When will the EHDS come into effect?

Posted on 10 augustus 202523 april 2026 by admin

What is the EHDS timeline?

Primary use in 2027, secondary use in 2029

The EHDS requires considerable preparation. A Health Data Access Body must be established, various software and hardware components must be built or connected, and supplementary legislation must be drafted. Therefore, the EHDS will enter into force in several phases. The provisions regarding primary use will already take effect on March 26, 2027. Chapter IV, on the reuse of health data, will not apply until March 26, 2029. These are the broad outlines, but some parts of Chapter IV will also enter into force on March 26, 2027, while others will come into effect later.

A number of steps still need to be taken, by March 2027. The Member States must inform the European Commission who will be its Health Data Access Body. It must also inform the European Commission who will be the the digital gateway that links the Dutch Health Data Catalogue to the other European catalogues (the Netherlands has already decided that this will simply be the HDAB itself). The European Commission, in turn, must:

1. Establish models for requesting access to health data (a permit or a statistical request);
2. Establish the requirements that Secure Processing Environments must meet;
3. Establish further requirements for the HealthData@EU system;
4. Establish which metadata dataset holders must provide for the health data catalogue;
5. Establish quality and usage labels for datasets.

Subsequently, the bulk of Chapter IV will enter into force on March 26, 2029, meaning that users of health data can then apply for permits or submit statistical queries, while data holders are required to provide data. The Health Data Access Body (plus the national contact point) must then be fully operational. Furthermore, the European Commission’s 2027 determinations will then come into effect (see above).

However, the EHDS does not yet apply to the beneficial reuse of all types of EHDS data. Only on March 26, 2031, will the EHDS also apply to these more sensitive data:

1. Data on factors that influence health, including socio-economic, environmental, and behavioral determinants of health;

2. human genetic, epigenomic, and genomic data;

3. other human molecular data, such as proteomic, transcriptomic, metabolomic, lipidomic, and other “-omic” data;

4. data from clinical trials, clinical studies, clinical trials, and performance studies;

5. data from research cohorts, questionnaires, and health-related surveys, once the related results have been published.

Later again (26 March 2035), Article 75 paragraph 5 will also come into force, which provides that third countries or international organisations can join as participants in the European Health Data Space.

The initial obligations must therefore be fulfilled by the first quarter of 2027. The legislative process to make this possible will therefore begin in Q2 2025. It is therefore important that every stakeholder in the EHDS immediately considers their priorities regarding the correct interpretation and, above all, the optimal implementation legislation. It would be beneficial to use this law to resolve as many problems as possible simultaneously and constructively, for the benefit of public health.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

The Ministry of Health, Welfare and Sport (VWS) recently opened a consultation for the Global Technical Design of the Generic Function Addressing: a kind of address book for healthcare providers. This is an important step for Dutch healthcare, but if you view this document through the lens of European law, I do see some tension.

The EHDS leads to greater health (data) safety

Posted on 10 augustus 202523 april 2026 by admin

The EHDS leads to more health data privacy

The introduction of the EHDS is causing public unrest. Will our health data still be safe? The regulation will indeed make more data available for beneficial reuse, such as scientific research. But the idea behind the regulation is to make more data available precisely by improving its security. To this end, the permit is being introduced and an HDAB must be established as a health data police. Moreover, the EHDS includes a list of prohibited uses, which could have far-reaching consequences for the tobacco industry, among others.

Permit required

First of all, the EHDS stipulates that working with health data requires a permit. There’s debate about whether one can choose whether to apply for one, as the Ministry of Health, Welfare and Sport (VWS) states. I find this a strange position: you can’t choose whether to apply for a tree-felling permit, a building permit, or a catering permit. The whole point of the permit is to allow the government to monitor the process, ensuring compliance with all (safety) regulations. As I read the regulation, a permit will almost always be required. The EHDS then stipulates that health data may only be used in accordance with the conditions stipulated in the permit. These conditions must include, among other things, the exact names of the researchers authorized to access the data. If a person isn’t listed in the permit, they can’t access the data. Moreover, it’s strictly forbidden to determine who the (anonymous or pseudonymous) data relates to.

