When is patient data not patient data? When a patient wants his or her ICD data

The latest news story to examine the issue of patient access to implantable cardiac defibrillator data (a variation on the theme of “gimme my damn data”) is an in-depth, Page One Wall Street Journal story featuring Society for Participatory Medicine members Amanda Hubbard and Hugo Campos. They have garnered attention in the past – one example is another piece on Hugo on the NPR Shots blog about six months back. The question posed by these individuals is simple — May I have access to the data collected and/or generated by the medical device implanted in my body? — but the responses to the question have been anything but. It is important to note that not every patient in Amanda’s or Hugo’s shoes would want the data in as detailed a format as they are seeking to obtain, and we should not impose the values of a data-hungry Quantified Self devotee on every similarly-situated patient. Different strokes for different folks.

The point is that is if a patient wants access to this data he or she should be able to get it. What can a patient do with this data? For one thing: correlate activities with effects (one example given by Hugo is his correlation of having a drink of scotch with the onset of an arrhythmia — correlated through manual recordkeeping — which led him to give up scotch) and thereby have the ability to manage one’s condition more proactively.

We can get copies of our medical records from health care professionals and facilities within 30 days under HIPAA — and within a just a few days if our providers are meaningful users of certified electronic health records (it ought to be quicker than that … some day). In some states now, and in all states sometime soon (we hope), we can get copies of our lab results as soon as they are available to our clinicians.

Data from implantable medical devices is not covered by HIPAA until it is sent to the patient’s physician (on a periodic basis and usually in edited form — other data is typically retained by the device manufacturer) and entered into the patient’s medical record. It is, rather, governed by FDA rules, and the recent attention to this issue has prompted an FDA spokesperson to say that it would review a plan to give data directly to patients, but that data should be directed to physicians who can interpret it for patients. This is where the action will be in the future: the FDA could develop a framework to allow sharing of this data directly with patients. (The data is collected wirelessly in patients’ homes from the implantable devices.)

Not surprisingly, earlier this year, a Medtronic exec referred to the data in question here as “the currency of the future.” There is clearly a market for the secondary use of patient data — on a de-identified, or anonymized basis — for a variety of purposes, and this is the “big data” we are all hearing about so much lately. (The HIPAA enforcers at HHS recently released guidance on the de-identification of patient data for secondary use — i.e., use for research purposes.) There is value to be extracted from big data, and the question is: Who owns the value? Who owns the data? Suffering as I do from the professional disability of being a lawyer, I am reminded of Moore v. Regents of the University of California, the 1990 California Supreme Court case that found that Mr. Moore, a cancer patient who sought to share in the profits for the commercial cell line developed from cancer cells in a tumor removed from his body, had no property rights in his discarded body parts. Moore could perhaps be read to support the device manufacturers’ perspective that there is no value in the data coming from the implantable device until it is processed by the manufacturer.

Another perspective would be that each patient has a property right in the data generated by his or her body or implants. There have been a couple of discussions on e-patients.net and elsewhere about the notion of a “green button” or a “rainbow button” that would serve as a mechanism for patients to decide how to share their own data (in those cases, the discussion was focused on EHR data, but the principles ought to be the same here). If I want to share my EHR or device data with all, so that it may be aggregated with other patient data and used in research and the development of evidence-based medicine protocols, then I should be able to do so.  If I want to donate that data gratis, or if I want to see a small license payment collected by an intermediary (a la the Copyright Clearance Center), if I want to permit it to be used with full identifiers, or as a de-identified record, I should be able to do that.

The quest of patients with implanted devices to gain rights to data should not have to be so quixotic. The information in question is subject to a different regulatory scheme than EHR data, but that is an accident of history, technology and politics.  There is no fundamental distinction between a series of MRI images, or a blood test result, and a set of data downloaded from an implantable medical device.

It is possible that we have turned a corner on this issue. It is far from resolved, but the FDA is addressing it — or at least acknowledging it — publicly.

How close are we to resolving this issue? What obstacles do you see ahead? What other sorts of data have remained inaccessible to patients? Where is the next battlefield?

David Harlow is a health care lawyer and consultant at The Harlow Group LLC, and chairs the Society for Participatory Medicine’s public policy committee.  You should follow him on Twitter: @healthblawg.


Posted in: e-patient stories | how I became an e-patient | key people | medical records | news & gossip | PM Tech | policy issues




10 Responses to “When is patient data not patient data? When a patient wants his or her ICD data”

  1. David Harlow says:

    Comment from Bernard Farrell, posted on the S4PM listserv:

    This has been an ongoing issue for diabetes patients. At the recent DiabetesMine Innovation Summit, this topic was one of the main focuses for the day. http://www.diabetesmine.com/2012/11/straight-talking-at-the-2012-diabetesmine-innovation-summit.html

    Without access to insulin dosing, blood glucose readings, carb consumption and exercise we can’t even begin to understand the factors contributing to better blood glucose control. I hope this topic gets a LOT more notice.

  2. A few different trains of thought here, none of which I’ll fully develop this time of evening:
    First, concerning the Moore case, I’m curious how essential it was to regard the tumor as “discarded” tissue. For example, might the court have reached a different decision if the cell line had been developed from a preoperative tissue sample?
    Second, if these devices transmit data wirelessly, with some work it may be possible to “sniff” the data out of the air, a far less malicious use of the security exploits recently described by ComputerWorld. I’m consciously not dealing with the potential intellectual property issues around reverse engineering.
    I’m more interested in the IP rights around the data, which is where I’ll end. Rights to any proprietary data formats obviously belong to the device manufacturer. As David Harlow pointed out, the data content is produced by the patient’s body–specifically, body parts that are still very much in use (the general direction of my first point above). I would add that it’s the patient’s intellectual labor, in the form of decisions about activity and behavior, that makes the data content interesting and give it value. Even if one were to argue that content is not so much a product of intellectual labor as it is a by-product, it still seems that would be the patient’s intellectual property.

