Blockchain and healthcare privacy laws just don't mix
Attorney Sharon Klein first started thinking seriously about blockchain's implications for healthcare about 18 months ago. And she's hardly the only one.
Blockchain has been attracting a lot of attention in healthcare, with many technology stakeholders excited about the potential the new data storage paradigm could hold for cybersecurity and interoperability.
But while the digital ledger technology has promise, blockchain will struggle to dovetail with the existing realities of privacy law.
"It's the implementation – in this regulatory environment, particularly given everything else that healthcare needs to deal with – that's the question," said Klein, partner in the health sciences department at law firm Pepper Hamilton and chair of its privacy, security and data protection practice. "Is this something people are going to want to devote time, energy, money to? It has a lot of good applications. But we have so much to do."
Klein, who will speak at the HIMSS Health Privacy Forum in San Francisco on May 12, serves on the newly reconstituted HHS task force for cybersecurity. And, according to her, blockchain is on the agenda.
"All kinds of data can be stored with blockchain," said Klein. "But from a privacy perspective, it matters whether the data that is stored can be considered protected health information and therefore regulated. And then all of the regulatory drag then is applicable."
For instance, she said, "HIPAA contains a 'patient bill of rights.' So if I, as the patient, want to go see my healthcare records, I just raise my hand and you've got to give them to me. How's that going to work with blockchain?"
Or consider the potential implications for updating business associate agreements – even medium-sized healthcare providers have hundreds of them on file.
"It would break my brain to think of how many business associate agreements you'd have to actually execute, and who would execute them," said Klein. "The structure is so inflexible, and very different from any industry's structure when it comes to exchange of data. That's the hurdle we have to get through."
Blockchain is an exciting emerging technology, to be sure, but it's one that was barely being talked about back when the privacy and security rules under HIPAA and HITECH were drafted, she said. And as it stands today those laws "probably don't meet with the blockchain technology as it is currently constructed."
So the question, from a regulatory perspective, should be: Are there easier ways to put blockchain to work in healthcare, even around the margins, that don't need to get tangled up in existing privacy law?
"Are there mechanisms, perhaps at the edges, that are not PHI, not as regulated as PHI, that could be utilized in the way that blockchain in healthcare allows?" she said. "You have to start somewhere."
In the near term, Klein said, "the more that private industry self-regulates and has some standard-setting, I think that is going to increase adoption."
Klein's colleague Joe Guagliardo, who chairs the Blockchain Technology Group at Pepper Hamilton, agreed.
"There's an important point for everyone who's talking about blockchain to understand, whether you're a regulator or a healthcare institution or a technologist," he said. "We're hearing that blockchain is going to revolutionize the way we interact with and store data. But it's not going to happen tomorrow. It may never happen that digital ledger technology is going to replace current infrastructure, because of the regulations.”
Ultimately, it boils down to how important that transformation really is.
"What can we do in the healthcare space, what smaller projects can we do, that don't have the regulatory hurdles?,” he said. “And can we take some baby steps that don't require breaking down all the walls? Let's find smaller problems we can solve as a starting point."