HDAB supervises

The permit is being requested from the Health Data Access Body. In the Netherlands, they are currently busy designing all sorts of ICT tools for this HDAB. But anyone who carefully studies the EHDS will see that the newly established government agency will primarily act as the health data police. Failure to comply with the permit conditions or other legislation can result in the HDAB imposing substantial fines (up to €20 million or 4% of annual turnover). Moreover, interested parties can submit enforcement requests to the HDAB, forcing the government to take action if health data is handled too carelessly. You might think the Dutch Data Protection Authority already had this capability, but the EHDS goes much further. It contains a particularly interesting list: prohibited uses.

The following is prohibited under the EHDS:

taking decisions which adversely affect a natural person or a group of natural persons on the basis of their electronic health data; in order to be qualified as ‘decisions’ for the purposes of this point, they must produce legal, social or economic effects or significantly affect those natural persons in a similar manner;
taking decisions with regard to a natural person or a group of natural persons regarding job vacancies, offering less favourable terms for the supply of goods or services, including refusing to grant such persons or groups an insurance or credit agreement, changing their contributions and insurance premiums or loan terms, or taking other decisions with regard to a natural person or a group of natural persons which result in them being discriminated against on the basis of the health data obtained;
Carrying out advertising or marketing activities;
Developing products or services that may be harmful to individuals, public health, or society in general, such as illegal drugs, alcoholic beverages, tobacco and nicotine products, weapons, or products or services designed or modified in such a way that they lead to addiction, are contrary to public order, or pose a risk to human health;
Carrying out activities that violate ethical provisions laid down in national law.

Let what’s written here sink in: you may not use health data to develop addictive products. As mentioned, there’s some confusion about when the EHDS applies. The Ministry of Health, Welfare and Sport’s interpretation is that you can choose whether to apply for a permit and therefore whether you fall under the EHDS. This also allows the tobacco industry to choose whether to adhere to the prohibited list. That seems like an untenable position to me. The EHDS states: users of health data may only access and process health data for secondary use in accordance with a data permit. It seems to me that a permit is always required in that case (unless the EHDS does not apply under Article 1, which contains some exceptions). If my interpretation is correct, the effect of the list of prohibited uses will be significant! Because then it will be prohibited from now on to use health data to develop any addictive product whatsoever. Kudos to the authors of this regulation.

So the EHDS is great!

The introduction of the EHDS is causing social unrest. There are fears, for example, that secondary use could lead to someone losing insurance or a job. This shows that people haven’t read the EHDS, because this is explicitly stated in the list of prohibited uses. Because the EHDS is very beneficial to medical scientific research, it can be useful to emphasize that the EHDS explicitly prohibits all sorts of things. Another advantage of the list of prohibited uses is that the newly established HDAB is designated as the authority that must enforce it, and where enforcement requests can therefore also be submitted. But above all, we must realize that the EU seems to have, in a roundabout way, given us a legal tool against the tobacco industry. So far, it has not succeeded in banning tobacco, but it does seem to have succeeded in prohibiting research into how to make tobacco even more addictive. Time will tell how much pleasure we will get from this prohibited list. Perhaps it can also be used to combat the addictiveness of apps? Will HDAB soon get my child off social media? I’m eagerly anticipating the fantastic benefits EHDS can bring us.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

EHDS Data Collectors

Posted on 4 juni 202514 april 2026 by admin

EHDS Data collectors

The EHDS creates several new roles around the reuse of health data. A well-known example is the Health Data Access Body, a new government agency where licenses are requested to work with data in a secure processing environment. Much less attention is paid to the role of the trusted data holder, and the role of data collector is completely unknown. Yet, the data collector is crucial for unlocking data in a way that is more efficient, better for science, and, above all, can contribute to greater trust in the system.

