Knowledge Burst Blog Series

What You Should Know About Regulations in a Web3 World | BurstIQ

By Dr. Wendy Charles, Chief Scientific Officer, BurstIQ

The third generation of the world wide web, Web3, is now hailed as the next evolution of the internet. As our present quickly becomes our past, how will this transition affect current healthcare and research regulations? Do the changes fit within current regulatory structures, or will it be necessary to update policies and regulations to accommodate new challenges and opportunities?

This blog highlights Web3 features with a discussion of the likely need to modify specific regulatory approaches within healthcare and life sciences and provides recommendations for regulators and administrators to manage potential changes and strategies.

The Evolution of the Internet

When considering the evolution of the internet, it is valuable to review the blog written by Frank Ricotta. The original internet, now known as “Web 1,” offered read-only websites…and the lovely dial-up tone. Next, the internet became interactive: individuals could view, post, manage, and transmit information. In this second generation, known as “Web 2,” websites began collecting data about individuals to provide personalized browsing experiences. That growing collection of user data exposed large technology organizations, such as Google and Facebook, as they exploited individuals’ private data and web behaviors in ways that individuals could neither anticipate nor control. With a new focus on individual control, the internet is now evolving toward decentralized storage. With the emergence of blockchain, Gavin Wood, a co-founder of Ethereum, coined the term “Web3” for this shift in focus. Since then, Web3 has become a term that encompasses all advances in web-based processing, with particular emphasis on Internet of Things (IoT) devices.

Key Features of Web3

The primary feature of Web3 is the distribution of authority and storage, allowing individuals to manage their data without needing (or being subject to the interference of) intermediaries. Web3 infrastructure also enables democratization and ownership of projects or data formerly owned by technology companies. For example, data democratization gives individuals a voice in the governance and decision-making about how their data are used and stored. Last, Web3’s goals of decentralization, verifiability, and security uphold a vision similar to Barlow’s Social Contract. “The Internet is becoming its own nation,” said Juan Benet at the Web3 Summit.

A Shift in Regulatory Thinking

The progressive evolution toward individually managed and exchanged health information has sparked interest within healthcare organizations, yet it still raises uncertainty about regulatory compliance. Specifically, federal regulations and state statutes for the protection of health information were written with the expectation that primary data collection and storage would take place in a covered entity (healthcare facility, healthcare provider, clearinghouse, or health plan). To address the challenges of Web3 regulatory approaches, this section raises regulatory questions with a particular focus on decentralized IoT in the United States.

How Do We Know if Web3 Health Devices Work as Intended?

There is a narrow range of medical devices and software as a medical device (SaMD) intended to diagnose, treat, prevent, cure, or mitigate disease. Because such devices and software can have a direct impact on health, they are regulated by the U.S. FDA to ensure safety and effectiveness. Unfortunately, many other health-related devices and apps have never validated their data or demonstrated their claims. Instead, unregulated health-related devices and apps are marketed as general wellness products, which the FDA’s general wellness guidance describes as intended for “maintaining or encouraging a healthy lifestyle and are unrelated to the diagnosis, cure, mitigation, prevention or treatment of a disease or condition.” There is generally no review process or oversight to ensure that wellness products operate as intended. The Consumer Product Safety Commission (CPSC) or the Federal Trade Commission’s (FTC) Bureau of Consumer Protection can investigate deceptive and fraudulent business claims. The FTC closely scrutinizes advertising claims that can affect consumers’ health, including claims about high-tech products, under its truth-in-advertising authority. The FTC has also published guidance for developers, “Mobile Health App Developers: FTC Best Practices” and “Marketing Your Mobile App: Get It Right from the Start,” to improve app quality and compliance.

To advance Web3 health system integrity and data trust, regulators are encouraged to evaluate the use of blockchain as an efficient and transparent mechanism for instilling patient and consumer trust. We are thrilled that the U.S. FDA’s Technology Modernization Action Plan mentions the use of blockchain four times as a critical innovation for infrastructure modernization. We are also heartened by U.S. H.R. 3723, the Consumer Safety Technology Act, which requires the Consumer Product Safety Commission to study and report on the use of blockchain technology as a consumer protection “for limiting fraud and other unfair and deceptive acts and practices.” We’re one step closer to data control being back in the hands of the humans who create it.

How Do We Know Web3 Health Data are Secure?

