Data Strategy — Healthcare interoperability

The European Health Data Space (EHDS) regulation requires each Member State to designate health data access bodies within 12 months of the regulation's entry into force, targeting March 2025. Those bodies will gatekeep secondary-use permits, monitor anonymization safeguards, and coordinate with HealthData@EU infrastructure. This deadline marks a key moment in European health data governance, establishing the institutional framework that will govern how health data can be accessed and used for research, innovation, and public health purposes across the EU.

European Health Data Space Framework

The EHDS represents the EU's most ambitious health data initiative, creating a common framework for primary use of health data by patients and healthcare providers, and secondary use for research, innovation, policy-making, and regulatory purposes. The regulation establishes harmonized rules across Member States while respecting national healthcare system diversity.

Primary use provisions enable patients to access their health records electronically across borders through the MyHealth@EU infrastructure. Healthcare providers can access patient information regardless of where care was originally provided. This interoperability transforms the patient experience and enables coordinated care across European healthcare systems.

Secondary use provisions create a regulated pathway for accessing health data for purposes beyond individual care. Research institutions, pharmaceutical companies, health technology developers, and public authorities can request access to health data through designated access bodies. Strong safeguards ensure data protection while enabling beneficial uses of health information.

Health Data Access Bodies

Each Member State must designate one or more health data access bodies responsible for processing secondary-use applications. These bodies serve as gatekeepers ensuring that data access requests meet legal requirements, protect individual rights, and serve legitimate purposes. Access bodies evaluate applications, grant or deny permits, and monitor compliance with access conditions.

Access body responsibilities extend beyond permit processing to broader governance functions. Bodies must maintain registries of approved data uses, publish transparency reports, and coordinate with other Member State access bodies. They also handle complaints from data subjects and data users, providing accountability mechanisms within the system.

The establishment of access bodies requires significant institutional capacity building. Member States must determine whether to designate existing authorities or create new dedicated bodies. Staffing, training, technology infrastructure, and procedural development all require attention before access bodies can operate effectively.

Secondary-Use Permit Framework

Researchers and other data users must obtain permits from access bodies before accessing health data for secondary purposes. Permit applications must show the legitimacy of the proposed use, adequacy of data protection measures, and proportionality of data requested. Access bodies evaluate applications against criteria specified in the regulation.

Legitimate purposes for secondary use include scientific research, innovation in health products and services, training AI algorithms, policy-making by public authorities, and official statistics. Commercial purposes are permitted where they serve broader health benefits, though access bodies may impose additional conditions. Uses that primarily serve commercial interests without public benefit may be restricted.

Permit conditions specify what data can be accessed, for how long, by whom, and under what security arrangements. Data users typically access data in secure processing environments rather than receiving datasets directly. Anonymisation or pseudonymization requirements protect individual identities while enabling meaningful analysis.

Data Protection and Security Requirements

The EHDS establishes strong data protection requirements building on GDPR foundations. Health data benefits from heightened protection given its sensitive nature. Access bodies must verify that proposed uses meet data protection requirements and that applicants have adequate security measures in place.

Processing environments for secondary-use health data must meet strict security standards. Access bodies may require that data be processed only in approved secure environments with appropriate access controls, audit logging, and output review procedures. These environments prevent unauthorized data extraction while enabling legitimate analysis.

Anonymisation and pseudonymization standards ensure individual patients cannot be identified from accessed data. Technical measures, statistical disclosure controls, and contractual restrictions combine to protect privacy. Access bodies verify that data protection measures are appropriate for the sensitivity of data being accessed and the nature of proposed uses.

Cross-Border Data Access

The HealthData@EU infrastructure enables cross-border secondary-use data access through coordination between national access bodies. Researchers can submit applications requesting data from multiple Member States, with coordination mechanisms ensuring consistent processing. This cross-border capability is essential for pan-European research requiring diverse population data.

Technical interoperability standards ensure that data from different Member States can be combined meaningfully. Common data models, coding systems, and quality standards enable valid cross-country analysis. The infrastructure provides secure channels for data transfer and processing while maintaining Member State authority over their citizens' data.