Efficiency - as with the Dutch GGD

The EHDS obligates holders of health data to make them available for beneficial reuse, such as scientific research. To make the system more efficient, the Netherlands can designate certain organizations as intermediary entities. However, note that this is a different role than a data intermediary service as described in the Data Governance Regulation. Because this doesn’t make things any clearer, it’s wise to refer to these parties as data aggregators within the EHDS context; that is precisely what these parties do. They collect data from many similar data holders. The obligation to provide data to the Health Data Access Body is then taken over from the individual data holders by the aggregator. For example, in the Netherlands, there are many Municipal Health Services (GGDs), all of which hold data useful for medical-scientific research. It would be illogical for the HDAB to have to contact all the individual GGDs for every research project requiring GGD data. The Dutch government could therefore designate the GGD GHOR (umbrella organisaton for Municipal Health Services) as a data aggregator, assuming the EHDS responsibilities of all the individual GGDs.

Scientific interest - such as with general practitioners

The second area for which a data collector can be engaged is micro-data holders. The EHDS stipulates that small data holders are not required to provide data to the HDAB: that would be too much of an administrative burden for small organizations. However, some data that are scientifically extremely important are precisely in the hands of small data holders. In the Netherlands, for example, this is the case with general practitioners. If research is to be conducted on the earlier detection of lung cancer, the hospital patient records must be linked to the records of the general practitioners regarding previously reported health complaints. This is important research, but the data in question, due to the small size of the average general practice, will fall outside the scope of the EHDS. National legislation can therefore oblige such micro-data holders to provide data to a data collector, for example, a Nivel or an IPCI, thus making this data available securely and efficiently for important research. The same applies to data from, for example, dentists, physiotherapists, or dietitians.

For trust – such as with diabetes

The third purpose of data collectors is increasing trust in the system. For example, diabetes patients might worry about their privacy if commercial companies had direct access to their data. Because of this (very understandable) concern, they might therefore oppose the availability of their data. But imagine that Dutch legislation stipulates that real-time measurements are made available to the Dutch Diabetes Association, and that association (with the help of, for example, the Dutch Healthcare Institute) manages this data. Far fewer patients would likely object. The Dutch Diabetes Association could then anonymize the data or answer statistical questions. If, with the help of such organizations, trust in the system is increased, this will lead to broader data availability for scientific research and the development of new, useful healthcare products.

In secondary legislation

In short, there are many good reasons to make extensive use of the role of data collector: the system becomes more efficient, more data becomes available (securely) for medical research, and this can also lead to greater patient confidence in the system. The implementing legislation for the EHDS could stipulate that all data collectors will be assisted by the National Health Care Institute (Zorginstituut), which was already designated to oversee quality registrations. The specific data collectors should not, of course, be designated in the law itself, because if one of them proves to be dysfunctional, removing a data collector would have to go through Parliament. That would take too long. Therefore, the Minister of Health should be able to appoint data collectors (under Parliamentary supervision). I think it would be useful if we in the Netherlands thoroughly discussed at conferences how we can optimally design the EHDS system by using the role of data collector.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

Control over health data under the EHDS

Posted on 2 juni 202514 april 2026 by admin

Control over health data under the EHDS

No one owns data

The European Health Data Space will bring major changes regarding patient control over the reuse of health data. To understand this section, we will first explain some terminology. Although health data is about a patient, it does not belong to the patient. Nor does the hospital own the data. Health data are facts, and just as one cannot own “the sun is hot,” one cannot own “the patient has a fever.” Therefore, the patient has no proprietary right to the data. They do, however, have a right to protection of data that concerns them, based on their right to privacy. Patients can exercise these rights themselves in various ways (in addition to the intervention of the Dutch Data Protection Authority). On the one hand, for example, they have the right to inspect what data someone holds about them and to have this data corrected if necessary. On the other hand, there may be a right to prior control over the potential use of patient data.

Three types of control

There are three forms of this. The first is that there is no control. This is the case, for example, with the data collected by Statistics Netherlands (CBS). Such data concerns large numbers of people and, moreover, is essential for the government to do its work. In this case, there is no control, based on the idea that every citizen wants a well-functioning government, and that is only possible through the use of data. The second option is opt-out control (no objection must have been raised) and the third option is opt-in control (prior consent must be obtained). Dutch law currently provides for an opt-in provision, unless this is unreasonable. Consent therefore means an opt-in, and this is a sub-form of control. The EHDS explicitly stipulates that the opt-in will be abolished (although the scope of this is debated and there are exceptions). Regarding reuse, the opt-out will henceforth be the form of control, unless the national government has (lawfully) determined that control cannot be exercised over specific data flows.

