EHDS Compliance Checklist

Every requirement of Regulation 2025/327 that applies to healthcare providers, organised into nine operational categories.

Use this checklist to map your current state against EHDS requirements. For each item, answer yes (fully compliant), partial (in progress or only partially implemented), or no (not started). Categories where you score below 60% require priority attention in your 12-month plan.

1. Infrastructure and interoperability foundation

  • Electronic Health Record (EHR) system identified as the authoritative source for structured clinical data
  • HIS/EHR supports export in structured formats (HL7 v2, HL7 FHIR, CDA, or similar)
  • Unique patient identification linked to national patient identifier
  • Medical terminology standardised to SNOMED CT or ICD-10 (minimum)
  • Medication coding standardised to ATC and national medication dictionary
  • Structured clinical documentation (not free-text-only)

2. EHDS interoperability (Priority Category 1)

  • Patient Summary can be generated in European EHR-XF format
  • ePrescription can be generated in European format with standardised medication identification
  • eDispensation recording for medications dispensed
  • Connection to national contact point (Ministry of Health in Spain)
  • HL7 FHIR International Patient Summary profile implementation
  • Cross-border data exchange testing completed

3. Security and access control

  • Strong authentication for all clinical system users (MFA where feasible)
  • Role-based access control mapped to clinical roles
  • Complete audit trail of data access, modification, and export
  • Encryption at rest for patient data stores
  • Encryption in transit for all data exchanges (TLS 1.2+)
  • Breach notification procedures aligned with GDPR and NIS2
  • Business continuity and disaster recovery tested in the last 12 months

4. Patient rights and access

  • Electronic mechanism for patients to access their own records
  • Mechanism for patients to add annotations or corrections
  • Mechanism for patients to restrict access (by provider, by data type, by time period)
  • Transparency notice describing data uses (primary and secondary)
  • Consent recording for uses beyond direct care
  • Data portability: patient can receive their records in a standard format

5. Data governance

  • Data Protection Officer (DPO) appointed and operational
  • Record of Processing Activities (ROPA) up to date with EHDS-specific entries
  • Data Protection Impact Assessments (DPIAs) for secondary-use scenarios
  • Data retention policy with documented retention periods per data category
  • Data minimisation and pseudonymisation practices documented
  • Sub-processor inventory with EU data-transfer safeguards

6. National connection (Spain)

  • Registration with national contact point initiated or completed
  • Autonomous community integration requirements identified
  • Certificate obtained for national contact point connection
  • Ley de Salud Digital gap analysis completed
  • Autonomous community certification (if applicable) in progress

7. Organisational readiness

  • EHDS programme owner identified at executive level
  • Compliance budget approved for 2026-2027
  • Cross-functional steering group (IT, legal, clinical, operations)
  • Clinical staff training plan for new data-access and consent workflows
  • Internal communications plan for EHDS go-live

8. Vendor compliance

  • HIS vendor contacted for EHDS roadmap and commitment
  • Vendor EHDS capability verified in writing
  • Data processing agreements updated for EHDS-specific provisions
  • Integration testing scheduled with HIS vendor
  • Alternative compliance layer evaluated if HIS vendor cannot deliver

9. Secondary use readiness

  • Inventory of health data holdings suitable for secondary use
  • Registration with national Health Data Access Body planned
  • Pseudonymisation capability for secondary-use data provision
  • Secure processing environment or cloud-based equivalent identified
  • Cost-recovery model for data provision requests