Building blocks for privacy and security: What is blockchain's role?

Healthcare depends on data. Safe, effective and efficient healthcare cannot be delivered without data that is available, reliable and confidential.

As a result, there is both a regulatory and an operational mandate that healthcare data be protected to ensure its confidentiality, availability and integrity. However, as the headlines demonstrate, current technology is insufficient to fulfill this mandate.

As a result, many are looking to blockchain technology as a possible solution. Through the use of a distributed ledger and transparent transactions, some are theorizing that blockchain will provide a technical solution to improve the security of healthcare data. Under this theory, each transaction that impacts the healthcare provided to a patient – whether it be treatment related or payment related – would be uploaded into the blockchain, verified by multiple nodes and transparently recorded and available to each participating entity, rather than recorded in a single location. Since each transaction is recorded in the distributed ledger, the silos of care would be avoided, and all providers would have access to complete records. If an error is made, it will be identified quickly and the transaction rejected. Patients can be members of the blockchain, actively participating and monitoring their records; by validating (approving or denying) the data that is added to the record, patients can help maintain accuracy. As a new healthcare provider is consulted, the new provider can simply be added to the blockchain, immediately gaining access to the accumulated data.

While there are many use cases proposed for blockchain in healthcare, one that is gaining the most attention is the use of blockchain for medical record data. Consider, for example, medication data. Many patients receive prescriptions from multiple providers. Currently, each prescription is recorded in the medical record of the prescribing provider and in the record of the pharmacy when dispensed. The prescription may be transmitted electronically, either directly to the pharmacy or through a health information exchange ("HIE"). Each prescribing provider has a record of what he or she prescribed and may have a record of the medications prescribed by other providers, as reported by the patient or disclosed by the HIE. However, often patients don't remember all of their medications or dosages, or the patient may not have picked up a prescription reported through the HIE. The theory is that with blockchain, each prescription will be recorded in the blockchain and visible to all providers of care. This will permit more accurate medication reconciliation with the patient, leading to better care. The same is true of other medical information, such as imaging studies, laboratory results and similar data.

As the United States grapples with the perils of the opioid epidemic, the use of blockchain in state databases that monitor prescriptions of controlled substances could present a tool for better management. By using blockchain, the various state databases could be consolidated into a private blockchain, accessible to state and federal regulators and healthcare providers but inaccessible to others without a valid need to access the data. This would permit the development of a reliable, distributed record of controlled substances prescriptions that avoids the silos created by state boundaries while protecting the information and ensuring it is shared only among those who require access.

However, there are concerns that must be addressed before blockchain can be used for medical data. While the data stored on blockchain is encrypted, compliance with legal and regulatory mandates related to patient privacy must be ensured. The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health ("HITECH") Act (collectively, "HIPAA"), and the implementing regulations were promulgated well before blockchain was identified as a possible approach for use in healthcare, and achieving compliance with the HIPAA Privacy Rule and Security Rule may be challenging. Blockchain identities are pseudonymous, not anonymous, and therefore must be treated as sensitive information under the European Union's General Data Protection Regulation ("GDPR"), which goes into effect May 25, 2018 and may apply to U.S. healthcare providers in certain circumstances. A pseudonym may qualify as de-identification, if it is not derived from other related information about the individual and the means to re-identify is not known to third parties (including other recipients); the use of cryptographic hash functions is permitted and may qualify as de-identification under the "expert determination" method of de-identification under HIPAA.¹ While blockchain uses cryptography, identities remain vulnerable to discovery, and the use of a pseudonymous identifier to link transactions creates a larger dataset at risk of breach. Further, the need for accurate identification of individuals across multiple providers increases the concerns about misidentification and the need to deduplicate entries.

An interesting challenge arises due to a fundamental characteristic of blockchain – its immutability. Once a transaction is approved by the requisite number of nodes, it cannot be changed. However, under both HIPAA and the GDPR, an individual has the right to seek corrections in records. If, after a transaction has been approved, the individual seeks a correction, what happens if some of the nodes agree and some disagree? Further, under GDPR, the individual has a right of erasure of incorrect information (the "right to be forgotten"), which also applies if the information is no longer relevant. Given the immutability of blockchain, that is impossible; for those entities that are subject to HIPAA, even if the request to correct is granted, the error is now broadly visible even if it is corrected, rather than located in a medical record that is likely less broadly released. This risk may be mitigated if the blockchain is used to merely store data pointers, rather than the data itself; taking this approach also mitigates another concern related to the volume of data that would be uploaded to the blockchain. In fact, blockchain is better used for write-often, seldom-read activities; it is not intended to be a database but rather is a tool for tracking transactions.
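The pointer-only design mentioned above can be sketched as follows. This is an added example, not code from the article or its authors: `OffChainStore`, `PointerLedger` and the sample prescription records are hypothetical and constructed for illustration. The chain holds only a pointer and a salted commitment, so a correction is a new entry and an erasure deletes the off-chain record without breaking the chain.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class OffChainStore:
    """Mutable provider-side store: the only place record content lives."""
    def __init__(self):
        self.rows = {}  # pointer -> (per-record salt, serialized record)
    def put(self, record: dict):
        pointer, salt = secrets.token_hex(8), secrets.token_bytes(16)
        body = json.dumps(record, sort_keys=True).encode()
        self.rows[pointer] = (salt, body)
        # Keyed commitment: without the salt, guessing the record does not confirm it.
        return pointer, hmac.new(salt, body, hashlib.sha256).hexdigest()
    def erase(self, pointer: str):
        self.rows.pop(pointer, None)  # content and salt are deleted together

class PointerLedger:
    """Append-only hash chain holding pointers and commitments, never content."""
    def __init__(self):
        self.blocks = []
    def append(self, pointer, commitment, supersedes=None):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        entry = {"prev": prev, "pointer": pointer,
                 "commitment": commitment, "supersedes": supersedes}
        self.blocks.append({**entry, "hash": _digest(entry)})
    def chain_intact(self) -> bool:
        prev = GENESIS
        for block in self.blocks:
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["prev"] != prev or _digest(body) != block["hash"]:
                return False
            prev = block["hash"]
        return True
    def resolve(self, index: int, store: OffChainStore):
        block = self.blocks[index]
        if block["pointer"] not in store.rows:
            return None  # erased off-chain; the entry is now a dangling pointer
        salt, body = store.rows[block["pointer"]]
        expected = hmac.new(salt, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, block["commitment"]):
            raise ValueError("off-chain record does not match on-chain commitment")
        return json.loads(body)

def demo():
    store, ledger = OffChainStore(), PointerLedger()
    p1, c1 = store.put({"patient": "pseudonym-0001", "rx": "drug A 10 mg"})  # constructed
    ledger.append(p1, c1)
    p2, c2 = store.put({"patient": "pseudonym-0001", "rx": "drug A 5 mg"})   # correction
    ledger.append(p2, c2, supersedes=p1)
    store.erase(p1)  # erasure honoured off-chain; the chain is untouched
    return ledger, store
```

The pointer, the commitment and the ordering of entries stay on the chain permanently, so the design reduces what is exposed rather than removing every trace of the transaction.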

Another potential benefit of blockchain in healthcare is enhanced robustness of the technology. Because the blockchain is distributed, there is no single point of failure. The option of private blockchain permits inclusion of only trusted entities. Blockchain uses peer-to-peer architecture, which permits modularity while accommodating increased power provided by leveraging data available at, and interoperating with, multiple nodes. Finally, immutable audit trails discourage attempts to inappropriately modify data and permit reliable investigation if needed.

It is important to remember that blockchain is a technical concept. Blockchain requires software to be implemented, and as with any other software, much of the security and privacy lies in how carefully the code is written and the implementation is configured. Use of a weak encryption protocol, code that is written without incorporating privacy and security by design and implementation that fails to consider security and privacy as primary goals will cause blockchain to fail to accomplish its privacy and security potential. While it should not be viewed as a panacea, blockchain does provide possibilities to improve privacy and security in healthcare.

This article is educational in nature and is not intended as legal advice. Always consult your legal counsel with specific legal matters. If you have any questions or would like additional information about this topic, please contact:

• Melissa Markey at (248) 740-7505 or mmarkey@hallrender.com;
• Ammon Fillmore at (317) 977-1492 or afillmore@hallrender.com; or
• Your regular Hall Render attorney.

Melissa Markey and Ammon Fillmore are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest healthcare-focused law firm in the country. Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to healthcare law.

1 Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule, 11/26/12, available at https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
