Why is Blockchain a good fit for HIPAA?

Every healthcare technology solution dealing with Protected Health Information (PHI) in the US has to comply with the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA enforces the patient’s right to privacy and aims to protect sensitive health information from unauthorized access and disclosure. For a software company handling PHI, complying with HIPAA means implementing a broad set of rules encompassing both technical safeguards embedded in the software solution itself and administrative measures built into the company’s organization and processes.

So if I build Blockchain-based software in Healthcare, what should I do about HIPAA?

One strategy is to avoid the complexity of the HIPAA regulation altogether and develop Blockchain healthcare solutions that do not deal with PHI, or that operate outside of the US (see better-off-abroad-blockchain-health-firms-are-gaining-ground-outside-the-us/). There are two drawbacks to this strategy. The first is that developing Blockchain in healthcare without directly solving patient-related issues is like being hungry, staring at a great dinner menu and not eating! The second is that most developed countries have a similar regulation (e.g. GDPR in Europe, PIPA in Korea…), so it amounts to choosing between two evils.

It’s true that HIPAA compliance is a tall order and represents a huge effort for any healthcare software company, but it should not be a showstopper for Blockchain start-ups exploring healthcare. One extreme point of view appears in the article blockchain-and-healthcare-privacy-laws-just-dont-mix, whose title implies that Blockchain and HIPAA are a big “no-no”.

I actually think the opposite: Blockchain has an advantage over other database technologies when it comes to HIPAA compliance.

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR §164.304, definition of encryption) and calls for it as a safeguard for PHI. How can Blockchain handle this requirement? Imagine the patient ID being his Blockchain address (derived from his public key): the patient “locks and unlocks” access to his medical records through Blockchain transactions signed with his private key. No one else can derive his private key from his public key or address (that fits “low probability”), and of course his private key is “confidential”, in the sense that the patient is not supposed to share it with anyone else, the same way he is not supposed to share his password with anyone else. Two caveats a practitioner will want to keep in mind. First, a signature proves who authorized a transaction; it does not hide the transaction’s contents, and anything written to a shared ledger is readable by every node. The record itself therefore has to be encrypted (for example with a per-record key that the patient’s key pair wraps for each authorized party), and only the ciphertext, or better a hash of ciphertext kept off-chain, should go on the chain. Second, a lost private key cannot be reset the way a password can, so key recovery has to be designed in, or a lost key means records that nobody can unlock.

Blockchain can also help with Section 164.308(a)(1)(ii)(D): “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Blockchain provides a built-in, comprehensive and tamper-evident audit trail of every write to the ledger. Reads are covered only if each access to a record is itself recorded as a transaction (for example through the contract or gateway that releases the decryption key); otherwise the trail tells you who wrote a record, not who read it. And implementing the authorization registry (“who can access which patient’s medical records”) in the Blockchain as well makes it possible to reconcile the registry (“what is supposed to happen”) with the audit trail (“what happened in reality”): replay the grants and revocations in ledger order and flag every access that is not covered by a grant active at that point. That gives a very solid “proof of alignment” between the two.

Let’s now look at Section 164.312(c)(1): “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

Alteration, destruction: this is about data integrity, and it should be a strength of Blockchain. Each block commits to the hash of the previous one, so altering one medical record changes the hash of its block and breaks the link from every subsequent block. On a public proof-of-work chain, an attacker who altered a record would have to re-mine all the subsequent blocks and then outpace the honest majority of the network’s hashing power to get the altered chain accepted, which is practically impossible. Two caveats: on a permissioned ledger, the kind a healthcare consortium is likely to run, the guarantee rests on the consensus rules and on the honesty of the participating nodes rather than on mining; and the ledger’s integrity covers only what is on it. If records are stored encrypted off-chain with their hashes on-chain, the on-chain hash lets you detect alteration or destruction of the off-chain copy, but that copy still needs replication and backups to survive destruction.
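The three mechanisms discussed above (hash commitments to encrypted records kept off-chain, an on-chain authorization registry reconciled against the access trail, and hash-chained integrity) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the original article or from any blockchain project. The ledger class, the entry types (`write`, `grant`, `access`, `revoke`), the patient and clinician identifiers and the stand-in ciphertext are all constructed for the example; no consensus, mining or signature scheme is modelled.

```python
"""Toy hash-chained ledger for PHI integrity and audit reconciliation.

Added example, not the article's or any project's code. Entries never carry PHI:
only hashes of encrypted records kept off-chain, authorization grants/revocations
and access events go on the chain.
"""
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_body(index: int, prev_hash: str, entry: dict) -> str:
    """Canonical hash of a block body; any change to the entry changes it."""
    body = {"index": index, "prev_hash": prev_hash, "entry": entry}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class Ledger:
    """Append-only chain: each block commits to the hash of the previous one."""

    def __init__(self):
        self.blocks = []

    def append(self, entry: dict) -> int:
        prev_hash = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev_hash": prev_hash, "entry": entry,
                            "hash": hash_body(index, prev_hash, entry)})
        return index

    def verify(self) -> list:
        """Indexes of blocks whose content hash or back-link no longer matches."""
        bad, expected_prev = [], GENESIS
        for b in self.blocks:
            if (b["prev_hash"] != expected_prev
                    or hash_body(b["index"], b["prev_hash"], b["entry"]) != b["hash"]):
                bad.append(b["index"])
            expected_prev = b["hash"]
        return bad


def reconcile(ledger: Ledger) -> list:
    """Replay grants and revocations in ledger order; return indexes of access
    events not covered by a grant active at that moment (registry vs. audit trail)."""
    active = set()          # (grantee, record) pairs currently authorized
    violations = []
    for b in ledger.blocks:
        e = b["entry"]
        key = (e.get("grantee") or e.get("actor"), e.get("record"))
        if e["type"] == "grant":
            active.add(key)
        elif e["type"] == "revoke":
            active.discard(key)
        elif e["type"] == "access" and key not in active:
            violations.append(b["index"])
    return violations


def check_record(ledger: Ledger, record: str, ciphertext: bytes) -> bool:
    """Does the off-chain ciphertext still match the latest on-chain commitment?
    A mismatch means alteration; a missing commitment means the record was never
    written (or the off-chain store has lost it)."""
    for b in reversed(ledger.blocks):
        e = b["entry"]
        if e["type"] == "write" and e["record"] == record:
            return e["ciphertext_hash"] == sha256_hex(ciphertext)
    return False


# Constructed stand-in for an encrypted record; a real system would hold AES-GCM
# output produced under a key that only the patient and authorized parties hold.
SAMPLE_CIPHERTEXT = b"\x8f\x11ciphertext-of-rec-001\x00\x42"


def build_sample_ledger() -> Ledger:
    """Constructed sample history: one record, one clinician, one intruder."""
    led = Ledger()
    led.append({"type": "write", "patient": "P1", "record": "rec-001",
                "ciphertext_hash": sha256_hex(SAMPLE_CIPHERTEXT)})              # 0
    led.append({"type": "grant", "patient": "P1", "grantee": "DrA", "record": "rec-001"})   # 1
    led.append({"type": "access", "actor": "DrA", "record": "rec-001"})                     # 2 covered
    led.append({"type": "access", "actor": "NurseX", "record": "rec-001"})                  # 3 no grant
    led.append({"type": "revoke", "patient": "P1", "grantee": "DrA", "record": "rec-001"})  # 4
    led.append({"type": "access", "actor": "DrA", "record": "rec-001"})                     # 5 after revoke
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain intact:", led.verify() == [])
    print("accesses not covered by a grant (block indexes):", reconcile(led))
    led.blocks[3]["entry"]["actor"] = "DrA"   # attacker rewrites the unauthorized access in place
    print("blocks failing verification:", led.verify())
```

Rewriting block 3 in place is caught because its stored hash no longer matches its content; recomputing that hash only moves the failure to block 4, whose back-link now points at a hash that no longer exists, which is the "re-mine every subsequent block" cost the text describes. `check_record` is the integrity check for the off-chain copy: it detects alteration, but cannot restore a destroyed ciphertext, which is why the off-chain store still needs backups.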

If we want to be futuristic, the Blockchain address could even become the unique patient identifier that does not exist today under HIPAA (the unique identifiers that do exist are for Providers (NPI), Employers (EIN) and Health Plans (HPID)). Why not, after all? The idea of a public/private key pair as a candidate unique patient identifier was mentioned in a Department of Health and Human Services white paper discussing the issue (aspe.hhs.gov/white-paper-unique-health-identifier-individuals).

Don’t get me wrong, Blockchain is not a magic wand for complying with the HIPAA Security Rule, and we have not even discussed the other rules (Privacy, Breach Notification) and the myriad of other safeguards that have nothing to do with technology. HIPAA compliance will remain a difficult and expensive task, but Blockchain should be viewed as a technology that can strengthen it. That is a clear benefit for patients, which is why we should do it!