Enhancing Health Data Protection in Legacy EHR Systems: A Feasibility Study of Privacy PIN under GDPR Compliance

Abstract

Introduction: The widespread adoption of Electronic Health Records (EHR) has revolutionized healthcare delivery while introducing critical challenges in health data security and privacy. Despite advancements, legacy EHR systems remain vulnerable to breaches and struggle to comply with stringent regulations like GDPR. Current blockchain-based solutions, while promising, suffer from non-minimalist integration, ambiguous ownership models, and hybrid storage vulnerabilities. This research addresses these gaps by proposing Privacy PIN, a decentralized, privacy-preserving plugin designed to retrofit legacy EHR systems for GDPR compliance. Privacy PIN integrates cryptographic sovereignty, biometric authentication, and blockchain-anchored data governance to empower patient-centric control over health data, bridging the divide between regulatory mandates and scalable digitization.Methods: This research simulates Privacy PIN on the Sepolia Ethereum Testnet sandbox to emulate Ethereum Mainnet. Black-box testing validates Privacy PIN output reliability under GDPR requirements. Performance analysis extends to capacity expansion solutions, including Polygon and BASE, measuring gas costs, block throughput, and cost-effectiveness to assess compatibility for massive adoption for global health. Delphi method is also applied to explore certain GDPR rights. Results: Privacy PIN has the ability to individually implement the eight object rights in the GDPR, right to be informed, right of access, right to data portability, right to rectification, right to be forgotten, right to restrict processing, right to object to processing and right in relation to automated decision making and profiling. Additionally, this research also proposes a technical framework for integration with existing EHR systems, accompanied by an example provided as a demonstrative case study in the appendix. Discussion: There are also limitations in the research: (1) ethical risks of health data NFTization enabling black market exploitation; (2) infrastructure gaps (e.g., unstable energy or networks in Sub-Saharan Africa) deepening healthcare disparities; and (3) rapid blockchain evolution like Solana jeopardizing Ethereum-based compatibility. Additional challenges include informed consent barriers for non-technical users and ethical oversight complexities. Conclusion: Privacy PIN provides a cost-effective solution for GDPR-compliant EHR modernization, leveraging decentralized identity, biometric authentication, and NFT-based data sovereignty. While constrained by infrastructural, ethical, and technological dependencies, its modular design enables incremental adoption across heterogeneous healthcare systems. Future work should prioritize the standardization of Web3 health identifiers, patient education initiatives, and policy frameworks to harmonize privacy preservation.