Guest article by Jan Penfrat, Senior Policy Advisor, European Digital Rights (EDRi)
The European Health Data Space (EHDS) is a new EU law proposed to improve how people’s medical data can be used. That includes the ability for hospitals and physicians to share information about their patients with expert colleagues abroad. For example, it’s supposed to make it easier for a general physician in Sweden to receive a digital copy of their Romanian patient’s CT scan results from a radiologist in Romania in order to continue treatment.
But the EHDS also proposes to legally compel hospitals and physicians to hand out medical records to a newly created government agency which, in turn, can allow access to anyone who claims a research interest. That includes not only academics but also pharmaceutical companies, wellness app startups and even data-harvesting Big Tech corporations like Google and Facebook.
Your medical records include details of physical, mental and sexual health, drug and alcohol history, and any family and work-related problems that you thought you’d disclosed in confidence to your physician only. What’s worse is that the information in medical records is almost impossible to effectively anonymise, meaning it’s relatively easily identifiable as yours.
Unsurprisingly, 75% of Europeans said in a recent Ipsos poll that they are only willing to grant researchers access to their medical records if they have been asked for their explicit consent, but the EHDS as proposed by the EU Commission does not foresee patients to be asked for permission; it does not even include a right to object to this kind of data sharing.
That is why over a dozen organisations representing patients, medical professionals, persons with disabilities, consumer and digital rights organisations, as well as workers and trade unions have written to members of the EU Parliament, urging them to introduce a consent requirement in the EHDS. This is crucial for protecting patients and ensuring they have control over the use of their private medical records.
What’s more, forcing the medical data of millions of people into a centralised government database creates an incredibly attractive target for cyberattacks: Just last year, a criminal ransomware gang has broken into the medical database of a healthcare systems provider in the US and started publishing nude pictures of female breast cancer patients on the internet after the provider refused to pay the ransom.
Medical research is incredibly important and often relies on access to such data to develop new medication and advance our understanding of the human body. But whoever wants to do that research must always ask for our permission to use our data first. Ideally, researchers should also be obliged to release their results back to the public, so that it can be of maximum common value to us all.
Without a consent requirement for secondary use, the EHDS would make medical professionals complicit in the forced commercialisation and monetisation of our health. It would destroy the Hippocratic oath of confidentiality by which every medical professional is supposed to be bound.
Several EU lawmakers have proposed to add such a consent requirement to the EHDS. It’s now up to medical professionals and their representatives to convince legislators to vote in their favour so that we can continue to entrust our physicians with the most intimate details of our physical, mental and sexual health.
Disclaimer: the opinions – including possible policy recommendations – expressed in the article are those of the author and do not necessarily represent the views or opinions of EPHA. The mere appearance of the articles on the EPHA website does not mean an endorsement by EPHA.