Regulatory Considerations of Non-Fungible Tokens in Healthcare

Although largely viewed in the context of the financial sector, blockchain has proven to be a general-purpose technology for reliable and secure data transfer. Multiple companies now offer systems using blockchain to protect the movement of patient data, health records, and validation of administrative processes. Such healthcare applications have the potential to reduce the number of data breaches (there were 725 large data breaches in 2023) as well as reduce costs associated with administrative waste which totals about $760-935 billion USD per year in the US alone.¹ 

Despite broad interest in blockchain, skepticism about the widespread application of this technology continues and has slowed widespread adoption. This includes concerns about the lack of legal precedent and whether ledger verifications satisfy regulatory requirements or other industry standards. An additional impediment to adoption of blockchain technology is concerns about cybercrime, caused in part by inadequate governance structures and poorly defined rules of ownership.²  It has been argued that the true societal benefits of blockchain cannot be achieved without collaborative regulatory infrastructure.³ 

Blockchain may have a place in healthcare, with potential applications in patient data ownership, dependable data transfer, and ethical transparency. However, blockchain technology is in its infancy within the regulatory realm and would require even more specialized regulatory considerations within healthcare. With further reliance on health data amidst increasingly fragmented healthcare, the question posed to the medical and regulatory sectors is not only if medicine would benefit from incorporating blockchain, but also if blockchain's ethical and societal implications are enough to invoke new regulation.

Healthcare digitalization is imminent, with the COVID-19 pandemic serving as a catalyst for more widespread use and acceptance of telemedicine and other technological integration and support. This boom in telemedicine along with the greater blending of technology and care delivery have resulted in increasing reliance on the digitalization of health data. The biomedical device sector has turned its interest to mobile health devices. For example, in the field of ophthalmology, fiberoptic digital fundus cameras can be used off-site, and then images transmitted for telehealth visits to accurately identify retinopathy of prematurity.⁴  Patients with age-related macular degeneration (AMD) already utilize at-home testing and imaging devices, including a self-test using preferential hyperacuity perimetry.⁵  Cybersurgery, a surgical technique in which surgeons can operate remotely, is a budding area of research in ophthalmology which could be a solution to accessibility issues and urgent scenarios.⁶  This realization of digitized future for medicine has created exponential growth in the amount of resulting data that the existing systems of data management are poorly equipped to serve.⁷ 

Adoption of reliable management transmission of this healthcare data is a key hurdle for integration of new technology, with concerns about lack of control over health data, data security, unregulated use, and poor oversight in data sharing. Transmission of data has become fragmented as it is delivered to different applications and software. Moreover, strict regulation of data privacy and security is imposed to minimize protected health information breaches. To overcome this, medical devices have begun to participate in a medical Internet of Things (IoT) to deliver results of sensors and devices via the internet.^8,9  This has allowed for an amassing of health data but has raised well-founded concerns about liability and security.^8,9  Notable software breaches include a 2011 incident in which wireless insulin pumps were hacked and completely disabled and a 2017 recall of 500,000 pacemakers vulnerable to hacking.¹⁰  Overall, poor infrastructure around data sharing has resulted in subpar and unreliable temporary solutions, while also hindering progress and the development of successful technology.

Concurrently, increases in medical technology have also led to increased administrative burden and cost, outpacing administrative verification processes. This had led to longer waiting periods and higher expenses for verification while also increasing the risk of patient endangerment. This has been seen in both medical device and pharmaceutical recalls as well as medical provider credentialing and verification. For example, large volumes of medical device and pharmaceutical alerts and recalls require that healthcare providers have an established recall management practice, often a complex process of remediation. Furthermore, the cost of a major medical device recall has been estimated to be between $2.5 and $5 billion USD per year, including the initial cost of recall as well funds for product disposal, communication, logistics, and litigation.¹¹  This is partially due to the current reliance on document-centric processes rather than tracing of product lifecycle (including design, testing, manufacturing, supplying, and servicing), which would require integration of technology.¹¹ 

Similarly, medical licensing and credentialing revolves around verification of documentation and has increasingly accumulated cost from third party organizations, such as Credentials Verification Organizations (CVOs). Medical credentialing, including the assessment of academic qualification and provider practice history, is crucial in establishing patient safety and setting a standard of care. Credentialing is unique for every state, but the National Committee for Quality Assurance (NCQA) has established a guideline of how to credential healthcare providers. This process now requires that providers not only provide documentation such as a degree or diploma, but also that credentials are verified by the source. The Joint Commission requires primary source documents in the process of privileging and credentialing. The cost of credentialing averages between $100 and $200 USD per provider, with recredentialing often required every two years.¹²  Additionally, high volumes of providers may cause this process to take as long as four to five months in large volume states, such as California.¹³  Thus, continued inefficiency of archaic approaches to verification of necessary regulatory credentials have slowed incorporation of blockchain to verify necessary regulatory credentials.

