A Patient-Centric Blockchain Framework for Secure Electronic Health Record Management: Decoupling Data Storage from Access Control

TL;DR

This paper proposes a secure, patient-centric blockchain framework for managing electronic health records that separates data storage from access control, ensuring security, privacy, and auditability.

Contribution

It introduces a novel architecture that decouples storage from authorization, formalizes security goals, and provides a practical Solidity implementation for secure EHR sharing.

Findings

On-chain permission grants cost approximately 78,000 gas.

End-to-end access latency for 1 MB records is around 0.7 to 1.4 seconds.

Layer-2 deployment significantly reduces gas costs by 10-13 times.

Abstract

We present a patient-centric architecture for electronic health record (EHR) sharing that separates content storage from authorization and audit. Encrypted FHIR resources are stored off-chain; a public blockchain records only cryptographic commitments and patient-signed, time-bounded permissions using EIP-712. Keys are distributed via public-key wrapping, enabling storage providers to remain honest-but-curious without risking confidentiality. We formalize security goals (confidentiality, integrity, cryptographically attributable authorization, and auditability of authorization events) and provide a Solidity reference implementation deployed as single-patient contracts. On-chain costs for permission grants average 78,000 gas (L1), and end-to-end access latency for 1 MB records is 0.7--1.4s (mean values for S3 and IPFS respectively), dominated by storage retrieval. Layer-2 deployment reduces gas usage by 10--13x, though data availability charges dominate actual costs. We discuss metadata privacy, key registry requirements, and regulatory considerations (HIPAA/GDPR), demonstrating a practical route to restoring patient control while preserving security properties required for sensitive clinical data.