The progressive evolution towards individually managed and exchanged health information has sparked interest within healthcare organizations yet still yields uncertainty about regulatory compliance. Specifically, federal regulations and state statutes for the protection of health information were written with the expectation that primary data collection and storage would take place in a covered entity (healthcare facility, healthcare provider, clearinghouse, or health plan). To address the challenges of Web 3 regulatory approaches, this section raises regulatory questions with a particular focus on decentralized IoT in the United States.

There is a narrow range of medical devices and software as a medical devices that intend to diagnose, treat, prevent, cure, or mitigate disease. Medical devices and software can have a direct impact on health and are regulated by the U.S. FDA to ensure safety and effectiveness. Unfortunately, many ofthese health-related devices and apps may not have validated their data or demonstrated their claims. Instead, unregulated health-related devices and apps are marketed as wellness products intended for “maintaining or encouraging a healthy lifestyle and are unrelated to the diagnosis, cure, mitigation, prevention or treatment of a disease or condition.” There is generally no review process or oversight to ensure that wellness products operate as intended. The Consumer Product Safety Commission (CPSC) or the Federal Trade Commission’s (FTC) Bureau of Consumer Protection can investigate deceptive and fraudulent business claims. The FTC carefully scrutinizes advertising claims that can affect consumers’ health and regarding the conduct related to high-tech products under the Truth in Advertising Act. The FTC has also created a site for Mobile Health App Developers: Best Practices and Marketing Your Mobile App: Get it Right from the Start to improve app quality and compliance.

To advance Web3 health system integrity and data trust, regulators are encouraged to evaluate the use of blockchain as an efficient and transparent mechanism for instilling patient and consumer trust. We are thrilled that the U.S. FDA’s Technology Modernization Action Plan mentioned the use of blockchain four (4) times as a critical innovation for infrastructure modernization. We are also heartened by U.S. H.R. 3723, the Consumer Safety Technology Act, which requires the Consumer Product Safety Commission to study and report on the use of blockchain technology as a consumer protection “for limiting fraud and other unfair and deceptive acts and practices.” We’re one step closer to data control being back in the hands of the humans that create it.

The U.S. healthcare regulations focus on centralized accountability for data protection, management, and technical problem-solving. For example, in the U.S., the HIPAA Security Rule (2003), HITECH Act (2009), and Omnibus Rule (2013) expanded the nature of information security for electronic technologies maintained by covered entities. Further, the 21st Century Cures Act required enhanced security for application programming interfaces for covered payers and Medicare and Medicaid-participating hospitals.Unfortunately, most Web3 IoT health devices and apps are not subject to any government certification process to ensure appropriate privacy and security. The Electronic Communication Privacy Act (ECPA, 1986) made it illegal to intercept electronic transmissions. However, the ECPA doesn’t apply to tracking devices. Specifically, IoT devices and apps on smartphones are classified as “tracking devices” and fall outside this Act. For healthcare consumers, the FTC generates reports and guidelines about consumer product data security with free resources for consumers and businesses, including details about app security and IoT devices. The FTC’s data security information is primarily guidance, but the FTC does sue organizations on behalf of consumers for failure to implement appropriate security measures.

As a result of these loopholes, independent research analyses have uncovered serious problems with Health security and inconsistent privacy practices that create risks for healthcare consumers. Researchers found that over 80% of healthcare organizations reported facing IoT security incidents, and IoT device cyberattacks are increasing. At least one case of health information compromised by a decentralized peer-to-peer network has been prosecuted by the FTC on behalf of consumers.

To better protect consumers, the FTC issued the Health Breach Notification Rule (2009) to add protections for consumer health information not subject to HIPAA. The Notification Rule requires vendors and developers to notify affected consumers when a health information breach involves 500 or more consumers. However, there had been misunderstandings of the Notification Rule, so the FTC issued a statement on September 15, 2021 specifying that “the Rule applies to most health apps and similar technologies.” Failure to notify the FTC, consumers, or the media could result in enforcement actions. In the FTC’s 2021 statement, the agency noted that it had “never enforced the Rule” up to that point but intends to bring enforcement actions henceforth.

With the proliferation of Web3 apps and decentralized storage intensifying the risk to healthcare consumers, we urge the FTC to implement education and vigorous enforcement to protect the security and consumer notifications of healthcare data. While decentralized technologies, such as blockchain, can be very secure, few health-oriented blockchains have been designed and tested to address HIPAA and GDPR requirements.

