Chris Sawyer

Summary

The web content discusses the significant compliance challenges blockchain technology faces in the healthcare sector, particularly concerning patient data management and legal regulations like GDPR, HIPAA, and HITECH Acts.

Abstract

The article delves into the complexities of implementing blockchain technology for managing patient health information (PHI) within the healthcare industry. It outlines the primary compliance challenges, such as the 'right to be forgotten' under GDPR, which conflicts with blockchain's immutable nature. It also addresses privacy and secure data transmission concerns, highlighting the struggle of both traditional and blockchain-based health applications to comply with patient data protection laws. The need for compliance with US federal laws like HIPAA and HITECH Acts is emphasized, including the requirement for Business Associate Agreements (BAAs) when third-party blockchain solutions are involved. Additionally, the article underscores the importance of compliant development practices, suggesting that developers, often from diverse international backgrounds, must be knowledgeable about US and non-US regulations to ensure patient data privacy and security in blockchain applications.

Opinions

  • The author assumes that blockchain technology could be used to store and manage PHI, which is a common goal for many healthcare blockchain projects.
  • Success metrics for blockchain projects should include compliance performance, not just transaction volume or token value.
  • There is skepticism about whether blockchain applications can truly comply with the 'right to be forgotten' as mandated by GDPR due to the immutable nature of blockchain.
  • Concerns are raised about the privacy policies of open blockchain projects and their compliance with state and federal laws, including GDPR, HIPAA, and HITECH.
  • The article suggests that healthcare professionals may overlook GDPR due to a focus on state and federal law compliance, despite the global reach of blockchain applications.
  • There is a call for careful consideration of HIPAA and HITECH Act compliance in the context of blockchain, especially when third-party applications are involved, necessitating BAAs.
  • The author points out that the assumption that digital health applications are compliant with federal rules and regulations is dangerous, especially with the added complexities of blockchain.
  • The article advocates for the involvement of healthcare professionals in the development process to ensure compliance requirements are met and smart contracts are properly vetted.
  • It is noted that developers of blockchain applications may not be familiar with the intricacies of US and non-US patient data privacy and security laws, which could lead to compliance issues.

The Most Significant Compliance Challenges for Blockchain in Healthcare

Photo by Photo Boards on Unsplash

Let's assume for the next few minutes that we want to use blockchain technology to store and manage patient data (PHI).

This shouldn’t be too far-fetched. The majority of blockchain projects within healthcare today attempt to do just that.

Discussions about these projects often quickly lead to how successful they are based on the number of transactions they see or the value of their underlying token or cryptocurrency. But, how do these applications perform in terms of compliance?

If there is data transfer via a front-end web-based application, is that data transferred in a secure fashion?

If these projects are open to anyone to use, how are privacy policies explained to users (patients)?

Are they compliant with state and federal laws (i.e., HIPAA, HITECH)?

Below are the most significant compliance challenges facing blockchain projects in the healthcare industry today.

1. THE RIGHT TO BE FORGOTTEN

The General Data Protection Regulation (GDPR) is a relatively new compliance regulation proposed by the European Union (EU) in 2018 that is focused on giving the control of data back to its owner.

The most widely acknowledged GDPR compliance issue for blockchain remains the ‘right to be forgotten’.

The right to be forgotten requires that user (in this case ‘patient’) data be removed from a system at the request of the user.

This presents the most significant problem for blockchain in healthcare today, as a blockchain is an ‘append-only’ ledger and information captured on-chain is (as they say) immutable.

According to Varghese, et al (2018), this means organizations should delete the user data if the user requests it. Since information inside the blockchain cannot be removed, it directly contradicts Article 17. Technically, the same goes for Article 16 (right to rectification).

To make matters worse, this law is agnostic to public and private blockchain structures — it applies in either case.
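The following is an added illustration, not code from the article, of why the ‘append-only’ property conflicts with Articles 16 and 17: each record in a minimal hash chain commits to the hash of the record before it, so erasing or rectifying one record invalidates every later link. The patient records below are constructed sample strings, not real PHI, and the block layout is a simplified stand-in for any real chain.

```python
"""Minimal append-only hash chain, added as an illustration of on-chain immutability.

Each block stores the SHA-256 hash of its predecessor, so any attempt to remove
(Article 17) or edit (Article 16) an earlier record breaks verification of the
records that follow it. Sample payloads are constructed, not real patient data.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_HASH = "0" * 64  # predecessor hash used by the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: str  # constructed sample record

    def hash(self) -> str:
        # Canonical JSON so the same fields always hash identically.
        material = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(material).hexdigest()


def append(chain: List[Block], payload: str) -> List[Block]:
    """Return a new chain with `payload` appended, linked to the current tip."""
    prev = chain[-1].hash() if chain else GENESIS_HASH
    return chain + [Block(len(chain), prev, payload)]


def verify(chain: List[Block]) -> Optional[int]:
    """Return the index of the first broken link, or None if the chain is intact."""
    expected_prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return i
        expected_prev = block.hash()
    return None


def erase(chain: List[Block], idx: int) -> List[Block]:
    """Article 17 attempt: drop the record at `idx` from a local copy of the chain."""
    return chain[:idx] + chain[idx + 1:]


def rectify(chain: List[Block], idx: int, new_payload: str) -> List[Block]:
    """Article 16 attempt: overwrite the record at `idx` in place."""
    old = chain[idx]
    return chain[:idx] + [Block(old.index, old.prev_hash, new_payload)] + chain[idx + 1:]


def build_sample_chain() -> List[Block]:
    # Constructed sample records; no real PHI.
    chain: List[Block] = []
    for record in ("patient-A: visit 2021-03-01", "patient-B: lab result", "patient-A: prescription"):
        chain = append(chain, record)
    return chain


def demo() -> dict:
    """Show that erasure and rectification of a non-tip record break the chain."""
    chain = build_sample_chain()
    return {
        "intact": verify(chain),                      # None: chain verifies
        "after_erase": verify(erase(chain, 1)),       # 1: block 2 now sits at position 1
        "after_rectify": verify(rectify(chain, 1, "patient-B: corrected")),  # 2: prev_hash mismatch
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the code. Only a record that is not the tip is protected by its successors' hashes; the most recent record could be dropped from a local copy without breaking any link, but on a replicated network every other node still holds it, which is why local deletion does not satisfy an erasure request. And because `verify` inspects only hashes, it tells you that something changed, not what; that is the property the article describes when it says on-chain information cannot be removed or rectified.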

As healthcare professionals, we tend to default to state and federal law compliance as we develop healthcare interventions in the United States.

Given the global reach of blockchain applications (worldwide network), we should understand GDPR and how it can impact that design.

2. PRIVACY AND SECURE DATA TRANSMISSION

Photo by NordWood Themes on Unsplash

Recent studies have found that traditional non-blockchain-based applications struggle greatly with patient privacy compliance within these rules and regulations. For example, one such study from 2021 found that out of 15,838 applications (8074 medical and 12,917 health and fitness) available on the Google Play store, 88% had code that collected some sort of user data with 23% of these applications transmitting information by way of unsecured channels and 28% providing no privacy policies to users.

Blockchain-based digital health is essentially the automation of current digital health capabilities — so let's make sure we are not automating the bad to still happen.

Current laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are well known to those in the healthcare industry.

Let’s say we are not concerned about GDPR or unsecured data exchange…do we even have a true grasp on HIPAA and HITECH Acts as they relate to blockchain?

With regard to HIPAA, patient health information cannot be used or shared without written permission from the patient. That said, if the information is required as part of normal business operations (for example, providing care to the patient) this may not apply.

Should we then consider a blockchain solution to be HIPAA compliant just by declaring that all data is required as part of normal business operations? If the blockchain application is provided by a third party, I do not think we can. In that case we need a Business Associate Agreement (BAA) to be in place.

BAAs are a requirement of both HIPAA and the HITECH Act.

How would we then get a BAA in place with a digital health application that resides on a public blockchain? Does the creator (who can be anyone) know about these laws?

3. COMPLIANT DEVELOPMENT

Photo by charlesdeluvio on Unsplash

We need healthcare professionals who know how to interpret patient data, implement healthcare compliance requirements, and read smart contracts.

Basically, all blockchain-based digital health applications can be categorized as creating patient-generated data.

Patient-generated data are defined as “health-related data — including health history, symptoms, biometric data, treatment history, lifestyle choices, and other information — created, recorded, gathered, or inferred by or from patients or their designees (i.e., care partners or those who assist them) to help address a health concern” (Hiller, 2016).

Traditionally, data made available within the public domain by way of digital health applications are assumed to have been vetted for compliance with federal rules and regulations.

While this may be commonly accepted thinking (and still a relatively dangerous assumption to operate under given what we know about current digital health compliance studies) for more traditional applications, this thinking poses new challenges with blockchain-based applications.

This consideration should not trick us into believing an application is compliant simply because of the data source.

In order to identify weaknesses in blockchain applications against privacy and security requirements, it is critical to understand how these solutions are built. That understanding shows which laws apply to the data being captured, and how, before we can properly decide which data can be used widely in visualizations.

We cannot assume that data has been reviewed by a knowledgeable compliance source.

Blockchain applications are varied in where development has taken place and often developers are based outside of the United States.

Are developers familiar with US and non-US rules and regulations for patient data privacy and security?

Public blockchain applications that operate using smart contracts can easily have their code reviewed by knowledgeable US-based developers to allow for a full understanding of what data is captured and how it is stored on the blockchain (for example, is it queryable by anyone).

This will become a new healthcare industry need over time as anyone around the world can launch a smart contract on the blockchain attached to a web-based application that asks patients for data.

REFERENCES

Hiller, J.S. (2016). Healthy Predictions? Questions for Data Analytics in Healthcare. American Business Law Journal, 53(2), 251–314. DOI: 10.1111/ablj.12078

Varghese, B., Villari, M., Rana, O., James, P., Shah, T., Fazio, M. (2018). Realizing edge marketplaces: Challenges and opportunities. IEEE Cloud Computing, 5(6), 9–20. Nov. 2018.
