Secondary Use of Health Data in the European Health Data Space
Legal framework, data categories, and responsibilities of data holders
The creation of the European Health Data Space (EHDS) represents one of the most significant structural transformations in the management of health data within the European Union. Beyond the primary use of data—directly linked to patient care—Regulation (EU) 2025/327 establishes a robust and harmonised framework for the secondary use of electronic health data, regulated in detail under Chapter IV.
Secondary use enables the reuse of health data for purposes such as scientific research, innovation, public policymaking, health system evaluation, and preparedness for health crises. This reuse must always take place under strict legal, technical, and ethical safeguards. This article explores the general conditions, the obligations of health data holders, and the minimum categories of data that must be made available for secondary use.
What is meant by secondary use of health data?
Secondary use refers to any processing of electronic health data that is not directly related to the individual healthcare of a patient, but which generates value for society as a whole. This approach unlocks the vast potential of health data to:
Improve biomedical and clinical research
Optimise healthcare planning and financing
Enable the development of new therapies and medical devices
Analyse social, environmental, and economic determinants of health
Strengthen epidemiological surveillance and crisis response
The Regulation ensures that this reuse is carried out in a secure, controlled, and harmonised manner, avoiding legal fragmentation across Member States.
Applicability of secondary use rules to health data holders (Article 50)
A central element of Chapter IV is the definition of which actors are subject to secondary use obligations.
Who are the health data holders?
The exact definition is found in Article 2, paragraph 2, letter t) (page 33 of the document). "Health data holder" means:
Any natural or legal person, public authority, agency or other body in the healthcare or care sector (including reimbursement services where necessary).
Any natural or legal person who:
Develops products or services intended for the health, healthcare or care sector.
Develops or creates wellness applications (for example, fitness apps or health monitoring apps that process health data).
Carries out scientific research related to the healthcare or care sector.
Acts as a mortality registry.
As well as the institutions, bodies or agencies of the Union that have:
The right or obligation (in accordance with applicable Union or national law, and in their capacity as controller or joint controller) to process personal electronic health data for the purposes of providing healthcare or care, or for public health purposes, reimbursement, research, innovation, policy-making, official statistics, patient safety or regulation.
Or the ability to make non-personal electronic health data available through control of the technical design of a product and related services (including through registration, delivery, restriction of access or exchange of such data).
Specific examples mentioned in the recitals (pages 15-17):
Healthcare providers, such as hospitals, pharmacies, doctors, primary or specialised care centres, clinics, and care services (including orthopaedic or care companies).
Entities that collect data for research, statistics, health threat assessment, policy-making or regulation (for example, cancer, rare disease or mortality registries).
Developers of wellness applications that process health data.
Public or private institutions that receive public funding to collect and process health data.
These holders must make the data available through health data access bodies designated by the Member States (one per country, or several if justified), which act as intermediaries for secondary use. Judicial entities or private insurance companies not related to health reimbursements are not included.
Exempted categories
Article 50 establishes explicit exemptions for:
Natural persons, including individual researchers
Microenterprises, as defined in Recommendation 2003/361/EC
These exemptions aim to prevent disproportionate regulatory burdens on actors with limited resources, while still fostering innovation and research.
National flexibility for Member States
At the same time, the Regulation grants Member States significant flexibility. They may, through national law:
Extend secondary use obligations to exempted categories under their jurisdiction
Assign obligations of certain health data holders to health data intermediaries, without removing the status of the original data holders
This approach respects national specificities while preserving a coherent European framework.
Notification obligations
Member States must notify the European Commission of any such national measures by 26 March 2029, and without delay of any subsequent amendments, ensuring transparency and EU-wide coordination.
Minimum categories of electronic health data for secondary use (Article 51)
Article 51 defines the core dataset that health data holders must make available for secondary use. This provision is key to understanding the true scope of the EHDS.
Clinical and healthcare system data
The Regulation includes essential categories such as:
Electronic health record (EHR) data
Healthcare administrative data, including dispensing, reimbursement claims, and payments
Medical and mortality registries
Aggregated data on healthcare needs, resources, access, and expenditure
These datasets enable evidence-based evaluation and improvement of healthcare systems.
Health determinants and population-level data
Recognising that health extends beyond clinical care, the EHDS also covers:
Socioeconomic, environmental, and behavioural determinants of health
Population-based public health registries
Research data from surveys and questionnaires, after first publication of results
This supports comprehensive analyses of prevention, equity, and public health outcomes.
Highly sensitive and high-value scientific data
The Regulation explicitly includes data critical for advanced research and personalised medicine, such as:
Human genetic, genomic, and epigenomic data
Other molecular and omics data (proteomics, transcriptomics, metabolomics, lipidomics, etc.)
Data from biobanks and associated databases
Data on pathogens affecting human health
Given their sensitivity, Member States may introduce stricter national safeguards and additional protective measures for these data categories.
Data generated by medical technology and digital health
The EHDS framework also encompasses:
Automatically generated data from medical devices
Data from wellness and health apps
Data from clinical trials and clinical investigations covered by EU medical and pharmaceutical legislation
This reflects the growing role of digital health technologies and real-world data in healthcare innovation.
Expanding data categories and strengthening safeguards
The Regulation is deliberately flexible. Member States may:
Add further categories of health data for secondary use
Establish specific rules for processing enhanced datasets—such as corrected, annotated, or enriched data—based on a data permit
Introduce additional national safeguards for particularly sensitive data
This ensures that the EHDS can evolve alongside scientific, technological, and societal developments.
Strategic implications for health data spaces
Chapter IV provides the legal foundation for a federated, secure, and regulated model of health data reuse in Europe. For operators of health data spaces, healthcare providers, public authorities, and technology companies, this implies:
Designing architectures that support regulated secondary use
Implementing governance, traceability, and access-control mechanisms
Preparing for interoperability with health data intermediaries
Embedding compliance into system design (“compliance by design”)
Conclusion
The secondary use regime of the EHDS transforms health data into a strategic European asset, balancing innovation, public interest, and fundamental rights. Chapter IV does more than impose legal obligations—it establishes a shared legal infrastructure for Europe to lead in health research, personalised medicine, and data-driven policymaking.
The remaining challenge is no longer regulatory, but operational: turning this legal framework into trustworthy, functional, and interoperable health data spaces aligned with European values.
