Organizations need to consider HIPAA compliance and the implications of state law when implementing a healthcare blockchain solution, advised Mirick O'Connell's Matt Fisher.
A healthcare blockchain initiative raises issues under the HIPAA privacy and security regulations and under state data privacy laws, he told HITInfrastructure.com in an interview.
Fisher recommended that healthcare organizations conduct a HIPAA risk analysis for any blockchain project they are considering.
The HIPAA Security Rule defines a risk analysis as an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by" a covered entity or a business associate.
Failure to perform an adequate risk analysis continues to be one of the most commonly reported HIPAA violations.
"You have to run [a blockchain project] through a risk analysis to understand where vulnerabilities might be, and then use that to work out a plan to determine how the vulnerabilities will be addressed," said Fisher.
"Whenever you're introducing a new tool, be it blockchain or any software, you really need to understand how this will impact your overall compliance," he said.
"That is one aspect of HIPAA; the other piece is: who is actually managing the blockchain, where is all the data residing, and who could access it?"
Fisher also recommended that healthcare organizations negotiate HIPAA business associate agreements with vendors involved in the blockchain project, where appropriate.
"So you'll have to figure out what the different potential contractual relationships might look like, for example if the blockchain is hosted somewhere else – even if the data is encrypted or otherwise inaccessible, you'll want to figure out if it's going to create a relationship where a business associate agreement is required."
Do not forget the state laws
Furthermore, state laws must be taken into account when designing a blockchain project.
Some states require healthcare facilities to keep copies of complete medical records.
A hospital or physician may decide to use the blockchain as a records archive, but they do not control the blockchain, which may conflict with the obligation to retain complete patient records. "You need duplicate copies of the information, one in the blockchain and one elsewhere, to make sure you can keep access," Fisher said.
"In some blockchain solutions, the patient would have the ability to activate or deactivate access to various records within the blockchain. What happens if a patient goes to hospital A, allows access to his records, but then for some reason decides to cut off that access? Hospital A now has a gap in its records and may not be meeting its legal obligations in terms of the health information it is supposed to keep."
Fisher advises healthcare organizations to proceed with caution. "Go through all the details and then make an informed decision in terms of what blockchain will actually do for you … You should carefully vet any solution or tool you want to use and implement. This way, you will be able to identify all the risks, together with the potential benefits. When you enter into relationships with different entities, make sure that they are properly documented and that you have reviewed the contracts; that way you know all the rights and obligations of all the parties to the contract."