Healthcare is rapidly digitizing. Electronic patient records (EPRs), data exchange in regional networks, patient portals, personal health environments (PHEs), and a growing ecosystem of healthcare apps and data services promise better accessibility, efficiency, and personalized care. At the same time, healthcare almost always involves sensitive personal data (health data), making it one of the most high-risk data domains. For healthcare providers, suppliers, and partnerships, this means that innovation is only sustainable if privacy, information security, and data governance are demonstrably in order.
The core of the problem is the constant tension between necessary sharing (good, safe, and continuously available care) and strict protection (confidentiality, purpose limitation, data minimisation, and professional secrecy). In daily practice, questions arise concerning the principles and exceptions for health data, (implicit) consent versus legal obligations, access by employees and chain partners, logging and authorization, retention periods, secondary use (quality, research, AI training), and patient control. The Dutch Autoriteit Persoonsgegevens stresses that the GDPR and specific healthcare legislation impose additional requirements on the processing and sharing of health data, precisely in order to safeguard trust in healthcare.
The legal and regulatory context is multi-layered. At its core is the GDPR (with national implementation), supplemented by healthcare-specific frameworks such as the WGBO (medical records and confidentiality) and rules on electronic processing and exchange. In addition, practice is shifting due to new obligations for digital exchange: since July 1, 2023, the Electronic Data Exchange in Healthcare Act (Wegiz) has been in force, which requires designated data exchanges to be carried out electronically in a step-by-step manner (with e-prescribing being one of the first obligations).
The contours are also becoming clearer at the European level. The European Health Data Space (EHDS) is laid down in Regulation (EU) 2025/327 and aims both to improve primary use (healthcare) and to provide a framework for secondary use (research, innovation, policy), with robust preconditions for access, interoperability, and governance. In addition, pressure on cyber resilience is growing: the Netherlands is working on the Cyber Security Act (Cyberbeveiligingswet) to implement NIS2, which may mean additional duty-of-care obligations and incident-reporting requirements for (parts of) the healthcare sector.
This dossier helps professionals in the Netherlands get to grips with the convergence of privacy, security, and digitization: from contracting and supplier management to DPIAs, data sharing in networks, cloud and AI applications, and privacy-by-design in healthcare processes.
Related items in this dossier:
Electronic Data Exchange in Healthcare Act (Legislation)
New NEN standards support data availability and Wegiz data exchanges (News/press release)
The Netherlands is working on a digital highway for healthcare data: citizens will have more control (News/press release)
Letter to Parliament on progress of the agenda for data availability in healthcare (Policy)
How healthcare providers perpetuate a solvable privacy problem (Blog)
Letter to Parliament on information security in healthcare (Policy)
Letter to Parliament on the implementation of the European Health Data Space (Policy)