U.S. healthcare regulations focus on centralized accountability for data protection, management, and technical problem-solving. For example, the HIPAA Security Rule (2003), the HITECH Act (2009), and the Omnibus Rule (2013) expanded information security obligations for electronic systems maintained by covered entities and, since the Omnibus Rule, their business associates. Further, the 21st Century Cures Act required enhanced security for the application programming interfaces of covered payers and Medicare- and Medicaid-participating hospitals. Unfortunately, most Web3 IoT health devices and apps are not subject to any government certification process to ensure appropriate privacy and security. The Electronic Communications Privacy Act (ECPA, 1986) made it illegal to intercept electronic transmissions. However, the ECPA excludes communications from tracking devices, and to the extent IoT devices and smartphone apps are classified as “tracking devices,” they fall outside the Act. For healthcare consumers, the FTC publishes reports and guidelines about consumer product data security, with free resources for consumers and businesses, including details about app security and IoT devices. The FTC’s data security material is primarily guidance, but the FTC does sue organizations on behalf of consumers for failure to implement appropriate security measures.

As a result of these gaps, independent research analyses have uncovered serious problems with health IoT security and inconsistent privacy practices that create risks for healthcare consumers. Researchers found that over 80% of healthcare organizations reported IoT security incidents, and cyberattacks on IoT devices are increasing. At least one case of health information compromised through a decentralized peer-to-peer network has been prosecuted by the FTC on behalf of consumers.

To better protect consumers, the FTC issued the Health Breach Notification Rule (2009) to add protections for consumer health information not covered by HIPAA. The Rule requires vendors of personal health records and related entities to notify affected consumers of a breach of unsecured identifiable health information and to notify the FTC; breaches involving 500 or more consumers trigger prompt FTC notification and, in some cases, media notification. However, there was confusion about the scope of the Rule, so the FTC issued a statement on September 15, 2021 specifying that “the Rule applies to most health apps and similar technologies.” Failure to notify the FTC, consumers, or the media could result in enforcement actions. In the 2021 statement, the agency noted that it had “never enforced the Rule” up to that point but intends to bring enforcement actions henceforth.

With the proliferation of Web3 apps and decentralized storage intensifying the risk to healthcare consumers, we urge the FTC to pursue education and vigorous enforcement so that healthcare data are secured and consumers are notified when they are not. While decentralized technologies such as blockchain can be very secure, few health-oriented blockchains have been designed and tested against HIPAA and GDPR requirements. Designing for those requirements means, for example, keeping protected health information off-chain and anchoring only hashes, consent records, or access logs on-chain, since data written to a blockchain cannot later be amended or erased to satisfy a correction or deletion request.

How can Patients Access Web3 Health Information?

There have also been regulatory shifts in approaches to patient access to health information. The Omnibus Rule expanded an individual’s right to obtain electronic copies of protected health information in the form and format requested. The 21st Century Cures Act addressed information blocking, in which healthcare providers or health information technology networks had interfered with the access, exchange, or use of electronic health information. Further, the Office of the National Coordinator for Health Information Technology published expectations for Nationwide Health Information Interoperability (2022) and the Trusted Exchange Framework: Principles for Trusted Exchange (2022) to establish trust policies and practices that facilitate health information exchange.

There is no requirement for life sciences organizations to share research data with individuals who participate in research studies. Specifically, the U.S. Government Accountability Office (2019) noted that life sciences organizations have no economic incentive to provide research participants with data or test results. Granted, sharing data with participants could compromise protocol blinding and thus protocol integrity. However, with the emerging focus on data access and data ownership, there are fewer legitimate arguments against providing patients with at least some of their data. A 2017 Clinical Trials Transformation Initiative (CTTI) survey of 193 individuals in a research database found that 98% of research participants rated it “somewhat important” to “very important” to see the information collected by digital technology they are asked to wear; 48% rated it “very important.”

A common argument against providing health or research data is the administrative time needed to review data requests and supply the data. Decentralized technologies, such as blockchain-based smart contracts, can automate much of that downstream access in a secure and compliant manner. Some data can also be shared in near-real time; low-risk information such as protocol compliance data, for example, can be returned to participants to increase transparency and engagement. Consistent with the CTTI recommendation that sponsors build data-sharing mechanisms into protocols that use digital technologies, we encourage regulators to consider the current trend toward patient-centric solutions and allow more transparency of healthcare and research data where it would not compromise data integrity. At the least, research participants could receive aggregate or summary data at the end of their study participation, as well as the option to receive the overall study results.

