European Health Data Space: Patient sovereignty and solidarity – but done right.
The EU Commission has put forward a draft regulation on the European Health Data Space (EHDS). All citizens are to receive personal electronic health records (EHR) by default, whether they want them or not. Virtually all patient data generated is to be released for use by anyone who declares a “research interest”.
The first thing emphasized in the EHDS draft proposal is the “entitlement” of all people to digital access to their data – without the possibility to object.
This is followed by many pages on standardisation, market organisation, artificial intelligence, the use of those data by third parties and regulations on who has to pay how much for it.
The people of Europe hardly appear anywhere else in the text.
The imminent undermining of physician-patient confidentiality would have a devastating effect on the relationship of trust between patient and physician. It would mean the sell-off of our health data.
Medical data allow conclusions not only about the health status of the persons concerned, but also about the health risks of their relatives and descendants. In the wrong hands these data can lead to discrimination (e.g. on the labour market) even generations later.
The risk of data spills, subsequent expansions of access rights and illegal access to the EHDS databases cannot be ruled out (cf. [1]). Moreover, data sets in EHR are often so individualized that even a few additional pieces of information make de-anonymisation possible [2].
Sensitive medical data must remain in the hands of the persons concerned and their physicians, especially in the course of digitalisation. Any data transfer or use of data beyond medical treatment requires the voluntary and informed consent of the patient.
The following measures are imperative for a solidary, transparent, patient-orientated EHDS:
- The member states organise the EHR, the EU creates the conditions for its cross-border functioning through uniform standards.
- The platform-independent and open-source software for creating the EHR has to be published at least six months prior to its use.
- The use of the EHR is voluntary for patients.
- The EHR are stored decentrally, i.e. with physicians and patients. Data from these may only be aggregated for research purposes with the consent of the patients concerned and in specially safeguarded IT systems.
- To compensate victims of any data breaches, a solidarity fund will be established to which all data users will contribute.
- Results of research with patient data are to be published. Profits from their economic exploitation are to be partly transferred to non-profit institutions in the healthcare sector.
A more detailed critical review of the draft EHDS regulation can be found on the website patientenrechte-datenschutz.de.
---
[1] https://patientenrechte-datenschutz.de/datenpannen-und-datenlecks-im-gesundheitswesen-in-deutschland-eine-unvollstaendige-uebersicht/ (list of recent data breaches in the German healthcare system – in German only)
[2] https://legacy.freiheitsrechte.org/home/wp-content/uploads/2022/05/2022-04-25-Gutachten-Schro%CC%88der-GFF.pdf (Expert opinion on the protection of medical data – in German only)