The National Control Register

For some sensitive data, national legislation may allow for an opt-in option. This applies, for example, to genetic data, data from wellness apps, and bodily tissue. Dutch legislation must also clarify how this control can be exercised. Discussions are currently underway in the Netherlands about a National Control Register, in which one can object to certain forms of reuse (and in which, if necessary, consent for sensitive data can be granted). This exercise of control will then apply to all subsequent data permits, until the objection is withdrawn. Therefore, the objection is not retroactive; once a permit has been issued, the data may be used until the end of the research. The exact details of this process are irrelevant for individual scientists. However, it is relevant to determine whether the register will be structured in such a way that the opt-out is frequently exercised for certain data, or not, as this could complicate data availability for a particular discipline within medical science.

The AP, the free flow of data and ethics

Finally, three comments: the EHDS is intended to strike the right balance between privacy protection and the benefits of data availability. The GDPR remains in effect, and the Dutch Data Protection Authority retains all its privacy enforcement duties. The HDAB is therefore the newly established government body tasked with serving the opposing interest: data availability. Given this division of tasks, it is logical that it is not the HDAB, but the Dutch Data Protection Authority, that will take enforcement action if the exercise of control in the National Control Register is not properly observed. Furthermore, some people believe that you should be able to indicate in the National Control Register that your data cannot cross borders, but that seems to me to be contrary to European law on the free flow of data. Finally, some parties believe that the opt-out is unethical and that consent must always be requested. To them, I would like to point out that the EHDS is a European law, enacted by the democratically elected European Parliament. The current Dutch government has also stated in its coalition agreement that an opt-out is sufficient. This suggests that the majority of society does not consider the opt-out unethical.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

The EHDS request and the post-COVID rule of law

Posted on 1 juni 202521 november 2025 by admin

The EHDS-request and the post-Covid rule of law

The EHDS is perceived by those who distrust the government as a manipulative tactic: the coronavirus pandemic would be used to learn everything about us citizens. The striking thing is that even these suspicious people will be enormously helped by the EHDS, even in times of a pandemic, and even if they don’t understand much about statistics. Besides a data permit, the EHDS also includes a request: a request for an answer to a statistical question. Anyone can request such a request, which is therefore excellent for our constitutional state, because it allows citizens to independently verify whether certain policy choices were a good idea.

No data to researcher, but answer to requestor

In addition to the health data permit, the EHDS also includes a request. This is translated as “vraag” (request) in the Dutch version. It might have been clearer if this had been translated as “EHDS vraag” (question). The result is simply receiving an answer. The EHDS stipulates that for a permit application that may not be granted, it must always be checked whether it can be treated as a question. You can also decide not to apply for a permit, but to submit a question instead. This option is related to privacy, which must be protected as much as possible. The idea is to—where reasonably possible—not make data available to researchers, but only to provide the answer to their question. Currently, there is no legal way to enforce such an answer to a question. Under the Open Government Act or the Reuse of Government Information Act, you can request electronic data, but not an analysis of it. Under the EHDS, however, you can request that someone perform a specific calculation for you. This makes potential knowledge much more widely available. The EHDS question should therefore be seen as a major step forward (although it will obviously not be for free).

Who will take this on? Free market against distrust

Surprisingly, there’s no consideration at all of who will carry out this process in the Netherlands. The decision on such an EHDS request is an administrative decision that the Health Data Access Body itself must make. However, generating the substantive answer (performing the analysis) is a practical task that can also be outsourced. The HDAB could, therefore, outsource this to a single government agency with experience analyzing health data, such as Statistics Netherlands (CBS) or the RIVM (National Institute for Public Health and the Environment). Alternatively, it could choose to allow some market forces to operate. Under the EHDS, the questions must be answered in a secure processing environment. All reliable data holders (which likely includes academic hospitals) also have such an SPE. Some market forces generally benefit price and quality, so it would be beneficial if the HDAB gave everyone with (access to) an SPE the opportunity to submit a bid for answering EHDS questions. Ideally, the applicant would also be given the opportunity to choose who would generate the answer to their question. That would be beneficial in countering suspicion in society. The EHDS, which is often seen as a trick of the evil government, could actually help reduce this distrust.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

