The EU has this week issued a proposal for the regulation of electronic health data. It’s implications for insurance are stark. As it stands, the proposal will ban the secondary use of electronic health data for insurance purposes. It’s early days, but insurers have a digital mountain to climb.


The proposed regulation is centred around the creation of a European Health Data Space (EDHS). To quote from early on in the proposed regulations:

“(The) EHDS will create a common space where natural persons can easily control their electronic health data. It will also make it possible for researchers, innovators and policy makers to use this electronic health data in a trusted and secure way that preserves privacy.”

An important distinction in the proposed regulation is between primary and secondary use of electronic health data. Primary use of electronic health data happens in the context of healthcare. Secondary use happens in the context of other uses of that data, such as for research, innovation, policymaking, official statistics and regulatory activities.

Article 35 of the proposed regulation sets out ‘prohibited secondary use of electronic health data’. Item b) states that access to and processing of electronic health data shall be prohibited in relation to:

“…taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance contract or to modify their contributions and insurance premiums;”

And this is reinforced in Article 46 (2), dealing with the data permits that can be issued by health data access bodies:

“Health data access bodies shall refuse all applications including one or more purposes listed in Article 35”.

Clear and Stark

Now I have not yet read all of the 122 page document, released only a few days ago. That said, the references to insurance are clear and stark. If the regulation as proposed comes into force, insurers will not have secondary use of electronic health data. That seems pretty significant to me!

As well as not having secondary use of electronic healthcare data, insurers would not of course have access on a primary basis to such data, unless they were actually providing the healthcare itself. I imagine however that that will be closed off before the regulations coming into effect.  

I presume that this will not stop insurers using electronic data about health provided to them directly by the proposer / policyholder, for example through a digital watch of some kind. In essence, the restriction is on secondary use of healthcare data, not on the gathering on a primary basis by insurers of data they use to assess health insurance.

This then turns the focus of how all this is handled round onto the General Data Protection Regulation and its provisions such as on consent. As the EU admit, implementation of the GDPR has been patchy in places and its traction not as significant as was initially hoped for. The proposed electronic health data regulations make the enforcement of GDPR provisions such as on consent and secondary use even more significant.

There will now of course be a period of intense lobbying by the insurance sector. Whether it will be any more successful than in the period of this regulation’s drafting is questionable. The exclusion of insurance from the secondary use of electronic health data is pretty stark. No sub-clauses, exemptions or caveats. Just one plain no.

The Apparent Rationale

The rationale for this prohibition on insurance is very likely to be in relation to consumer attitudes to insurers use of data. As this recent piece of research by the ABI found, consumers view insurers’ use of their data through a “double lens of mistrust”, even when consent is provided.

The sector will of course warn the EU that consumers are likely to pay more for their health insurance as a result. This would be missing the point, by a mile. Such increased premiums will not bear comparison with the opportunities that trust in the primary use of electronic health data will give to European consumers. What the regulation as proposed is in effect saying then is that that trust is paramount to the success of this ‘health data space’.

Here in the UK of course, this regulation will not apply. Yet there is no doubt that UK insurers and trade bodies will watch its development with a close eye, for it could prove to be a bellwether for similar challenges they could well face here too.

Duncan Minty
Duncan Minty
Duncan has been researching and writing about ethics in insurance for over 20 years. As a Chartered Insurance Practitioner, he combines market knowledge with a strong and independent radar on ethics.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ethics and Insurance.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.