- The member states organise the EHR; the EU creates the conditions for its cross-border functioning through uniform standards.
- The platform-independent and open-source software for creating the EHR has to be published at least six months prior to its use.
- The use of the EHR is voluntary for patients.
- The EHRs are stored in a decentralised manner, i.e. with physicians and patients. Data from these may only be aggregated for research purposes with the consent of the patients concerned and in specially safeguarded IT systems.
- To compensate victims of any data breaches, a solidarity fund will be established to which all data users will contribute.
- Results of research with patient data are to be published. Profits from their economic exploitation are to be partly transferred to non-profit institutions in the healthcare sector.
 https://patientenrechte-datenschutz.de/datenpannen-und-datenlecks-im-gesundheitswesen-in-deutschland-eine-unvollstaendige-uebersicht/ (list of recent data breaches in the German healthcare system – in German only)
 https://legacy.freiheitsrechte.org/home/wp-content/uploads/2022/05/2022-04-25-Gutachten-Schro%CC%88der-GFF.pdf (Expert opinion on the protection of medical data – in German only)