Trusted Data Holders and the EHDS

Posted on 1 juni 20254 februari 2026 by admin

Trusted Data Holders and the EHDS

Recommendation to the HDAB

The EHDS creates several new roles regarding the reuse of health data. A well-known example is the Health Data Access Body, a new government agency where a permit can (or must?) be requested to work with data in a secure processing environment. Much less attention is paid to the role of trusted data holders. The HDAB can designate these trusted holders to reduce the administrative burden. Due to their expertise in legislation and the secure processing of health data, these trusted holders may submit applications according to a simplified procedure, with a recommendation regarding the decision to be made. However, the HDAB must remain responsible for the actual issuance of the permit and may not be bound by the recommendation of the trusted data holder.

The administrative law - duty to verificate

I assume that Section 3.3 of the Dutch General Administrative Law Act (Algemene wet bestuursrecht), concerning advice, applies to the advice of the trusted parties. Article 3.9 is important in this regard: “If a decision is based on an investigation into facts and conduct conducted by an advisor, the administrative body must ensure that this investigation was conducted with due care.” This is called the duty of verification. Therefore, if a university hospital has the status of trusted holder and issues a decision on an application concerning its own data, the HDAB may not approve it without reading it. While marginal review is permitted, it is not permitted to omit review.

Academic hospitals as trusted holders

Keep in mind that there’s a difference between a factual application to a data holder and a legal application to the HDAB. With a regular data holder, they can (actually) contact them to inquire whether the data the scientist wants even exist, after which they can legally apply for a permit from the HDAB and go through the entire procedure. If the data holder is a reliable data holder, they have the right to have the scientists’ legal application to the HDAB accompanied by a proposal regarding the decision to be made. For example, academic hospitals seem logical parties to be designated as reliable holders. However, if the recommendations, according to the HDAB, are frequently incorrect (unjustified refusals or, conversely, unjustified grants), the reliable holder status can be revoked.

The trusted holder oversees the data user

Trusted holders of health data must possess, in addition to expertise, their own Secure Processing Environment or at least have access to one. The simplified procedure can be followed for a permit application or a request (the statistical inquiry) that concerns data exclusively from trusted holders. If such a request is submitted not to the trusted holder but to the HDAB, the HDAB will simply forward it. The trusted holder will write its recommendation within two months, after which the HDAB will make a decision within two months. The trusted holder will then perform the operational tasks (such as anonymization). The work is subsequently carried out in the trusted holder’s Secure Processing Environment, where it monitors compliance with all laws and regulations. The HDAB in turn monitors the work of the trusted data holders.

With the right to use the Identity number (BSN)

This allows the trusted holders to perform all sorts of tasks relatively independently, which is why it is explicitly described as a role that eases the burden on the HDAB, thus leading to a more efficient system. Of course, there shouldn’t be any national legislation that would hinder this, but that’s currently the case. Trusted holders must have the right to use the national identification numer (BSN) to link files in a privacy-safe manner. Furthermore, they must be able to independently consult the National Control Register using the BSN. If they aren’t allowed to do so, they still have to do their work through the HDAB, which prevents the role of trusted holder from being fully realized.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

The law is not the same as ethics

Posted on 1 juni 202521 november 2025 by admin

The law is not the same as ethics

Is ethics superior? Or is the law?

To properly understand our legal system and what the EHDS will bring us, it’s important to make a clear distinction between law and ethics. Morality is the question of whether we believe something is right, and the basis for that is ethics (although they are also referred to collectively as ethics). It is therefore a reasoned value judgment. Law, on the other hand, is the set of rules that determine what we may or may not do. Some believe that ethics is superior to law, more important, and more valuable. Others believe that ethics is simply an opinion, while law has been established by the majority of society through the democratic process. It is therefore more valuable than ethics. The question of who is right is irrelevant, as long as the difference is properly understood, and how they relate to each other.