There have also been regulatory shifts in approaches to patient access to health information. The Omnibus Rule expanded an individual’s right to obtain electronic copies of protected health information in the manner requested. Further, the 21st Century Cures Act addressed information blocking where healthcare providers or health information technology networks had interfered with health information access, exchange, or use of electronic health information.Further, the Office of the National Coordinator for Health Information Technology published expectations for Nationwide Health Information Interoperability (2022) and the Trusted Exchange Framework: Principles for Trusted Exchange (2022) to create trust policies and practices to facilitate health information exchange.

There is no requirement for life sciences organizations to share research data with individuals who participate in research studies. Specifically, the U.S. Government Accountability Office (2019) noted there are no economic benefits for life sciences organizations in providing research participants with data or test results. Granted, there may be protocol blinding that could damage the protocol integrity if shared with participants. However, with the emerging focus on data access and data ownership, there are fewer legitimate arguments against providing patients with some of their data. A 2017 Clinical Trials Transformation (CTTI) survey of 193 individuals in a research database found that 98% of research participants stated that it is “somewhat important” to “very important” to see the information collected by digital technology they are asked to wear. In this sample, 48% of research participants stated it was “very important” to see their data.

While a common argument against providing health or research data involves the administrative time to review data requests and supply data, decentralized technologies, such as blockchain-based smart contracts, can automate much of the downstream access in a secure and compliant manner. There are also capabilities to provide some data sharing in near-real time, such as sharing other, low-risk information available, such as compliance data, to allow more transparency and engagement. Consistent with the CTTI recommendation that sponsors should include some data-sharing mechanisms into protocols using digital technologies, we encourage regulators to consider the current trends toward patient-centric solutions and allow more transparency of healthcare and research data (that would not compromise data integrity). At the least, research participants could receive aggregate or summary data at the end of the study participation, as well as receiving an opportunity to receive the overall study results.

When assessing ownership of health records, HIPAA does not specify health record ownership, and there is no legal consensus. A 50-state analysis by George Washington University’s Hirsh Health Law and Policy Program determined that only New Hampshire has created legislation declaring that patients own their medical records and 20 U.S. states specify that healthcare providers own the records. The remaining states do not have legislation about ownership, but it is generally interpreted that the physicians or healthcare organizations holding the information own the health records. (Please note that this assessment applies only to formal healthcare records and not to other forms of health information.)

While patients and regulators are pressing for more patient access to health records, patients are turning to Web3 technologies to claim ownership of other health information. This transformation in healthcare is ascribed to patients taking on the roles of consumers. Patients are using Web3 IoT technologies such as smart health watches and monitoring devices to influence their own care. In this consumer-driven perspective, patients are growing more empowered and wish to become better informed about their own conditions, deciding how and where to receive care, and how their health data can be shared and used. Ira Nash, MD, a Manhattan cardiologist noted that healthcare organizations “have rules that were developed when none of this kind of wide-scale data sharing was possible. And I don’t think the regulatory environment or the general understanding about this has kept pace with the technical capacity to collect huge amounts of data and share it.”

Role of Regulators in Driving Change

Hester Peirce, U.S. Securities and Exchange Commissioner commented in 2019, “Regulators tend to be skeptical of change because its consequences are difficult to foresee and figuring out how it fits into existing regulatory frameworks is difficult.” Unfortunately, overly cautious officials create confusion and uncertainty that may hinder the powers of innovation. Because Web3 is becoming established in society, regulators are encouraged to develop an affirmative vision for shaping policies and regulations to support this innovation. Attorneys Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe offer the following recommendation: “As technology evolves to enable greater capability to digest health information and make it meaningful while the market responds to greater, more expansive uses of health information for a wider variety of stakeholders, policymakers at the federal and state levels should work to develop a legal framework to govern the many uses for and users of health information” (p. 241).

Cross-Government Cooperation

Because of the decentralized nature of Web3 technologies that span multiple jurisdictions, effective oversight requires multilevel governance and long-term regulatory strategies that extend beyond geographic boundaries. Intergovernmental cooperation and consultations are necessary to advance Web3 health innovations that promote patient engagement and control.

Use of Blockchain

Emerging uses of blockchain technologies in healthcare can not only offer a decentralized data management solution but can actively encode the government’s current thinking into the governance layers of the technology. Current production-level solutions, such as BurstIQ’s LifeGraphs® underpin Web3 technologies by operationalizing each component, harmonizing data, and orchestrating activities and interactions.

Conclusion

Leaders and policymakers have two options: to create a Web3 innovation consistent with the country’s values or allow other countries to move forward with a divergent set of priorities. Rather than push back against Web3 progress, policymakers should lead the conversations and set a vision for future infrastructure. Transitioning to a digital Web3 health ecosystem is a much deeper process of enabling and facilitating new models and regulations to support decentralization.