  3. Peter Cabeceiras says:

    Mr. Moore’s story seems similar to Henrietta Lack’s story. In the 1950’s a scientist at Johns Hopkins extracted some of Lack’s cells. Surprisingly, they became the first immortal human cell line. They were critical for 20th century biological research. I, as an undergraduate, have even used these “HeLa” cells in cancer biology research. These cells created a multi-billion dollar industry. The family never received remuneration for Lack’s contribution. However; the book that they had written about this has sold fairly well up to this point.

    Patients with implantable devices should have more access to their own data. Instead of having to go see the doctor to get a thirty page read-out for their Medtronic pacemaker, they could have this information sent to their, and their doctor’s, smart phones. One problem with these devices having the ability to connect with smart phones is that it introduces the risk of someone hacking into the device. I believe that as time goes on, these risks will be significantly reduced.

    Furthermore, the data needs to be optimized for the user. The patient should be able to see a useful readout of whatever data they keep track of. The doctor should receive the data displayed in a way that allows them to see everything they need to see, all in one place. If this is done electronically then it will save an immense amount of paper, and time that the physician uses to search through the papers to find relevant information while dictating or charting. The problem is that Medtronic, and other companies that make implantable devices, do not have very much incentive to keep revising and improving the display of these read-outs. The quandary with health information sharing and possession will have to be solved by legal, medical and corporate professionals working together, otherwise progress will be mired in a slowdown.

  4. […] without the expertise to interpret it, would be harmful to patients. A number of heart patients, including noted ePatient Hugo Campos, argued the contrary, citing their own examples of how AliveCor and similar devices had helped them […]

  5. What a mess you are all creating: HIPPA rules data taken care of by third party. HIPPA has nothing to do with the patients and HIS/HER data because such data belongs to the citizen in question.
    Next in legal terms: Your question what the Patient wishes to do with his data is none of Your …. business! It is mine and what I wish to do with my own property is not for you to question me.
    Next to the understandin of ‘medical data’ or better, since you refer to ‘ICD 9 or 10’ and the reference of some smart coockie in FDA: Coded Data enters into Analytical Processes that are predefined by ICD-9/10 Diagnostic Codes and ATC pharmaceutical codes. Those 2 coded DB that were created by WHO in 38 languages are working outomatically and do certainly not refere to a medical Doctor’s knowledge about Algorithms. Therefore if I have access to such alogrithsm and I am a compurte engineer, a beach-bum or a professor for literature – I can enter the codes and than see instantly if soemthing is wrong with the combination of my prescriptions etc.
    And finally, plese read the PPACA -Patient Protection and Affordabvle Care Act. Apart from the absolute ruling that a patient has a right to get his digital data from his providers and they have to give it to him instantly, now (and not, like you wrote above, in a month or 10 days) and all of it, it also rules ‘quote comparative effectiveness research, examining the “relative health outcomes, clinical effectiveness, and appropriateness” of different medical treatments by evaluating existing treatment’by anyone who can run such analytics. That is anaylitcs, guys, not diagnostics! I as a patient, citizen, person, user, beach bum or stock brocker can run such as much and probably better than the guys from FDA bvecause I concentrate only on my data – not on the other 300 million or so Big Data.
    We will meet on this subject soon publicly.

    • Gunter, who is the “you all” that you say is creating a mess?

      Also, you quote someone as saying “ICD 9 or 10” and I can’t find any mention of that in this post or the other comments. Am I missing something?

      What do you mean by “We will meet on this subject soon publicly”? I see from your LinkedIn profile that you’re CEO of a company that makes a medical data storage card. Is that what you’re talking about?

      • Hi,
        1) the termm ICD is in teh header of the artice.
        2) using the slopopy plural ‘you all’ related to the article and comments. No offence was intendendet – I apologize.
        3) Yes, I do speak from legal, medical, methodolical and analytical knowledge of dealing with patient data.
        4) We will mett publicly soon is that we will approach the USA market soon as we have done in teh German health market where professional expertise wanted first to stop Patient Empowerment but then joined the flocks since the Law (both in Germany and the USA) are on the patient’s side.

        • > ‘you all’ related to the article and comments

          Thanks for your note, but I still don’t understand what you mean about who’s creating a mess. Are you saying this discussion is making things more complicated than they need to be, or that the US medical system is a mess, or…. ?

          (Nobody will disagree with you about the US system, if that’s what you mean.)

        • Hugo Campos says:

          Gunther, the acronym ICD stands for “implantable cardioverter defibrillator”—mentioned in the opening line of the article—not “International Classification of Diseases”. I believe this to be the source of the confusion.

  6. Statement above: What can a patient do with this data?
    This reminds me of a meeting at the Medical Record Institute in Washington some 10 years ago where the govt. lawyer asked exactely this question to my lawyer: What would your client do with this data? In compliance with US (not EU) legal practice my lawyer jumped up and replied angrily: ‘Peter,this is none of your dammend f… business. You my lose your license if you ask this again. It is the citizen’s constitutional right and you have no right even to ask this question.’ After a few seconds the govt. lawyer apologizes and told my laywer: ‘Haim, am sorry, you are right. We have no right to ask a citizen what he is doing with his private, personal property.’
    A pesonal information such as information about data that were collected in my body or from my body, whether colleced by means of a device or otherwise, are certainly my private, personal property.
    If the FDA wants to play the (European type) role of controlling what a citizen is doing with the information they are certainly outside their legal authority. To relate to an unwanted ‘guardian’ such as a doctor is deffentily not what the constitution asks from free citizen.

Leave a Reply