Replacing Intake Forms with Verifiable Credentials

You go to a new HCP and the first thing you have to do is fill out a long intake form. Often with the same irrelevant questions from office to office. Each time the office manually inputs these into their system, never to be looked at again.

You then meet with the HCP and they ask you questions on your medical history and current experiences. The problem is that it's difficult to remember the details accurately and even more challenging to know which data is critical and which is irrelevant.

All medical records are now digital, with the capability to transport the data freely at no cost. The reason we don't is that of privacy, security, and ownership of the data. With recent advances in technologies, we now have options that will overcome these criteria in the eyes of patients and regulators. 

Introducing Verifiable Credentials

A verifiable credential (VC) is the digital version of credentials we currently use, such as a driver's license. These credentials prove your identity and membership to an organization, government, university, etc. But being digital, they can implement functions that allow you to customize interactions with code. Before we get into how these can replace the intake form experience, let's discuss the parts of a Verifiable Credential.

Metadata

Verifiable credentials have three overall parts: metadata, subject, and proof. The metadata states how to read/write the information of the VC. Think of them as using different languages like English/Spanish but as programming languages, such as JSON-LD or JWT. We call this the VC's vocabulary. The VC also lists a unique address (Uniform Resource Identifier or URI) where another party can download and configure the vocabulary to interact with it.

If we think of a driver's license, it displays that it's from the New Jersey Government and provides a unique number (license number) for the individual. Similarly, a Verifiable Credential will identify its entity and the VC itself with URI's mentioned above. A URI is a unique set of characters that identifies something on the internet. 

Two types of URI's are URLs (uniform resource location) and URNs (uniform resource names). An URL is what we type in when we visit a website, for example, Linkedin.com. A URN is a name of an individual or entity. One example of a URN is a Decentralized Identity (DID) that provides the unique identification of the entity (in our example, NJ gov or the license number). Either will have a registry that verifies the credentialed. 

Subject

The second part of the VC is the subject. The subject is who and what the VC applies to. For privacy, the identification of the subject is a pseudonym as a URI. A subject can have multiple pseudonyms, and each VC can contain a different ID. This prevents traceability; a verifier may not know that two VCs with different subject IDs belong to the same person.

While the subject part asserts characteristics of the VC holder, the VC can use selective disclosure to protect their privacy. Selective disclosure only discloses the minimum number of data points necessary by the verifier to authenticate the user - for example, the age but not the person's weight. 

Selective disclosure can also use zero-knowledge proofs (ZK-Snarks, Bullet proofs, etc.) to answer questions without disclosing the underlying information. For example, the VC can assert that the user is insured without displaying what insurance they use. Or that they are between 18-35 years old without divulging their actual age.

Proof

The third and final part of a VC is the proof. The proof is a digital signature used to verify the owner of the VC and that the VC has not been tampered with. The signature uses cryptographic functions to transform a message via a private key. The signature is verifiable using the public key of a private-public key pair. There are many types of proofs available and the industry has not yet set a standard.

How Verifiable Credentials replace intake forms

When patients want to interact with a new HCP they pull out their state-issued license to identify themselves. Now, they can use a digital wallet with a verifiable credential. This VC will identify them and begin the interaction. 

The structure of the interaction, after identification, will begin with a data transfer instead of an intake form. The HCP's office will set the policy and the patient will approve or reject it. The office may have one policy or several based on the services performed. Once approved, a connection of digital wallets will allow continual data flow between parties.

Using a VC replaces the need for intake forms. A patient's wallet will contain all of their medical records from various HCPs, including physician notes, exams, and other past data. The policy defines what data they require and the patient can elect to allow access to other data. This data will be the most accurate version with no distortion in recalling the data or remembering the essential details.

The question is, who owns what data? HIPAA currently states the provider owns the data, but the patient may access a copy for a fee. 

We can all agree that our healthcare data is some of the most private data we have. It is also valuable, which we will discuss shortly. It makes little sense that the provider should be the owner of the data. It is my opinion the patient should keep ownership. Should the patient no longer want to work with the HCP, this technology allows them to revoke access to all of their data at any point. 

The Pistoia Alliance is working on a clinical trial platform to grant the patient the right to revoke their consent to take part in a clinical trial. 

Marketplace

As we mentioned, healthcare data is valuable. I believe a marketplace will develop around sharing and using health data. Patients will be incentivized to collect, analyze and sell their data. Below are potential ways a healthcare marketplace could function:

• Patients select which data they will share
• Companies and individuals look through the data and request access to it
• Patients select the type of compensation to provide access. 1.) Someone can create and share a token as payment to patients who submit data. The tokens act as shares of a company. This will eliminate constraints of access to capital. 2.) Direct payments to patients for their data. 3.) Government funding.
• The individual/company that has developed something useful can sell the insights or application. Or they could scale the company themselves.
• Second-order effects will develop from the creation of new businesses. A marketplace of ideas and companies will form.

Blockchains are decentralized and interoperable. Therefore, network effects between different blockchain projects can produce exponential results. For example, the Synaptic Healthcare Alliance is creating a blockchain database of physician contact information that can integrate with this platform. We can also envision a blockchain forming that can link families' medical records together. This link may allow for a better understanding of one's genomic data, while pseudonym identifiers and zero-knowledge proofs prevent privacy risk.

Sources

https://livebook.manning.com/book/self-sovereign-identity

https://www.pharmacytimes.com/view/who-owns-patients-data