By Josh Stager

 

Medical devices have the potential to significantly improve the quality of patient care, but recent innovations demonstrate that the convergence of health information technology and Big Data is testing the limits of health privacy law. As the Wall Street Journal recently explained, many new devices collect vast amounts of patient data – often without the patient’s knowledge. Medtronic is a leader in this field, as it manufactures many devices that wirelessly collect and transmit data from technology implanted inside patients’ bodies. For example, a defibrillator implant tracks a patient’s heartbeat and provides a shock if the heartbeat stops. It is an important device for people with serious heart conditions, and doctors can use the data collected by the device to provide better treatment. But patients wanting to see data about their own heartbeats are rebuffed.

 

The pivotal question is: who owns the data collected by such devices? The Health Insurance Portability and Accountability Act of 1996 allows patients to access medical data from hospitals and physicians. However, the data collected by many medical devices is transmitted wirelessly to the device maker. Doctors can only access the data through websites maintained by the device maker – and patients have only been able to access that data from doctors who are willing to share it. Consequently, the data falls outside the scope of HIPAA’s patient access provisions.

 

While the medical community apparently considers this data to be owned by the companies who develop the technology and store the data, the legal community is less certain. Some argue that HIPAA is too outdated to adequately address the issue, and many patients (and their doctors) have an instinctive sense that the patient must have some ownership rights to the data, given that it is derived from their own bodily functions. Stanford cardiologist Paul Zei articulates the question thusly: “Is the device itself a depository for medical records, or is it part of the patient, and an extension of vital signs that we download into a medical chart?”

 

While a few enterprising patients have gone to great lengths to access data from their implanted devices (the Wall Street Journal described a man who took a $2,000 training course to learn how to read his device’s data transmissions and persuaded his doctor to copy his data from the manufacturer’s website), patient demand is relatively weak – for now. Few patients actually realize their device is transmitting data until they learn about it through some happenstance disclosure during a checkup. As public awareness increases, patient demand for access to this data will likely grow. Health data analytics is a fast-growing area of smartphone app development, as many people use apps such as Fitbit to track their physical activity or monitor sleep patterns.

 

Big Data companies also have an interest in the data collected by medical devices. Medtronic has indicated that it is looking into ways to monetize the data by selling it to interested third parties. While existing regulations prevent device makers and other third parties from selling data that is patient-identifiable, it is possible that anonymized data could be sold.

 

Smartphone apps raise another important question: what happens to medical data collected by apps? Such programs are not subject to FDA approval and fall outside the ambit of HIPAA. Nonetheless, phones are increasingly being used to collect and analyze medical data. In addition to health monitoring applications, phone and texting logs have been used by researchers to predict the onset of depression and stress disorders. In this environment, the definition of “medical data” is unclear. Technological innovation appears to be broadening the understanding of what constitutes medical data, but privacy law is stuck in a 20th Century framework.

 

Unprotected data from implanted devices, smartphone apps, and other medical technology could ultimately be used against patients. Medtronic envisions a future in which health insurers require those at risk of heart disease to wear monitoring devices or face higher premiums. Harvard research fellow Tolu Odomusu worries that an auto insurance company might buy unprotected medical data to prove that a driver’s sleepiness was to blame for a car accident.

 

The potential for abuse of medical data is substantial, which is what motivated Congress to enact HIPAA 17 years ago. However, HIPAA is clearly straining to keep up with health information technology, as the advances in medical devices demonstrate. New devices reveal a loophole in privacy laws that device makers, data companies, and app developers have exploited. It seems the only actor not benefitting from outdated laws is the patient. Indeed, the FDA offers little guidance to patients seeking access to their device data, other than telling them to ask their doctors for it. The unsustainability of this situation and the inherent privacy risks should be a call to action for Congress to revise HIPAA for the 21st Century.