Blockchain promises multiple improvements in the current data-sharing landscape through consensus, tokenization, and decentralization. These three elements create an improved foundation for greater efficiency, enhanced transparency, and ultimately, an optimized regulatory system.

Every addition to the blockchain must undergo the process of consensus, in which most parties must agree that the information being added is correct and acceptable to include in the blockchain. If integrated as part of the electronic health record, this aspect of blockchain would afford patients and physicians assurance that health data is dependable. Likewise, reliable data is crucial from a research standpoint. The impact in increased data reliability has already been seen in medical research, such as artificial intelligence (AI). For example, Tan, et al, proposed a blockchain-based platform for validation of machine learning in myopia and found that implementation of blockchain improved data integrity, resulting in AI outperformance of human models.¹⁴ 

This process of validation also results in tamper-resistant data. Because all data must be validated to enter the blockchain, any changes to data must also be reviewed by the parties. Thus, data on the blockchain is secure and immutable. Digitalized data such as images, results, and prescriptions from multiple sources would be reliably transmitted to a central source through blockchain, with the assurance that data cannot be manipulated. Similarly, medical device authenticity could be easily validated through NFTs.

Within the realm of medical credentialing, consensus would easily reduce the administrative redundance of collecting diplomas and verifying source information. For example, NFTs might reduce the burden of notarization as all information stored must already be verified prior to storage. Ledger entries would yield the same effect as primary sourcing, as there would be a record of who added what and when, and this would provide a trusted primary source which may facilitate widespread adoption.¹⁵ 

This process of validation could result in more reliable health data transmission, supporting accessibility to care for patients, especially those who require frequent, routine monitoring due to chronic illnesses. Further, verification of both medical providers as well as medical products through NFTs may result in ready standardization of care.

Tokenization results in a unique identifier for each transaction that can be easily tracked for ownership and transfer throughout the blockchain. The applied use of tokenized NFTs for the passive management of unique patient data may improve the efficiency and accuracy of care while simultaneously lowering healthcare-associated costs as a downstream function of decreased administrative task burden. For example, NFTs for high-fidelity donor-recipient tagging may improve the accuracy of graft matching and mitigate future rejections associated with human error.¹⁶  The ability of NFTs to maintain both the integrity of confidential health data and the security of data transfer may allow for their future use in monitoring the infection status and exposure risk of patients, eliminating the burden of presenting physical documentation during times of widespread infection or pandemic.^17,18 

Not only may blockchain have clinical applications, but it may also have a place in medical ethics. For the first time, patients could have complete control over their health data. Patient consent forms may be minted into NFTs so that subjects can easily track the process of consent and have control over their experimental data at any time.¹⁹  By providing participants with an NFT of their experimental data, subjects have more control in granting access and permission to its use. Not only can this increase transparency for subjects, but it may also facilitate data sharing and increase transparency of monetization. For example, in plastic surgery—an image-heavy specialty—NFTs of patient pre- and post-operative photographs may define ownership of these images in light of more nebulous ownership rights within social media.²⁰ 

Another promising application of NFTs in healthcare is the streamlining of administrative processes, particularly the licensing and credentialing of physicians, which currently adheres to the cumbersome rules and regulations imposed by certifying bodies. Current processes lack comprehensive integration of verifiable credentials, yet the familiarity and whether a digital credential is sufficient to meet the requirements of accrediting bodies as well as the revenue stream associated with these existing methods remain contributory hurdles to the adoption of new technologies. The redundant verification process adds time and expense which could be mitigated using verifiable credentials, such as an NFT, which could significantly enhance the efficiency of process completion. For example, tokenization of licensure requirements, including diplomas and degrees, may no longer require government-issued identification because of the inherently unique traits of tokenization. Additionally, provider clinical history may be more easily verified through ownership tracking of NFT data.

Likewise, NFT tokenization would allow for the ability to track the origin, production, distribution, and use of medical devices and pharmaceuticals. This would become crucial in product recall and may vastly reduce the burden of communication of device failure, possibly increasing patient safety while also reducing administrative cost.

