The European Health Data Space (EHDS) is a new law poised to transform healthcare in the EU. EHDS has two primary objectives: empowering individuals to have better control over their health data (primary use of health data), and to leverage health data to promote innovation, policy-making, research, and healthcare improvements (secondary use of health data).
Secondary use of health data enabling breakthroughs
One key aspect of EHDS is the flow of health information across borders for patient care, such as a physician being able to access your medical records while on holiday in another country. Yet beyond its immediate clinical uses, health data can also be applied for broader societal benefits—this is known as the secondary use of health data. Under the EHDS, health data can be used for research, policy-making, innovation, and improving healthcare systems— though essential privacy protections must be put in place to protect the use of this sensitive data.
On May 1, 2019, Finland enacted groundbreaking legislation on the secondary use of health and social data, becoming the first country in the world to implement a law that complies with the European General Data Protection Regulation (GDPR).
Secondary use involves taking data generated during healthcare interactions or clinical trials and applying it for purposes beyond individual treatment. Comparing maternal mortality rates between EU countries or analyzing surgical outcomes in different hospitals, for example, can be used to improve quality of care. It can also lead to breakthroughs in medical research, the development of new treatments, and the formation of better healthcare policies across the EU.
By making health data more accessible while ensuring privacy and security, EHDS will help foster better collaboration across the healthcare industry. Researchers, policymakers, and innovators will have access to the information they need to address Europe’s most pressing health challenges.
EHDS emphasizes security and privacy
EHDS is not a centralized data repository where all health data is aggregated into a single location. Instead, it’s a legal framework and set of rules that ensure data is formatted and stored in a standardized way across all EU countries, enabling cross-border data sharing between national data authorities when necessary. Central to its mission is a strong emphasis on data security, privacy, and anonymization. EHDS establishes safeguards to protect sensitive health information, ensuring that data access and sharing are strictly controlled, compliant with GDPR, and only permitted under secure conditions. By prioritizing anonymization and privacy-preserving technologies, EHDS aims to foster trust while facilitating the responsible use of health data.
By making health data more accessible while ensuring privacy and security, EHDS will help foster better collaboration across the healthcare industry. Researchers, policymakers, and innovators will have access to the information they need to address Europe’s most pressing health challenges.
Yet considering the vast differences in medical records and practices between different European countries, is this even possible? Well, we did it already with telecommunications standards in Europe. The introduction of the GSM standard in the 1990s unified previously fragmented wireless networks and established the EU as a global leader in mobile communications. Similarly, EHDS is expected to replicate this success for health data, enabling seamless, secure, and legally compliant sharing of information across borders.
Barriers to EHDS: Defining sufficient anonymization
Barriers to implementing EHDS can be categorized into legal, infrastructural, and data-related challenges, as outlined by the TEHDAS Joint Action project. One major hurdle is the varying interpretations among member states regarding what qualifies as ‘sufficient anonymization’ to transform personal data into non-personal, GDPR-exempt data.
As part of a project involving the Finnish national data authority Findata, VEIL.AI developed a protocol to evaluate the adequacy of anonymization to allow export of data from the Findata environment, since anonymous data according to GDPR is not personal data. We presented the privacy evaluation reports to Findata, which verified the anonymity and gave consent for the anonymized data to be securely transferred from their Secure Processing Environment to an external company, Bayer.
EHDS establishes safeguards to protect sensitive health information, ensuring that data access and sharing are strictly controlled, compliant with GDPR, and only permitted under secure conditions. By prioritizing anonymization and privacy-preserving technologies, EHDS aims to foster trust while facilitating the responsible use of health data.
The Future of EHDS
As Europe moves toward implementing the EHDS, Finland stands out as a pioneer in the secondary use of health data. On May 1, 2019, Finland enacted groundbreaking legislation on the secondary use of health and social data, becoming the first country in the world to implement a law that complies with the European General Data Protection Regulation (GDPR). Finland’s leadership in this area sets a strong example for other EU member states as they prepare for the EHDS, demonstrating how thoughtful legislation can unlock the potential of health data while ensuring privacy and security.
While the implementation of EHDS will be different in each member state, it will likely involve the establishment or adaptation of an existing national data authority, similar to Finland’s Findata, which manages the secure and compliant access to health data for secondary use. VEIL.AI brings five years of hands-on experience in a successful collaboration with Findata, interpreting Finnish secondary use legislation and GDPR to develop rigorous standards for anonymization that were accepted by Findata. This deep expertise positions VEIL.AI as a valuable resource in helping other EU nations navigate the challenges of building secure and privacy-compliant systems for EHDS implementation.
To learn how VEIL.AI can support your organization in this journey, contact us.
