Abstract
Secondary use of health records is vital for research, quality improvement, and innovation, but it must comply with complex legal, ethical, and security requirements. In Norway and the European Economic Area (EEA), this involves navigating national health legislation alongside European Union (EU) regulations. For secondary use in Norway, we identified sixteen regulatory documents, notably the European Health Data Space (EHDS) regulation. We synthesized these documents into a nine-step guideline with checklists to operationalize secondary use as a structured workflow, encompassing Secure Processing Environments (SPE), security controls, lawful consent, ethical review, contractual and technical safeguards, and auditability. Additionally, we provide recommendations for applying the guideline in other EEA countries. The guideline reflects on the phased application of the EHDS, SPE requirements, and the Artificial Intelligence (AI) Act. As a practice-oriented synthesis, it offers a practical starting point for navigating lawful secondary use of health records.