Cross-border access involves coordination between the access body receiving the application, access bodies in countries whose data is requested, and the central coordination function. Timelines and procedures for multi-country applications ensure reasonable processing while allowing adequate review by all relevant authorities.

Preparation for Access Body Designation

Organizations that expect to request secondary-use access should engage with emerging access bodies early. Understanding application requirements, processing timelines, and evaluation criteria helps prepare successful applications. Relationships with access body staff help efficient processing and clarify expectations.

Data holders including hospitals, research institutions, and digital health platforms should prepare for data provision obligations. Understanding what data may be requested, required formats, and quality standards enables advance preparation. Technical infrastructure for secure data provision should be developed before access bodies become operational.

Compliance programs should address both data access and data provision aspects of EHDS obligations. Organizations may simultaneously be data users requesting access and data holders responding to requests. Integrated governance frameworks ensure consistent approaches across roles.

Implementation Timeline and Preparation

The March 2025 access body designation deadline represents the beginning rather than the end of EHDS setup. Designated bodies will require months to develop operational procedures, build technical infrastructure, and train staff before processing applications. Early access applications may face extended timelines as bodies develop capacity.

Member State setup approaches will vary based on existing institutional landscapes and healthcare system structures. Some countries may designate existing health authorities while others create new dedicated bodies. Monitoring national setup choices helps organizations understand where to direct applications and what to expect.

EU-level coordination mechanisms will develop alongside national setup. The EHDS Board, comprising Member State representatives, will coordinate cross-border matters and develop common standards. Monitoring Board activities provides insight into evolving interpretations and expectations.

Strategic Considerations

If you are affected, develop EHDS strategies addressing both opportunities and obligations. Research institutions may find new data access opportunities enabling previously impossible studies. Health technology companies may access data for AI development and product improvement. Pharmaceutical companies may access real-world data for regulatory and commercial purposes.

Compliance investments should be proportionate to anticipated EHDS engagement levels. Organizations expecting frequent secondary-use applications should invest in permit preparation capabilities and secure processing infrastructure. Data holders should assess data quality, documentation, and provision readiness against emerging requirements.

The EHDS creates a new competitive environment for health data access and use. Organizations that develop effective access body relationships and permit preparation capabilities may gain advantages in accessing valuable health data. Early engagement with the evolving framework builds institutional knowledge and relationships.

Similar analysis

Additional analysis covering similar themes.

Data Strategy · Credibility 73/100 · April 24, 2024

Data Strategy — Healthcare interoperability

The European Parliament approved the European Health Data Space, launching final negotiations on secondary-use permits, EHR certification, and cross-border infrastructure build-outs that land in 2025.

Data Strategy · Credibility 73/100 · March 15, 2024

Data Strategy — EU regulation

EU institutions reached a provisional agreement on the European Health Data Space, setting governance for primary and secondary health-data use across Member States.

Data Strategy · Credibility 86/100 · June 30, 2025

Data Strategy — EU regulation

EU Data Altruism organization registration and audit requirements are now enforceable. If you are operating as a recognized data altruism organization, you need independent audits and transparent governance. This is part…

Data Strategy · Credibility 73/100 · October 17, 2024

Nis2 Transposition Deadline

NIS2 transposition deadline was October 17, 2024. Member states varied in their readiness, creating a patchwork of national implementations. Check your specific jurisdictions for applicable requirements and enforcement…

Data Strategy · Credibility 91/100 · August 22, 2025

Data Strategy — Data portability

The EU Data Act goes live September 12, 2025. You have got weeks to finalize data portability for users, set up fair compensation models, and get your B2B contracts in order. The clock is ticking.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

March 20, 2025

Coverage pillar

Data Strategy

Source credibility

86/100 — high confidence

Topics

Healthcare interoperability · EU regulation · Data governance

Sources cited

3 sources (health.ec.europa.eu, europarl.europa.eu, iso.org)

Reading time

6 min

Further reading

1. European Health Data Space — European Commission
2. Parliament gives the go-ahead to the European Health Data Space — European Parliament
3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization