February 16, 2017
Health information privacy concerns: when data from a pacemaker leads to arrest
Mr. Compton, a 59-year-old man from Ohio, was charged with arson and insurance fraud, based on information police obtained from his pacemaker. This case raises privacy concerns around medical devices, their data, and the use thereof.
In September 2016, Mr. Compton’s house caught fire. After discovering the fire, Mr. Compton packed items in suitcases (clothes, computer, charger for the pacemaker), broke one of his windows, threw the suitcases out and eventually jumped out himself. Mr. Compton alleged that he then placed the suitcases in his car and escaped the burning house.
During the investigation, the police obtained a search warrant for the data from Mr. Compton’s pacemaker. The cardiologist analysing the medical data concluded “it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.” As a result of the investigation, Compton has been arrested and charged with arson and insurance fraud.
The pacemaker data is likely protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) because the data is “received by a health care provider” and “relates to the past, present or future physical or mental health or condition of any individual” (45 C.F.R. § 160.103). HIPAA also requires that the information be “individually identifiable health information,” which is not an issue here since the data identifies Mr. Compton personally. Generally, in order for a health care provider to lawfully disclose PHI, the individual must authorize such disclosure in a written and signed instrument. However, there are exceptions to the authorization requirement if the disclosures are made “for a law enforcement purpose to a law enforcement officer” in compliance with a court order (45 C.F.R. § 164.512(f)).
In this case, as discussed above, there seems to be no direct statutory violation by the care provider (Mr. Compton’s hospital) in disclosing the pacemaker data to the police. Here, the police had a valid search warrant and the information was indeed relevant for the investigation. However, arguably, the revealed pacemaker data raises concerns about what kind of data is covered by HIPAA. Considering “traditional” PHI under HIPAA, the vast majority concerns medical records such as journals that describe the health status of the patient. With today’s technology, as seen in this case, information can be as detailed as what pulse a person had at an exact given time. This information is far more intimate than a report of your general health status. Despite PHI being defined as “present” information, one might argue that “present” information should not include real-time information such as a person’s pulse.
The issue with real-time information is that it is no longer only health information; it can also work as a surveillance and monitoring tool—which again raises clear privacy concerns. As technology evolves and changes the information landscape, the privacy protection of health information must adjust simultaneously. Therefore, Mr. Compton’s case is likely not the last we will see regarding this intricate privacy concern.