One example of the benefit of decentralization is the integration of NFTs to house patient images. Because blockchain is built to be a shared ledger, patients would have the ability to immediately share their health data with other specialists, possibly improving their care by readily sharing health information that may facilitate diagnoses and treatment plans, ultimately improving outcomes. This could dramatically increase accessibility while maintaining patient ownership over their own data and potentially creating a path forward for telehealth.

This decentralization would be additionally crucial to information about medical professional “red flags” including complaints, malpractice cases, and suspension or revocation of licensure. Like the granting of medical licensure, provider misconduct is managed by a state medical board, rather than a federal entity. As a result, state-to-state communication of provider malpractice is often complex and burdensome. This has resulted in the ability of medical professionals to practice in another state without disclosing previous misconduct. Decentralization of this information may not only reduce the administrative burden of obtaining this information but may also improve patient safety.

From a researcher's perspective, blockchain may be a powerful tool for funding and knowledge-sharing. DeSci, a decentralized scientific movement, may use blockchain data to improve funding, access, and collaboration. By using blockchain, DeSci rewards reviewers directly through smart contracts, incentivizes knowledge-sharing through “smart manuscripts,” and increases access to funding through commodities such as NFTs.²¹  This decentralization of research data would create large, reliable, and ethically sourced datasets.

Although blockchain may be able to overcome data fragmentation, the current regulatory and privacy practices in the US pose a much larger challenge to implementation. Currently, two unique regulatory challenges for blockchain in medicine should be considered: patient privacy and intellectual property.

Because blockchain was created to be a decentralized ledger, additional steps must be taken to assign control over the ledger. When dealing with patient information, regulation must be put in place to preserve patient privacy and allow for audits. However, blockchain lacks a refined method of regulation, and thus as cryptocurrencies grow, more regulatory measures may be developed.

If a motivation to use blockchain technologies is to shift control to individuals, it is imperative to consider each jurisdiction's requirements for data privacy. In some jurisdictions, it is a requirement for covered entities to receive written authorization from individuals for the use or disclosure of their protected health information, and these same individuals can revoke their authorization in writing at any time.²²  For example, in the General Data Protection Regulation (GDPR) applicable across the European Union, individuals may withdraw consent and be forgotten, creating challenges for big data corporations.²³ 

As technology such as generative AI evolves, as more datasets become widely available, and as data breaches become more frequent, it is arguable that the risk for re-identification of masked or deidentified data might increase.²⁴  By extension, the storage of data in an immutable and encrypted ledger, which may not allow for the deletion or masking of retrospective data points, may pose a challenge in compliance with evolving data laws and could hinder blockchain technology's adoption out of caution. Although a process of destroying NFTs, called “burning,” does currently exist, NFTs do not lend themselves well to deleting or altering patient data - for example, changing or deleting data at patient request. However, some strides have been made to privately secure blockchain data. The advent of “private” or “permissioned” blockchains may allow for Health Insurance Portability and Accountability Act (HIPAA)-complaint storage.²⁵ 

To overcome these challenges, blockchain developers may be encouraged to: (i) use permissioned blockchains to support governance, (ii) avoid or limit data being stored on the blockchain, and (iii) use alternate data encryption and destruction approaches, among other creative solutions.

The situation for creating, readapting, and distributing NFTs is further complicated by intellectual property matters. While the creator of an original work of authorship, such as a digital asset, is the owner of the copyright in the asset, the distribution or sale of its NFT does not transfer ownership of the copyright itself without a separate copyright assignment. This can lead to confusion about what the holder of an NFT can do compared to the copyright owner. This is what happened recently when a decentralized autonomous organization DAO mistakenly thought it had purchased the rights to control the future of the Dune franchise and mint NFTs simply from purchasing a rare manuscript at auction.²⁶  Furthermore, not all NFTs may be subject to copyright in the first place. Data (including certain medical images), factual information, and functional things have long been considered not copyrightable except in certain qualifying circumstances. Converting patient data into NFTs might clarify an inherent owner of that data, or it might not. However, if the ownership were to fall to the patient, then for the first time, patients would have true control over transfer of their data. However, even this could be muddied as underlying ownership of health data is poorly delineated in today's regulations. Moreover, default ownership rules vary by state laws.

Healthcare NFTs would revolutionize patient control over their health data and promote more ethical transparency of data ownership while also reducing administrative security costs. Current regulatory infrastructure has no existing precedent for the unique patient privacy and ownership scenarios that blockchain offers. Blockchain may indeed be a revolutionary possibility for health data storage and transfer but would pose completely new ethical considerations for regulatory bodies. Without regulatory collaboration, large-scale implementation of blockchain and its societal implications within healthcare are far out of reach.