A Secure Processing Environment is a controlled system where data users can access and analyze health data securely, without being able to download or extract raw data. SPEs ensure data protection, security, and compliance with EHDS rules.Do data holders need to implement their own SPE?
No, data holders do not need to implement their own SPE. The provision of SPEs is the responsibility of the Health Data Access Bodies (HDABs), which ensure that data is accessed in a controlled, secure, and privacy-compliant manner.Can pharmaceutical companies use their own infrastructure or must they use the regulator's?
Pharmaceutical companies do not need to have their own Secure Processing Environment. The provision of SPEs is the responsibility of the HDABs, which ensure that data is accessed in a controlled, secure, and privacy-compliant manner.As a data holder, can I maintain control over my data and process it in an SPE exclusively managed by me?
Under the EHDS framework, data holders do not maintain exclusive control over data processing. All secondary use access applications must go through the HDAB, and data must be processed in an SPE managed or supervised by the HDAB.Can researchers bring their analytic tools into the SPE?
Yes, researchers and data users must bring their analytic tools, AI/machine learning models, and processing algorithms into the SPE to analyze the data. The computation happens within the SPE, ensuring that no raw data leaves the environment.When will technical specifications for SPEs be defined?
The technical specifications for SPEs will be defined in upcoming implementing acts. The Joint Action TEHDAS2 is currently working on these specifications, with further details expected to be published in the coming years.

Data Permits and ApplicationsWill there be direct agreements between data holders and data users?
The EHDS does not foresee direct agreements between data holders and data users. Instead, access to data will be regulated through data permits issued by HDABs, which will specify the conditions of use. The framework for these data permits will be detailed in an implementing act.At what point does the applicant pay for the application fee?
The exact timing of fee payment will be defined in a future implementing act. However, it is reasonable to expect that payment will be required at the time of submitting the application rather than after the decision.Will there be a one-stop-shop for cross-border data applications?
The EHDS foresees a one-stop-shop for the application process, meaning data users will be able to submit a single access application. However, there is no single permit for cross-border data access—each HDAB will still assess each application and issue its own permit. Mutual recognition mechanisms may be possible on a case-by-case basis.How will the Common Application Form work?
An implementing act will define the Common Application Form for requesting data access under EHDS. A first draft was developed in the HealthData@EU Pilot and further refined by TEHDAS2. The form will standardize the information required for data access requests across all Member States.How does EHDS align with ethical review processes?
The EHDS does not replace or override existing ethical review requirements at the national level. Researchers requesting health data for secondary use must still comply with the ethical review and approval procedures of each relevant Member State. Future implementing acts may provide further harmonization or mutual recognition mechanisms.

Data Quality and StandardsHow will data quality be ensured in the EHDS?
The quality of data in the EHDS will be described through a data quality and utility label. This label will provide transparency on key aspects such as completeness, accuracy, and relevance of datasets. Additionally, datasets must follow metadata requirements to be described in an implementing act.Who is responsible for data quality labeling?
The data holder is responsible for filling in and completing the data quality and utility label for their datasets. The Health Data Access Body (HDAB) supervises the process to ensure compliance and consistency. The CSA Quantum project under Horizon Europe is currently working on developing the specifications and guidelines for the label.Will all datasets require a quality label?
Not all datasets require a quality label, but those funded by public money do. For complex datasets with mixed data types under Article 51, each dataset should be assessed according to the applicable quality and utility label criteria.What de-identification standards will be used under EHDS?
The specific de-identification standards for EHDS are still being defined. Work is ongoing in the TEHDAS2 Joint Action to develop recommendations for these processes. HDABs will be responsible for ensuring that data is properly de-identified before granting access.How will data be standardized across different organizations and health systems?
Secondary use in EHDS does not require standardization at the source. The data will remain in the format provided by data holders. However, metadata and interoperability requirements will facilitate discovery and analysis. The EHDS also promotes alignment with FAIR principles (Findability, Accessibility, Interoperability, and Reusability).

Data Protection and SecurityHow will personal data be protected in the EHDS?
In the EHDS, personal data is always provided via Secure Processing Environments (SPEs). This ensures data protection, security, and compliance with EHDS rules. Direct downloads or external transfers of personal health data are not allowed.Who is responsible for ensuring no personal data leaves the SPE?
The Health Data Access Bodies (HDABs) are responsible for ensuring that only non-personal data can be extracted from the SPEs. They implement controls and review processes to prevent re-identification risks.What about the opt-out right for data subjects?
Data subjects have the right to opt out of having their data used for secondary purposes, except in cases where Member States establish exceptions for public interest purposes (e.g., public health research, rare diseases). The legal basis for the opt-out right is provided within the EHDS Regulation itself.How will re-identification risks be managed?
In their application, health data users must describe the safeguards to prevent re-identification. The Health Data Access Body will also control re-identification risk issues. Technical and organizational measures will be implemented to minimize these risks.Who will perform de-identification or anonymization of data?
The HDAB is responsible for ensuring that anonymization or pseudonymization is properly implemented before providing access to the data. However, this does not prevent the data holder from performing these processes. The specific responsibilities will be defined in implementing acts.

