Does innovation breed regulation or does regulation spark innovation?
In the case of the drafted Trusted Exchange Framework and Common Agreement (TEFCA) and the forthcoming frameworks, the hope is that regulation may serve as an impetus for developing innovative approaches to exchange. Since blockchain is an emerging technology that can support healthcare data exchange, it should be explored as an innovative option for addressing regulatory exchange requirements for interoperability.
Previously, we introduced a number of components of TEFCA that will need to be addressed to develop a successful framework for trusted exchange, suggesting that blockchain technology could be leveraged to support this. Now, let’s unpack further how blockchain can facilitate these components of TEFCA.
The exchange of electronic health information (EHI) between disparate health systems, providers, and patients requires trust, and therefore, the Trusted Exchange Framework (TEF) principles need to ensure trustworthiness within networks.
The TEF outlines six general principles around:
These principles provide the rules of the road to facilitate trust between Qualified Health Information Networks (QHINs), or consortia, and enable nationwide information exchange, allowing EHI to securely follow the patient when and where it is needed. To achieve this trust, one needs a committed relationship where confidence levels, timing, source and destination are critical to success.
Blockchain can bring trust and transparency to healthcare with real-time confirmation, real-time assurance, and possibly deliver value as a trust currency. It can also greatly aid in the development of trusted exchange by establishing a framework to improve data privacy and security which in turn, delivers greater efficiency, higher reliability and higher quality data.
At its core, blockchain supports a network where nodes can operate in a trustless system. This means that nodes do not have to trust each other or establish a way to ensure trust, as long as they trust the blockchain, the associated consensus algorithm, cryptography and the data on the blockchain. In a private network, each node agrees to and leverages standardized datasets, common agreements and consents based on cooperation and nondiscrimination. The network therefore becomes a secure system of exchange with well-defined access controls, an architecture that can align well with the TEF principles.
To promote trust within the exchange framework there needs to be:
Blockchain technology can facilitate all of these components.
The TEF aims to support scalable interoperability and enable participating networks to collaborate to build the on-ramp for the seamless exchange of and access to EHI, regardless of the technology used or geographic location of provider or patient.
To achieve these goals, the TEF plans to establish trusted collaborative platforms encompassing multiple technologies and geographies, thereby eliminating many of the barriers in today’s current health information exchange environment. These QHINs could be set up to assist organizations with consent management and record aggregation to meet an individual’s right to access requirements.
Establishing collaborative relationships and creating buy-in with key stakeholders, including federal agencies, public health, payers (health plans), individuals, health information networks and technology developers, is critical for program success. In considering this governance model to enable exchange and define common policies across disparate partners, blockchain technology is well positioned to develop consortia models in support of those goals as this technology focuses on aligning disparate partners and interests around common goals.
If such a model is pursued, QHIN participants should understand and agree that legal compliance with respect to the maintenance, storage, transmission, transfer, use, dissemination and treatment of any data, including but not limited to protected healthcare information (PHI), or other personally identifiable information (PII) on or accessed via the blockchain network. This compliance would be the QHIN’s responsibility as it relates to HIPAA and other privacy guidelines.
Whether governance is outlined via a smart contract or general governance policy, blockchain technologies could provide the backbone of identity for participants, entities and patients. It can also outline the governance rules through smart contracts to enforce standards of exchange supported on the network.
With the premise that information included on chain would be minimal for security, exposure and accessibility, the relationship between blockchain solutions and health IT standards will need to be tightly coupled. The exact tie will be dependent on the type of consortia participating and how they plan to interact. With a core principle of blockchain being its capabilities around managing identity, this could be a key component of any blockchain strategy supporting the C-CDA and FHIRⓇ exchange standards currently in place or being implemented. A consortia partnership to establish governance rules and enforce technical standards for members relating to the ability to retrieve critical clinical data, will be needed.
The clinical requests and responses would be accomplished leveraging C-CDA or whatever standards chosen in the QHIN Technical Framework. This model minimizes exposure of HIPAA-protected PHI on chain and allows participants to leverage their investment in existing exchange standards, such as FHIR application programming interfaces (APIs) and IHE profiles, in partnership with a blockchain backbone to provide capabilities for identity, track and trace, and health data exchange amongst consortia members.
