
European Health Data Space: What clinics need to know

The EHDS entered into force in March 2025. Understand what it means for your clinic, key compliance timelines, and how to prepare now.

Across Europe, the way patient health data is collected, stored, and shared is about to change significantly. The European Health Data Space, known as the EHDS, entered into force on 26 March 2025 as Regulation EU 2025/327, and its implementation is now underway across all EU member states. For clinic administrators, this is not an abstract policy development. It introduces concrete obligations around data standards, patient rights, and system interoperability, and the preparation window is already open.

What is the European Health Data Space?

The EHDS is an EU regulatory framework designed to give citizens greater control over their health data while enabling the secure, cross-border sharing of that data for care delivery, medical research, and public health policy. As described by the European Commission, it forms a cornerstone of the European Health Union, a broader effort to build resilience and coordination across member states' health systems.

The EHDS is a regulation, not a voluntary initiative. It applies directly and uniformly across all EU member states without requiring separate national legislation to transpose it. Every healthcare provider operating within the EU falls within its scope.

The regulation is structured around three core strands: the primary use of health data (giving patients access to and control over their own records), the secondary use of health data (enabling anonymised data to be used for research and policy), and the certification of medical record systems. All three have implications for how clinics operate.

Why the EU created the EHDS, and why it matters now

The EHDS was created to address a well-documented structural problem: health data across Europe is fragmented, inconsistently formatted, and largely unable to move between systems or across borders. As noted in research published in the European Journal of Public Health, EU member states face significant challenges in using health data for secondary purposes, constrained by inconsistent digital health systems and limited cross-border sharing capacity.

This fragmentation has real consequences. Patients travelling or relocating within the EU cannot easily share their medical history with a new provider. Researchers cannot access the large, standardised datasets needed to study rare diseases or evaluate treatments at scale. Policymakers lack the data infrastructure to respond effectively to cross-border health threats.

A review published in BMC Medical Ethics examining the practicality of the EHDS proposal found that the regulation represents a significant step toward responsible and standardised health data use. The authors also note that implementation challenges, particularly around AI and ethics, remain unresolved.

The regulation entered into force in March 2025, with phased implementation running through to 2031. Some obligations are already active, and the preparation clinics do now will determine how smoothly they navigate the years ahead.

Who does the EHDS apply to?

The EHDS applies to all healthcare providers established and operating within the EU. This includes:

  • General practice and primary care clinics

  • Specialist outpatient clinics

  • Hospitals and inpatient facilities

  • Private care providers and independent practitioners

  • Any organisation that handles patients' electronic health data

As Skadden's legal briefing makes clear, the regulation applies regardless of the size of the organisation. A single-GP practice and a large hospital network are both in scope. The determining factor is whether the entity handles patient health data within the EU, and for most clinics, the answer is straightforwardly yes.

As Covington & Burling highlight, the regulation applies to EU-established entities. Organisations based outside the EU that process data about EU patients may face different or additional considerations under the General Data Protection Regulation (GDPR), but the EHDS itself is scoped to those operating within the Union.

The two pillars of the EHDS: primary and secondary use of health data

Understanding the EHDS requires distinguishing between its two principal components, which carry different obligations for clinics.

Primary use refers to the use of health data in the direct delivery of care. Under the EHDS, patients gain strengthened rights to access their own health records, share that data with other providers, and carry it across borders. For clinics, this means ensuring that patient data is held in formats that can be accessed and transferred in compliance with the regulation's standards.

Secondary use refers to the controlled use of health data, in anonymised or pseudonymised form, for purposes beyond individual care: medical research, clinical trials, public health surveillance, and policy development. This is governed through a new EU-wide infrastructure called HealthData@EU, supported by national Health Data Access Bodies in each member state. Clinics that contribute data to registries or research programmes will need to understand how this infrastructure applies to them.

As Stibbe's analysis notes, the EHDS presents both an opportunity and a compliance burden for healthcare institutions. The secondary use framework opens new possibilities for data-driven research, but requires robust governance to ensure data is handled appropriately.

What data does the EHDS cover?

