20121206

Heart Gadgets Test Privacy-Law Limits

By AMY DOCKSER MARCUS and CHRISTOPHER WEAVER

A recent swell of digital-medical data collected on devices outside of a doctor's office is raising some thorny questions: Who owns the rights to a patient's digital footprint and who should control that information? WSJ's Linda Blake reports.

The small box inside Amanda Hubbard's chest beams all kinds of data about her faulty heart to the company that makes her defibrillator implant.

Ms. Hubbard herself, however, can't easily get that information unless she requests summaries from her doctor—whom she rarely sees since losing her insurance. In short, the data gathered by the Medtronic Inc. MDT +1.12% implant isn't readily accessible to the person whose heartbeat it tracks.

"This is my health information," said Ms. Hubbard, 36 years old. "They are collecting it from my chest."

Amanda Hubbard's defibrillator collects an array of data about her heart, and she is troubled that she can't gain direct access to it. 'This is my health information,' she says. 'They are collecting it from my chest.'

The U.S. has strict privacy laws guaranteeing people access to traditional health files. But implants and other new technologies—including smartphone apps and over-the-counter monitors—are testing the very definition of medical records.

Medtronic says federal rules prohibit giving Ms. Hubbard's data to anyone but her doctor and hospital. "Our customers are physicians and hospitals," said Elizabeth Hoff, general manager of Medtronic's data business. Medtronic would need regulatory approval to give patients the data, she said. It hasn't sought approval because "we don't have this massive demand."

At the same time, companies including Medtronic are pushing to turn the data into money. Ms. Hoff said the company is contemplating selling the data to health systems or insurers that could use it to predict diseases and possibly lower their costs. At a July industry event, a senior Medtronic executive, Ken Riff, called these kinds of data "the currency of the future."

In April, Medtronic created Ms. Hoff's unit in part to look for business opportunities like these.

The primary purpose of the defibrillator implant in Ms. Hubbard's body is to zap her irregular heartbeat back to normal if the need arises. The Big Sandy, Tenn., resident first started experiencing heart-disease symptoms in 2009 while in Samoa for the Peace Corps and has had her defibrillator since 2010. Her implant collects details of her heart-rhythm changes, device performance and hundreds of other data points.

The implant works like this: It records and stores data onboard. Wireless monitors in patients' homes download the files and send them to Medtronic. Doctors can log in to a Medtronic website to review patient reports.

How to Read an Implantable Defibrillator Report

Amanda Hubbard's implantable defibrillator electronically tracks her heart, and when it beats too fast or too slow, zaps it back to normal. The tiny computer also collects a wealth of data beamed over the internet to the company that makes her device. Whether patients could make use of this data is a topic of hot debate.

View excerpts from a doctor's summary report, obtained by Ms. Hubbard through her physician, for a glimpse of what patients would get if they had direct access to the data.

Device makers are in a race to design data-gathering implants. Medtronic and its rivals already collect heartbeats from more than one million people with defibrillators. St. Jude Medical Inc. STJ +0.03% is seeking approval for an implant that crunches numbers to help doctors and patients adjust medication levels.

This would be new territory: Unlike, say, a defibrillator, the St. Jude implant doesn't deliver treatment itself. Instead, it simply gathers data to be used in making treatment decisions—such as whether a patient should increase medicine dosages.

Medtronic officials say they know some patients want to be more active in their care. "This is the direction where things are going," said Tim Samsel, vice president of regulatory affairs for the cardiac-rhythm unit.

But to offer reams of data to patients in a useful format, he said, Medtronic "would actually have to design such a thing" and seek Food and Drug Administration approval. That costly process, he said, could take years.

The summary reports seen by doctors highlight measurements such as instances of arrhythmias that increase stroke risk. The devices also gather large amounts of raw data—for instance, measurements used by engineers to assess device performance—that isn't available to doctors.

Other defibrillator makers also balk at giving data directly to patients. St. Jude said it has no way for patients to access defibrillator data and declined to comment on whether it would give a patient data if asked. Biotronik SE said it would refer patients to their doctors.

Erica Jefferson, an FDA spokeswoman, said the agency supports patient access but would need to review any plan to provide data directly to patients. "In the current format, the data collected from implantable cardiac devices should be relayed through the physician to ensure proper interpretation and explanation," she said.

