National eHealth Infrastructure (EESZT) Welcomes AI Developers

Curious about accessing personal health data (EHR) stored in Hungary's National eHealth Infrastructure (EESZT)? Discover the eligibility criteria for applicants and guidelines for accessing public databases in our latest summary from AZS Partners Law Firm.

The Health Data Processing Act (Act XLVII of 1997 on the so-called EüAk.) has been amended, which creates the possibility for applicants to access certain data based on a request to the operator of the EESZT (National eHealth Infrastructure) for the purpose of training, testing and evaluation of artificial intelligence algorithms, as well as for the development of medical devices and digital health applications. Moreover, they will be able to do so in a secure processing environment established within the National eHealth Infrastructure system.

As a condition for access, a secure processing environment must be available under the amended legislation in which

  • access is limited to the natural persons listed and authorised in the licence,
  • the risk of unauthorised reading, copying, modification or removal of electronic health record data (so-called EHR data) is minimised by technical and organisational measures,
  • EHR data users have access only to the EHR data included in the authorisation,
  • accesses and activities are logged.

In a secure processing environment, the national operator of the EESZT (currently the National Directorate General for Hospitals) may grant access to data stored in the EESZT upon request for the purposes of MI development. The conditions for access are as follows:

Access to data stored in the EESZT shall be granted only to anonymous data and to persons who

  • the only persons authorised to access EESZT are those who have an ETT (Medical Research Council in Hungarian Egészségügyi Tudományos Tanács) licence to carry out scientific research.
  • ensure that the data obtained during the development of the AI are used exclusively for the purpose of AI development,
  • ensure that the AI development is carried out using only anonymous data,
  • provides safeguards to prevent any use for purposes other than those for which it is authorised,
  • carry out a data protection impact assessment before starting the AI development,

The GDPR's legislative purpose for conducting a data protection impact assessment before the start of the activity is to ensure that potential risks can be excluded or managed before the AI learning process starts, as explained in the legislative justification.

Finally, it is stated that the conditions for the use of the data and the provision of the results must be subject to an agreement between the EESZT operator and the applicant.

The amendment will enter into force on 1 January 2026 and unfortunately many of the details are not yet known, e.g. who the applicant(s) could be, what the binding conditions of the agreement will be, whether the Hungarian State or the EESZT operator will charge any fees for access, etc.

The amendment is, however, forward-looking and could presumably allow access to EHR data in the EESZT system to those who intend to develop their medical devices or health software using artificial intelligence.

The amendment of Act XLVII of 1997 on the processing and protection of health and related personal data is contained in Chapter 12 of Act XXIX of 2024 amending certain facts concerning the functioning of the state, which was published in the Hungarian Gazette on 19 June 2024.

The article is for information purposes only and does not constitute legal advice or an opinion on a specific case.


***


Please feel free to contact us for further advice related to the above or for preparing any risk assessment or corporate governance regulations related hereto. Should you have any questions do not hesitate to rely on our services.