On January 24, 2019, Aetna, Anthem, Inc., Healthcare Service Corp., and financial services company PNC Bank announced that they have partnered with IBM Corp. to create a blockchain network aimed at streamlining insurance claims and payment processing, enabling secure and frictionless healthcare information exchanges, maintaining current and accurate provider directories and, as a result, reducing administrative costs.

​Blockchain technology permits digital information to be transferred but not copied. Transactions on a blockchain need to be verified before they can be recorded on a "block." New blocks are then linked to older blocks creating a chain of blocks that show every transaction in the history of that blockchain.

Regarding the IBM collaboration, Lori Steele, IBM’s General Manager for Healthcare and Life Sciences, stated:

"Blockchain’s unique attributes make it suitable for large networks of members to quickly exchange sensitive data in a permissioned, controlled, and transparent way. The fact that these major healthcare players have come together to collaborate indicates the value they see in working together to explore new models that we think could drive more efficiency in the healthcare system and ultimately improve the patient experience."

Although blockchain, with its use of encryption, is considered an effective way of protecting data from alteration – that is, protecting the integrity of the data – the scope of security and privacy benefits from using blockchain depends on the manner in which it is implemented. Unfortunately, it isn’t entirely clear how compliance with certain requirements of data protection laws  translates to blockchain technologies. Thus, a number of questions regarding implementation and legal interpretation may arise.   For example, the blockchain would have to be used in a way that complies with HIPAA’s Privacy and Security Rule. This could require restricted access to the blockchain, and could raise questions about the mechanisms through which any protected health information is anonymized and what level of risk exists that the patient data could be re-identified.  Further, depending on how the blockchain is constructed, if there were a breach of protected health information contained within a blockchain, it could be unclear which party on the blockchain would be required to issue breach notifications, as it might not be clear which party is considered the covered entity in this context, or how the use of Business Associate Agreements (BAAs) might extend to the use of blockchain to record certain types of information.

Also, compliance with certain erasure laws can be problematic with the use of a blockchain. For example, under the EU’s General Data Protection Regulation, also known as the GDPR,  a collector or processor of personal data may, under certain circumstances, be required to revise or delete patient data permanently upon request.  However, compliance with an erasure request for data on a blockchain is tricky as one of the defining features of blockchain technology is that it creates an immutable record which cannot be erased. One potential solution for compliance is, upon an erasure request, to destroy the encryption key to render the personal data on the blockchain unreadable. However, it is not known whether regulators would find that this method meets the deletion requirements under GDPR. 

The use of blockchain creates potential challenges under other provisions of GDPR as well, such as clear identification of the identities and roles of data collectors and processors, questions about the use of anonymization techniques, and other areas of the regulation.  And while the EU Blockchain Observatory and Forum has issued a report suggesting that use of blockchain need not be incompatible with GDPR,  it is not yet clear  to what extent European Data Protection Authorities will concur with the recommendations of the Blockchain Forum.

Given the infancy of blockchain technologies, it is not known how these and other data protection laws will impact the recent partnership between IBM and certain health insurers. But, what is evident from this dilemma is that regulators and innovators should work together to implement the new healthcare blockchain network in a way that allows technological innovation and yet also affords the stringent data protection that regulations seek to achieve.