What is the difference between primary and secondary use of health data?

Primary use is for individual patient care (e.g., healthcare professionals accessing patient records). Secondary use is for research, innovation, policy-making, and public health — accessed through health data access bodies with a data permit.

Can researchers re-identify data subjects under EHDS?

No, Article 41 of EHDS explicitly prohibits re-identification of data subjects. Data users must process data only in secure processing environments provided by the access body.

What is a Health Data Access Body?

A Health Data Access Body is a national body designated by each Member State to manage health data access for secondary use. It evaluates applications, issues data permits, provides secure processing environments, and monitors compliance.

EHDS

European Health Data Space

Your health data, your choice — but also science's opportunity

The European Health Data Space (EHDS) creates a framework for sharing and using health data across the EU — both for individual care (primary use) and for research, innovation, and policy-making (secondary use). It gives patients more control over their health data while opening up anonymised datasets for researchers. Think of it as GDPR's health-conscious cousin who also believes in open science.

Scope

Electronic health data in the EU: EHR systems, health data held by public and private entities, and data used for secondary purposes (research, statistics, policy). Covers manufacturers of EHR systems, healthcare providers, and anyone wanting to access health data for secondary use.

Geographic reach

EU-wide regulation. Establishes national health data access bodies in each Member State and a cross-border infrastructure (HealthData@EU) for cross-border data sharing.

In effect since

Expected 2025 (phased implementation over 2–6 years depending on provisions)

Purpose

To empower patients with access and control over their health data, enable healthcare professionals to access patient records across borders, and unlock the potential of health data for research and public health — all while maintaining strong privacy protections. Because your blood test results shouldn't be trapped in one hospital's PDF system.

Jump to your role:

Health Data Holder

You hold electronic health data — as a healthcare provider, public health authority, research institution, or private entity with health-related datasets. If you have health data and someone might want to use it for secondary purposes (research, statistics, policy), you're a data holder under EHDS.

Your obligations

Make required datasets available for secondary use when requested through a health data access body (Art. 33)
Provide data in an interoperable, machine-readable format (Art. 33.2)
Respond to data access requests within the timeframe set by the health data access body (Art. 37)
Ensure data quality and provide metadata descriptions for your datasets (Art. 34)
Do not use your data holder position to extract unfair terms from data users (Art. 33.5)
Cooperate with the health data access body in your Member State (Art. 36)
Implement appropriate security measures to protect the data you hold (Art. 33.4)

Key articles

Art. 33 — Data holder obligationsArt. 34 — Data quality and metadataArt. 36 — Health data access bodiesArt. 37 — Data access procedures

Pro tip

Start cataloguing your datasets now — what data you hold, in what format, covering what time period, and at what quality level. When the access body comes calling, having a clear data catalogue makes everything smoother.

Authorised Data User

You want to access health data for secondary use — research, innovation, policy analysis, or public health purposes. You need a data permit from a health data access body to access the data, and you can only use it in a secure processing environment. No downloading datasets to your laptop.

Your obligations

Apply for a data permit through the relevant health data access body (Art. 46)
Clearly state the purpose of your data use — it must fall within permitted secondary use categories (Art. 34)
Process data only in the secure processing environment provided by the access body (Art. 50)
Do not attempt to re-identify data subjects — this is explicitly prohibited (Art. 41)
Publish your findings and acknowledge the data source (Art. 46.10)
Delete or return data when the permit expires (Art. 46.8)
Pay applicable fees as set by the access body (Art. 42)

Key articles

Art. 34 — Permitted secondary use categoriesArt. 41 — Prohibition of re-identificationArt. 42 — FeesArt. 46 — Data permitArt. 50 — Secure processing environment

Pro tip

Write your data access application as if a privacy expert will review it — because they will. Be specific about what data you need, why you need it, and how you'll use it. Vague applications get rejected.

Health Data Access Body

You're a national body designated by your Member State to manage health data access for secondary use. You receive applications from data users, evaluate them, issue data permits, and provide secure processing environments. You're the gatekeeper between data holders and data users — ensuring access is lawful, purposeful, and secure.

Your obligations

Evaluate data access applications and issue data permits (Art. 46)
Ensure data is provided in a secure processing environment (Art. 50)
Monitor compliance with data permit conditions (Art. 47)
Set and publish fees for data access (Art. 42)
Maintain a public catalogue of available datasets (Art. 38)
Cooperate with other Member State access bodies via HealthData@EU (Art. 52)
Handle cross-border data access requests (Art. 45)
Report on your activities annually (Art. 36.7)

Key articles

Art. 36 — Health data access bodiesArt. 38 — Dataset catalogueArt. 42 — FeesArt. 45 — Cross-border accessArt. 46 — Data permitsArt. 50 — Secure processing environmentArt. 52 — HealthData@EU

Pro tip

Invest in your dataset catalogue early. A well-maintained, searchable catalogue with clear metadata reduces the back-and-forth with applicants and makes your own evaluation process faster.

How Euregas can help

Available tools

Data holder management — register and manage your organisation's health datasets
Patient rights — handle data access, portability, and restriction requests
Dataset management — catalogue datasets with metadata, format, and quality indicators
Data permit tracking — manage permit applications, approvals, and expiry dates
Data Sharing Agreement (DSA) management — template and track agreements
Deviation tracking — log and follow up on compliance deviations
Correspondence — manage communication with access bodies, data users, and authorities
Country comparison — compare fees, SLA, and regulations across EU Member States

AI-assisted features

AI EHDS compliance assessment — comprehensive analysis of your organisation's EHDS readiness
AI EHR interoperability analysis — evaluate your electronic health record systems against EHDS requirements
AI Art. 46 secondary purpose validation — check if your intended secondary use is permitted under EHDS
Semantic search across EHDS articles and recitals

Note

EHDS is Euregas's most AI-intensive regulation module. The compliance assessment, interoperability analysis, and purpose validation all use AI to provide detailed, actionable insights.

All examples are fictional and for illustrative purposes only.