Healthcare Security and Privacy Policy Compliance: A Blockchain and Smart Contract-Based Assurance Framework

Abstract

Access to electronic health records (EHRs) is heavily regulated by various policies, including federal-level policies, state-level statutes, international data protection laws, and local and organizational-level policies. These policies may include procedures to ensure compliance with other organizational-level regulations. In addition, individual patients can establish agreements, formally known as patient-provider agreements (PPA), with their healthcare providers to express their consent to access or share their protected health information (PHI). When such policies are adequately specified and implemented, they go a long way toward protecting EHR data. However, research has shown that significant policy compliance problems or gaps often go undetected until after a breach or security incident. Further, a recent study shows that subcultures within a healthcare organization influence whether employees violate policies, perhaps unintentionally. These observations motivate us to revisit the compliance and provenance aspects of policies. This dissertation proposes a blockchain-powered, smart contract-based policy-compliance assurance framework to enforce patient-provider agreements and other applicable policies and attributes, ensuring policy compliance and provenance in the healthcare sector. This work proposes a novel compliance review mechanism, Proof of Compliance (PoC), that conducts reviews through a set of independent, distributed, decentralized auditor nodes from various stakeholders, such as healthcare organizations, insurance companies, federal and other government agencies, regulatory agencies, and others mandated by the business requirements. Blockchain smart contracts appear to be a promising new technology for enforcing policies. In addition, blockchains' immutable storage properties and strong integrity guarantees provide hope that an adequate trail of policy compliance (or non-compliance) can be maintained, thereby facilitating provenance.

Subject

Healthcare Privacy

Patient Consent

Smart Contracts

Healthcare Security

Blockchain

Policy Compliance