The EHDS covers a broad range of electronic health data. Based on the official regulation text and supporting legal analyses, the categories in scope include:

  • Electronic health records and patient summaries

  • ePrescriptions and medication records

  • Medical imaging data and associated reports

  • Laboratory test results

  • Discharge summaries

  • Genomic data (in the context of secondary use)

  • Data from medical devices and wellness applications (under certain conditions)

Clinic administrators should map their own data holdings against this list. If your practice generates, stores, or transmits any of these data types, which most clinics do, you are holding EHDS-relevant data and will need to assess your obligations accordingly. Understanding your clinical documentation practices is a useful starting point for this mapping exercise.

Key interoperability requirements for clinics

One of the most operationally significant aspects of the EHDS is its requirement for common data standards and technical formats. The regulation mandates the use of standards such as HL7 FHIR (Fast Healthcare Interoperability Resources, a technical standard for exchanging health data between systems) to ensure that health data can move between systems and across borders in a consistent, machine-readable format.

For clinic administrators, this has practical implications:

  • Your current medical record system may need to be assessed for FHIR compatibility

  • Medical record systems used within the EU will need to meet certification requirements under the EHDS

  • Clinics procuring new systems should verify that vendors are building toward EHDS-compliant standards

Research examining EU-funded eHealth interoperability projects preceding the EHDS found that over €200 million in public investment has gone into cross-border interoperability efforts over the past two decades, and that recovering lessons from these projects is essential as member states move toward EHDS compliance. Interoperability is not a new problem, but the EHDS creates a binding framework for solving it.

A case study of Italy's national health data ecosystem illustrates the scale of the challenge: even well-resourced national systems face significant technical and organisational barriers in meeting EHDS requirements. Clinics should not assume that national-level infrastructure will be ready by default. Understanding your own system's capabilities is essential.

Patient rights under the EHDS, and what that means for your practice

The EHDS significantly expands patients' rights in relation to their health data. As research published in Frontiers in Medicine notes, the regulation aims to empower citizens in the primary use of their health data by giving them access to their records and a meaningful role in how that data is governed.

Under the EHDS, patients have the right to:

  • Access a digital copy of their health data, including records held by their clinic

  • Share their health data with other providers, including across EU borders, through the MyHealth@EU infrastructure

  • Restrict certain secondary uses of their data

  • Receive clear information about how their data is being used

For clinic administrators, these rights translate into operational requirements. Practices will need processes to respond to patient data access requests in a timely and compliant manner. Staff will need to understand what data can be shared, with whom, and under what conditions. The European Association of Urology has noted that while the framework for cross-border data access is clear in principle, questions about enforcement and practical implementation at the clinic level remain open, a realistic caution for administrators planning their compliance approach.

How the EHDS relates to GDPR

A common question among clinic administrators is whether the EHDS replaces GDPR. It does not. As Kennedys Law explains, the EHDS overlays rather than replaces GDPR, adding health-data-specific obligations on top of the existing data protection framework. The EHDS also intersects with the AI Act, the Medical Device Regulation (MDR), and NIS2 (the EU's network and information security directive).

In practice, this means:

  • GDPR compliance remains a baseline requirement. The EHDS does not relax any existing obligations.

  • The EHDS introduces additional requirements specific to health data, including around interoperability, patient access, and secondary use governance.

  • Clinics that have invested in strong GDPR compliance have a foundation to build on, but further steps are required.

The Healthy Europe policy analysis highlights a genuine tension here: the EHDS's secondary use provisions, which enable broader access to health data for research purposes, must be carefully balanced against GDPR's principles of data minimisation and purpose limitation. This tension is not fully resolved in the regulation and will likely be worked out through national implementation guidance and supervisory authority decisions over time.

Implementation timeline: when do clinics need to be ready?