How Can Patients Own Web3 Health Information?

When assessing ownership of health records, HIPAA does not specify health record ownership, and there is no legal consensus. A 50-state analysis by George Washington University’s Hirsh Health Law and Policy Program determined that only New Hampshire has created legislation declaring that patients own their medical records and 20 U.S. states specify that healthcare providers own the records. The remaining states do not have legislation about ownership, but it is generally interpreted that the physicians or healthcare organizations holding the information own the health records. (Please note that this assessment applies only to formal healthcare records and not to other forms of health information.)

While patients and regulators are pressing for more patient access to health records, patients are turning to Web3 technologies to claim ownership of other health information. This transformation in healthcare is ascribed to patients taking on the roles of consumers. Patients are using Web3 IoT technologies such as smart health watches and monitoring devices to influence their own care. In this consumer-driven perspective, patients are growing more empowered and wish to become better informed about their own conditions, deciding how and where to receive care, and how their health data can be shared and used. Ira Nash, MD, a Manhattan cardiologist noted that healthcare organizations “have rules that were developed when none of this kind of wide-scale data sharing was possible. And I don’t think the regulatory environment or the general understanding about this has kept pace with the technical capacity to collect huge amounts of data and share it.”

The Path Forward

Role of Regulators in Driving Change

Hester Peirce, Commissioner of the U.S. Securities and Exchange Commission, commented in 2019, “Regulators tend to be skeptical of change because its consequences are difficult to foresee and figuring out how it fits into existing regulatory frameworks is difficult.” Unfortunately, overly cautious officials create confusion and uncertainty that may hinder innovation. Because Web3 is becoming established in society, regulators are encouraged to develop an affirmative vision for shaping policies and regulations to support this innovation. Attorneys Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe offer the following recommendation: “As technology evolves to enable greater capability to digest health information and make it meaningful while the market responds to greater, more expansive uses of health information for a wider variety of stakeholders, policymakers at the federal and state levels should work to develop a legal framework to govern the many uses for and users of health information” (p. 241).

Cross-Government Cooperation

Because of the decentralized nature of Web3 technologies that span multiple jurisdictions, effective oversight requires multilevel governance and long-term regulatory strategies that extend beyond geographic boundaries. Intergovernmental cooperation and consultations are necessary to advance Web3 health innovations that promote patient engagement and control.

Use of Blockchain

Emerging uses of blockchain technologies in healthcare can not only offer a decentralized data management solution but can also encode regulators’ current thinking into the governance layers of the technology. Current production-level solutions, such as BurstIQ’s LifeGraphs®, underpin Web3 technologies by operationalizing each component, harmonizing data, and orchestrating activities and interactions.

Conclusion

Leaders and policymakers have two options: shape Web3 innovation so that it is consistent with the country’s values, or allow other countries to move forward with a divergent set of priorities. Rather than push back against Web3 progress, policymakers should lead the conversation and set a vision for future infrastructure. Transitioning to a digital Web3 health ecosystem is a much deeper process of enabling and facilitating new models and regulations that support decentralization.

As we move into a distributed Web3 world, it will become ever more essential that companies take steps to build trusted relationships with people through trustworthy data management.

Data is becoming more distributed and regulations are driving further towards personal data ownership. In response, companies need to start thinking about data not as a company asset, but as a personal asset. Each company has an opportunity to access and use human data – if you build trusted relationships with people and provide them with meaningful value.

Here’s some good news. You can start building your trust equity quickly and cost-effectively with BurstIQ. LifeGraph is the only platform that solves two critical needs: one, the need to unify and share data at scale while ensuring trust, privacy and regulatory compliance, and two, the need to apply distributed AI and gain deep insights across disparate data to create meaningful, hyper-personalized experiences. LifeGraph’s ability to seamlessly solve both means companies can build smarter products that offer greater value to their customers faster.

Let’s talk so you can experience the power of building trust with LifeGraph firsthand.

About BurstIQ

BurstIQ fuels trust-first digital strategies with human data. LifeGraphs® take the complexity out of managing sensitive human data, freeing organizations to build trust through hyper-personalized health, work, and life digital experiences. In an era of data abundance, LifeGraphs promote trust between organizations and the individuals providing data through blockchain-powered governance and consent. The LifeGraph ecosystem provides a single source of truth and an intelligent ecosystem, helping businesses gain a deep understanding of the people they serve. Armed with granular insights, they can deliver more value in digital experiences and make an increasingly digital world more human.