With the growing consumerization of healthcare, individuals are being empowered to grant selected or total access of their data to authorized providers, care teams and institutions, which is a critical consideration with the implementation of TEFCA. A decentralized electronic consent management service using blockchain can be leveraged to support our providers in enabling proper levels of consent management.
Current consent management solutions are limited to the opt-in/opt-out models of dedicated consent, either allowing or denying all of the content within the healthcare application only, and the purpose of the consent record is used locally for the application only. Conversely, patients do not have a mechanism to grant or restrict access to their information at their own discretion, or even be aware of how their information is being accessed, which blockchain technologies have the ability to enable.
A private blockchain network is ideal for consent management of sensitive healthcare data. All participants are part of the recording of consent transactions and validation process. Consents can be managed in the smart contracts of blockchain, consisting of authorized users and related access rights. When a patient defines a new consent, it is recorded in the blockchain and authorized third parties can access only data where access was granted.
While blockchain itself does not provide inherent privacy and security functions, it provides integrity, auditability and availability. A major component of both HIPAA and HITECH, as well as TEFCA, is to provide visibility and traceability with a high degree of assurance with documenting who accesses what information and when. Compliance is required with the HIPAA Privacy and Security Rules, and the HITECH Act, specifically within the Breach Notification Rule component. The focus on compliance with these rules is in affirmatively showing who did what and when it was done. The U.S. Federal Trade Commission also recently increased enforcement actions to protect personal information (both PII and PHI) and how companies handle data protection and its security. Many of the current solutions utilized for security provide confidentiality, but do not provide integrity, auditability, or availability at a low level. With the rise in ransomware attacks on healthcare providers, data integrity is now more critical than ever.
The governance model of blockchain is reliant on ensuring all consortia members have agreed to the same security standards and adhere to them. Logging and auditing should be implemented to support this governance model, however current standards for exchange don’t address system integrity or provable processes. The use of blockchain technologies enforce this through mutually assured security.
One way to encourage privacy and security throughout systems is to use standard APIs and web services that abstract data elements and support blockchain-based technologies that enforce these privacy rules by design—a core tenet of privacy regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR).
Enforcing privacy and security with APIs and web services requires the implementation of effective identity management. Identity management is the organizational process for proofing, authentication and authorization for access to information and systems. Identity management also requires excellent auditable processes on top of system processes, especially to comply with national standards such as the National Institute of Standards and Technology. HIPAA, HITECH, and GDPR all have excellent identity management principles at their core as part of security and privacy.
In the end, identity management, mutually assured security, security by design using APIs, and enforcing availability combine to build a base for more secure systems to support TEFCA and future goals of the initiative.
TEFCA also brings up the fact that we are a global community and need to think of interchanging data in that context. Whether it is to support individuals receiving specialist care in the U.S., students studying internationally, or U.S. citizens working or serving overseas, there will be use cases that require us to consider this as a future state.
The current international regulation that countries look to is GDPR. GDPR requires data processors to understand and document their data flows, and be able to provide logging and auditing as to who looked and processed their data. It also requires privacy and security by design in systems. Most of the focus has been on the right to be forgotten, which requires an EU citizen to be able to have their information, including public health and diagnosis information, removed unless it is specifically designated.
One of the grand challenges of international data transfer is the complexity of data access and retrieval policies on a per-country basis. What data elements can be transferred, and to whom? These are business rules that do not change, however they are amended and applied based on date, time and geography. Utilizing blockchain technology will allow TEFCA to have a metadata repository that can meet that use case and keep an immutable record of rules for data transfer.
While blockchain and GDPR appear to be moving in different directions, prudent usage of it to keep up with the complexity of ever-changing international standards will help in evolving processes to address these concerns. There is a lot of work to be done in this space, however, developing these processes now and continually building on them will allow for better progress.
Interoperability in healthcare evolved from the need to connect multiple stovepiped systems developed to meet individual customer needs. Blockchain technology and TEFCA’s guidance are maturing concurrently, and together they can leverage the power of a decentralized consensus and information sharing model.
This model supports enhanced interconnectedness providing secure identity solutions and the capability to deliver a federated, aggregated longitudinal care record for QHIN participants. Blockchain provides a healthcare provider with the ability to find their data and end the redundant data tsunami where everyone has everything, everywhere.
Blockchain and distributed ledger technology are taking hold in healthcare as the industry learns more about the potential to improve patient care and reduce costs.