Implementation Timeline and SupportWhat are the key implementation dates for EHDS?
- Expected entry into force: March 2025
- Primary use (MyHealth@EU): Full implementation by March 2029
- Secondary use: Implementation by March 2029
- EHR system requirements: Compliance by March 2029 for commercial systems and March 2031 for in-house systemsHow will the European Commission support Member States in EHDS implementation?
The Commission mobilizes EU funding instruments, such as the Digital Europe Programme and EU4Health, to support national efforts. The Commission also assists through webinars, workshops, knowledge-sharing platforms, and pilot projects to help build capacity and adopt best practices.Will there be financial support for implementation?
Yes, EU funding instruments such as the Digital Europe Programme and EU4Health will support EHDS implementation. Horizon Europe may also fund related research projects, including those addressing synthetic data, federated analysis, and interoperability solutions.How will healthcare providers with limited resources be supported?
Strategies and incentives for supporting healthcare providers will be defined at the national level, with Member States responsible for helping organizations meet EHDS requirements. The EU will provide technical assistance and funding opportunities to facilitate implementation.Will support be provided for development of federated analysis tools?
Yes, the Commission supports the development of federated analysis and data-visiting solutions as part of the EHDS framework. EU funding programs, such as Horizon Europe and Digital Europe, may further support tool development in this area.

Cross-Border ConsiderationsHow will language barriers be addressed in cross-border data sharing?
The EU Dataset Catalogue, including dataset descriptions, will be available in all official EU languages, ensuring accessibility across Member States. Similarly, the Common Application Form for requesting data access will also be available in all EU languages. This will help facilitate cross-border data use and improve understanding of datasets.How should multinational groups deal with their data?
Data holders that are in scope of the EHDS Regulation are those established within the EU. For multinational groups, the obligations apply to their EU entities and the data they control. Data held by entities outside the EU is not directly subject to EHDS requirements.Is data merging possible across different Health Data Access Bodies?
Yes, merging data across different HDABs is possible under the EHDS framework. Data will not be physically transferred or merged outside SPEs. There are two options:
- Federated learning – analysis is done where the data is stored, without moving it
- EU Secure Processing Environment (EU SPE) – if established, it would allow data from multiple sources to be processed in a central secure spaceFor EU-wide registries, which HDAB is responsible?
For EU-wide registries not tied to a single Member State:
- If the registry is hosted in a specific Member State, the HDAB of that country will likely be responsible
- If the registry operates across multiple countries, a coordination mechanism among HDABs may be requiredIn case of multi-country requests, which HDAB is responsible?
Each HDAB remains responsible for handling data access applications for its own country's data. The data application is forwarded to each relevant HDAB separately. For processing across multiple Member States, either federated analysis or a potential EU SPE could be used.

Stakeholder EngagementHow will citizens be informed about EHDS and their rights?
Member States are responsible for informing citizens about EHDS and their rights, with support from the European Commission. Awareness campaigns, digital health literacy initiatives, and user-friendly tools will be key to ensuring accessibility for all, including those with lower digital literacy.What is the role of the EHDS Board and stakeholder group?
The EHDS Board will play a key role in coordinating implementation and advising on standards. A stakeholder group will be established to provide input on EHDS implementation, including the development of implementing acts and guidelines. This ensures that perspectives from patients, healthcare professionals, industry, and research are considered.How will the EHDS ensure involvement of patient representatives?
The implementation of stakeholder cooperation, including the role of patient representatives, will be decided at the national level. Each Member State will determine how patient representatives contribute, whether through consultative mechanisms, advisory boards, or direct involvement in governance processes.When will the eHealth stakeholder group be established?
The timing for establishing the eHealth stakeholder group is still being determined. Updates will be provided as they become available.Who will be involved in developing the implementing acts?
The European Commission is responsible for adopting implementing acts, with input from expert groups, standardization bodies (e.g., HL7 Europe, CEN/TC 251), the EHDS Board, and EU-funded projects. Stakeholder consultation will also be part of the process.

Sign up for updates and receive the latest case studies on EHDS to your email.

Informative website by Healthuppers Alliance