Blockchain Privacy Considerations

A key consideration when implementing a blockchain in a healthcare setting is patient privacy. A strategy is needed to address concerns related to how patient protected health information (PHI) will be collected, used, accessed, disclosed, stored, and ultimately disposed of.

With new regulations on the rise, such as the General Data Protection Regulation (GDPR), in conjunction with regulations that have been in force for more than a decade, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), patient privacy is now a standard consideration when processing any form of PHI.

Individual Access Rights to Data

Blockchain users will want to consider how best to include the individual as an end-user of the system or application. A major consideration must be the right of an individual to access their record. HIPAA provides statutory guidance on making patient data available to the individual through a “copy” of their record upon request. Today this is typically a paper copy or an electronic PDF. To date, no data set has been identified that would be required to be made available, but federal policy is driving toward individuals owning their health data, as a motivation for participation in their personal health care. HIPAA does not require an individual consumer’s permission or consent to share data for permitted purposes, which include the sharing of data for treatment, payment or operations. However, as of January 2019, HIPAA is silent on rules related to third-party health care applications (apps). HIPAA does require that a covered entity (provider or facility) keep an audit log of disclosures. Clearly, distributed ledger technologies would assist with these requirements.

A key component of the GDPR also concerns the right of access. Article 15, Right of access by the data subject, entitles subjects to transfer their data from one electronic storage entity to another without restriction from the data controller. This entails ownership of the data by the subject.

To learn more about each of these regulations, visit the compliance section of this resource library.

Individual Right to Erasure

Since blockchains are immutable, it is important that the data written to them cannot be attributed to any one subject. This is addressed in Article 17, Right to Erasure (‘right to be forgotten’), of the GDPR. Given these boundaries, it is important to address where data is being stored with regard to a blockchain implementation (see the Health Data Storage recommendations). Blockchain implementers will also need to consider other federal and state laws and regulations outside of HIPAA that may affect data use from a privacy perspective, especially when the entities involved are not covered entities under HIPAA.
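As an added illustration (not from this resource library) of keeping PHI off the immutable ledger so that nothing on-chain is attributable to a subject, the Python model below records on-chain only an opaque handle, a keyed commitment to the off-chain record, and disclosure events for the audit log; erasure deletes the off-chain record and its key, leaving the ledger untouched. The Ledger and PhiStore classes, the handle scheme and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

class Ledger:
    """Append-only hash chain standing in for the immutable blockchain (assumed model)."""
    def __init__(self):
        self.blocks = []

    def append(self, entry: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps({"prev": prev, **entry}, sort_keys=True).encode()
        self.blocks.append({"prev": prev, "hash": hashlib.sha256(body).hexdigest(), **entry})
        return self.blocks[-1]

class PhiStore:
    """Off-chain PHI store. The chain sees only an opaque handle, a keyed
    commitment and disclosure events; PHI and the per-record key stay here."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # handle -> {"key": bytes, "phi": dict}

    @staticmethod
    def _commit(key: bytes, phi: dict) -> str:
        return hmac.new(key, json.dumps(phi, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def register(self, phi: dict) -> str:
        handle = secrets.token_hex(16)  # opaque; not derived from any patient identifier
        key = secrets.token_bytes(32)   # secret per-record key: commitment is unguessable without it
        self.records[handle] = {"key": key, "phi": phi}
        self.ledger.append({"event": "register", "handle": handle, "commitment": self._commit(key, phi)})
        return handle

    def disclose(self, handle: str, recipient: str) -> dict:
        """Release PHI off-chain; only the fact of disclosure is logged on chain (audit log)."""
        self.ledger.append({"event": "disclose", "handle": handle, "to": recipient})
        return self.records[handle]["phi"]

    def verify(self, handle: str) -> bool:
        """True while the off-chain record still matches its on-chain commitment."""
        rec = self.records.get(handle)
        if rec is None:
            return False  # erased: the commitment no longer links to anything
        reg = next(b for b in self.ledger.blocks if b["event"] == "register" and b["handle"] == handle)
        return hmac.compare_digest(reg["commitment"], self._commit(rec["key"], rec["phi"]))

    def erase(self, handle: str) -> None:
        """Right to erasure: delete PHI and key off-chain; the ledger is untouched."""
        del self.records[handle]
        self.ledger.append({"event": "erase", "handle": handle})
```

Because the commitment is keyed with a secret that is destroyed on erasure, the leftover on-chain value cannot be matched against guessed PHI, which is what makes the retained ledger entry unattributable.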


For further questions or content suggestions, please email