7Block Labs
Blockchain in Healthcare

By AUJay

In 2025, healthcare data sharing is transforming. TEFCA is up and running in the U.S., the EU is rolling out its EHDS regulation, the NIH is getting stricter on how genomic data is handled, and important enforcement milestones are hitting for the DSCSA. In this post, we look at using blockchain technology alongside FHIR, Verifiable Credentials, GA4GH standards, and privacy-preserving computation techniques. The goal is to enhance data sharing and research collaborations across different organizations, all while keeping protected health information (PHI) safely off the blockchain.

Blockchain Development for Healthcare Data Sharing and Research Consortia

Healthcare leaders are really at a fascinating crossroads right now. With regulations, standards, and market infrastructure all aligning, it’s finally becoming possible to share data across different organizations. This is a big deal! So, what's the big opportunity? It's all about using blockchain as a trustworthy way to coordinate and get consent for things like FHIR APIs, research data hubs, and supply chain tracking--not just as a big storage container for data.

So, what do you get out of this? Faster onboarding, data rights that are easy to understand and keep track of, and seamless interactions with TEFCA/QHINs in the U.S., EHDS data in the EU, NIH-compliant access for genomic research, and pharmaceutical supply chains that are set to comply with the DSCSA. (rce.sequoiaproject.org).


What changed in 2024-2025 (and why it matters)

Guess what? TEFCA is officially live! Since December 2023, we’ve had a whopping 11,419 organizations jump on board, and we’re already seeing more than 205 million documents being exchanged. Isn’t that amazing? As of January 2025, there are eight official QHINs you can connect with: CommonWell, eHealth Exchange, Epic Nexus, Health Gorilla, Kno2, KONZA, MedAllies, and eClinicalWorks. This really lays the groundwork for a national framework you can connect with using FHIR. (rce.sequoiaproject.org).

The ONC's HTI-1 Final Rule has really raised the bar for USCDI v3, making it the new standard that everyone needs to hit by January 1, 2026. On top of that, they’ve rolled out some new rules to make algorithms used in Decision Support Interventions more transparent. These days, it’s all about making sure your data workflows prioritize FHIR and that they’re easy to understand when it comes to AI. (healthit.gov).

The NIH is clamping down on who can access genomic data. Starting on January 25, 2025, accessing controlled-access genomic data requires following the NIST SP 800‑171 security standards, and there is a new Code of Conduct to keep in mind. (cancer.gov).

So, the European Health Data Space (EHDS) is officially a thing now! It became law and is set to take effect on March 26, 2025. They'll be rolling it out in phases, and we can expect the whole process to wrap up around 2029 to 2031. Exciting times ahead for health data management! This is a huge leap forward for using primary and secondary data across borders, and it's really going to need EHR specs that can work together seamlessly. (health.ec.europa.eu).

The rollout of the DSCSA is underway, and we can expect package-level traceability and EPCIS exchange to kick in by 2025. So, here's the scoop: the exemptions are set to gradually disappear from May to November in 2025. But don’t worry if you’re a small dispenser--you’ll have a little extra time, since you won't have to worry about it until 2026! (fda.gov).

We're stepping into the post-quantum era of cryptography. In 2024, NIST wrapped up the final versions of FIPS 203, 204, and 205, which cover ML-KEM, ML-DSA, and SLH-DSA, and it also selected HQC to serve as a backup key encapsulation mechanism for 2025. Now is a good time to start on your key migration plan. (nist.gov).

The W3C has officially nailed down the standard for Verifiable Credentials 2.0 as of May 2025, along with the earlier versions of DIDs, like v1.0, that were active between 2012 and 2022. This simplifies handling portable, cryptographically secure consent, credentials, and study permits. (w3.org).

These changes are really about building systems that prioritize clear data rights and consent. It's all about ensuring that these aspects are managed through protocols that can be easily verified. You know, it's really crucial to store protected health information (PHI) in systems designed for it, such as Electronic Health Records (EHRs), data enclaves, and object storage. Keeping this sensitive info in the right places helps ensure that it stays safe and secure.


The jobs-to-be-done for blockchain in healthcare consortia

  1. Let's talk about data rights and where they come from, while keeping things private and not sharing any personal health info.
  2. Let’s team up with different organizations to manage the workflows for consent, approvals, and audits. It’s all about collaborating effectively, right?
  3. Set up logs that are super secure and show when they were created, and make sure this happens across various institutions.
  4. Link up identities and roles with policies that machines can actually enforce, such as FHIR access scopes and the terms of data use.

Let’s forget about using blockchain as your data lake. Instead, just think of it as a solid control and verification layer that directs you to FHIR resources, files, or events that are stored off the chain.


Reference architecture 1: Clinical data sharing around TEFCA/QHINs

  • Trust fabric: You can set up TEFCA connectivity by using your Participant or Subparticipant links that fall under a QHIN. Just keep an eye on the TEFCA FHIR Roadmap, especially Stages 2-4, to smoothly move from facilitated FHIR API exchanges to that QHIN-to-QHIN FHIR setup. It’s all about making the transition as straightforward as possible! Check it out here.
  • Data plane: Use FHIR R4/R5 APIs as the main way to handle clinical data, with US Core 6.1 aiming to have USCDI v3 ready by 2026. Find more info here.

  • Consent and policy: Use HL7 FHIR Consent resources for patient consent, covering the essentials like privacy and research, and include machine-readable rules in them. Store the consent hash and state transitions on a permissioned ledger, like Fabric. Get the details here. Also issue W3C Verifiable Credentials (VC 2) that carry details about the people involved, like clinician credentials and their roles within the organization, as well as receipts for patient consent. Link those VC claims with FHIR patient IDs and the TEFCA purpose-of-use codes to keep everything organized and compliant. More on that here.
  • Identity and access: Make sure that how you verify user identities and handle authentication lines up with NIST SP 800-63-4 (coming in August 2025). This keeps assurance levels consistent across different organizations. Decentralized Identifiers (DIDs) can also boost security by giving holders more control over their cryptographic keys. The guidelines are here.
  • Ledger usage:
  • Write only hashes and state transitions, such as when consent is given, changed, or taken back, along with query authorizations and audit checkpoints. Never put PHI on-chain. If certain groups within your consortium need to see some encrypted metadata, use Fabric Private Data Collections, and set blockToLive to purge sensitive entries you don't want lingering. More details are here.
  • Audit and transparency: Maintain an append-only audit trail for cross-organizational data requests, such as document queries and retrievals or FHIR bundle reads, with timestamps that can be verified. Also provide a regulator's view of the disclosures under 42 CFR Part 2. Click here for the details.

So, basically, a hospital can verify that when they pull FHIR data through a QHIN, it aligns with the patient’s latest consent and how the data is meant to be used. On top of that, regulators can take a closer look at every step of the consent process all on their own.


Reference architecture 2: Genomic and multi‑omics research consortia

  • Data ethics and access rules: Make sure to tag your datasets with GA4GH Data Use Ontology (DUO) terms, and don't forget to use GA4GH Passports to keep track of researcher attributes. It really helps streamline the whole process! With this setup, it's a breeze to run machine-readable access checks and handle consent verification codes. Check it out here.
  • Security baselines: Starting from January 25, 2025, working with controlled-access genomic data from the NIH means following the guidelines laid out in NIST SP 800-171. In practice, your users and environments all need to be approved. Private enclaves with strict exit controls are a smart move. Record access grants and DUO evaluations in the consortium ledger. More info is here.
  • Consent: Make sure to keep the consent form that people can read stored somewhere off the main blockchain. So, you'll need to encode the policy using FHIR Consent along with a verification code that links back to the DUO codes. The ledger needs to keep track of a few important details. This includes the cryptographic commitment of the consent, the issuer, the subject's DID, the validity period, and any instances where the consent might be revoked. If you want to dive deeper into this topic, check it out here. It's a great resource!
  • Analysis: Consider federated or enclave-based computation methods, such as secure multi-party computation (MPC), homomorphic encryption (HE), or trusted execution environments (TEEs), where they fit. Send only aggregate results to the research repositories. The ledger tracks data-use approvals and computation attestation IDs; it does not handle the actual data itself.
  • Cross‑jurisdiction: If you're teaming up with partners in the EU, create secondary-use permits in line with the EHDS implementing acts as they come into play. The main uses are anticipated to be up and running by 2029, with extra categories of data, like genomics, planned by 2031. More details are here.

Outcome: Faster decisions from the DAC and solid evidence that we're sticking to consent and data use limits. Plus, we have a reliable access log for audits that covers multiple institutions and even countries.


Reference architecture 3: DSCSA‑ready pharma/biobank supply collaboration

  • Standards: Share serialized events using GS1 EPCIS, with Release 1.2 as the starting point. The switch to 1.3 is gearing up to start between 2026 and 2027, according to what GS1 US has shared. Blockchain matters here because it keeps events and partner claims secure and trustworthy, while EPCIS remains the source to turn to for the event data itself. More info: gs1us.org.
  • Enforcement Context: In 2025, phased exemptions roll off with different deadlines: manufacturers and repackagers by May 27, 2025; wholesalers by August 27, 2025; and dispensers with 26 or more full-time employees by November 27, 2025. Smaller dispensers have until November 27, 2026. A good ledger helps you track when your partners shared interoperable EPCIS data and who signed off on anything out of the ordinary. (fda.gov).
  • Practical Tactic: One clever strategy is to take in EPCIS files and compute the hashes for each event. So, just make sure to store the hash and a few key bits of metadata on the blockchain. If any issues come up, you can always recheck the hash to make sure everything's legit. This helps you keep a reliable record of where everything comes from, all without the headache of having to store the same supply data multiple times.
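The practical tactic above, sketched as an added example (not code from the original post or from GS1): each event in an EPCIS 1.2 XML file is canonicalized and hashed, only the hash and a few metadata fields are anchored, and a later copy of the file is rechecked against those anchors. The sample document, the `partner` label, the in-memory `ledger` dict, and the choice of C14N plus SHA-256 as the canonical form are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in EPCIS 1.2 XML shape (illustrative, not real supply data).
SAMPLE_EPCIS = """<epcis:EPCISDocument xmlns:epcis="urn:epcglobal:epcis:xsd:1"
    schemaVersion="1.2" creationDate="2025-06-01T12:00:00Z">
  <EPCISBody>
    <EventList>
      <ObjectEvent>
        <eventTime>2025-06-01T10:15:00Z</eventTime>
        <eventTimeZoneOffset>+00:00</eventTimeZoneOffset>
        <epcList><epc>urn:epc:id:sgtin:0614141.107346.2017</epc></epcList>
        <action>OBSERVE</action>
        <bizStep>urn:epcglobal:cbv:bizstep:shipping</bizStep>
      </ObjectEvent>
      <ObjectEvent>
        <eventTime>2025-06-02T08:30:00Z</eventTime>
        <eventTimeZoneOffset>+00:00</eventTimeZoneOffset>
        <epcList><epc>urn:epc:id:sgtin:0614141.107346.2018</epc></epcList>
        <action>OBSERVE</action>
        <bizStep>urn:epcglobal:cbv:bizstep:receiving</bizStep>
      </ObjectEvent>
    </EventList>
  </EPCISBody>
</epcis:EPCISDocument>
"""


def _events(xml_text: str) -> list:
    # Partner files are untrusted input; in production parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(xml_text)
    event_list = root.find("EPCISBody/EventList")
    return list(event_list) if event_list is not None else []


def event_hash(event: ET.Element) -> str:
    """SHA-256 over the C14N form, so re-indentation does not change the hash."""
    raw = ET.tostring(event, encoding="unicode")
    canonical = ET.canonicalize(raw, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def anchor_records(xml_text: str, partner: str) -> list:
    """Build what would be written on-chain: the hash plus minimal metadata."""
    return [
        {
            "event_hash": event_hash(ev),
            "event_type": ev.tag,
            "event_time": ev.findtext("eventTime"),
            "biz_step": ev.findtext("bizStep"),
            "partner": partner,  # hypothetical partner label
        }
        for ev in _events(xml_text)
    ]


def verify_file(xml_text: str, ledger: dict) -> dict:
    """Recheck a (possibly disputed) file against anchored hashes.

    ledger maps event_hash -> anchored record (stand-in for the real ledger).
    Returns per-event results plus anchored hashes absent from the file.
    """
    results, seen = [], set()
    for index, ev in enumerate(_events(xml_text)):
        digest = event_hash(ev)
        seen.add(digest)
        results.append({
            "index": index,
            "event_time": ev.findtext("eventTime"),
            "event_hash": digest,
            "anchored": digest in ledger,
        })
    missing = [h for h in ledger if h not in seen]
    return {"events": results, "missing": missing}


if __name__ == "__main__":
    ledger = {r["event_hash"]: r for r in anchor_records(SAMPLE_EPCIS, "partner-a")}
    altered = SAMPLE_EPCIS.replace("107346.2018", "107346.9999")
    for row in verify_file(altered, ledger)["events"]:
        print(row["index"], row["event_time"], "anchored" if row["anchored"] else "NOT ANCHORED")
```

An event that fails the recheck shows up twice: once as a file event with no anchor, and once as an anchored hash missing from the file, which identifies the original record to pull for the dispute.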

Patterns that work in 2025

  • Keep PHI off‑chain: Instead of saving sensitive information right away, why not use cryptographic commitments like hashes? You can hash FHIR Bundles, consent artifacts, and EPCIS events, and then keep those safe on a permissioned network. It adds an extra layer of security, which is always a good call! If you've got some info you need to share privately, definitely take a look at Fabric's Private Data Collections. And don't forget to tidy up afterward by purging everything (you know, using that blockToLive feature) once you're done! (hyperledger-fabric.readthedocs.io).
  • Consent as code:
  • You can use FHIR Consent to represent consent, and then go ahead and issue a VC. You’ll need to get a consent receipt and connect it to the DUO terms for your research. A smart contract will take care of the different state changes - like moving from active to amended to revoked - and will also keep a record of which version of the policy was in charge of each data access. (hl7.org).
  • TEFCA‑aware interop:
  • Rather than just scrapping TEFCA, let’s focus on improving it. Make sure to log the QHIN transaction summaries on the blockchain. This should include details like the purpose of use, the requester's DID, the types of FHIR resources, and the timestamp. This way, you’ll create a tamper-proof audit trail that keeps up with the changes in TEFCA’s FHIR stages. (rce.sequoiaproject.org).
  • Identity verification:
  • Make sure to sync up user and organizational security with NIST SP 800‑63‑4. You’ll want to link identities to Decentralized Identifiers (DIDs) and sign Verifiable Credentials (VCs) using post-quantum cryptography--specifically, look into ML-KEM and ML-DSA for that. It’s a good idea to have a strategy in place for a hybrid keying approach that combines classical and post-quantum methods. This way, you can smoothly navigate any challenges during the transition. (pages.nist.gov).
  • Clinical AI transparency: Whenever a predictive model impacts exchanges or cohort selection, store the HTI‑1 Decision Support Interventions metadata, including the source, any fairness or validation notes, and the version info, right next to the audit record for later reference. (healthit.gov).
  • Building genomic compliance right from the get-go: Make sure that all access to NIH-controlled data creates a permanent record. This record should clearly show that we’re following NIST 800-171 guidelines, keeping track of the investigator’s status, noting any DUO evaluations, and ensuring that the permits we use are time-limited. (cancer.gov).
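The "Keep PHI off-chain" and "Consent as code" patterns above, combined in one added example (not code from the original post or from Hyperledger Fabric): an in-memory stand-in for chaincode that stores only consent commitments and states, enforces the active, amended, revoked transitions, and writes a hash-chained audit entry recording which consent version governed each access. The `ConsentLedger` class, the consent id, the `did:example` requester, and the trimmed FHIR Consent samples are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

# State changes named in the text: active -> amended -> revoked (revoked is final).
TRANSITIONS = {"active": {"amended", "revoked"},
               "amended": {"amended", "revoked"},
               "revoked": set()}


def commitment(obj: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no extra whitespace)."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ConsentLedger:
    """Stand-in for on-chain state: hashes, states and audit entries only."""
    records: dict = field(default_factory=dict)  # consent_id -> state + commitments
    audit: list = field(default_factory=list)    # append-only, hash-chained

    def _log(self, **entry) -> dict:
        entry["seq"] = len(self.audit)
        entry["prev_hash"] = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry["entry_hash"] = commitment(entry)  # hashed before this key is added
        self.audit.append(entry)
        return entry

    def _move(self, consent_id: str, new_state: str) -> dict:
        rec = self.records[consent_id]
        if new_state not in TRANSITIONS[rec["state"]]:
            raise ValueError(f"{rec['state']} -> {new_state} is not allowed")
        rec["state"] = new_state
        return rec

    def register(self, consent_id: str, consent: dict) -> dict:
        if consent_id in self.records:
            raise ValueError("consent already registered")
        digest = commitment(consent)
        self.records[consent_id] = {"state": "active", "commitments": [digest]}
        return self._log(event="consent.active", consent_id=consent_id,
                         version=1, commitment=digest)

    def amend(self, consent_id: str, consent: dict) -> dict:
        rec = self._move(consent_id, "amended")
        rec["commitments"].append(commitment(consent))
        return self._log(event="consent.amended", consent_id=consent_id,
                         version=len(rec["commitments"]), commitment=rec["commitments"][-1])

    def revoke(self, consent_id: str) -> dict:
        rec = self._move(consent_id, "revoked")
        return self._log(event="consent.revoked", consent_id=consent_id,
                         version=len(rec["commitments"]), commitment=rec["commitments"][-1])

    def authorize(self, consent_id: str, presented: dict, purpose: str, requester: str) -> dict:
        """Check the off-chain consent presented by the requester against the ledger."""
        rec = self.records[consent_id]
        allowed = {c.get("code") for c in presented.get("provision", {}).get("purpose", [])}
        if rec["state"] == "revoked":
            reason = "consent-revoked"
        elif commitment(presented) != rec["commitments"][-1]:
            reason = "consent-not-current"
        elif purpose not in allowed:
            reason = "purpose-not-permitted"
        else:
            reason = "ok"
        return self._log(event="access", consent_id=consent_id,
                         version=len(rec["commitments"]), commitment=rec["commitments"][-1],
                         purpose=purpose, requester=requester,
                         decision="permit" if reason == "ok" else "deny", reason=reason)

    def verify_audit(self) -> bool:
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or commitment(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


# Constructed, trimmed FHIR R4 Consent; the document itself stays off-chain.
ACT_REASON = "http://terminology.hl7.org/CodeSystem/v3-ActReason"
CONSENT_V1 = {"resourceType": "Consent", "status": "active",
              "patient": {"reference": "Patient/example"},
              "provision": {"type": "permit",
                            "purpose": [{"system": ACT_REASON, "code": "TREAT"}]}}
CONSENT_V2 = json.loads(json.dumps(CONSENT_V1))  # amended copy adds research use
CONSENT_V2["provision"]["purpose"].append({"system": ACT_REASON, "code": "HRESCH"})


def demo():
    ledger, cid, who = ConsentLedger(), "consent-7f3a", "did:example:hospital-a"
    ledger.register(cid, CONSENT_V1)  # cid is an opaque key, not a patient identifier
    decisions = [ledger.authorize(cid, CONSENT_V1, "HRESCH", who)]   # purpose not granted
    ledger.amend(cid, CONSENT_V2)
    decisions.append(ledger.authorize(cid, CONSENT_V1, "TREAT", who))   # stale version
    decisions.append(ledger.authorize(cid, CONSENT_V2, "HRESCH", who))  # permitted
    ledger.revoke(cid)
    decisions.append(ledger.authorize(cid, CONSENT_V2, "HRESCH", who))  # after revocation
    return ledger, decisions
```

Denials are logged as well as permits, so the audit stream shows attempted access under a stale or revoked consent, and any edit to an earlier entry breaks `verify_audit()`.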

Concrete examples you can benchmark against

  • Synaptic Health Alliance: They’re working on a multi-payer/provider blockchain to help clean up those messy provider directories. They’ve really cleaned up their processes by trimming down on unnecessary admin costs and speeding things up with their updates. As a result, they’ve been able to deliver an incredible 500% annual ROI for a member, MultiPlan. That's impressive! It's definitely a niche topic, but it's super valuable when it comes to shared data. (synaptichealthalliance.com).
  • ProCredEx (Professional Credentials Exchange): This marketplace built on Corda is a total game-changer for getting verified clinician credentials. It cuts down the onboarding process from taking months to just a matter of days. This is a perfect case where having solid, verifiable records really matters--way more than just dealing with a huge amount of data. It's all about making sure those records are unchangeable and traceable, you know? (procredex.com).
  • Estonia’s National Audit Layer on Health Records (KSI Blockchain): They've been working on this for quite some time, and they're doing a great job at ensuring the integrity of electronic health record (EHR) lifecycle events. The best part? They manage to do all this without moving any personal health information (PHI) onto the blockchain! This is totally what we mean by the “ledger as audit control plane” approach we’re talking about in this post. (guardtime.com).
  • TEFCA Scale Data Point: It's exciting to report that national exchange volumes are skyrocketing into the hundreds of millions of documents! Plus, the QHIN community just keeps growing bigger. When you're working on your blockchain layer, try focusing on how to support those existing flows rather than just aiming to replace them. It’s all about making things easier and smoother, right? Just keep that in mind as you design! (rce.sequoiaproject.org).
  • PharmaLedger Association: They’re all about transforming ePI/e-labeling and decentralized trials--think eConsent and IoT device integration--into a digital trust ecosystem. Their main goal? To boost transparency and empower patients to take the reins on their own healthcare. It’s actually a pretty great plan for getting everyone involved in governance, plus it comes with some reliable proof to back it up. (pharmaledger.org).

Implementation blueprint (90 days to first value)

Weeks 1-2: Governance and Regulatory Mapping

First, choose what you want to focus on: TEFCA audit/consent, genomic research access, or DSCSA event attestation. Then map the relevant requirements: HTI-1 and USCDI v3; 42 CFR Part 2 if it fits your situation; NIH GDS and NIST 800-171; the EHDS if you're collaborating with partners from the EU; and DSCSA EPCIS. For a deeper dive, head over to healthit.gov.

Weeks 2-4: Reference Design and Test Data

For a permissioned ledger, Hyperledger Fabric is a top pick for handling private data collections and setting up endorsement policies. Next, identify your on-chain objects, such as the consent receipt hash, DUO/permit hash, and EPCIS event hash. For your identity setup, combine Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), align your assurance practices with NIST SP 800-63-4, and plan ahead for PQC hybrid keys. For the details, check out w3.org.

Weeks 4-8: Build Thin Slices

  • TEFCA slice: Grab a FHIR R4 "patient summary", then put together an audit commit that includes the purpose of use, the requester’s verification credential, and the consent hash. (rce.sequoiaproject.org).
  • Research slice: Issue a DUO-tagged dataset access verification certificate and provide access to the temporary enclave. Keep track of revocation and access attestations on the blockchain too. (ga4gh.org).
  • Supply slice: Grab a partner's EPCIS file, calculate the event hashes, put them on the blockchain, and make sure everything checks out with the downstream reconciliation. (gs1us.org).

Weeks 8-12: Security and Compliance Hardening

Ensure that your eConsent and eSign processes are in line with the standards set by 21 CFR Part 11 and the FDA’s eIC guidance. Check that the audit trail is immutable, and make sure you know how to export it. (fda.gov). Show that there is "no PHI on-chain": document your DPIAs and TPAs, and run a red team exercise to check for any metadata leaks.

Exit Criteria

You’ll want to focus on a few key things: first, try to save some measurable admin time. Also, make sure you have audit traceability so that the verifier can easily recompute those hashes. Lastly, it’s a good idea to get a signed MOU with your partner; that’ll really help you grow!


Best emerging practices we’re applying on active programs

  • Keep storage and authorization separate: Go ahead and keep your encrypted FHIR resources in object storage or EHRs that are connected to TEFCA. Just make sure to use the ledger mainly for tracking authorization events and providing proofs.
  • Machine-readable consent: Use FHIR Consent as your go-to policy model, plus VC 2.0 consent receipts and an on-chain state machine. Be especially careful with SUD data, follow the guidelines laid out in 42 CFR Part 2, and keep tabs on detailed re-disclosures. (hhs.gov).
  • DUO-first research access: So, when you're working with datasets, be sure to use DUO codes along with Passports for the users. This combo really simplifies the process of matching and logging, which helps speed up DAC processing and makes everything easier to audit! (ga4gh.org).
  • TEFCA-compatible, not TEFCA-competitive: Make sure you keep those QHIN flows in check! It’s super important that your blockchain records clearly show the “who, when, and why” in a way that sticks around and works across different organizations. (rce.sequoiaproject.org).
  • PQC migration plan:
  • Inventory all your cryptographic connections, like your VC signing keys, channel MSPs, TLS, and data-at-rest. Start incorporating ML-KEM for key establishment, along with ML-DSA/SLH-DSA for signatures, as these standards get included in the toolchains. (nist.gov).
  • Private Data Patterns in Fabric:
  • Fabric lets you manage how sensitive data is handled within the network, so it stays secure and compliant while remaining usable. Use private data collections for artifacts that need restricted visibility, like proof metadata that's under investigative hold. Set blockToLive for auto-purge, and avoid putting any PHI in the world state. (hyperledger-fabric.readthedocs.io).
  • AI transparency alignment: For algorithmic triage or cohort selection, keep the HTI-1 DSI metadata, including the source, any validations, and updates, in your audit stream. (healthit.gov).

Risk checklist (and how to mitigate)

  • Metadata leakage: So, even if you're relying on hashes, they can still give away some patterns. Don’t forget to add salt, and try to keep things simple! You might want to think about using blind indices when you have to do lookups over and over again. They're pretty handy for that kind of thing!
  • Jurisdictional conflicts: There's definitely some push and pull happening between EHDS secondary-use permits and what's going on in the U.S. consent scopes. A solid approach here would be to get everything in sync using DUO and make sure your consent VC profiles are in order. After that, you can tweak your policies to fit the specific regulations in your area. (health.ec.europa.eu).
  • Overhyping scalability: Just a heads up, ledgers and data warehouses aren’t interchangeable things. It’s a good idea to keep your blocks lightweight and save the heavy-duty analytics for off-chain processing.
  • Identity sprawl: Consolidate everyone on VC 2.0 credentials tied to decentralized identifiers (DIDs), with lifecycles and revocation registries to keep everything in check. Align everything with the NIST SP 800-63-4 AAL/IAL levels. (pages.nist.gov).
  • Regulatory drift: Make sure to stay updated on HTI-1 compliance deadlines, NIH announcements, and timelines for any DSCSA exemptions. It's important to keep track of these to stay on top of everything! Staying ahead of the curve is always a good move, and one great way to do that is by implementing versioned policy enforcement. (himss.org).
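The metadata-leakage item in the checklist above, as an added example (not code from the original post): a bare hash of a low-entropy identifier is linkable across records and can be matched against a small candidate space, a per-record salted commitment is not, and a keyed blind index supports repeated lookups without exposing either. The `MRN-` identifier format, the 16-byte salt, the 32-hex-character index length, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def plain_hash(identifier: str) -> str:
    """Unsalted hash: the pattern the checklist warns about."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def salted_commitment(identifier: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest). The salt stays off-chain with the source record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_commitment(identifier: str, salt_hex: str, digest: str) -> bool:
    """An auditor holding the off-chain salt can recompute the on-chain digest."""
    _, recomputed = salted_commitment(identifier, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, digest)


def blind_index(identifier: str, key: bytes, hex_chars: int = 32) -> str:
    """Keyed, deterministic lookup token (HMAC-SHA256, truncated).

    Equal identifiers map to equal tokens only for holders of the same key,
    so repeated lookups work without publishing a guessable hash.
    """
    normalized = identifier.strip().upper().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:hex_chars]


def recoverable_from(on_chain_value: str, candidates: Iterable[str]) -> Optional[str]:
    """Design-review leak test: does any candidate hash to the stored value?"""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), on_chain_value):
            return candidate
    return None


def leak_report(identifier: str, candidates: Iterable[str], key: bytes) -> dict:
    """Compare the three encodings of one identifier against the leak test."""
    candidates = list(candidates)
    _, salted = salted_commitment(identifier)
    return {
        "plain_hash_recovered": recoverable_from(plain_hash(identifier), candidates),
        "salted_recovered": recoverable_from(salted, candidates),
        "blind_index_recovered": recoverable_from(blind_index(identifier, key, 64), candidates),
    }


if __name__ == "__main__":
    # Constructed identifier space: 10,000 sequential record numbers.
    space = [f"MRN-{n:06d}" for n in range(10000)]
    consortium_key = secrets.token_bytes(32)  # would live in an HSM or KMS
    print(leak_report("MRN-004217", space, consortium_key))
```

Shortening `hex_chars` makes the index less unique per identifier at the cost of more false-positive lookups; the salt and the index key both belong off-chain.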

KPIs to measure

  • Time to bring a new data-sharing partner on board: we're aiming to cut it by over 50% using VC-based credentialing and policy automation. The ProCredEx benchmarks for credential exchange are a good reference. (procredex.com).
  • Over 99% of TEFCA/FHIR requests with verifiable consent ready to go right when it's needed.
  • Faster DAC approvals for research datasets: cut the time from days to just a few hours with DUO-based automation. (ga4gh.org).
  • Faster resolution of DSCSA disputes using hashed EPCIS proofs, aiming for an 80% faster turnaround. (gs1us.org).
  • Audit readiness: Our goal is to have a full and independently verifiable audit trail ready to go in under 24 hours.

Where blockchain is already paying off

  • Provider directory and admin data: Did you hear about Synaptic Health Alliance? They’re really shaking things up, boasting an incredible 500% annual ROI for one of their members! That’s some impressive growth! This is a great illustration of how cleaning up shared data--especially when there’s a solid, unchangeable record of where it came from--can really boost trust and cut down on expenses. Check it out here.
  • Cross-enterprise credentialing: Thanks to ProCredEx, built on Corda, the whole onboarding process just got a major facelift. No more tedious paperwork--it's a game changer! It helps reduce lag time by sharing confirmed attestations according to the rules set by the members. Curious to learn more? Check it out here!
  • National Integrity Assurance: Estonia’s KSI audit layer is really setting the standard here. They're showing everyone how to maintain the integrity of health records on a massive scale, and they’re doing it without having to centralize personal health information (PHI). It’s pretty impressive! Want to know more? Check it out here!
  • Supply chain traceability: The Drug Supply Chain Security Act (DSCSA) is encouraging everyone to move towards EPCIS 1.2/1. With blockchain anchoring integrated, you get a reliable, low-hassle way to ensure contest-proof lineage. Check it out here for all the details.

How 7Block Labs typically engages

  • Strategy and Compliance Design: We're all about getting the lay of the land with TEFCA, EHDS, NIH, and DSCSA. This means we're really digging into consent models like FHIR and VC, plus we’re putting together some sturdy governance charters to keep everything on track.
  • Build-operate-transfer: First up, we’ll set up a Fabric network with Private Data Collections to keep everything secure and organized. Then, we’ll take care of issuing and verifying DIDs and VCs--it’s all about making sure the identities are legit! After that, we’ll dive into implementing FHIR gateways and adding in EPCIS hash anchors to maintain that critical data integrity. Lastly, we’ll make sure our cryptographic operations are ready for the future with some PQC-aware practices. Sounds like a plan, right?
  • Interop and change management: We're diving into the QHIN integration workstreams, which means we’re working on automating DAC with DUO. Plus, we’re putting together those crucial evidence packs for audits that always seem to pop up!

If you want a pilot that really delivers results in just 90 days, focus on one specific area that you can measure: think about TEFCA consent auditability, DUO-tagged research access, or hashed EPCIS dispute resolution. These are the key flows that can show you real value quickly!


Appendix: Regulatory dates you can rely on (Q4 2025 snapshot)

  • TEFCA: This has been up and running since December 12, 2023! By January 16, 2025, we’re hoping to see eight QHINs officially on board. And guess what? We’ve already exchanged over 205 million documents! Pretty impressive, right? Take a look at this link: (rce.sequoiaproject.org). You won’t want to miss it!
  • HTI‑1: We're getting things started in 2024, and you can expect the USCDI v3 baseline to be launched by January 1, 2026. Make sure you’re staying updated on the phased DSI transparency requirements outlined by the ONC guidance. It’s important to keep tabs on that! More details at (healthit.gov).
  • 42 CFR Part 2: So, the final rule dropped on February 8, 2024. We're working on aligning a few things with HIPAA, and just a heads-up, we'll have to be compliant two years after it gets published in the Federal Register. Hey, just a quick reminder to get your consent logs set up! If you want more info on that, you can check it out here: (hhs.gov).
  • NIH GDS update: Mark your calendars for January 25, 2025, because that's when it kicks in! If you're working with controlled-access genomic data, you'll need to comply with the NIST 800-171 controls. Here’s the scoop: (cancer.gov).
  • EHDS: It was officially released on March 5, 2025, and it goes into effect on March 26, 2025. We're checking out some exciting apps that are set to launch between 2029 and 2031. If you’re looking for more details, check this out: health.ec.europa.eu.
  • DSCSA: We’re looking at some staged exemptions that are set to roll out through 2025 and 2026. Enforcement is really picking up pace, so it’s a good idea to start gearing up for EPCIS conformance and partner attestations. You can find all the info you need right here: (fda.gov).
  • PQC: The FIPS 203/204/205 standards were finalized on August 13, 2024. Then, on March 11, 2025, NIST selected HQC, and a draft standard is on its way, so stay tuned! If you want to learn more about it, check out this link: (nist.gov).

Think of blockchain as a reliable foundation for trust and coordination. It lets you handle things like consent, identity, data usage rules, and auditing events, all while keeping Protected Health Information (PHI) stored securely off the chain. This approach will help you stay in sync with both TEFCA and EHDS regulations. Plus, you'll be all set to meet those NIH and DSCSA requirements, which means you'll have a smoother time enhancing research and teaming up on care with a lot more confidence.


7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2026 7BlockLabs. All rights reserved.