Zum Hauptmenü Zum Inhalt
Stetoskop

The EHDS – new rules for health data: overview and outlook

Authors: Gisela Ernst and Dominique Korbel

On March 25th, 2025, Regulation (EU) 2025/327 on the European Health Data Space (EHDS Regulation) entered into force – marking a significant milestone in the digitalization of healthcare in Europe.

The European Health Data Space (EHDS) aims to enable the secure and efficient exchange of health data across national borders and represents the first common EU data space as part of the European Data Strategy. The regulation builds on the GDPR, the Data Governance Act, and the Data Act, while introducing additional specific provisions for the healthcare sector. The EHDS Regulation addresses EU-wide access to electronic health data both for the provision of healthcare services (primary use) and for reuse in areas such as research or innovation (secondary use). Furthermore, it establishes a harmonized legal framework for electronic health record systems (EHR systems).. 

In the following, we take a closer look at selected aspects of the EHDS Regulation and explore potential challenges posed by this new legal framework.

Primary use of health data

The EHDS Regulation governs the primary use of health data with the aim of enabling and facilitating individuals to access, control, and share their electronic health data across borders for the provision of healthcare services.

Patients have the right to restrict access – either fully or partially – to their personal electronic health data exchanged via EHDS infrastructures (Art. 8 EHDS Regulation). Furthermore, member states may offer an opt-out option under national law for the cross-border exchange of electronic health data within the EHDS framework (Art. 10 EHDS Regulation); national storage remains unaffected by this.

The EHDS Regulation defines priority categories that must be made electronically accessible across the EU via EHR systems in a standardized and nationally registered format. According to Art. 14 EHDS Regulation, these categories include various types of data. Austria’s status regarding the availability of these data (in ELGA – Electronic Health Record) is as follows:

  • The Patient Summary – a standardized overview of essential patient data – is currently not yet integrated into Austria’s ELGA system. However, conceptual development is already well underway, paving the way for future implementation. All necessary technical prerequisites are already in place, positioning Austria as a pioneer and role model within the EU.
  • Electronic prescribing (ePrescription and eDispensation) is already established in Austria in a national form through the e-prescription system. However, existing systems still need to be aligned with EHDS standards to ensure EU-wide interoperability.
  • In the area of imaging diagnostics (e.g., X-rays or MRI scans), the technical foundation is already in place. However, full-scale implementation is still in the rollout phase, meaning that not all healthcare providers in Austria are yet fully connected or able to submit corresponding imaging results.

However, all the technical prerequisites are already in place, so that Austria is also taking on a pioneering and exemplary role across the EU.

  • An expansion is currently underway for various types of medical reports, particularly laboratory results. From July 1st, 2025, office-based physicians will be required to store laboratory and radiology reports – including related images – in ELGA. Starting January 1st, 2026, all relevant health data must be stored in ELGA, and from January 1st, 2028, this requirement will also apply to pathology reports.
  • Discharge summaries (referred to in Austria as “Entlassungsbriefe”) are already routinely made available in ELGA upon discharge from the hospital.

In summary, Austria is already very well positioned compared to other European countries. Many health data types are already structured and recorded in ELGA, which provides a solid starting point for adapting to the EHDS requirements.

Secondary use of health data

The EHDS Regulation governs the secondary use of health data with the aim of promoting research, innovation, and evidence-based policymaking within the EU. Currently, due to numerous opening clauses in the GDPR, there is no harmonized legal framework for the secondary use of health data across the EU, which leads to limited cross-border availability of electronic health data and, among other things, to challenges in cross-border research projects. Such a framework is also lacking at the national level, as most datasets have not been made available via the Austrian Micro Data Center (AMDC) for political or legal reasons.

With the EHDS Regulation, a uniform legal framework has now been established for access to electronic health data for secondary use within the EU, granting a legal right to the provision of electronic health data if the requirements set out in Chapter IV of the EHDS Regulation are met. Other Union legal acts that also address the secondary use of electronic health data are not affected by the EHDS Regulation.

  • What is meant by the secondary use of electronic health data?

What is meant by the secondary use of electronic health data?

The EHDS Regulation defines secondary use as the processing of electronic health data for the purposes listed in Chapter IV of the EHDS Regulation, provided these are not the purposes for which the data were originally collected or generated. Therefore, for classification purposes, the primary purpose of use specified by the health data holder and the secondary purpose of use pursued by the health data user must be compared.

  • Permitted purposes of secondary use 

The secondary use of health data is limited to specific purposes (Art. 53 (1) EHDS Regulation). The EHDS Regulation distinguishes the following six categories of purposes:

  1. Public interest in the areas of public health and occupational health
  2. Policy-making and regulatory activities
  3. Statistics in the area of healthcare or the care sector
  4. Educational and training activities in healthcare or the care sector, at vocational or higher education level
  5. Scientific research, including development and innovation activities for products or services, and the training, testing, and evaluation of algorithms
  6. Improvement of the delivery of care and healthcare, optimization of treatment

The first three categories are reserved for public authorities as well as bodies, institutions, and other entities of the Union that carry out tasks assigned to them under Union or national law. The remaining categories, by contrast, are generally accessible to all data users.

  • Access rules

Access to health data is granted through national access points (Data Access Bodies), which are interconnected via the EU HealthData@EU infrastructure. Although the current government program references the EHDS in several places, it is not yet clear who will be responsible for this at the national level.

Access is granted on the basis of a data permit (Art. 68 EHDS Regulation), an approved health data request (Art. 69 EHDS Regulation), or access permission from an authorized participant of HealthData@EU. Health data holders are required – upon request from the access body based on a data permit or data request – to provide certain categories of data, including electronic health data from EHR systems, clinical trials, and medical registries. These data are generally provided in anonymized form, and pseudonymized if required by the processing purpose.

The EHDS Regulation also explicitly prohibits certain processing purposes, such as making decisions that harm natural persons, conducting advertising or marketing activities or developing harmful products like illicit drugs or alcoholic beverages (Art. 54 EHDS Regulation).

  • Data subject rights

Access bodies are required to make publicly available the conditions under which electronic health data are made accessible for secondary use. This information must be easily searchable online and accessible to individuals. In addition, data subjects have the right to object to the processing of their personal electronic health data for secondary use, thus ultimately implementing the previously discussed opt-out mechanism.

Outlook

The phased entry into force starting in 2027 is already having an impact on a wide range of stakeholders in the healthcare sector and will have a lasting influence on various regulations in the (Austrian) healthcare system. We can therefore expect numerous adjustments at the legislative and regulatory level (particularly in the GTelG and its related ordinances), as well as new responsibilities for certain entities acting as “Health Data Access Bodies.”

Our health law experts are happy to keep you informed about these developments and are available to answer your questions or provide practical support.

Disclaimer

This article is for general information only and does not replace legal advice. Haslinger / Nagele Rechtsanwälte GmbH assumes no liability for the content and correctness of this article.

You can find more information on this area of law here:

Life Sciences & Gesundheitsrecht
Life Sciences & Health Law

Authors

Gisela Ernst

Associate
Korbel Dominique

Dominique Korbel

Associate

 

2. April 2025

 
Go back to News
  • Referenz | Haslinger / Nagele, Logo: JUVE Awards
  • JUVE Top 20 Wirtschaftskanzlei-Oesterreich
  • Chambers Europe Top Ranked 2025 Logo
  • Legal500 EMEA Ranking Logo 2025
  • Promoting the best. Women in Law Award