By AUJay
Blockchain Development Services for Healthcare Startups: From MVP to Compliance
A practical guide for healthcare founders and innovation leads on scoping, designing, and launching blockchain-backed products, from a first MVP through production-grade compliance. It reflects the U.S. regulatory picture for 2024 to 2026: the regulatory timelines you must track, the FHIR and TEFCA requirements, the realities of DSCSA, and the need to build privacy in from the start.
Who this is for
Startups, and innovation teams inside larger organizations, that are evaluating blockchain for healthcare data sharing, supply chain transparency, clinical research management, or patient identity and consent, and that want clear next steps that hold up to regulatory scrutiny, without the hype.
The 2025-2026 reality check: Requirements that shape your architecture
- TEFCA is moving to FHIR-based exchange under Common Agreement (CA) version 2.0, with QHIN-to-QHIN FHIR pilots planned for 2025 and CA v2.0 ready for QHIN adoption. Plan your FHIR work with TEFCA in mind rather than relying solely on IHE XCA/XDS document exchange. (healthit.gov).
- The ONC HTI-1 Final Rule sets January 1, 2026 as the date by which certified health IT must support USCDI v3, HL7 FHIR US Core 6.1.0, and SMART App Launch v2.0. Subsequent rulemaking adjusts some timelines, but the direction is unchanged, so align your APIs and scopes now. (healthit.gov).
- The DSCSA "stabilization" period ended on November 27, 2024. The FDA has granted targeted exemptions that run into 2025 and 2026; small dispensers, for example, may operate under exemption until November 27, 2026. If you trace product at the package level, invest now in interoperable EPCIS and in your trading-partner relationships. (fda.gov).
- The 42 CFR Part 2 Final Rule, published February 8, 2024, aligns substance use disorder (SUD) privacy rules more closely with HIPAA, with a compliance date of February 16, 2026. Your consent, redisclosure, and breach-notification processes must conform to Part 2. (hhs.gov).
- The FTC amended its Health Breach Notification Rule (HBNR) to cover many health apps that fall outside HIPAA. The amendments took effect July 29, 2024 and change who is covered, what a notice must contain, and when it must be delivered. If you sell direct to consumers, this applies to you. (ftc.gov).
Where blockchain fits best in healthcare (and what “not to do”)
Use blockchain for:
- Tamper-evident audit logs and attestation, such as clinical trial provenance and consent receipts, with PHI kept off-chain.
- Supply chain traceability (drug pedigree, recalls, suspect-product investigations), where a shared, immutable record that every trading partner agrees on is the real benefit.
- Decentralized identity and verifiable credentials (VCs) for portable consent and credentials exchanged between providers, patients, and organizations.
Avoid:
- Storing PHI on-chain, even encrypted. Keep hash pointers (commitments) on the ledger and the encrypted PHI in off-chain storage. HIPAA de-identification determines when data stops being PHI, via either the Safe Harbor method or Expert Determination.
- Public IPFS by default for PHI. IPFS is a public, content-addressed network: anyone who learns a CID can fetch the content, and what you host is discoverable. If you use content addressing, encrypt payloads, pin privately, or use a private storage backend.
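As an added example (not code from the original post), here is the "hash pointer on-chain, encrypted PHI off-chain" pattern in Python using salted commitments. The `Ledger` and `OffChainStore` classes are in-memory stand-ins for the shared ledger and for an encrypted object store (encryption at rest is assumed to be handled by that store), and the sample record is constructed. The last function illustrates why a bare hash of a low-entropy field such as a ZIP code is not de-identification, the point the HIPAA de-identification note above relies on.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(record: dict, salt: bytes | None = None) -> tuple[str, bytes]:
    """Return (commitment, salt): HMAC-SHA256 keyed with a random 32-byte salt.
    Two commitments to the same record are unlinkable, and a ledger reader cannot
    test guesses about the record without the salt (the 'opening')."""
    salt = salt if salt is not None else secrets.token_bytes(32)
    digest = hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()
    return digest, salt


def verify_opening(commitment: str, record: dict, salt: bytes) -> bool:
    """Check that (record, salt) opens the on-chain commitment."""
    expected, _ = commit(record, salt)
    return hmac.compare_digest(expected, commitment)


class Ledger:
    """Stand-in for the shared ledger: holds only commitments and non-PHI metadata."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, commitment: str, event_type: str) -> int:
        self.entries.append({"commitment": commitment, "event": event_type})
        return len(self.entries) - 1


class OffChainStore:
    """Stand-in for encrypted object storage keyed by commitment (assumption)."""

    def __init__(self) -> None:
        self._objects: dict[str, tuple[dict, bytes]] = {}

    def put(self, commitment: str, record: dict, salt: bytes) -> None:
        self._objects[commitment] = (record, salt)

    def get(self, commitment: str) -> tuple[dict, bytes]:
        return self._objects[commitment]


def anchor_record(ledger: Ledger, store: OffChainStore, record: dict, event_type: str) -> str:
    """Write the PHI (and its salt) off-chain and only the commitment on-chain."""
    commitment, salt = commit(record)
    store.put(commitment, record, salt)
    ledger.append(commitment, event_type)
    return commitment


def ledger_leaks_value(ledger: Ledger, value: str) -> bool:
    """Data-minimisation check: does a raw field value appear anywhere on the ledger?"""
    return any(value in json.dumps(entry) for entry in ledger.entries)


def unsalted_hash_is_reversible(zip_code: str) -> bool:
    """A 5-digit ZIP has only 100,000 possible values, so an unsalted SHA-256 of it
    is just a lookup table: hashing alone does not de-identify low-entropy fields."""
    target = hashlib.sha256(zip_code.encode()).hexdigest()
    table = {hashlib.sha256(f"{i:05d}".encode()).hexdigest(): f"{i:05d}" for i in range(100000)}
    return table.get(target) == zip_code


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {"patient_id": "pt-0001", "zip": "12345", "lab": "HbA1c 6.4%"}

if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    c = anchor_record(ledger, store, SAMPLE_RECORD, "lab-result-received")
    rec, salt = store.get(c)
    print("opening verifies:", verify_opening(c, rec, salt))
    print("ledger leaks lab value:", ledger_leaks_value(ledger, "HbA1c"))
    print("unsalted ZIP hash reversible:", unsalted_hash_is_reversible("12345"))
```

The salt is stored beside the record in the off-chain store, so whoever is authorized to read the record can also prove it matches the ledger entry; anyone holding only the ledger sees a random-looking digest and cannot confirm guesses about the patient.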
An MVP-to-Compliance blueprint
Phase 0: Discovery (2-4 weeks)
- Clarify the data in scope: FHIR R4/R4B resources, EPCIS events, or both, and map it to USCDI v3 wherever that applies.
- Choose the network pattern. A permissioned DLT such as Hyperledger Fabric or Besu with QBFT gives you membership control, private data, and governance tailored to your consortium.
- A public L2 offers some privacy features, but regulated workflows usually still need permissioning, private transactions, and integration with an enterprise KMS; Besu with Tessera for private transactions is one example of that combination.
- Model privacy threats from day one with LINDDUN (Linking, Identifying, Non-repudiation, Detecting, Data disclosure, Unawareness, Non-compliance). It complements the practices in the NIST Privacy Framework.
Deliverables:
- Data flow diagrams (DFDs) that mark PHI boundaries and the controls that enforce "no PHI on-chain."
- A regulatory matrix mapping each feature to HIPAA, Part 2, DSCSA, TEFCA, and HBNR.
Phase 1: Architecture (3-6 weeks)
- Identity and access: OIDC and OAuth2 via SMART App Launch v2 for patient- and clinician-facing apps, plus SMART Backend Services with token introspection for system-to-system access. For portability, use W3C DIDs and VC 2.0 to represent consents and roles (for example, a patient authorizing oncology app X to use their data). VC 2.0 became a W3C Recommendation in May 2025; build on it rather than on a proprietary format.
- Interoperability and data sharing: FHIR US Core 6.1.0, aligned with USCDI v3; Bulk Data Access IG v3.0 for cohort exports to payers, research, and public health; and TEFCA alignment, including brokered or "facilitated" FHIR under CA v2.0, ahead of the QHIN FHIR pilots planned for 2025.
- Ledger and privacy: Fabric channels with Private Data Collections record hashes on the shared ledger while the private data is visible only to collection members, and blockToLive purges it after a set number of blocks, which keeps data retention to a minimum.
- Alternatively, Besu with QBFT consensus and Tessera provides private transactions between specific parties.
- Cryptography: FIPS 140-validated modules in the runtime and the KMS, plus a plan for NIST PQC: ML-KEM for key establishment and ML-DSA and SLH-DSA for signatures. PHI must be protected for decades, so "harvest now, decrypt later" is a risk you have to address up front.
Deliverables: a security design that specifies FIPS 140-3 modules, the chosen KMS, and the PQC migration path (csrc.nist.gov); an API contract covering FHIR, SMART, and Bulk Data; and a ledger data model built on hash commitments and proofs.
Phase 2: MVP build (6-10 weeks)
- Implement SMART 2.2 launches for patients and clinicians, plus Backend Services for server-to-server bulk export.
- Make consent verifiable: issue VC 2.0 "ConsentReceipt" credentials that capture purpose, scope of use, and validity period. Store only the credential hash on-chain and verify credentials off-chain.
- Add compliance-grade logging:
- Record immutable on-chain attestations for critical events; keep detailed PHI logs off-chain with integrity checks. For clinical research, follow FDA 21 CFR Part 11 and its "Scope and Application" guidance on validation, audit trails, and record retention for electronic records and signatures. (fda.gov).
- DSCSA MVP (if in scope): validate and ingest EPCIS 1.2 files, handle exceptions, onboard partners, and conform to GS1 standards. Expect interoperability testing with wholesalers and dispensers to remain the hard part.
Deliverables: a working MVP with automated tests covering consent, FHIR reads, bulk export, and ledger proofs.
- Initial drafts of the vendor BAA and the security runbooks.
Phase 3: Pilot and pre‑production hardening (6-12 weeks)
- HHS Cybersecurity Performance Goals (HPH CPGs): implement the 10 "essential" controls first (MFA, encryption in transit, email security, vendor risk management, incident response planning), then the "enhanced" controls (asset inventory, centralized logging, segmentation) to reach an enterprise-grade posture. (aha.org).
- TEFCA alignment: if you exchange with a QHIN or its participants, validate identity proofing, permitted purposes, and exchange policies against CA v2.0. (healthcareitnews.com).
- Part 2 programs: revisit consent and redisclosure procedures against the February 16, 2026 compliance date, and update your Notices of Privacy Practices (NPPs) and breach workflows to the new rule. (hhs.gov).
- D2C apps: follow the FTC HBNR for breach notification. For breaches affecting 500 or more individuals, notify the FTC at the same time as the affected individuals, within 60 days, and include the required content. (ftc.gov).
Deliverables:
- A penetration test and an updated LINDDUN privacy threat model, with remediation steps for the findings. (linddun.org).
- Pilot launch with BAAs in place for the HIPAA-eligible cloud services involved, typically KMS, data integration, and logging. (aws.amazon.com).
Three concrete patterns you can ship in 2025
1) Patient consent and cross-network access (FHIR + TEFCA-ready + VCs)
- Flow:
- The patient signs in with SMART 2.2 and the app requests scopes. The app issues a VC 2.0 consent credential capturing purpose, datasets, and validity period, and stores only the VC hash on-chain.
- When the app needs FHIR data from other networks, it presents the VC. The recipient verifies it and queries through TEFCA-enabled brokered FHIR, which is expanding under CA v2.0. (hl7.org).
- Why blockchain: it provides an immutable record of when consent was granted or revoked without exposing PHI; verifiers simply compare the on-chain hash with the credential they hold.
Implementation notes:
- Use US Core 6.1.0 resources and Bulk Data IG v3.0 for population-level operations.
- If the workflow touches SUD data, include Part 2 consent details and apply the redisclosure rules; the compliance deadline is February 16, 2026.
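The consent flow above, and the "ConsentReceipt" credential from Phase 2, as an added Python example (not code from the original post). The VC 2.0 context URL is the real one; the `ConsentReceipt` type, its `credentialSubject` fields (including the Part 2 flags), and the `ConsentLedger` class are assumptions of this example. A production verifier would also check the credential's cryptographic proof, which is omitted here so the example runs with the standard library only.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime

VC_CONTEXT = "https://www.w3.org/ns/credentials/v2"  # VC Data Model 2.0 context


def canonical(doc: dict) -> bytes:
    """Deterministic JSON so issuer and verifier compute the same hash."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def credential_hash(vc: dict) -> str:
    return hashlib.sha256(canonical(vc)).hexdigest()


def issue_consent_receipt(issuer_did: str, patient_did: str, grantee_did: str, purpose: str,
                          datasets: list[str], valid_from: str, valid_until: str,
                          part2_covered: bool, part2_redisclosure_consent: bool = False) -> dict:
    """Build a VC 2.0-shaped ConsentReceipt. Only its hash ever reaches the ledger."""
    return {
        "@context": [VC_CONTEXT],
        "type": ["VerifiableCredential", "ConsentReceipt"],
        "issuer": issuer_did,
        "validFrom": valid_from,
        "validUntil": valid_until,
        "credentialSubject": {
            "id": patient_did,
            "grantee": grantee_did,
            "purpose": purpose,
            "datasets": sorted(datasets),            # FHIR resource types the grantee may read
            "part2Covered": part2_covered,           # 42 CFR Part 2 data involved
            "part2RedisclosureConsent": part2_redisclosure_consent,
        },
    }


class ConsentLedger:
    """Stand-in for the on-chain consent registry: hash -> status. Holds no PHI."""

    def __init__(self) -> None:
        self._anchors: dict[str, dict] = {}

    def anchor(self, vc_hash: str, granted_at: str) -> None:
        self._anchors[vc_hash] = {"status": "active", "granted_at": granted_at, "revoked_at": None}

    def revoke(self, vc_hash: str, revoked_at: str) -> None:
        entry = self._anchors[vc_hash]
        entry["status"], entry["revoked_at"] = "revoked", revoked_at

    def status(self, vc_hash: str) -> dict | None:
        return self._anchors.get(vc_hash)


def verify_presentation(ledger: ConsentLedger, vc: dict, presenter_did: str, resource_type: str,
                        now_iso: str, redisclosure: bool = False) -> tuple[bool, str]:
    """Recipient-side check: the hash matches an active anchor, the credential is within
    its validity window, the presenter is the grantee, the requested resource is covered,
    and Part 2 data is not redisclosed without explicit Part 2 consent."""
    entry = ledger.status(credential_hash(vc))
    if entry is None:
        return False, "not anchored"          # also catches any tampering with the VC
    if entry["status"] != "active":
        return False, "revoked"
    now = datetime.fromisoformat(now_iso)
    if not datetime.fromisoformat(vc["validFrom"]) <= now < datetime.fromisoformat(vc["validUntil"]):
        return False, "outside validity period"
    subject = vc["credentialSubject"]
    if subject["grantee"] != presenter_did:
        return False, "presenter is not the grantee"
    if resource_type not in subject["datasets"]:
        return False, f"{resource_type} not covered by consent"
    if subject["part2Covered"] and redisclosure and not subject["part2RedisclosureConsent"]:
        return False, "Part 2 redisclosure not authorized"
    return True, "ok"


# Constructed sample identifiers and dates.
SAMPLE_VC = issue_consent_receipt(
    issuer_did="did:example:clinic", patient_did="did:example:patient-42",
    grantee_did="did:example:oncology-app-x", purpose="treatment",
    datasets=["Observation", "MedicationRequest"],
    valid_from="2025-06-01T00:00:00+00:00", valid_until="2026-06-01T00:00:00+00:00",
    part2_covered=True)

if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.anchor(credential_hash(SAMPLE_VC), "2025-06-01T00:00:00+00:00")
    print(verify_presentation(ledger, SAMPLE_VC, "did:example:oncology-app-x",
                              "Observation", "2025-07-01T00:00:00+00:00"))
```

Because the verifier recomputes the hash from the credential it was handed, any edit to the credential (say, adding a resource type to `datasets`) produces a hash the ledger has never seen and the presentation fails as "not anchored"; revocation is a status change against the same hash, so the patient's withdrawal takes effect without touching the credential itself.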
2) DSCSA package-level tracing with privacy
- Flow:
- Manufacturer, distributor, and dispenser exchange EPCIS 1.2 events.
- Middleware validates the events and records cryptographic commitments (hashes) on a Fabric ledger, keeps partner-sensitive data in private data collections, and purges it under blockToLive retention policies. Investigations use ledger proofs to resolve disputes and examine suspect product. (gs1us.org).
- Why now: the stabilization period ended in 2024 and the exemptions expire across 2025 and 2026: manufacturers and repackagers by May 27, 2025; wholesalers by August 27, 2025; large dispensers by November 27, 2025; small dispensers by November 27, 2026. Keep your roadmap aligned with these dates. (fda.gov).
Implementation notes:
- Never place serial numbers or lot information directly on-chain; use off-chain encrypted storage linked to the commitments. Partner onboarding will be bumpy, and GS1 Rx EPCIS conformance smooths it considerably. (gs1us.org).
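The middleware step above, as an added Python example (not code from the original post or from GS1): it parses EPCIS 1.2 ObjectEvents, routes malformed events to an exception queue, and splits each valid event into a ledger record (salted commitment plus non-sensitive fields) and a private-collection record that holds the serials, locations, and salt. The EPCIS namespace and CBV vocabulary are real; the GS1 company prefix, serials, and locations in the sample file are constructed, and the split between `PUBLIC_FIELDS` and private data is an assumption of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import xml.etree.ElementTree as ET

# Constructed EPCIS 1.2 file: one valid shipping event and one receiving event with
# an empty epcList, so the exception path is exercised too.
SAMPLE_EPCIS_XML = """<epcis:EPCISDocument xmlns:epcis="urn:epcglobal:epcis:xsd:1"
    schemaVersion="1.2" creationDate="2025-03-01T10:00:00Z">
  <EPCISBody><EventList>
    <ObjectEvent>
      <eventTime>2025-03-01T09:30:00.000Z</eventTime>
      <eventTimeZoneOffset>+00:00</eventTimeZoneOffset>
      <epcList>
        <epc>urn:epc:id:sgtin:0614141.107346.2017</epc>
        <epc>urn:epc:id:sgtin:0614141.107346.2018</epc>
      </epcList>
      <action>OBSERVE</action>
      <bizStep>urn:epcglobal:cbv:bizstep:shipping</bizStep>
      <disposition>urn:epcglobal:cbv:disp:in_transit</disposition>
      <readPoint><id>urn:epc:id:sgln:0614141.00777.0</id></readPoint>
      <bizLocation><id>urn:epc:id:sgln:0614141.00888.0</id></bizLocation>
    </ObjectEvent>
    <ObjectEvent>
      <eventTime>2025-03-02T08:00:00.000Z</eventTime>
      <eventTimeZoneOffset>+00:00</eventTimeZoneOffset>
      <epcList/>
      <action>OBSERVE</action>
      <bizStep>urn:epcglobal:cbv:bizstep:receiving</bizStep>
    </ObjectEvent>
  </EventList></EPCISBody>
</epcis:EPCISDocument>"""

SGTIN_PREFIX = "urn:epc:id:sgtin:"
PUBLIC_FIELDS = ("eventTime", "action", "bizStep", "disposition")  # safe to put on-chain


def parse_object_events(xml_text: str) -> list[dict]:
    """Extract ObjectEvents; EPCIS 1.2 child elements are unqualified, so no namespace."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("ObjectEvent"):
        events.append({
            "eventTime": ev.findtext("eventTime"),
            "action": ev.findtext("action"),
            "bizStep": ev.findtext("bizStep"),
            "disposition": ev.findtext("disposition"),
            "readPoint": ev.findtext("readPoint/id"),
            "bizLocation": ev.findtext("bizLocation/id"),
            "epcs": [e.text.strip() for e in ev.findall("epcList/epc") if e.text],
        })
    return events


def validate_event(ev: dict) -> list[str]:
    """Return exception reasons; an empty list means the event can be committed."""
    problems = []
    if not ev["eventTime"]:
        problems.append("missing eventTime")
    if ev["action"] not in ("ADD", "OBSERVE", "DELETE"):
        problems.append(f"invalid action {ev['action']!r}")
    if not ev["epcs"]:
        problems.append("empty epcList")
    problems += [f"not an SGTIN: {e}" for e in ev["epcs"] if not e.startswith(SGTIN_PREFIX)]
    return problems


def _canonical(ev: dict) -> bytes:
    return json.dumps(ev, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit_event(ev: dict) -> tuple[dict, dict]:
    """Ledger record (commitment + public fields) and private-collection record (everything)."""
    salt = secrets.token_bytes(32)
    commitment = hmac.new(salt, _canonical(ev), hashlib.sha256).hexdigest()
    on_chain = {"commitment": commitment, **{k: ev[k] for k in PUBLIC_FIELDS}}
    private = {"commitment": commitment, "event": ev, "salt": salt.hex()}
    return on_chain, private


def verify_commitment(on_chain: dict, private: dict) -> bool:
    """Investigation check: does the private record open the ledger commitment?"""
    expected = hmac.new(bytes.fromhex(private["salt"]), _canonical(private["event"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, on_chain["commitment"])


def ingest(xml_text: str) -> tuple[list[dict], list[dict], list[dict]]:
    """Split a file into ledger records, private-collection records, and exceptions."""
    ledger, private_collection, exceptions = [], [], []
    for index, ev in enumerate(parse_object_events(xml_text)):
        problems = validate_event(ev)
        if problems:
            exceptions.append({"event_index": index, "problems": problems})
            continue
        on_chain, private = commit_event(ev)
        ledger.append(on_chain)
        private_collection.append(private)
    return ledger, private_collection, exceptions


def ledger_exposes_serials(ledger: list[dict]) -> bool:
    """Guardrail: no SGTIN may appear in anything written to the shared ledger."""
    return SGTIN_PREFIX in json.dumps(ledger)


if __name__ == "__main__":
    ledger, private_collection, exceptions = ingest(SAMPLE_EPCIS_XML)
    print("ledger records:", len(ledger), "private:", len(private_collection), "exceptions:", exceptions)
    print("serials on ledger:", ledger_exposes_serials(ledger))
```

The `ledger_exposes_serials` guardrail is the kind of check worth running in CI against every ledger write path: the commitment is useless as a privacy measure if a later change quietly adds an EPC field to the on-chain record.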
3) Part 11-aware clinical audit trail
- Flow:
- The system timestamps and signs protocol events and writes a hash attestation to the ledger.
- Validated, searchable e-records and signatures stay off-chain.
- It produces human-readable certified copies and machine-verifiable proofs for monitors and regulators. (fda.gov).
- Ledger choice:
- Fabric: private collections hold sensitive site-level metadata, visible only to the parties who need it, with channel-level governance. (hyperledger-fabric.readthedocs.io).
- Besu/QBFT with Tessera: a Proof-of-Authority setup in which sponsors, CROs, and sites transact privately within privacy groups. (besu.hyperledger.org).
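The audit-trail flow above, and the "immutable on-chain attestation, detailed logs off-chain" logging from Phase 2, as an added Python example (not code from the original post): events are hash-chained and signed off-chain, each batch's Merkle root is the only thing written to the ledger, and a per-event inclusion proof lets a monitor verify a certified copy against the anchor without seeing the rest of the trail. The HMAC key stands in for a KMS/HSM-held signing key and the `AuditTrail` class is an assumption of this example; a Part 11 system would use a real electronic signature bound to an identified user.

```python
from __future__ import annotations

import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-for-production"  # stand-in for a KMS-held key
CHAIN_FIELDS = ("seq", "ts", "actor", "action", "subject", "prev")


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _payload(ev: dict) -> bytes:
    """Canonical bytes covered by the hash and the signature."""
    return json.dumps({k: ev[k] for k in CHAIN_FIELDS}, sort_keys=True, separators=(",", ":")).encode()


def event_hash(ev: dict) -> str:
    return _h(_payload(ev))


def _pair(left: str, right: str) -> str:
    return _h(bytes.fromhex(left) + bytes.fromhex(right))


def merkle_root(leaves: list[str]) -> str:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate the last leaf on odd levels
        level = [_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves: list[str], index: int) -> list[tuple[str, str]]:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = i ^ 1
        proof.append(("L", level[sibling]) if sibling < i else ("R", level[sibling]))
        level = [_pair(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof


def verify_proof(leaf: str, proof: list[tuple[str, str]], root: str) -> bool:
    h = leaf
    for side, sibling in proof:
        h = _pair(sibling, h) if side == "L" else _pair(h, sibling)
    return h == root


class AuditTrail:
    """Off-chain, hash-chained, signed event log with periodic on-chain anchoring."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.events: list[dict] = []
        self.ledger: list[dict] = []      # stand-in ledger: only Merkle roots land here
        self._unanchored_from = 0

    def record(self, ts: str, actor: str, action: str, subject: str) -> dict:
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        ev = {"seq": len(self.events), "ts": ts, "actor": actor, "action": action,
              "subject": subject, "prev": prev}
        ev["hash"] = event_hash(ev)
        ev["sig"] = hmac.new(self.key, _payload(ev), hashlib.sha256).hexdigest()
        self.events.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """Recompute every hash, link and signature; any edit or deletion breaks it."""
        prev = "0" * 64
        for ev in self.events:
            expected_sig = hmac.new(self.key, _payload(ev), hashlib.sha256).hexdigest()
            if ev["prev"] != prev or ev["hash"] != event_hash(ev):
                return False
            if not hmac.compare_digest(ev["sig"], expected_sig):
                return False
            prev = ev["hash"]
        return True

    def anchor(self) -> str:
        """Write the Merkle root of all events since the last anchor to the ledger."""
        batch = self.events[self._unanchored_from:]
        if not batch:
            raise ValueError("nothing to anchor")
        root = merkle_root([e["hash"] for e in batch])
        self.ledger.append({"from": self._unanchored_from, "to": len(self.events) - 1, "root": root})
        self._unanchored_from = len(self.events)
        return root

    def inclusion_proof(self, seq: int) -> tuple[list[tuple[str, str]], str]:
        """Proof a monitor can check against the ledger without seeing other events."""
        for a in self.ledger:
            if a["from"] <= seq <= a["to"]:
                leaves = [e["hash"] for e in self.events[a["from"]:a["to"] + 1]]
                return merkle_proof(leaves, seq - a["from"]), a["root"]
        raise KeyError(f"event {seq} is not yet anchored")


def verify_certified_copy(ev: dict, proof: list[tuple[str, str]], root: str) -> bool:
    """Recompute the hash from the copy's content and check it against the anchored root."""
    return verify_proof(event_hash(ev), proof, root)


if __name__ == "__main__":
    trail = AuditTrail(DEMO_KEY)
    for i in range(3):   # constructed protocol events
        trail.record(f"2025-03-0{i + 1}T10:00:00+00:00", "dr.smith", "protocol.deviation.recorded", f"subject-{i}")
    root = trail.anchor()
    proof, anchored_root = trail.inclusion_proof(1)
    print("chain ok:", trail.verify_chain(), "copy ok:", verify_certified_copy(trail.events[1], proof, anchored_root))
```

Anchoring a root rather than every event keeps ledger traffic and on-chain metadata to a minimum: the ledger reveals only that a batch of some size was closed at a given time, while the proof for any single event is a handful of hashes.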
Security-by-default (what to bake in before pilots)
- FIPS 140-validated crypto and HSM/KMS: use validated modules and a managed KMS, especially when you operate under a Business Associate Agreement (BAA). If PHI or consent records must be retained for more than a decade, plan the transition to post-quantum cryptography (PQC) now. (csrc.nist.gov).
- HIPAA Security Rule technical safeguards: unique user identification, audit controls, integrity, person or entity authentication, and transmission security (encryption in transit). Map each safeguard to your API gateway, ledger client, and data lake so nothing falls between components. (law.cornell.edu).
- HHS HPH Cybersecurity Performance Goals: start with the 10 essential practices (MFA, email security, encryption in transit, vendor risk assessment, incident planning), then move to the enhanced set (asset inventory, segmentation, centralized logging, configuration management). They map cleanly onto NIST SP 800-53. (aha.org).
- Privacy threat modeling with LINDDUN: run it during design and again before go-live. Track not only confidentiality risks but also how you address unlinkability, intervenability, and transparency. (linddun.org).
Interoperability choices you should lock now
- FHIR baseline: R4/R4B with US Core 6.1.0 for the U.S. The R4 platform components are normative, so later updates remain compatible with what you build now.
- SMART App Launch v2.2: simplifies app discovery, scopes, and launch flows for patients and clinicians, whether the app runs standalone or launches from the EHR.
- Bulk Data Access IG v3.0: improves population-level analytics and public health use cases via SMART Backend Services.
- TEFCA: align governance and identity with CA v2.0 and build for brokered or "facilitated" FHIR; funding is in place for the QHIN FHIR pilots and for ongoing specification maintenance.
Off-chain storage and IPFS, safely
- IPFS is public and content-addressed. Traffic is encrypted, but DHT metadata is visible to anyone. If you use it for deduplicated content routing, encrypt payloads, control who may pin your content, and avoid publishing CIDs that could reveal sensitive relationships.
Many teams instead use private object storage (with KMS encryption and VPC endpoints) and record only the content-address hashes on the ledger. That keeps the integrity and non-repudiation benefits without exposing the content.
Identity and verifiable credentials (what works in production)
- DIDs v1.0 (W3C Recommendation) let you create identifiers without a central registry. Paired with VC 2.0, they support portable patient consents, clinician privileges, and device attestations.
- Authorize data access with SMART scopes, not the ledger. Use the ledger to record hashes and timestamps of consent state or credential status, and never store PHI on-chain.
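An added Python example (not code from the original post) of the "SMART scopes decide access, the ledger only records state" rule: a parser and authorization check for SMART App Launch v2 scopes. The scope grammar (`patient|user|system` context, resource type or `*`, `cruds` interaction letters in canonical order, optional `?param=value` filters, and the v1 `read`/`write` forms) follows the SMART specification; the `authorizes` function, its treatment of a filter parameter the request does not supply as not satisfied, and the sample scopes are assumptions of this example.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs

# context/Resource.perms[?filters]; v2 perms are a subset of c r u d s, v1 are read/write/*
SCOPE_RE = re.compile(
    r"^(?P<ctx>patient|user|system)/(?P<res>[A-Z][A-Za-z]*|\*)"
    r"\.(?P<perm>[cruds]+|read|write|\*)(?:\?(?P<q>.+))?$"
)
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}


def parse_scope(scope: str) -> dict | None:
    """Return the scope's parts, or None if it is not a well-formed SMART scope."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    perm = m["perm"]
    if perm in V1_TO_V2:
        perm = V1_TO_V2[perm]
    elif "".join(sorted(set(perm), key="cruds".index)) != perm:
        return None  # v2 letters must be unique and in c-r-u-d-s order
    filters = parse_qs(m["q"]) if m["q"] else {}
    return {"context": m["ctx"], "resource": m["res"], "perms": set(perm), "filters": filters}


def authorizes(granted_scopes: list[str], context: str, resource: str, interaction: str,
               request_params: dict[str, str] | None = None) -> bool:
    """Does any granted scope permit `interaction` (one of c r u d s) on `resource`
    in `context`, with every granular filter on the scope satisfied by the request?"""
    params = request_params or {}
    for scope in granted_scopes:
        parsed = parse_scope(scope)
        if parsed is None or parsed["context"] != context:
            continue
        if parsed["resource"] not in ("*", resource) or interaction not in parsed["perms"]:
            continue
        if all(params.get(name) in allowed for name, allowed in parsed["filters"].items()):
            return True
    return False


# Constructed token scopes: lab observations only, plus read on the Patient resource.
LAB = "http://terminology.hl7.org/CodeSystem/observation-category|laboratory"
SAMPLE_SCOPES = [f"patient/Observation.rs?category={LAB}", "patient/Patient.r"]

if __name__ == "__main__":
    print(authorizes(SAMPLE_SCOPES, "patient", "Observation", "s", {"category": LAB}))
    print(authorizes(SAMPLE_SCOPES, "patient", "Observation", "s"))
```

The decision is purely a function of the token the authorization server issued; the consent ledger entry that led to that token being granted is evidence for auditors, not something the resource server consults on each request.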
Compliance-specific gotchas (don’t learn these the hard way)
- HIPAA de-identification: either remove the 18 identifiers listed in the Safe Harbor method or use Expert Determination, which requires a documented risk analysis. Hashing alone does not de-identify data; context matters. (hhs.gov).
- Part 2: the new "one-time TPO consent" aligns with HIPAA, but redisclosure limits are stricter. The rule took effect in 2024 with a compliance date of February 16, 2026. Make sure your consent VCs carry Part 2 flags so that downstream handling is correct. (hhs.gov).
- HBNR (non-HIPAA apps): vendors of personal health records (PHRs) and related entities must notify users, and the FTC, of breaches. The rule changed in 2024, so add breach-notification automation to your roadmap. (ftc.gov).
- DSCSA: the "stabilization" year is over and exemptions have been extended for specific partner classes. Your roadmap should reflect the actual dates for each partner type, and EPCIS conformance testing and partner onboarding are essential to the whole process. (fda.gov).
Reference stacks we see succeeding
- **Fabric (2.5.x)**: ideal for managed networks handling sensitive data, with private data purging and channel policies; it fits the "hash on-chain, PHI off-chain" pattern well.
- Besu (QBFT) + Tessera: a good choice for a privacy-focused Ethereum network, especially if you plan to use EVM tooling and L2 bridges.
- Cloud services covered by a BAA: KMS, logging, EDI/B2B (X12), and resilience, for example AWS KMS/HSM, B2B Data Interchange for HIPAA X12, and Resilience Hub, all of which are HIPAA eligible.
Indicative delivery plan (what we actually do on engagements)
- Weeks 1-2: We’re going to start things off by exploring different use cases and mapping out the data. Then, we’ll jump into a LINDDUN workshop, which should be pretty interesting. Plus, we’ll take a look at any gaps in the regulations that we need to address.
- Weeks 3-6: Alright, so here’s what we’ll be diving into next! During these weeks, we’ll work on setting up our reference architecture. We’ll also choose the best ledger for our needs, tackle FHIR/SMART contracts, and put together the consent VC schema. Plus, we’ll sketch out a solid plan for KMS/FIPS. Exciting stuff ahead!
- Weeks 7-14: Alright, it’s time to dive in and start building the MVP! During this phase we’ll stand up the SMART 2 and Bulk Data v3 server and client, bootstrap the Fabric/Besu network, and then build out the issuance and verification of consent. It's a bit of a process, but once you're in the groove, it flows pretty smoothly! Also, if it’s relevant, we’ll check out how to handle DSCSA EPCIS ingestion. If you want to dive deeper into this topic, just click here to explore more!
- Weeks 15-22: During this time, we'll really tighten things up for the pilot. We're going to zoom in on the key stuff for HPH CPGs, run a penetration test, and collect all the compliance paperwork we need--think Part 11 validation docs and audit logs. Plus, we’ll make sure everything is good to go for TEFCA readiness.
For more info on this, check out the article from AHA. It's got all the details you need!
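Here is what the consent issuance and verification step (weeks 7-14) and the consent schema work (weeks 3-6) boil down to in code. This is an added example written for this article, not code from AUJay or from any of the projects named above. It uses only the Go standard library: an Ed25519 key signs a minimal consent payload, and the verifier checks issuer trust, signature, expiry, revocation and the requested scope, in that order. The claim fields, the `did:example:` identifiers and the revocation list are all constructed for the example; it is not an implementation of the W3C Verifiable Credentials data model or of the FHIR Consent resource, which is what a production consent VC schema would be built on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ConsentClaims is a hypothetical, deliberately minimal consent payload built for
// this example; the field names are not from any W3C VC or FHIR Consent profile.
type ConsentClaims struct {
	ID      string   `json:"id"`
	Subject string   `json:"subject"` // patient identifier (constructed DID)
	Grantee string   `json:"grantee"` // organisation the patient grants access to
	Purpose string   `json:"purpose"` // e.g. "treatment"
	Scopes  []string `json:"scopes"`  // SMART v2-style scopes the consent covers
	Exp     int64    `json:"exp"`     // expires at (Unix seconds)
}

// ConsentCredential is the signed envelope handed to a verifier. The claims name
// an identifiable patient, so they stay off-chain; at most a hash of the
// credential and its revocation status would be anchored on a ledger.
type ConsentCredential struct {
	Issuer    string        `json:"issuer"`
	Claims    ConsentClaims `json:"claims"`
	Signature []byte        `json:"signature"`
}

// signingInput binds issuer identity and claims into one byte string.
// encoding/json writes struct fields in declaration order with no whitespace,
// so issuer and verifier derive identical bytes from identical values.
func signingInput(issuer string, c ConsentClaims) ([]byte, error) {
	return json.Marshal(struct {
		Issuer string        `json:"issuer"`
		Claims ConsentClaims `json:"claims"`
	}{issuer, c})
}

// Issue signs the claims with the issuer's private key.
func Issue(issuer string, priv ed25519.PrivateKey, c ConsentClaims) (ConsentCredential, error) {
	msg, err := signingInput(issuer, c)
	if err != nil {
		return ConsentCredential{}, err
	}
	return ConsentCredential{Issuer: issuer, Claims: c, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrUntrustedIssuer = errors.New("consent: issuer not in trust list")
	ErrBadSignature    = errors.New("consent: signature does not verify")
	ErrExpired         = errors.New("consent: expired")
	ErrRevoked         = errors.New("consent: revoked")
	ErrScope           = errors.New("consent: requested scope not granted")
)

// Verify checks, in order: trusted issuer, signature over issuer+claims, expiry,
// revocation list, and that the requested scope was actually granted. Nothing
// in the claims is acted on before the signature has been checked.
func Verify(cred ConsentCredential, trusted map[string]ed25519.PublicKey,
	revoked map[string]bool, now int64, wantScope string) error {
	pub, ok := trusted[cred.Issuer]
	if !ok {
		return ErrUntrustedIssuer
	}
	msg, err := signingInput(cred.Issuer, cred.Claims)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, cred.Signature) {
		return ErrBadSignature
	}
	if now >= cred.Claims.Exp {
		return ErrExpired
	}
	if revoked[cred.Claims.ID] {
		return ErrRevoked
	}
	for _, s := range cred.Claims.Scopes {
		if s == wantScope {
			return nil
		}
	}
	return ErrScope
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	issuer := "did:example:hospital-a" // constructed identifiers throughout
	trusted := map[string]ed25519.PublicKey{issuer: pub}
	cred, _ := Issue(issuer, priv, ConsentClaims{ID: "consent-001", Subject: "did:example:patient-123",
		Grantee: "did:example:clinic-b", Purpose: "treatment",
		Scopes: []string{"patient/Observation.rs"}, Exp: 1800000000})
	fmt.Println("valid:", Verify(cred, trusted, nil, 1750000000, "patient/Observation.rs"))
	cred.Claims.Scopes = []string{"patient/*.rs"} // widen the grant without re-signing
	fmt.Println("tampered:", Verify(cred, trusted, nil, 1750000000, "patient/*.rs"))
}
```

Two design points worth carrying into the real schema: the issuer identity is inside the signed bytes, so swapping the `issuer` field to a different trusted key still fails verification, and the revocation check is keyed by consent ID so that a revocation list (or its hash) is the only consent-related thing that needs to be anchored on the ledger.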
Key takeaways
- Try not to store any personal health information (PHI) directly on the blockchain. It's a smarter move to use commitments and proofs instead. Just a quick reminder: when you're putting your design together, make sure to include HIPAA de-identification and Part 2 redisclosure rules right from the start. Think of them as the building blocks, not something to tack on later! (hhs.gov).
- Stay ahead of the curve by getting in sync with USCDI v3, FHIR US Core 6.1, SMART 2.2 and Bulk Data v3 now, so you'll be all set and won't have to rush around in 2026. (healthit.gov).
- If you're working in the drug supply chain, make sure you've got what you need to handle EPCIS at scale and to back up those attestations with a solid ledger. Just a heads up: stay on top of your DSCSA deadlines, which depend on your role. (fda.gov).
- Before diving into any pilot programs, implement the key controls from the HHS HPH CPGs. Trust me, it'll set you up for success! These controls are what carry you through customer security reviews and keep you standing against the ransomware attacks that are all too common these days. (aha.org).
- To keep your crypto safe for the future, use FIPS 140-validated modules now, and put together a plan for migrating your key and signature layers to Post-Quantum Cryptography (PQC). That way you're set to protect PHI in the long run. (csrc.nist.gov).
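To make the first takeaway (and the "hash-on-chain, PHI off-chain" point from the Fabric bullet) concrete, here is an added example of the commitment pattern in Go. It is written for this article and is not code from AUJay, Fabric or Besu. The ledger and the BAA-covered off-chain store are in-memory maps standing in for the real things, the record is a constructed FHIR-style Observation rather than real patient data, the canonicalisation step is a simplified stand-in for a proper JSON canonicalization scheme, and all function and type names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// LedgerEntry is everything that goes on-chain: an opaque commitment plus
// bookkeeping. Nothing in it can be inverted to learn about the record.
type LedgerEntry struct {
	RecordID   string `json:"recordId"`
	Commitment string `json:"commitment"` // hex(HMAC-SHA256(salt, canonical record))
	Version    int    `json:"version"`
}

// OffChainRecord stays in the BAA-covered store: the PHI itself plus the salt
// that makes the on-chain commitment hiding.
type OffChainRecord struct {
	Salt []byte
	PHI  []byte
}

type Ledger map[string]LedgerEntry
type OffChainStore map[string]OffChainRecord

// Canonicalize re-serialises a JSON document with sorted keys and no whitespace,
// so two byte-different but equivalent encodings commit to the same value.
// encoding/json sorts map keys; this is a simplified stand-in for RFC 8785 JCS.
func Canonicalize(raw []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// Commit binds the record to a 256-bit random salt. Without the salt, a record
// drawn from a small value space (a lab flag, a diagnosis code) could be matched
// against the public hash by enumeration; with it the commitment is hiding.
func Commit(salt, canonical []byte) string {
	m := hmac.New(sha256.New, salt)
	m.Write(canonical)
	return hex.EncodeToString(m.Sum(nil))
}

// Anchor writes PHI and salt off-chain and only the commitment to the ledger.
func Anchor(l Ledger, s OffChainStore, id string, phi []byte) (LedgerEntry, error) {
	canon, err := Canonicalize(phi)
	if err != nil {
		return LedgerEntry{}, err
	}
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return LedgerEntry{}, err
	}
	entry := LedgerEntry{RecordID: id, Commitment: Commit(salt, canon), Version: l[id].Version + 1}
	l[id] = entry
	s[id] = OffChainRecord{Salt: salt, PHI: phi}
	return entry, nil
}

var ErrUnknownRecord = errors.New("record not anchored")

// VerifyRecord recomputes the commitment from the off-chain copy and compares
// it, in constant time, with what the ledger says.
func VerifyRecord(l Ledger, s OffChainStore, id string) (bool, error) {
	entry, ok := l[id]
	rec, ok2 := s[id]
	if !ok || !ok2 {
		return false, ErrUnknownRecord
	}
	canon, err := Canonicalize(rec.PHI)
	if err != nil {
		return false, err
	}
	return hmac.Equal([]byte(Commit(rec.Salt, canon)), []byte(entry.Commitment)), nil
}

func main() {
	ledger, store := Ledger{}, OffChainStore{}
	// Constructed FHIR-style Observation; not real patient data.
	obs := []byte(`{"resourceType":"Observation","id":"obs-1","status":"final",
	  "code":{"text":"HbA1c"},"valueQuantity":{"value":6.4,"unit":"%"}}`)
	entry, _ := Anchor(ledger, store, "obs-1", obs)
	fmt.Println("on-chain:", entry)
	ok, _ := VerifyRecord(ledger, store, "obs-1")
	fmt.Println("intact:", ok)
	// Edit the off-chain copy without re-anchoring: the ledger now disagrees.
	store["obs-1"] = OffChainRecord{Salt: store["obs-1"].Salt, PHI: []byte(
		`{"resourceType":"Observation","id":"obs-1","status":"final","code":{"text":"HbA1c"},"valueQuantity":{"value":5.4,"unit":"%"}}`)}
	ok, _ = VerifyRecord(ledger, store, "obs-1")
	fmt.Println("after tamper:", ok)
}
```

In a Fabric deployment the `LedgerEntry` is the kind of value chaincode would write to world state, while the `OffChainRecord` stays in the application's own database; the salt travels with the PHI, never with the commitment, which is what lets the same chain be shared with partners who must never see the record.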
Appendix: Quick-reference links
- TEFCA CA v2.0, the FHIR roadmap and the 2025 QHIN FHIR pilots. It’s pretty exciting stuff! Details: (healthit.gov).
- HTI-1 final rule: USCDI v3, FHIR US Core 6.1 and SMART v2 by January 1, 2026. More details here: (healthit.gov).
- DSCSA stabilization and exemption plans for 2025-2026. If you want the details, check this out: (fda.gov).
- HIPAA de-identification guidelines. You’ve come to the right place! Check it out here: (hhs.gov).
- 42 CFR Part 2 Final Rule: save the date, the compliance deadline is February 16, 2026. Definitely something to keep on your radar! Details: (hhs.gov).
- FTC HBNR updates, in effect from July 29, 2024. Mark your calendars! Check it out: (ftc.gov).
- SMART App Launch v2.2 and Bulk Data IG v3.0.0. Get the details: (hl7.org).
- LINDDUN privacy threat modeling. Your ultimate resource: (nist.gov). You’ll find all the info you need!
If you need a hand customizing this to suit your needs, we can take everything we've talked about and put together a great backlog for you. Once we’re set, we can roll out an MVP that will meet the approval of your compliance and security teams.