“Blockchain”—a word commonly associated with cryptocurrency and financial markets—is now a buzzword in the health-care industry. Industry insiders have proposed its use for everything from claims processing and administration to supply chain management and record storage. But as with any emerging technology—especially one as potentially transformative as blockchain—it introduces a number of issues and challenges for early adopters and innovators. Here, we provide a brief overview of some of blockchain’s potential uses in the health-care and life sciences industries, before turning to our “top 5” privacy and security issues that adopters of the technology should consider.
Overview—Blockchain and Its Emerging Applications to Health Care
What Is a Blockchain?
A blockchain is a type of distributed, de-centralized ledger comprised of digitally recorded data packages called “blocks” linked together chronologically in a so-called “chain.” Each block contains a “hash” (i.e., a link to the previous block), a timestamp and transaction data, which includes pertinent information about the relevant exchange. As a result, the blocks in the blockchain link together in chronological order in a manner that makes the data within the blockchain difficult to modify. Each “node” (i.e., user) on the blockchain network generally maintains a complete copy of the entire blockchain, from the first block, referred to as the “genesis block,” to the most recent block. A consensus algorithm maintains the blockchain, allowing for replication, sharing and synchronization across multiple users, sites, and countries.
Public vs. Private Blockchains?
There is no single, uniform application for blockchains. This allows for different options but also requires that each early adapter and innovator analyze the specific blockchain technology and its use cases to determine the potential data privacy and security issues. For example, a public blockchain, like Bitcoin, allows any person to access and add information to the blockchain. This type of blockchain could create a number of data privacy and security issues that are not easily understood or controlled by any one node. In contrast, a private or “permissioned” blockchain, like Bankchain, is only accessible to parties that are members of a closed group. Even within the closed group, some users may have access only to certain blocks on the blockchain, with encryption protecting the information on other blocks from being accessed by others. Further, in permissioned blockchains, an even smaller subset of participants may be permitted to add information to the blockchain. Compared to a public blockchain, a private blockchain allows the blockchain initiator to exercise more control over the blockchain structure, data and participants, which may help limit the potential privacy and security vulnerabilities inherent in the blockchain.
Potential Health-Care Use Cases
Historically, blockchain has been commonly associated with cryptocurrency and financial transactions. In recent years, however, there has been increased interest in blockchain technology for health-care use cases. Organizations are exploring, for example, whether blockchain could allow increased patient access to and participation in the maintenance of their health records. In this case, a patient’s medical records across his/her lifespan would be available on a blockchain and the patient could add information to the blockchain, potentially through the use of verifiable, wearable tech devices. Another potential use case is in connection with clinical trials, where blockchain could allow sponsors to more easily identify and recruit potential subjects, and to exchange data with clinical trial sites and other stakeholders. Blockchain technology could also be used to automate payor execution of prior authorizations for members through the use of smart contracts and to streamline management of the health-care supply chain for pharmaceuticals and other products.
Top Five Privacy and Security Issues for Adopters of Blockchain Technology
The expansion of blockchain technology to the health care sector creates an uneasy fit under U.S. federal and state privacy and security laws, particularly the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their regulations, including the privacy and security rule (collectively, HIPAA), as well as under international privacy and security laws, particularly the European Union’s General Data Protection Regulation (GDPR). Given this tension, we identify what we believe are the “top 5” challenges facing blockchain adopters in health care and how adopters should be thinking about these issues.
1. HIPAA Concerns Regarding the Inclusion of Patient Data on the Blockchain
Under HIPAA, health-care providers, payors and clearinghouses (covered entities) may use and disclose patient health information for their own treatment, payment or health-care operations purposes, or for the treatment or payment activities of others, without obtaining patient consent. As permitted by HIPAA, covered entities may also engage “business associates” to assist in the performance of certain activities. Ultimately, HIPAA limits those circumstances under which a covered entity can disclose identifiable patient information to a third party, such as a blockchain provider, for that third party’s use of the information, without first obtaining authorization from the relevant patient(s).
Blockchain proposes to solve administrative inefficiencies created when covered entities under HIPAA undertake to perform treatment, payment and other activities. In doing so, it creates new burdens and potential risk for covered entities; namely, because covered entities are charged with the safekeeping of patient information and are held responsible for violations of these obligations, covered entities must ensure that they are in compliance with HIPAA before allowing any patient information to be included on the blockchain. As a result, before including any information on a blockchain, covered entities must determine how information on the blockchain will be accessed or used; who will be able to access, use and disclose the information; how to use and disclose the “minimum necessary” amount of information; and whether (and if so, how) the patient has authorized the use and disclosure of his/her information. This obligation requires that the covered entities fully understandtop dr the nature of the blockchain (public vs. private) and functionality of the blockchain with regard to specific use cases.
2. GDPR Concerns Regarding the Inclusion of Personal Data on the Blockchain
Up to this point, we have considered potential blockchain issues arising under U.S. Federal and state law. Depending upon the scope and use of the blockchain, other privacy and security issues may arise under international laws, most notably GDPR. GDPR, which replaces the Data Protection Directive 95/46/EC, is designed to provide individuals with more control over the use and disclosure of their “personal data”—defined broadly as any information relating directly or indirectly to a “living natural person.”
