December 17, 2012
Many people will be surprised to learn that the answer to the question: Who owns the data collected and processed by the medical devices that monitor our bodies is not certain. Intuitively, many of us would assume that the data are owned by the person who is being monitored. Under current law, that is not necessarily the case.
The key U.S. federal law governing privacy and control for the health and medical information of individuals is the Health Insurance Portability and Accountability Act (HIPAA). In its present form, however, HIPAA does not apply to data collected or processed by medical devices.
As medical device data are not governed by federal law, the manufacturers of medical devices generally assert ownership and rights of control associated with that data. Thus, if you wear a heart monitor, the data about your heart collected by that device is currently controlled by the manufacturer of the device, not by you or your doctor.
Not only does the individual generally not own his or her own medical device data, but the common practice of the device manufacturers is to authorize access to that data only by doctors and health care delivery organizations. The standard practice of medical device companies is generally to deny the individual patient access to his or her own medical device data.
This issue is likely to become a bigger problem as the range of personal medical devices continues its current expansion into consumer electronics. For example, a wide range of mobile phone based health and medical apps are already available.
You can use your mobile phone to monitor your heart rate and other key medical information. As you do so, however, bear in mind that you do not necessarily own all of that data. Instead, that information about your health and medical condition may be owned by manufacturers of the mobile devices used to collect it (such as Apple) or by the developers of the software apps used to obtain and process it.
Appropriate legislative and regulatory modifications should be made to ensure that individuals have access to, and control over, all information and data pertaining to their health and medical condition, including data collected, stored or processed by medical devices and other information technologies. It is simply unacceptable to permit a situation in which the one party in the health and medical system who does not have access to medical data is the patient.