The EHDS operates on a phased implementation schedule running from 2025 to 2031. Based on the European Commission's official timeline and analysis from EY, the key milestones are:

  • 2025: Regulation in force; member states begin establishing Health Data Access Bodies; medical record system certification frameworks begin development

  • 2027: Core primary use provisions apply; patients must be able to access their electronic health data through national MyHealth@EU-connected infrastructure; cross-border patient data access begins in participating member states

  • 2029: Expanded secondary use provisions come into effect; HealthData@EU infrastructure operational across member states

  • 2031: Full implementation expected across all member states and all data categories

Implementation timelines may vary by member state, and national authorities will issue their own guidance. Clinics should monitor both EU-level developments and their own national health ministry communications. Covington & Burling advise that organisations should begin preparing now despite remaining uncertainties, rather than waiting for full regulatory clarity.

What clinic admins should be doing now to prepare

Full EHDS compliance is not required immediately across all provisions, but the groundwork needs to start now. The following steps represent a practical starting point, not an exhaustive compliance programme:

  • Audit your current data holdings: Identify what categories of electronic health data your clinic generates, stores, and transmits, and map these against the EHDS data categories in scope.

  • Assess your medical record systems: Determine whether your current systems support HL7 FHIR or are on a roadmap toward EHDS-compliant interoperability standards. Ask your vendors directly.

  • Review your GDPR compliance baseline: Ensure your existing data protection policies, consent processes, and data subject rights procedures are current and well-documented. These form the foundation for EHDS compliance.

  • Engage your IT and legal teams early: The EHDS has both technical and legal dimensions. Both functions need to be involved in planning, and external legal advice may be warranted for complex cases.

  • Prepare for patient rights requests: Build or review processes for responding to patient requests for data access and data portability, including cross-border scenarios.

  • Monitor national implementation guidance: Your national health ministry and data protection authority will issue specific guidance. Sign up for relevant updates and track developments.

  • Evaluate staff training needs: Clinical and administrative staff will need to understand the new patient rights framework and how to handle data requests appropriately.

The European Commission's impact assessment for the EHDS projected that the regulation could generate €11 billion in savings across the EU over the next decade and drive a 20 to 30 per cent expansion in the digital health sector. Realising those benefits requires upfront investment in IT infrastructure and staff training at the clinic level.

How AI and clinical documentation tools fit into the EHDS landscape

Clinical AI tools, including AI medical assistants that generate or process clinical documentation, intersect with the EHDS in several important ways. These tools typically handle sensitive health data in real time, and the EHDS's requirements around data standards, data residency, and security apply directly to how that data is processed and stored.

The European Data Portal's analysis highlights that AI-powered clinical decision support systems trained on EHDS-accessed anonymised datasets could help clinicians identify rare diseases and personalise treatment, pointing to genuine clinical value from the secondary use framework. The systematic review in BMC Medical Ethics cautions that the ethical and practical challenges of integrating AI into the EHDS framework remain incompletely resolved, particularly around accountability, transparency, and the risk of algorithmic bias in clinical settings.

For clinic administrators evaluating current or future clinical technology vendors, the EHDS creates a clear due diligence requirement:

  • Data residency: Where is patient data processed and stored? EU data residency is increasingly relevant under both GDPR and EHDS.

  • Interoperability: Can the tool output structured data in EHDS-compatible formats, or does it create data silos?

  • Security standards: Does the vendor hold recognised certifications such as ISO 27001 (an international standard for information security management), and do their data security and privacy practices meet the encryption and access control requirements outlined under the EHDS?

  • Medical device status: If the tool constitutes a medical device under the MDR, separate regulatory obligations apply alongside the EHDS.

As Kennedys Law notes, the EHDS sits alongside the AI Act, MDR, and NIS2 in a layered regulatory environment. Clinics adopting AI-powered documentation tools should ensure their vendors are building with this full regulatory landscape in mind, not just point-in-time GDPR compliance.

The EHDS introduces real obligations for clinic administrators, alongside a structured framework for thinking about data quality, patient rights, and system interoperability. Addressing these systematically can strengthen clinical operations over the long term.

Frequently asked questions

What is the European Health Data Space and when does it apply?

The European Health Data Space (Regulation EU 2025/327) is an EU regulatory framework that entered into force on 26 March 2025. It gives patients greater control over their health data and enables secure, cross-border sharing of that data for care delivery, medical research, and public health policy. It applies directly across all EU member states without requiring separate national legislation, and implementation runs in phases through to 2031.