Effective as of May 25, 2018, the GDPR regime is likely to present difficulties for those innovators and early adopters seeking to invest in or use blockchain technology. First, although in theory GDPR’s principle of permitting individuals to have greater control over their personal data corresponds with the transparency of blockchain technology, the reality is trickier. For example, under GDPR, individuals are entitled to have their personal data erased from publicly available searches or spaces. Assuming that key information in a block (i.e., the hash, date, and transaction data) could be considered personal data, it may be impossible with current blockchain technology to remove any such information, which could disrupt the secure blockchain’s reflection of chronological events.
In addition, because blockchain is a distributed ledger, it may be difficult to ascertain the roles and responsibilities of each party in the blockchain (also a concern as to who constitutes a “business associate,” as noted above). In particular under GDPR, organizations will need to determine whether for a particular transaction they are the “data controller” (i.e., the entity that determines the purposes and means of processing personal data), the “data processor” (i.e., an entity that processes personal data on behalf of a data controller) or both, as such designations will determine each party’s responsibility with regard to privacy and security issues.
3. Federal and State Law Concerns Regarding the Inclusion of Sensitive Patient Data on the Blockchain
To an even greater extent than HIPAA, certain federal and state laws govern the use and disclosure of sensitive patient information. These laws, to the extent they relate to privacy and are “more stringent” than HIPAA, could further limit the use, disclosure or re-disclosure of certain data (e.g., prohibit a use or disclosure of patient information permitted by HIPAA, providing greater privacy protection for an individual).
In particular, the Substance Abuse Confidentiality Regulations at 42 C.F.R. Part 2 (Part 2), with few exceptions, require individual and entities that provide alcohol or drug abuse diagnosis, treatment or referral for treatment and that are “federally assisted” to obtain written patient consent before disclosing information that may identify a patient as having or having had a substance use disorder. Even if the patient otherwise consents to the disclosure, Part 2 further limits the recipient’s ability to use or re-disclose such information absent receipt of such consent from the patient.
Relatedly, many states have implemented laws designed to protect sensitive types of information, such as HIV/AIDS, mental health, alcohol and substance abuse and genetic information. New York, for example, has enacted Article 27-F, which prohibits persons who receive HIV-related information about an individual while providing a “health or social service” or pursuant to a written patient consent, from re-disclosing any “confidential HIV-related information” about the individual except in accordance with a specific form of written patient consent or as permitted under one of Article 27-F’s limited exceptions.
In addition to HIPAA’s general requirements, health-care providers, payors and others must consider the application of these laws before including any sensitive health information on the blockchain. In particular, early adopters and innovators should consider whether a new patient consent or authorization will be required before including sensitive patient information on the blockchain; how providers, payors and others will implement any re-disclosure requirements or prohibitions for sensitive information; and finally, how the blockchain will accommodate any patients who consent only to the inclusion of their nonsensitive information on the blockchain or who later withdraw such consent.
4. Jurisdictional Concerns and Responsibility for Blockchain Data
As discussed above, there are a number of potential laws and regulatory regimes that apply to blockchain’s potential use for health-care purposes. It may be exceedingly difficult, however, for a party participating in a blockchain to determine which regulatory regimes apply to the blockchain. Further, the applicable regulatory regime(s) may change over time, as each blockchain evolves.
As an example, a U.S. organization may choose to participate in a permissioned blockchain containing data that relates only to persons located in the U.S. Over time, however, other non-U.S. organizations may receive permission to access the blockchain. The blockchain may come to include transactions—reflected in the addition of new blocks—that contain personal data of persons located in Europe whose data are protected by GDPR or the blockchain may store data on European servers, which could also implicate GDPR. Given the cross-border scope of the blockchain and the decentralized manner in which blockchain data is maintained, organizations would likely need to determine, on a transaction-by-transaction basis, which regulatory regime(s) apply to the transaction and what the consequences are for each party participating in the transaction(s). At least initially, it seems likely that those blockchain participants with existing compliance obligations, such as covered entities and data controllers, will bear the primary burden of ensuring that blockchain transaction compliance obligations are met.
5. New Technology and “First Mover” Advantages and Disadvantages
Despite the near-ubiquitous use of the term in the media, blockchain is still a new technology in health care that has neither been used nor studied extensively with regard to general or specific use cases. Many of the potential upsides of blockchain technology are enticing; however, like self-driving cars, we do not yet know all of its upsides and downsides. With experience, we have come to see the first security issues arise, and understand that there are vulnerabilities in both public and private blockchains that make data breaches, if not likely, then at least possible. The “first movers” investing in blockchain for health-care purposes must solve for these issues, as well as for other technological issues. Further, first movers must contend with any future guidance from the U.S. Securities and Exchange Commission, the U.S. Department of Health Human Services Office for Civil Rights, and other agencies regarding the legal treatment of the technology. In each case, a first mover must carefully examine the proposed use case at issue and the current regulatory landscape in order to minimize the technological and legal risks associated with blockchain usage.
Brett Friedman is a partner in the health-care practice at Ropes & Gray LLP in New York. Jennifer Romig is an associate in the health-care practice at Ropes & Gray LLP in Chicago.