Individuals’ rights under the EHDS: what changes compared to the GDPR?

The European Health Data Space Regulation (EHDS) entered into force on 26 March 2025. This European regulation aims to enable better exchange of health data in order to improve healthcare and stimulate research and innovation. At the same time, the EHDS strengthens the position of individuals by giving them greater control over their health data.

The EHDS builds on the General Data Protection Regulation (GDPR) and provides a sector-specific complement for electronic health data. The GDPR remains the general framework for the processing of personal data, including health data, while the EHDS introduces specific rules on access to, exchange of and re-use of those data within the healthcare sector. In this blog, we discuss the various rights set out in the EHDS and explain what they mean for healthcare providers.

Right of access: from request-based access to permanent availability

Under the GDPR, patients have the right to access and obtain a copy of their personal data, including data from their medical records. The EHDS builds on this but goes a step further. The key difference lies in how access is provided.

Where healthcare providers under the GDPR must in principle respond to an access request within one month (with a possible extension), the EHDS requires that patients be granted immediate access once data are recorded in their file. This access must be provided free of charge and in a readable, accessible, and consolidated format. In addition, it must be possible to download a copy in a uniform European exchange format.

For healthcare providers, this represents a significant shift towards the structural availability of data through an electronic health data access service. In a previous blog, we discussed the recently published parliamentary letter on the implementation of the EHDS, in which Minister Bruijn indicated that he is currently examining how these access services should be designed. The national infrastructure will largely be established by the government, but healthcare providers must ensure that they are connected to it and adapt their processes accordingly. The electronic health data access service must also make it easy to designate an authorised representative (for example, a friend or relative).

The EHDS allows Member States to introduce exceptions in national legislation, for example where immediate access must be temporarily postponed for reasons of ethics or patient safety. Consider sensitive test results that a health professional wishes to discuss with the patient first. How this will be implemented in the Netherlands remains to be seen.

Right to rectification and to insert information: greater control, but within limits

The right to rectification is already established under the GDPR. The EHDS makes it easier to exercise this right by requiring that patients can easily submit a request through the electronic health data access service. The healthcare provider remains responsible for assessing such requests and verifying the accuracy of the data.

The right to rectification by means of a statement under the GDPR continues to apply. In addition, the EHDS introduces the right for patients to add information to their medical record themselves, clearly marked as having been entered by the patient. Patients may not alter data entered by healthcare professionals. This is understandable, as information entered by patients does not carry the same clinical and legal weight as professionally recorded data.

A key question that remains is how healthcare providers should deal with information added by patients, particularly where that information may be inaccurate. It is important to emphasise that the principles of the GDPR continue to apply to data added by the patient, including the principles of accuracy and data minimisation. Personal data must be accurate and limited to what is necessary for the purposes for which they are processed. This is all the more relevant given that, under the EHDS, these data may also be re-used for secondary purposes, such as research and innovation (read more about this in this blog). The healthcare provider remains the controller of the electronic patient record. How this should be implemented in practice will require further clarification.

Data portability: from a limited GDPR right to standard functionality

The EHDS stipulates that patients must be able to easily have their health data transferred to another healthcare provider or grant access themselves. This transfer must take place immediately, free of charge, and without obstacles, through the uniform European data exchange format of the MyHealth@EU infrastructure. In addition, patients may request that (part of) their data be shared with parties in the social security or reimbursement sector.

This constitutes a clear expansion compared to the GDPR. Under the GDPR, data portability is limited to data provided by the data subject, processed by automated means, and based on consent or the performance of a contract. Under the EHDS, patients are granted a general right to data portability, regardless of the legal basis for processing. Moreover, the right is no longer limited to data provided by the patient, but also covers broader medical information, such as diagnoses or medical advice. As a result, data transfer becomes a standard functionality of healthcare systems, enabling health data to be made available to other healthcare providers more quickly and easily.

Transparency and restriction of access

The EHDS requires that patients are able to see who has accessed their electronic health data. This information must be available free of charge and without undue delay and must remain accessible for at least three years. Access to this information may only be restricted in exceptional cases if Member States provide for this in national legislation, for example to protect vital interests, the rights of the healthcare professional, or patient safety. For healthcare providers, this means that access logs must be made available to patients in an accessible manner and that internal policies must be adjusted accordingly.

In addition, patients may restrict the use of their health data. They can fully or partially block access by healthcare professionals and healthcare providers. An important principle is that such a restriction must not be visible to healthcare professionals. At the same time, this may have significant consequences for the quality and safety of care. Therefore, it is essential that patients are properly informed in advance about the potential impact. Member States have the option to include a so-called “break-the-glass” procedure in national legislation for emergency situations.

Member States may also introduce an opt-out for primary use. The Netherlands intends to grant this right. This means that patients will no longer need to give prior consent for data exchange for the purpose of healthcare provision, but may actively refuse it. Healthcare providers must be able to register such opt-outs, process them technically, and inform patients accordingly. How these restriction rights will be embedded in the Dutch system is still being further developed.

What does this mean for healthcare providers?

The EHDS entails obligations for healthcare providers and requires technical and organisational preparation. This includes:

  • Connecting to an EHDS-compliant access service and coordinating with suppliers accordingly.

  • Establishing clear processes for each patient right and updated policies, explicitly incorporating any limitations introduced through national legislation.

  • Raising internal awareness and training staff on the new processes and policies regarding patient rights.

  • Actively and clearly communicating with patients about their rights and how they can exercise them via the electronic health data access services.

At first glance, this may feel like an additional burden, yet another new regulation with new obligations, but the EHDS also offers opportunities. Greater standardisation in systems and processes is likely, in the long term, to reduce the administrative burden for healthcare providers.

Start preparing in time!

The obligations arising from the EHDS will be introduced in stages over the coming years. The rights described above will apply from 2029 onwards. The Netherlands must be ready for full application of the EHDS by 2031 at the latest. That may seem far away, but implementation takes time. Therefore, start now with an internal assessment: what technical and organisational measures will your organisation need in order to comply with the EHDS? Read more about this in our EHDS cheatsheet.

The details will be further elaborated in implementing acts in the coming years. It is therefore important to closely monitor these developments so that new requirements can be incorporated into your preparations in a timely manner. Of course, we will keep you informed.