Law is rules plus application

These rules of law are established by the legislature and then applied by courts in a specific case: for example, in the question of whether someone must pay damages. Law is therefore the totality of rules as applied by courts in specific cases. The system is structured in such a way that the highest court is always right; what the highest court declares to be law is, by definition, law. This ensures consistency in the application of law, allowing society to adjust its behavior accordingly. If the law is very clear, the court adds little, but rules are often somewhat vague; judges then elaborate on them. Law is therefore a sum of applied rules.

Ethics complements and forms new law

Ethics can be used by judges to flesh out open-ended norms, as is the case with the terms “good care” or “reasonableness and fairness.” Such vague terms are explained using interpretative methods such as dogmatics (what professors think), legislative history (what has been discussed in parliament), a purely linguistic application, or simply ethics. But when there is no open-ended norm, when it is crystal clear what a rule entails in a specific case, then ethics cannot really play a role; for example, with a statutory term of three years. Ethics is therefore used to give substance to open-ended norms. Moreover, ethics is an important guideline in determining what future law should look like. It then serves as an argument for legislative amendments. In this way, in a democratic society, law and ethics are achieved without significant differences, but that is not necessarily the case. Law is sometimes called “solidified ethics” in healthcare. But that’s only the case if ethics influenced the creation or interpretation of law. The rules on how to establish a private limited company are not solidified ethics, and the law of Nazi Germany was law, but not ethical.

A description of the law is not unethical

In discussions about the law surrounding medical research, which often has ethical implications, ethics and law are often confused. This complicates the discussions, which is why it’s important to clearly distinguish between them. One might feel that you should have a property right to data about yourself, for example, but as long as there’s no legal provision or case law (court rulings) that creates such a right, you don’t have one. One might argue on ethical grounds that an opt-in for secondary use of data would be preferable, but once the EHDS comes into effect, this European law will stipulate that an opt-out is sufficient. Lawyers who explain the law are sometimes accused of being unethical. But they don’t make any pronouncements on ethics; they merely explain how certain rules (probably or certainly) should be interpreted.

This is what the European Parliament thought

Ethics is thus used to define open standards. It also serves as a basis for drafting new laws. This also applies to legislators in Brussels. All Europeans have been patients at some point. They voted collectively on who should sit in the European Parliament. It was recently decided there that an opt-out is sufficient. Apparently, the majority considered this ethical.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

Why is the EHDS revolutionary?

Posted on 2 april 202521 november 2025 by admin

Why is the EHDS revolutionary?

More data, because it's safer

The EHDS aims to make more data available for secondary use by making it more secure. The GDPR will continue to apply alongside the EHDS. This privacy regulation already stipulates that the use of health data (in short) is permitted if there is a good purpose, if the law is followed, and if sufficient technical and organizational measures have been taken. The EHDS stipulates the same, but in more detail: working with health data is permitted if it serves a useful purpose, as described in the EHDS. This will be assessed by a newly established government body, the Health Data Access Body (HDAB), which will assess compliance with the GDPR in addition to the EHDS. Subsequently, users will not receive data, but a permit to work with that data, which will specify the precise conditions, such as the requirement to work in a secure processing environment (SEPA). In other words, users will not receive data, but access to it. The HDAB will periodically verify whether the SEPAs are indeed (still) sufficiently secure.

A right to data

So far, there seems to be little new; there must be a good purpose, the work must be done lawfully, and the work must be carried out safely. Yet, the effects of the EHDS, by creating an HDAB and a data permit, are truly groundbreaking or revolutionary. Firstly, because the data must be shared much more widely: if the HDAB has determined that a scientist is permitted to work with data (as described in the permit), then the data holder is obligated to actually make it available. We already have various laws requiring data holders to make data available to the government itself, such as the Statistics Netherlands Act (CBS Act) and the RIVM Act (RIVM Act). But now, there is an obligation to make data available to permit holders, i.e., non-governmental organizations.

If an academic hospital now wants to use data from a nursing home, that nursing home can refuse, invoking the GDPR. Whether that appeal and refusal are justified can never be submitted to a court, because sharing data by the nursing home is a favor. Now, this becomes an obligation. The downside of this is that the academic hospital effectively acquires a right to (work with) data. This is not explicitly stated in the EHDS. However, a decision on a permit application is an administrative decision. If the permit is denied, an objection can be filed (with the DHAB itself) and then, if necessary, appeal to the administrative court. If the court determines that the academic hospital meets all the conditions for obtaining the permit, it will be granted the permit. Compare this to a permit for a dormer window; if all the conditions are met, it can no longer simply be denied. By creating a data permit, the EHDS indirectly creates a right to data.

