Jim Nasr is the CEO of Acoer, a software development company whose vision and work are all about building useful, usable, real-time technologies that are fundamentally targeted at the healthcare industry. Jim was formerly the chief software architect at the Centre for Disease Control and Prevention (CDC) in the United States. In this podcast we discuss how NFTs and blockchain can be used to empower individuals' consent.
What is blockchain?
Blockchain is a public infrastructure that should be used within the public context. Blockchain provides transparency, auditability and accountability. Blockchain is a layer of trust that can be used to impute trust between parties who don’t trust each other.
Jim is keen for blockchain to move past the world of cryptocurrencies and proofs of concept. He wants to make blockchain as practical as possible with real practical solutions.
Challenges of consent
Consent is an element of compliance.
In the healthcare industry, when you go to see your GP, you fill out paperwork to essentially give them consent to your medical health information for all time. For Jim there are a number of issues with that. It’s wrong that the patient doesn’t always fully comprehend what they’re signing, the process is complicated, it has to be done multiple times and the patient has no right to say they’ve changed their mind. Jim gives the example that “if you’re my orthopaedic surgeon, you should not have access to my mental health information”.
There is a double challenge with regard to consent. On one side, individuals who sign consent forms have no idea what exactly they have signed, what data is shared and where that agreement is. On the other side, organisations have a limited idea of who signed what agreements, what data was covered and where the agreements are stored. This creates repetition of the process, where the individual is repeatedly asked to sign new consent forms.
Dynamic consent is the recognition that consent is not a one-and-done concept. It is more dynamic, with potentially multiple phases for providing consent and the ability to revoke it; the consent may expire after a certain amount of time and it can be renewed.
Dynamic consent is digital which gives it properties to be tracked and monitored.
Data has creators, such as the individuals who create data on Facebook, Instagram and Twitter, to name a few platforms. Essentially, we are implicitly giving those platforms the ability to use this data, and along the way we become the product in exchange for the “free usage” of that platform. Consumers of those platforms are creating content for the platforms to leverage in a manner that creates a financial windfall for themselves. The issue is that we as consumers have no say in how that data is marketed and no say on whether firms like Cambridge Analytica use our data and create secondary data markets for themselves.
Regulation: GDPR & CCPA
Regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) provide an important opportunity for regulators to help regulate consent. GDPR gives EU citizens the right to grant third parties access to their information, including consent, and gives them the right to be forgotten. Crucially, this regulation carries some serious teeth: the financial penalties for firms that breach GDPR are up to 4% of gross revenue.
For example, Google has received a fine of €50m, British Airways of €22m and Marriott International of €20m.
CCPA is very similar to GDPR in terms of the protection it provides to consumers, in terms of consent and in terms of being fined if firms don’t comply.
In the healthcare industry there is the Cures Act which gives patients the legal right to get access to their health data from their electronic health record irrespective of the type of app they’re using.
Components of consent
There are multiple components to a consent. First off, you have who is consenting. With that you have a signatory piece, which can be a wet signature on a piece of paper, a digital signature or even an oral consent on a transcript record.
In 2021 and going forward, all this information should be captured digitally and be traceable digitally. Metadata of the consent needs to be captured, such as the time stamp and other characteristics of the consent file such as file size and who touched the file.
Consent files can also be aggregated for reporting purposes, such as for understanding what’s happening in terms of vaccinations for COVID-19. This needs to be done within a context of accountability and traceability and, crucially, in a privacy-preserving manner.
Blockchain and consent
The future of consent is one where it is dynamic. It recognises that individuals will have different states in their life cycles which won’t be contained within one app or one organisation. So, the questions are:
- How do you transfer the rights of consent?
- How do you maintain the state of consent throughout those different life cycles?
A public blockchain ledger is designed for collaboration amongst parties that don’t know each other. It provides an immutable reference point that can be trusted due to the cryptography and public nature of the network.
Public blockchains can provide the facility to have a public anchor of that consent without the public having access to the file, thus keeping the data private. That anchor on a public ledger effectively acts as a chain of custody.
Launch of RightsHash
Jim takes us through an example where a patient goes to see a doctor and signs a consent document. Using OCR (optical character recognition), this document can be digitised as a PDF, making it into a digital object with its own specific public token ID that can be tracked. This means that any time the file is accessed, or its state changes, for example if it expires or is renewed, it can all be tracked using that one token ID.
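The public anchor and token-tracked consent life cycle described above, as an added example that is not RightsHash or Acoer code. An in-memory list stands in for the public ledger; the event names, transition rules and the salted SHA-256 commitment are assumptions made for illustration.

```python
import hashlib
import json

# Allowed consent state transitions (constructed for this example).
TRANSITIONS = {None: {"granted"}, "expired": {"renewed"}, "revoked": set(),
               "granted": {"renewed", "revoked", "expired"},
               "renewed": {"renewed", "revoked", "expired"}}

def anchor(document: bytes, salt: bytes) -> str:
    """Salted SHA-256 commitment; only this digest is published, never the file."""
    # The private salt stops anyone confirming a guessed, predictable form.
    return hashlib.sha256(salt + document).hexdigest()

def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """In-memory stand-in for a public append-only ledger (hypothetical)."""
    def __init__(self):
        self.entries = []

    def state(self, token_id: str):
        events = [e["event"] for e in self.entries if e["token_id"] == token_id]
        return events[-1] if events else None

    def append(self, token_id: str, event: str, doc_anchor: str, ts: int) -> dict:
        if event not in TRANSITIONS[self.state(token_id)]:
            raise ValueError(f"{event!r} not allowed after {self.state(token_id)!r}")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"token_id": token_id, "event": event, "anchor": doc_anchor,
                 "ts": ts, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; an edited or reordered entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _entry_hash(e):
                return False
            prev = e["hash"]
        return True

def document_matches(ledger, token_id: str, document: bytes, salt: bytes) -> bool:
    """Holder of the file and salt shows their copy is the anchored one."""
    first = next(e for e in ledger.entries if e["token_id"] == token_id)
    return first["anchor"] == anchor(document, salt)
```

An auditor with only the ledger can run `verify()` and read the consent state per token; matching an actual file to its anchor requires the file and the salt, which stay with the custodian.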
By building on the Hedera network, RightsHash brings a full range of benefits to the underlying process of managing an individual’s rights. These include the ability to track and monitor discrete rights and protections in real-time, tracking transactions from different data sources and across different apps, demonstrating cryptographic proof of action and providing an automated, continuous, transparent auditing of all related compliance transactions. Additionally, RightsHash uses its own distributed architecture, decentralized processing, and storage nodes, physically located across the globe and on different cloud providers to ensure fault tolerance and high performance.
The first production deployment of RightsHash has been dedicated to the process of consent management, in particular for clinical trials with patient health or medical consent scenarios. Acoer has been working exclusively with the Consent Custody Corporation to develop a fully functional blockchain-enabled consent platform based on RightsHash called ConsentHash. Consent Custody Corporation is a custodial bank for consent agreements and personal data assets, and acts as a data fiduciary. Consent Custody Corporation protects people and organizations by safeguarding consent agreements while making consent information available, transparent, and certified anywhere data is managed.