The latest news story to examine the issue of patient access to implantable cardiac defibrillator data (a variation on the theme of “gimme my damn data”) is an in-depth, Page One Wall Street Journal story featuring Society for Participatory Medicine members Amanda Hubbard and Hugo Campos. They have garnered attention in the past – one example is another piece on Hugo on the NPR Shots blog about six months back. The question posed by these individuals is simple — May I have access to the data collected and/or generated by the medical device implanted in my body? — but the responses to the question have been anything but. It is important to note that not every patient in Amanda’s or Hugo’s shoes would want the data in as detailed a format as they are seeking to obtain, and we should not impose the values of a data-hungry Quantified Self devotee on every similarly-situated patient. Different strokes for different folks.
The point is that is if a patient wants access to this data he or she should be able to get it. What can a patient do with this data? For one thing: correlate activities with effects (one example given by Hugo is his correlation of having a drink of scotch with the onset of an arrhythmia — correlated through manual recordkeeping — which led him to give up scotch) and thereby have the ability to manage one’s condition more proactively.
We can get copies of our medical records from health care professionals and facilities within 30 days under HIPAA — and within a just a few days if our providers are meaningful users of certified electronic health records (it ought to be quicker than that … some day). In some states now, and in all states sometime soon (we hope), we can get copies of our lab results as soon as they are available to our clinicians.
Data from implantable medical devices is not covered by HIPAA until it is sent to the patient’s physician (on a periodic basis and usually in edited form — other data is typically retained by the device manufacturer) and entered into the patient’s medical record. It is, rather, governed by FDA rules, and the recent attention to this issue has prompted an FDA spokesperson to say that it would review a plan to give data directly to patients, but that data should be directed to physicians who can interpret it for patients. This is where the action will be in the future: the FDA could develop a framework to allow sharing of this data directly with patients. (The data is collected wirelessly in patients’ homes from the implantable devices.)
Not surprisingly, earlier this year, a Medtronic exec referred to the data in question here as “the currency of the future.” There is clearly a market for the secondary use of patient data — on a de-identified, or anonymized basis — for a variety of purposes, and this is the “big data” we are all hearing about so much lately. (The HIPAA enforcers at HHS recently released guidance on the de-identification of patient data for secondary use — i.e., use for research purposes.) There is value to be extracted from big data, and the question is: Who owns the value? Who owns the data? Suffering as I do from the professional disability of being a lawyer, I am reminded of Moore v. Regents of the University of California, the 1990 California Supreme Court case that found that Mr. Moore, a cancer patient who sought to share in the profits for the commercial cell line developed from cancer cells in a tumor removed from his body, had no property rights in his discarded body parts. Moore could perhaps be read to support the device manufacturers’ perspective that there is no value in the data coming from the implantable device until it is processed by the manufacturer.
Another perspective would be that each patient has a property right in the data generated by his or her body or implants. There have been a couple of discussions on e-patients.net and elsewhere about the notion of a “green button” or a “rainbow button” that would serve as a mechanism for patients to decide how to share their own data (in those cases, the discussion was focused on EHR data, but the principles ought to be the same here). If I want to share my EHR or device data with all, so that it may be aggregated with other patient data and used in research and the development of evidence-based medicine protocols, then I should be able to do so. If I want to donate that data gratis, or if I want to see a small license payment collected by an intermediary (a la the Copyright Clearance Center), if I want to permit it to be used with full identifiers, or as a de-identified record, I should be able to do that.
The quest of patients with implanted devices to gain rights to data should not have to be so quixotic. The information in question is subject to a different regulatory scheme than EHR data, but that is an accident of history, technology and politics. There is no fundamental distinction between a series of MRI images, or a blood test result, and a set of data downloaded from an implantable medical device.
It is possible that we have turned a corner on this issue. It is far from resolved, but the FDA is addressing it — or at least acknowledging it — publicly.
How close are we to resolving this issue? What obstacles do you see ahead? What other sorts of data have remained inaccessible to patients? Where is the next battlefield?
David Harlow is a health care lawyer and consultant at The Harlow Group LLC, and chairs the Society for Participatory Medicine’s public policy committee. You should follow him on Twitter: @healthblawg.