- Organizations need to consider the HIPAA compliance and state law implications of implementing a healthcare blockchain solution, advised Mirick O’Connell Partner Matt Fisher.
A healthcare blockchain initiative raises issues under HIPAA Privacy and Security Rules and state data privacy laws, he told HITInfrastructure.com in an interview.
Fisher recommended that healthcare organizations do a HIPAA risk analysis for any blockchain project they are considering.
The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by” a covered entity or business associate.
Failure to perform an adequate risk analysis continues to be one of the most commonly alleged HIPAA violations.
“You have to run [a blockchain project] through a risk analysis to figure out where the vulnerabilities might be, and then use that to come up with a plan to determine how you're going to address the vulnerabilities,” Fisher said.
“Any time you're bringing a new tool in, whether it's blockchain or any piece of software, you really need to figure out how that's going to impact your overall compliance,” he said.
“That's one aspect of HIPAA, the other piece is: Who is actually operating the blockchain, where is all the data residing, and who might have access to it?”
Fisher recommended that healthcare organizations make sure to negotiate HIPAA business associate agreements with vendors involved in the blockchain project if that is appropriate.
“So you'll have to figure out what the different potential contractual relationships might be, for example, if the blockchain is being hosted somewhere else. Even if the data is encrypted or otherwise rendered inaccessible, you'll want to figure out if it is going to create a relationship where a business associate agreement is required.”
Don't forget about state laws
In addition, state laws need to be considered when designing a blockchain project.
Some states require healthcare facilities to maintain copies of completel medical records.
The hospital or the physician might decide to use the blockchain as a record repository, but not have control over the blockchain. This could run contrary to the obligation to keep complete patient records. “You need to have duplicative copies of the information, one in the blockchain and one elsewhere, to make sure you can maintain access,” Fisher said.
“In some blockchain solutions, the patient would have the ability to turn on or off access to various ledgers within the blockchain. What happens if a patient goes to hospital A, enables access to his or her records, but then for some reason decides to cut off access. Hospital A now has a deficiency in its records and may not be living up to its legal obligations in terms of what healthcare information it's supposed to be maintaining.”
Fisher advised healthcare organizations to proceed cautiously. “Go through all the details and then make an informed decision in terms of what blockchain will actually do for you ... You should carefully vet any solution or any tool that you want to utilize and implement. That way, you will be able to identify all the risks, along with the potential benefits. As you enter into relationships with different entities, make sure that they're appropriately documented and that you've reviewed the contracts, that way you know all the rights and obligations of all parties to the contract.”