Blockchain Regulatory & Compliance Considerations
In addition to the privacy considerations discussed, implementation of blockchain technology must consider other regulatory and compliance impacts on the use of the technology depending on its use case. If your blockchain will store protected health information (PHI) or any sensitive healthcare information, and be used by covered entities and business associates under HIPAA or data controllers and data processors under GDPR, then it is recommended to engage your compliance team early in your blockchain initiative to ensure compliance with all applicable regulatory or data protection law requirements. Considerations on what information will be stored on-chain and off-chain will also be important to comply with regulations related to PHI storage.
While regulations and compliance considerations differ by federal, state or local jurisdictions, this section aims to provide some examples of regulatory requirements that may impact healthcare solutions that intend to leverage blockchain technology.
Health Insurance Portability and Accountability Act (HIPAA)
For U.S.-based organizations, considerations should be made when the blockchain use case either relates to or is parallel to transactions adopted under HIPAA. In instances where the data exchange is determined to meet the definition of specific data exchange (i.e. a transaction as defined in 45 CFR §160.103) under HIPAA, implementers will need to pursue the exception process identified (45 CFR §162.940 ) to mitigate any risk of non-compliance to the implementers.
Another consideration from a compliance perspective is that of third party vendor management with blockchain initiatives (e.g. Covered Entity (CE) and Business Associate (BA) Agreements). Having a solid understanding of what each party has agreed to do and the impact of data sharing/storage responsibilities is essential.
As of January 2019, the Office of Civil Rights (OCR) is reexamining HIPAA’s language to eliminate barriers to access and exchange of health information for value-based care. Considerations for your organization’s compliance with these regulations may shift pending the updates to these regulations.
42 CFR Part 2
Information sharing under 42 CFR Part 2 is much stricter than under HIPAA, which may create additional instances where data cannot be pointed to or shared, regardless of the technology.
General Data Protection Regulation (GDPR)
If your solution will include any data that belong to a citizen of the European Union, GDPR regulations must be considered when implementing a blockchain solution. Specifically, considerations must be made on the inclusion of data as it relates to Article 17 Right to Erasure (‘right to be forgotten’) of GDPR. Given these boundaries, it is important to address where data is being stored in regard to blockchain implementation.
Additional International Examples
- Chinese Privacy Laws: New Chinese Privacy law covers ‘any citizen’s personally identifiable information (PII)’, meaning that any company, regardless of location, with Chinese citizens as customers is bound by these new regulations. This law goes even further than GDPR’s citizenship coverage, and covers any ‘natural persons.’ [1, 2]
- EU Medical Device Regulations: A global investigation by the International Consortium of Investigative Journalists into the medical device sector has brought an increased focus on the safety of medical devices. As a result, the European Council, the European Parliament and the European Commission approved a new European Union Regulation, 2017/745 on Medical Devices (MDR), in May 2017. For entities either manufacturing or contracting with medical devices in or out of a blockchain ecosystem, MDR has a transition timeline into 2025 that should be considered. One of several potential impacts is that devices already being marketed in Europe may be subject to re-classification under MDR. Devices that are ‘up-classified’ are likely to need additional scrutiny regarding available clinical data to ensure compliance. This means that devices that are subject to re-classification may require additional resources in order to continue to be marketed post-MDR. Bottom line, the adoption of MDR may result in the removal of a number of legacy devices from the EU market if commercial considerations around the cost of MDR compliance becomes prohibitive. Vendors should consider readiness plans for compliance with this regulation. 
For further questions or content suggestions, please email firstname.lastname@example.org.