Mar 26, 2025 3 min read

The Huge Health Data Disruption has Arrived

The final wording of the EU’s Health Data Space regulation is out, and the implications for insurers are significant. Not only is there a prohibition on insurers’ use of secondary health data, but as I anticipated, what counts as such data is wide. Insurers need to move with care here.

health data

The EU describes the purpose of the European Health Data Space (EHDS) as follows…

“The EHDS Regulation aims to establish a common framework for the use and exchange of electronic health data across the EU. It enhances individuals’ access to and control over their personal electronic health data, while also enabling certain data to be reused for public interest, policy support, and scientific research purposes. It fosters a health-specific data environment that supports a single market for digital health services and products.”

Why is Insurance Being Singled Out?

Sounds great, but why is insurance being singled out? I understand it’s because the European Commission felt that people would not engage with the EHDS if consumers were worried that their health related data would end up in the hands of insurers.

Are such worries justified? Let’s put it this way. The low levels of trust in relation to insurers’ use of data has created the environment whereby such worries exist. So they are justified in relation to that trust.

Are they justified in relation to what insurers actually do with health data? I think the situation exists whereby, as a natural output of a transforming and largely competitive market, things are done by some firms that have raised eyebrows, perhaps even popped eyes. Not every firm may do that, but enough are doing something and the outcome is a climate of mistrust.

At a recent conference in Denmark, one insurance executive referred to insurance as a black box business, and he wasn’t just meaning this in a digital sense. Black boxes by their very nature are judged to be hiding things rather than explaining things, so the treatment of insurance under the EHDS looks to be a consequence of that opaqueness.

The Prohibition

Article 54 of the EHDS deals with prohibited secondary use of health data, and clause b) includes the reference to insurance…

“taking decisions in relation to a natural person or a group of natural persons in relation to… offering less favourable terms in the provision of goods or services, including exclusion of such persons or groups from the benefit of an insurance or credit contract, the modification of their contributions and insurance premiums or conditions of loans, or taking any other decisions in relation to a natural person or a group of natural persons which result in discriminating against them on the basis of the health data obtained;”

Here are a few things to note from this…

  • it doesn’t specify any particular line of insurance business, so this is not just aimed at life or health insurance. It is any line of business using secondary health data;
  • it references the availability of insurance, and its continuation, modification, and any decision associated with these things;
  • the scope includes both individuals and groups of individuals.

What is Secondary Health Data?

There is one further key question that the regulation addresses: what actually is covered within the term ‘secondary health data’. This is what makes Article 51 so interesting, and in particular, these clauses:

  • (b) data on factors impacting on health, including socioeconomic, environmental and behavioural determinants of health;
  • (f) human genetic, epigenomic and genomic data;
  • (h) personal electronic health data automatically generated through medical devices;
  • (i) data from wellness applications;

That feels to me to be pretty wide. And there's plenty of academic research out there into all of the factors covered under that clause 51 (b). There are in fact few if any surprises here.

Food for Thought

So what does all this add up to?

Firstly, I think it raises some pretty fundamental questions for digital strategists in the insurance sector, and first and foremost, in the life, health and protection lines of business.

Secondly, I think that with that cross over being so wide where the prohibition and the scope of what is meant by secondary health data meet, it points to sector lobbying having largely failed. I’m no public relations specialist, but there doesn’t seem to be any watering down for insurance here. The sector narrative is failing to win minds.

Thirdly, some reinsurers have seen this coming and so put their thinking hats on. We are beginning to see different responses emerging, and, now that the regulation wording is out, there will be more and more evidence of this.

Fourthly, I suspect that the writers of the prohibitions guidance for the EHDS will be raising some very interesting use cases (or should that be non-use cases?) around insurance and secondary health data. Given how life insurance was treated in the prohibitions guidance for the AI Act, insurers could well find that they have some hard mountains to climb.

Let me know if you'd would like me to provide some independent input into a review of what the European Health Data Space will mean for your firm. Get in touch here.
Duncan Minty
Duncan Minty
Duncan has been researching and writing about ethics in insurance for over 20 years. As a Chartered Insurance Practitioner, he combines market knowledge with a strong and independent radar on ethics.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ethics and Insurance.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.