The European Health Data Space (EHDS) entered into force on 26 March 2025 and marks an important step towards a so called European health data space. The EHDS aims to improve data availability, which should in turn lead to better healthcare. Although the associated obligations will be introduced in phases over the next six years, we recommend that healthcare providers start looking ahead now. Timely preparation will support the smoothest possible implementation.
What is the purpose of the EHDS?
In short, the EHDS creates a European framework for access to and use of health data within the European Union (EU), with the aim of improving the quality of care and stimulating innovation. The EHDS distinguishes three pillars:
- primary use (see also our blog on primary use);
- secondary use; and
- market regulation of electronic patient record (EPR) systems and interoperable wellness apps.
In this blog, we focus on secondary use from the perspective of the healthcare provider. For additional context, we also refer to our earlier blog.
What is secondary data use?
Before turning to the rights and obligations of healthcare providers, it is helpful to clarify the concept of “secondary use”. What does this term actually mean? Secondary use is introduced by the EHDS and is not a concept we know from national law. Secondary data use concerns the reuse of data for purposes other than the direct provision of care to the patient. This reuse is limited to a specific and exhaustive list of purposes, namely:
- the public interest in the field of public health;
- policy making and regulation;
- statistics;
- education in the health or care sector; or
- scientific research.
This last purpose explicitly includes development and innovation activities, such as testing and evaluating algorithms and improving healthcare delivery.
In practice, this means, for example, that a medical technology company wishing to develop software to better monitor patients with cystic fibrosis can request access to health data via the route created by the EHDS: the Health Data Access Body (HDAB) route. Provided that the company meets all EHDS requirements, it can gain access to a much larger volume of health data, not only nationally but also across Europe. Given that this is a rare condition, combining data from multiple Member States is of great value, as individual countries usually do not have sufficient data to conduct robust research.
Prohibited purposes
The EHDS also sets out a list of secondary purposes for which health data may not be used. For example, data may not be requested to further develop harmful products, such as tobacco or alcohol. This is logical, as the EHDS is intended to lead to higher quality healthcare. Developing products that are harmful to health runs directly counter to that objective.
The HDAB route
Under the EHDS, health data must become more readily available for secondary purposes via the so called HDAB route. But how does this work in practice?
Access to data starts with an application for a permit. Such an application is submitted to the HDAB. The HDAB is the national body for secondary data use that, among other things, assesses applications and issues permits.[1]
An application for secondary data use is submitted by a data user and includes a clear description of the purpose, the required data and the proposed approach. The HDAB assesses the application and, if approved, grants a permit. The data holder then makes the data available (on an opt out basis, see also our cheatsheet).[2]
The data are made available in a secure processing environment and do not leave that environment. In principle, the data are anonymised. Research results must be published on the HDAB’s website, so that the data use benefits society as a whole.
Another key question is where the data come from. This is where the data holder plays a crucial role. The data holder is the organisation that processes electronic health data and must make these data available upon request. Healthcare providers therefore qualify as data holders. What this means in practice is summarised below by reference to the main obligations:
- Make transparent which data you hold: categorise your datasets and add a clear description for each set, and identify any trade secrets or intellectual property rights (IP). The available data categories must be shared with the HDAB. The HDAB will maintain a catalogue of available data categories.
- Review and update your data: you are required to review and update dataset descriptions annually in the national catalogue.
- Cooperate constructively with the HDAB: once a permit has been granted, you must make the requested health data available on an opt out basis.
- Provide datasets in a timely manner: this must be done within a period of three to six months.
Finally, it is important to note that this route applies in addition to existing possibilities for secondary data use under the General Data Protection Regulation (GDPR) and the Dutch Medical Treatment Contracts Act (WGBO).
Not only obligations, but also new opportunities
The introduction of the EHDS places significant demands on healthcare providers. It is understandable that this may initially feel like an additional set of obligations. While the EHDS does indeed introduce new obligations, it is equally important to recognise the opportunities it offers you as a healthcare provider, particularly in the context of secondary use. As a healthcare provider, you can also request data yourself via the HDAB route, for example for scientific research.
How can you prepare as a healthcare provider today?
If you want to be well prepared for the EHDS, you can already take the following concrete steps:
- Map your data categories
Identify which health data you hold and in what form they are available. The specific categories are listed in Article 33 EHDS. - Invest in data quality
Ensure that datasets are up to date, reliable and well described, so that they can be made available easily at a later stage. - Allocate responsibilities within the organisation
Determine who within the organisation is responsible for decision making, implementation and oversight of secondary data use under the EHDS. Ensure that all relevant staff are involved and informed in good time, such as the privacy officer, the data protection officer, the security officer and ICT. - Explore the opportunities offered by the EHDS
Look beyond obligations and consider the possibilities the EHDS may create for research, innovation and collaboration. Discuss these opportunities with the scientific arm of your organisation. - Stay engaged and follow developments
Contribute to discussions, stay involved and keep up to date via www.datavoorgezondheid.nl. We are also closely monitoring developments for you. Visit our website or subscribe to our healthcare newsletter.
Would you also like insight into the impact on healthcare professionals, patients and ICT service providers? Download our EHDS cheatsheet.
