Is Blockchain HIPAA Compliant?

By: Jon Avidor and Jaclyn Wishnia

The healthcare industry remains one of the largest sectors to potentially benefit from blockchain technology.  By implementing its application, the healthcare industry can eliminate some of the risks plaguing its community, such as inconsistencies with patient medical records, risk of data security breaches, and inefficiencies of patient record retrieval. As with all new technology, however, companies utilizing blockchain for its potential benefits will need to learn how to navigate such a heavily regulated industry, especially when it comes to storing and protecting patient data and medical information in compliance with the Health Insurance Portability and Accountability Act, or HIPAA.

HIPAA regulations were developed to protect the privacy and security of certain health information. The regulations are two-fold: there is the HIPAA Privacy Rule, which establishes national standards for the protection of certain health information, and the HIPAA Security Rule, which establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

Data security risks are a major issue afflicting the healthcare industry, despite HIPAA’s stringent privacy and security regulations. In 2015, the healthcare industry was the target of one of the largest security breaches. Hackers were able to breach Anthem Inc.’s record database containing personal information for nearly 80 million of its current and former customers and employees. Vulnerability to cyberattacks is due in part to the way patient information is stored.

Blockchain could provide a way for healthcare professionals to securely store patient health information.  Blockchain uses cryptographic coding through complex mathematics, allowing only the data’s intended recipients to decrypt the information. This mitigates the risk of a data breach by hackers because the information would be useless in its encrypted form. Mathematical encryption, however, conflicts with the HIPAA Privacy Rule. HIPAA prohibits the use of mathematically-derived encryption of protected health information because the encrypted information can potentially be re-identifiable. This strict regulation would seemingly render the use of blockchain in the healthcare industry non-compliant with HIPAA.

Blockchain technology can potentially be the solution to many of the problems within the healthcare system that HIPAA was designed to address and fix.  There are, however, still issues and questions regarding blockchain technology that would have to be resolved before its implementation in the healthcare industry.  For example, how certain types of medical records stored on the blockchain, such as psychotherapy notes, can remain inaccessible to its subjects, and whether there’s a way to completely anonymize patients’ protected health information, rather than cryptographically store it in a way that complies with HIPAA as it is written.

Companies, such as Timicoin and Patientory are looking to develop blockchain-based platforms to secure health data for patients, healthcare providers and medical institutions, while remaining compliant with HIPAA.  While a quick adoption of blockchain technology is not likely, its enormous benefits can be an opportunity to disrupt and transform the current healthcare industry.


We would like to thank our intern Jaclyn Wishnia for her contribution to this article.