Blockchain-based EHR system puts data power back in patients’ hands
Researchers have developed a new framework that aims to overhaul how electronic health records (EHRs) are stored, shared, and secured, offering a patient-first model designed to address long-standing privacy and interoperability challenges in global healthcare systems. The study, titled “A Patient-Centric Blockchain Framework for Secure Electronic Health Record Management: Decoupling Data Storage from Access Control,” introduces a decentralized approach that separates where medical data is stored from how it is accessed. The authors argue that this separation is essential for enabling stronger patient control, stricter privacy guarantees, and a more accountable system for managing sensitive information.
The research team proposes a model that combines blockchain smart contracts with off-chain encrypted storage. According to their findings, this structure reduces the risk of data breaches, eliminates single points of failure, and allows patients to manage permissions in real time without relying entirely on hospitals or service providers. The authors claim the system also aligns with major data protection rules, including HIPAA and GDPR, and is capable of operating at real-world speeds with acceptable costs.
Blockchain access control and off-chain storage form the foundation of the system
Instead of placing medical data directly on a blockchain, the system stores encrypted records off-chain in repositories such as IPFS or cloud services like AWS S3. Only a small amount of metadata, namely hashes, reference links, and access permissions, is written to the blockchain. The study describes this approach as essential for both security and scalability. By keeping personal health information off-chain, the system prevents public exposure while still benefiting from blockchain’s integrity and auditability.
Each patient is assigned a dedicated smart contract that logs all access decisions. The smart contract acts as a decentralized permission manager, recording which providers can access which files, for how long, and under what authorization. The authors state that this design achieves a high level of transparency since all permission updates and revocations are permanently stored on-chain. It also ensures that clinicians and organizations cannot secretly access or modify patient records without generating an immutable trail.
To handle security, the system employs a combination of symmetric encryption and elliptic curve cryptography. Records are encrypted with a symmetric key to ensure efficient processing. That key is then encrypted for each authorized recipient using a method based on ECIES. This two-step technique means that storage providers cannot read the data even if they host it. The encryption also ensures that only individuals who have received explicit authorization from the patient can decrypt and view the record.
A significant feature of the framework is its approach to permission signatures. Patients grant or revoke access using typed signatures based on the EIP-712 standard. This prevents attackers from forging requests or replaying old permissions. The inclusion of nonces ensures that each authorization is unique and valid only for the intended transaction. These signatures form an essential layer of defense against unauthorized viewing, manipulation, or impersonation.
The model also includes support for time-limited access windows. Patients can specify how long a provider may view a specific record. The system automatically respects these expiration windows, requiring the provider to obtain new permission when the period ends. This mechanism helps prevent long-term access creep, where individuals retain privileges indefinitely without oversight.
Emergency access handling is addressed through what the authors call a two-physician override. In urgent situations, two independent physicians can jointly authorize access even when the patient is unavailable. The override is designed to mirror real-world emergency protocols while maintaining decentralized accountability. Every such event is permanently recorded, and access is limited to the immediate need.
Performance testing shows practical speeds and manageable costs for real-world use
To demonstrate the model’s feasibility, the researchers conducted a performance evaluation using blockchain transactions, cryptographic operations, and record retrieval tasks. The smart contract used for managing permissions consumes roughly 78,000 gas on Ethereum Layer 1 per permission update. While this cost would be high for frequent operations on the main network, the authors highlight that Layer 2 platforms reduce the cost by 10 to 13 times, making the system far more practical for hospitals, clinics, and insurance networks with high activity volume.
End-to-end record access, including retrieving a 1 MB file and decrypting it, takes approximately 0.7 to 1.4 seconds in their tests. Most of the delay results from pulling the encrypted data from storage rather than from the blockchain or cryptographic components. This suggests that the framework is fast enough to function smoothly during routine clinical workflows.
The security analysis shows that the system maintains confidentiality, integrity, and authenticity under standard cryptographic assumptions. By relying on established encryption protocols and blockchain immutability, the authors argue that their model is resistant to common attack vectors, including unauthorized access, key forgery, and data tampering.
The study also discusses how the architecture handles metadata privacy. Since blockchain entries are public, even small pieces of metadata can raise concerns about leakage. To mitigate this, the authors recommend minimizing on-chain information, using opaque references, and carefully managing access logs so that they do not inadvertently reveal patient identities or conditions.
The researchers address compliance with HIPAA and GDPR, emphasizing that storing only hashes and pointers on-chain avoids violating rules regarding personal information. Because data remains encrypted and off-chain, no personal details are exposed through the blockchain. Patients maintain control of their own keys, which the authors argue is crucial for meeting informed consent and privacy standards. The framework also supports de-identification pipelines, enabling research institutions to use anonymized versions of the data without violating privacy laws.
Despite promising results, the study acknowledges several limitations. One challenge concerns key compromise. If a patient loses their keys, the system cannot grant or revoke permissions until the keys are restored through a predefined recovery mechanism. The authors suggest designing multi-party recovery protocols but note that such systems can add complexity. Another limitation involves denial-of-service attacks that could target the blockchain or storage nodes. While decentralized networks reduce this risk, they cannot fully eliminate it. The authors also note that revocation, while effective for future access, cannot retroactively remove data already downloaded by a provider.
Gas costs remain a concern, especially for large networks. Although Layer 2 scaling reduces expenses, healthcare systems with many transactions may still face operational costs. The researchers suggest batching permissions or using alternative blockchain designs to lower these expenses further.
Framework signals a shift toward patient-controlled digital health infrastructure
The proposed blockchain model reflects a broader movement in global healthcare toward giving patients greater authority over their digital records. Traditional systems rely heavily on centralized hospital databases that can be breached, mismanaged, or manipulated. By separating storage from access control, the study’s authors aim to create an infrastructure where patients act as the primary custodians of their medical information.
The research signals a shift away from institutional control and toward decentralized transparency. Under this model, no hospital or cloud provider can read patient records without permission. Access is visible, cryptographic, and regulated through a public ledger. This setup ensures accountability across a fragmented healthcare ecosystem where multiple organizations may need to collaborate.
The authors argue that such approaches are becoming essential as global health systems move toward cross-border digital platforms and research networks. Blockchain-backed access control could allow medical professionals from different regions or facilities to access patient data quickly, without compromising privacy. The model’s emergency override system also provides a balance between strict privacy and urgent care needs.
First published in: Devdiscourse