Which healthcare providers does the EHDS apply to?

The EHDS applies to all healthcare providers established and operating within the EU, regardless of size. General practices, specialist outpatient clinics, hospitals, private care providers, and independent practitioners all fall within scope. The determining factor is whether an organisation handles patients' electronic health data within the EU. A single-GP practice and a large hospital network are both covered.

What types of health data does the EHDS cover?

The EHDS covers a broad range of electronic health data, including patient summaries, ePrescriptions, medication records, medical imaging data and associated reports, laboratory test results, discharge summaries, genomic data (in the context of secondary use), and data from medical devices and wellness applications under certain conditions. Most clinics will already hold data across several of these categories.

What is the difference between primary and secondary use of health data under the EHDS?

Primary use refers to health data used in the direct delivery of care. Under the EHDS, patients gain strengthened rights to access their own records and share them with other providers across EU borders. Secondary use refers to the controlled use of anonymised or pseudonymised health data for purposes beyond individual care, such as medical research, clinical trials, public health surveillance, and policy development. Secondary use is governed through a new EU-wide infrastructure called HealthData@EU, supported by national Health Data Access Bodies in each member state.

Does the EHDS replace GDPR?

No. The EHDS overlays rather than replaces the General Data Protection Regulation (GDPR). GDPR compliance remains a baseline requirement, and the EHDS adds health-data-specific obligations on top of it, covering interoperability, patient access rights, and secondary use governance. The EHDS also intersects with the AI Act, the Medical Device Regulation, and NIS2, the EU's network and information security directive. Clinics with strong GDPR compliance have a foundation to build on, but further steps are required.

What are the key interoperability requirements clinics need to know about?

The EHDS mandates the use of common data standards, including HL7 FHIR (Fast Healthcare Interoperability Resources, a technical standard for exchanging health data between systems), so that health data can move between systems and across borders in a consistent, machine-readable format. Clinic administrators should assess whether their current medical record systems support FHIR or are on a roadmap toward EHDS-compliant standards. Medical record systems used within the EU will also need to meet certification requirements under the regulation.

What new rights do patients have under the EHDS?

Under the EHDS, patients have the right to access a digital copy of their health data, share that data with other providers across EU borders through the MyHealth@EU infrastructure, restrict certain secondary uses of their data, and receive clear information about how their data is being used. For clinics, this means building processes to respond to patient data access requests in a timely and compliant manner, and ensuring staff understand what data can be shared, with whom, and under what conditions.

What are the key implementation deadlines for clinics?

The EHDS operates on a phased schedule. In 2025, the regulation came into force and member states began establishing Health Data Access Bodies. By 2027, core primary use provisions apply, and patients must be able to access their electronic health data through national infrastructure connected to MyHealth@EU. Expanded secondary use provisions come into effect in 2029, with full implementation expected across all member states and data categories by 2031. Implementation timelines may vary by member state, so clinics should monitor both EU-level developments and national health ministry communications.

What should clinic administrators be doing now to prepare for the EHDS?

Practical preparation steps include auditing your current data holdings against the EHDS data categories in scope, assessing whether your medical record systems support HL7 FHIR or are moving toward EHDS-compliant standards, reviewing your existing GDPR compliance baseline, and building processes for responding to patient data access and portability requests. Engaging IT and legal teams early is advisable, as is monitoring national implementation guidance from your health ministry and data protection authority. Staff training on the new patient rights framework will also be needed.

How does the EHDS affect clinics using AI clinical documentation tools?

Clinical AI tools that generate or process clinical documentation handle sensitive health data in real time, and the EHDS's requirements around data standards, data residency, and security apply directly. When evaluating vendors, clinic administrators should verify where patient data is processed and stored, whether the tool can output structured data in EHDS-compatible formats, whether the vendor holds recognised security certifications such as ISO 27001 (an international standard for information security management), and whether the tool constitutes a medical device under the Medical Device Regulation, which would trigger separate regulatory obligations alongside the EHDS.