Academic freedom

Moreover, in principle, everyone has the right to work with health data. Anyone can apply for a permit; any natural person or legal entity throughout the European Union. Obtaining such a permit requires pursuing a recognized purpose under the EHDS, but no distinction is made between, for example, citizen scientists and scientists from academic institutions. Of course, applicants will be assessed for their qualifications to achieve the intended objectives and therefore possess appropriate expertise. However, people like Albert Einstein, who work at a patent office, will have more opportunities under the EHDS to demonstrate their capabilities. This isn’t dangerous, because the HDAB will anonymize or pseudonymize the data as much as possible, and will not transfer it but make it available in a secure processing environment from which no data can be extracted, only conclusions.

Transfer of confidentiality decisions in case of secondary use

The next striking fact is that the authority to decide on the secondary use of health data is being taken away from individual healthcare providers and placed with the HDAB, the newly established government agency. The EHDS is therefore seen in the medical sector as a worrying restriction of medical confidentiality. In my opinion, it would be better to view it as a partial relocation of medical confidentiality, which is also not illogical. Remember, medical confidentiality was introduced by doctors themselves, at a time when the rule of law did not yet exist; 2,000 years ago. That was fantastic, of course, but now we do have a well-functioning rule of law and a government agency that oversees the protection of privacy. Previously, there was no choice as to where decisions on secondary data use should be placed, but now there is. And in that case, an independent government agency is a more logical choice than the doctors themselves.

Most doctors are, of course, honest and well-meaning, but unfortunately, there are bad apples in every profession. A bad doctor has a personal interest in medical confidentiality. An independent government agency does not. The EHDS explicitly states that the HDAB must be safeguarded to ensure its independence; there must be no conflicting interests. Individual healthcare providers do, however. Moreover, we cannot expect healthcare providers to all be familiar with the GDPR, while an HDAB is. Ultimately, the importance of the privacy of the individual patient conflicts with the importance of medical progress for society as a whole; the interest of other patients and future generations in being able to research and discover new treatment methods. An independent agency is better positioned to weigh individual versus collective interests, current versus future interests. Therefore, with regard to secondary use of data, medical confidentiality is not so much restricted as displaced by the EHDS. And in our fairly well-functioning constitutional state, that is a logical choice from a legal perspective.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

Which data are covered by the EHDS?

Posted on 1 april 202521 november 2025 by admin

Which data are covered by the EHDS?

This web text is primarily a request for input from medical scientists. The EHDS stands for European Health Data Space, a European Regulation that will apply directly as law in the Netherlands. Chapter 4 of this regulation focuses on making health data more readily and securely available for beneficial reuse, such as scientific research. This means that health data must be made available (securely!) if a new government body (the HDAB) so decides. Article 51 of the EHDS contains a list of data that must (in principle) be made available. However, it also states that Member States may add data to this list. It is therefore important that we carefully examine this list and consider which data are not included, even though they are still important for science and policy evaluations. What data do you, as a scientist, use that are not yet included on the list below? What are we missing? Please share your thoughts via the contact form.

The EHDS includes at least the following data:

electronic health data from EHRs;
data on factors impacting on health, including socioeconomic, environmental and behavioural determinants of health;
aggregated data on healthcare needs, resources allocated to healthcare, the provision of and access to healthcare, healthcare expenditure and financing;
data on pathogens that impact human health;
healthcare-related administrative data, including on dispensations, reimbursement claims and reimbursements;
human genetic, epigenomic and genomic data;
other human molecular data such as proteomic, transcriptomic, metabolomic, lipidomic and other omic data;
personal electronic health data automatically generated through medical devices;
data from wellness applications;
data on professional status, and on the specialisation and institution of health professionals involved in the treatment of a natural person;
data from population-based health data registries such as public health registries;
data from medical registries and mortality registries;
data from clinical trials, clinical studies, clinical investigations and performance studies subject to Regulation (EU) No 536/2014, Regulation (EU) 2024/1938 of the European Parliament and of the Council, Regulation (EU) 2017/745 and Regulation (EU) 2017/746;
other health data from medical devices;
data from registries for medicinal products and medical devices;
data from research cohorts, questionnaires and surveys related to health, after the first publication of the related results;
health data from biobanks and associated databases.

