The General Data Protection Regulation (GDPR) is a new regulatory framework aimed at giving EU citizens more control over the usage, processing, and transfer of their personal data. Although it was enacted as far back as April 14, 2016, two years before it became effective on May 25, 2018, companies, countries and individuals are still struggling to understand the impact of the regulation on their operations. The framework was developed with the vision of streamlining data protection rights, and it imposes strict guidelines that organizations must follow while gathering and managing personal data. More significantly, while we normally think of a country's laws and regulations as applying within the physical boundaries of that country, the striking feature of GDPR is that it applies to all entities controlling or processing data of EU persons residing in the EU, i.e., to U.S. companies not located in the EU that nevertheless control or process data of EU persons. This extra-territorial reach of GDPR is stunning in its scope and application, in effect setting an international standard for global companies.
For the healthcare sector, this impact can be significant. Collection, processing, and management of health records will now be subject to GDPR, including healthcare data management solutions using blockchain.
How does GDPR apply to Healthcare?
The advent of GDPR is bound to have a significant impact on healthcare institutions, particularly large hospitals and insurance companies, which have hundreds of systems handling patient information. Beyond the sheer number of processes and systems involved, these organizations will carry an increased onus to adhere to strict data protection rules.
GDPR will be significant in at least three ways.
1. Purpose and consent.
Healthcare institutions will be obligated to ensure that data is collected for a specific and legitimate use and that the data is used only for that purpose. Further, a healthcare organization will be required to obtain exclusive permission from the patient to use their data (Art. 7).
2. Subject Access Requests.
GDPR offers patients complete autonomy over their data. Healthcare providers will be obligated to furnish patients with complete information when they request it, within specified time limits (Art. 15).
3. Data Breach Notification.
GDPR also requires organizations to report a data breach within 72 hours of learning of it (Art. 33) and to notify the affected individuals if the breach results in an adverse impact (Art. 34). The onus will therefore be on healthcare organizations to ensure that data is highly secured and protected from unauthorized access; otherwise they face rapid breach-reporting requirements and possibly severe financial penalties (see Art. 83).
The intersection of Blockchain, GDPR and Healthcare
Fundamentally, blockchain solutions and GDPR regulations are geared towards a common goal, i.e., providing a user-centric ecosystem. The ecosystems envisioned by these two paradigms promote maximum respect for data and transaction privacy. Given the characteristics of blockchain, it is worth considering this technology as a means of ensuring GDPR compliance.
GDPR offers an incredible incentive for the application of blockchain in healthcare. Blockchain combines the application of public blockchains with trusted computing. This means that data can be stored off-chain, away from the threats of intrusion, theft, and corruption. Additionally, the application of smart contracts and tokenization ensures that users are provided with full autonomy over their own data. Patients or other blockchain users are given the power to choose (i) who can access their data and (ii) who can use their data. Blockchain smart contracts also help in tracking the usage and transfer of data, to ensure that the data is used only for authorized purposes and resold only to authorized entities. Overall, blockchain can strengthen all three areas identified above: monitoring of purpose and consent, subject access requests, and breach notification.
Despite the many benefits of blockchain for ensuring GDPR compliance, this move has generated an avalanche of criticism. One of the primary requirements of GDPR is the ability to fully erase data on request by the data subject. Given the immutability of blockchain ledgers, this is a nightmare for both users and health organizations, and perhaps one of the biggest hindrances to blockchain solutions being GDPR compliant.
To solve this issue we developed cryptographic hashes that allow the storage of encrypted hashes instead of 'simply' hashes of the actual data. This process will help solve the challenge of the "right to erasure" by protecting the data. Although the laws have not yet been changed, we can expect that new regulations will be more flexible to allow for technological advancement and innovation.
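As an added illustration (example code written for this page, not Pikcio's implementation, whose design the post does not detail), the following Python sketch models the off-chain/on-chain split described in the two paragraphs above. The patient record and a per-record key live in an erasable off-chain store; the ledger holds only a keyed commitment (an HMAC-SHA256, assumed here as the "encrypted hash"). Erasure then means deleting the off-chain record and key: the immutable ledger entry remains, but it can no longer be recomputed from, or tied to, the patient's data. The same sketch shows why a plain hash of the record does not achieve this, since anyone holding a copy of the record can recompute it indefinitely. The `Ledger` class is a dictionary standing in for a chain, and the sample record is constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "diagnosis": "example-condition",
    "visit_date": "2018-06-01",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def plain_hash(data: bytes) -> str:
    """Naive on-chain anchor: bare SHA-256 of the record. Anyone holding a copy of
    the record can recompute it and confirm the record is on the ledger, forever."""
    return hashlib.sha256(data).hexdigest()


def keyed_commitment(key: bytes, data: bytes) -> str:
    """Keyed anchor (HMAC-SHA256). Without `key` the digest cannot be recomputed
    from the record, so destroying the key severs the link between ledger and person."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Ledger:
    """Append-only stand-in for the chain: entries are never deleted or rewritten."""

    def __init__(self):
        self._entries = {}

    def append(self, record_id: str, anchor: str) -> None:
        if record_id in self._entries:
            raise ValueError("ledger entries are immutable")
        self._entries[record_id] = anchor

    def anchor(self, record_id: str):
        return self._entries.get(record_id)


class OffChainStore:
    """Holds the actual record and its per-record key; both can be erased."""

    def __init__(self):
        self._data = {}

    def put(self, record_id: str, record: dict) -> bytes:
        key = os.urandom(32)  # fresh random key per record
        self._data[record_id] = (key, canonical_bytes(record))
        return key

    def get(self, record_id: str):
        return self._data.get(record_id)

    def erase(self, record_id: str) -> None:
        """Right to erasure: drop the record and its key. The ledger is untouched."""
        self._data.pop(record_id, None)


def register(store: OffChainStore, ledger: Ledger, record_id: str, record: dict) -> str:
    """Store the record off-chain and anchor only its keyed commitment on the ledger."""
    key = store.put(record_id, record)
    anchor = keyed_commitment(key, canonical_bytes(record))
    ledger.append(record_id, anchor)
    return anchor


def verify(store: OffChainStore, ledger: Ledger, record_id: str) -> bool:
    """True only while the off-chain key and data exist and match the on-chain anchor."""
    entry = store.get(record_id)
    anchor = ledger.anchor(record_id)
    if entry is None or anchor is None:
        return False
    key, data = entry
    return hmac.compare_digest(keyed_commitment(key, data), anchor)


def linkable_from_record(ledger: Ledger, record_id: str, record: dict, key: bytes = None) -> bool:
    """Can a party holding a copy of the record (and optionally the key) show that the
    ledger entry refers to it? With a plain-hash anchor the answer is always yes; with a
    keyed anchor it is yes only while the key survives."""
    anchor = ledger.anchor(record_id)
    if anchor is None:
        return False
    data = canonical_bytes(record)
    candidate = plain_hash(data) if key is None else keyed_commitment(key, data)
    return hmac.compare_digest(candidate, anchor)


def erasure_demo() -> dict:
    """Register, erase, and report what can still be proven about the record."""
    store, ledger = OffChainStore(), Ledger()
    register(store, ledger, "rec-1", SAMPLE_RECORD)
    verified_before = verify(store, ledger, "rec-1")
    leaked_key, _ = store.get("rec-1")  # a copy that escaped destruction
    store.erase("rec-1")
    return {
        "verified_before_erasure": verified_before,
        "verified_after_erasure": verify(store, ledger, "rec-1"),
        "linkable_from_record_copy": linkable_from_record(ledger, "rec-1", SAMPLE_RECORD),
        "linkable_with_surviving_key": linkable_from_record(ledger, "rec-1", SAMPLE_RECORD, leaked_key),
    }


if __name__ == "__main__":
    print(erasure_demo())
    naive = Ledger()
    naive.append("rec-1", plain_hash(canonical_bytes(SAMPLE_RECORD)))
    print("plain hash still linkable:", linkable_from_record(naive, "rec-1", SAMPLE_RECORD))
```

The last result in `erasure_demo` is the caveat a practitioner will want: the erasure argument rests entirely on the per-record key actually being destroyed. A key that survives in a backup, a log, or another service keeps the ledger entry linkable to the patient, so key management and auditable key destruction are where a compliance review of such a design should focus.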
Pikcio has already built the secure, blockchain-based, GDPR compliant data ecosystem that saves time, reduces costs and increases customer satisfaction with any process that requires the collection, certification and exchange of personal data.
How GDPR will interact with U.S. laws remains to be determined. It is well known that the Health Insurance Portability and Accountability Act (HIPAA), a cornerstone of U.S. healthcare law, deals more with privacy rights and access than with ownership of patient data. Ownership of data remains under the control of state law, in this case 50 states with differing laws, court cases and interpretations of ownership of patient data. Only one state, New Hampshire, has enacted legislation stating that the patient owns their data. This diverse ownership of patient data may be a latent issue that will surface over time as the ramifications of GDPR become better understood.
Current laws and regulations such as HIPAA in the U.S. and the GDPR in the EU provide a significant incentive for the application of blockchain-powered solutions in healthcare. The technology offers a practical and credible way to meet data retention obligations such as consent and access requests. Although questions often remain on issues of privacy and erasure, we at Pikcio strongly believe we have answered these issues, and we will be moving rapidly to address any new challenges.
This article has been reviewed, corrected and written with the help of Thomas Gross, partner at The Cogent Law Firm.