So, as Member States, we can add categories here, but I can’t think of anything missing. Someone suggested that perhaps the data of a fetus, which is not yet (legally) a natural person, falls outside of this. But it seems to me that a fetus doesn’t have its own EHR, but is included in an EHR? Therefore, my question to you: what health data is missing, even though it is indeed important to medical science? I’d like to hear from you via the contact form, and I’ll pass this on to the authors of the EHDS implementing legislation.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

EHDS everywhere or just a layer on top?

EU countries build EHDS access services on top of their current national systems. But there is no discussion whether the EHDS allows this.

The free flow of health-ICT

Why the EHDS?

Posted on 31 maart 202521 november 2025 by admin

Why the EHDS Regulation?

EHDS stands for European Health Data Space. It is a European law that will apply directly in the Netherlands, just like the GDPR. The European Union introduced the free movement of people, goods, capital, and services decades ago. Internal borders within the EU were abolished as much as possible. The goal of this was economic growth, in addition to, among other things, complicating war. Brussels quickly realized that this free movement would not function properly without the free flow of data. Therefore, a European, borderless data space was also needed. The GDPR was the first step in this process; to achieve the free flow of data, data protection had to be standardized in Europe. Countries can protect privacy themselves, but achieving the free flow of data required uniform data protection.

A data legislation matrix

A European data strategy was subsequently developed, best described as a legislative matrix. On the one hand, there are rules governing all data, regardless of content. These can be found in the GDPR, the Re-use of Government Information Act, the Data Regulation, and the Data Governance Regulation. On the other hand, there are (and will be) rules governing certain types of data. Nine Data Spaces have been designated for this purpose, including financial data, transport data, and therefore also healthcare data. Therefore, when reading the EHDS, one must remember that this law can only be properly understood as a cog in a larger system of laws that complement each other: European laws such as the GDPR and other data legislation, but also Dutch legislation such as the General Administrative Law Act.

An economic perspective on healthcare

The EHDS aims to improve healthcare in Europe by realizing the free movement of patients, healthcare providers, and medical scientists. It was expected that the free movement of goods would lead to economic growth and better products, and this proved to be true. Supporting regulations were developed, such as the two-week return policy for online orders throughout the EU. This gives consumers the confidence that they can order directly from anywhere in Europe. A reputable Italian organic farmer can thus serve the wine market in Wassenaar; prices will decrease, and quality will increase. Similar benefits are also expected to be realized in healthcare. The goal is for Dutch radiologists, for example, to be able to assess MRI scans from across the EU. Brussels expects this will make healthcare cheaper and better.

Broader data availability

In addition, the EHDS aims to stimulate innovation by making health data available for beneficial reuse. Universities, businesses, and citizens will soon be able to apply for a permit to work with health data. Whether you receive this permit will be assessed based on whether you are pursuing a useful purpose, such as education, scientific research, statistics, but also developing new products or training AI systems. If necessary, you can submit the decision on your application to a judge, who can assess it against, among other things, the prohibition on discrimination or scientific freedom. For example, it will no longer be permitted for an academic hospital to share data with physicians but not with scientists from the computer science faculty.

Within strict legal frameworks

Carelessness with health data is inconvenient, unethical, and unlawful. According to the GDPR, sharing is only permitted if there are sufficient “technical and organizational safeguards.” The EHDS prescribes what this entails. A permit must be requested (with some exceptions) from the Health Data Access Body, a new government body. The permit specifies the precise conditions, and the EHDS also contains a list of things that may not be done with the data. Violation of these conditions is punishable by fines. In such cases, the data is not given, but access to it in a secure processing environment. This should make more knowledge available securely throughout the Union. After all, in addition to a right to data protection, we also have a right to information.