Doctors themselves debate whether patients could make use of the data. Some worry it could cause anxiety or even harm if a patient misunderstood the signals. Still, some say that doesn't matter. "They should have it," said David Lee Scher, a retired cardiologist who is leading efforts among doctors to help connect patients with device data.

Some legal experts say the 1996 U.S. law governing patient access to their health files—HIPAA, or the Health Insurance Portability and Accountability Act—hasn't kept up with technology. The law gives patients the right to access information held by doctors and hospitals.

However, the raw data gathered by an implant isn't held by a doctor or a hospital: Typically it goes directly to the device maker, which provides a summary report to the doctor. Because of this, the raw data falls outside the scope of HIPAA's patient-access requirements. In addition, Medtronic said, business agreements with doctors and hospitals restrict it to relaying information only to them.

"Is the device itself a depository for medical records?" said Paul C. Zei, a cardiologist at Stanford University Medical Center with a patient, Hugo Campos, who wants the same access to his cardiac-device data as the doctor gets. "Or is it part of the patient, and an extension of vital signs that we download into a medical chart?"

"Sixteen years after the enactment of HIPAA, a lot of changes are probably warranted," said Paul DeMuro, a Portland, Ore.-based health-care attorney for Schwabe, Williamson & Wyatt.

Device makers do face restrictions on use of this information. They couldn't, for instance, sell identifiable information to a marketing company.

A community of patients nationwide is fighting for access, arguing the data would help them manage their disease. "If anyone should have the data, it's me," said Mr. Campos, 47, a San Francisco Web designer and Dr. Zei's patient.

Five years ago, he fainted on a train platform. Diagnosed with a heart condition called hypertrophic cardiomyopathy, he got a Medtronic defibrillator.

Mr. Campos says he has gone to lengths to understand the data the device collects. "The geek in me was interested," he said. He took a two-week, $2,000 class that trains technicians how to read the reports.

Mr. Campos says he wants to track his heart data the same way he does information from other devices he uses, including a Fitbit gadget that counts steps taken and calories burned, a Zeo monitor he wears on his head to analyze sleep patterns and a blood-pressure monitor.

He keeps a spreadsheet to record arrhythmia symptoms and the circumstances—intensity, activities, his mood. He says he has cut out drinking whiskey and coffee based on his spreadsheet.

Currently, his only option is to see his cardiologist, Dr. Zei, who gives Mr. Campos a report. Even with insurance, Mr. Campos says he pays around $350 out-of-pocket, per visit, for two doctor's visits and device checks per year. "It is like being coerced into paying to get information I should have myself," he said.

After discussions between Mr. Campos, Dr. Zei and Medtronic, a compromise was reached. Still, it is less than what Mr. Campos sought. While Medtronic won't give Mr. Campos his summary report directly, or any raw data, Dr. Zei's office agreed to email Mr. Campos his reports as soon as the office receives them.

Medtronic declined to discuss details of its communications with Mr. Campos but said it was pleased to work with him and other patients "to determine the best path to providing meaningful data to patients."

Tolu Odomusu, a research fellow at Harvard University's Science, Technology and Public Policy program, says people have no idea what information their devices collect. He learned only last year after seeing a physician for severe apnea and being given a "continuous positive airways pressure" machine, or CPAP—a mask that delivers oxygen at night—to improve his sleep.

The device, made by Koninklijke Philips Electronics NV, logs sleeping habits. At a six-month follow-up, Dr. Odomusu said he was shocked when his doctor told him, based on the machine, that he slept fewer hours than he believed.

He worries that data he doesn't know about could somehow be used to his disadvantage. For instance, if he were in a car accident and an insurer wanted to try to blame his sleepiness, "could they get the data from the machine at my home?" he said. "Would that be allowable?"

Privacy law typically would prevent that, said Nicolas Terry, a law professor at Indiana University's law school. Specifically, he said, laws prevent third parties that aren't involved in health care, such as auto insurers, from accessing health data collected by prescribed devices unless they get a patient's OK.

But that isn't necessarily the case with nonprescribed devices. "You get a very different scenario if you take your iPhone and buy the sleep-monitoring app," he said. "There is no real law that protects that data."

A Philips official said a patient who wants data from a CPAP machine can be set up to access from home the same data the doctor sees. The company doesn't use the data, she said.

Smartphone apps, meanwhile, are now available to collect everything from medical images, such as X-rays, to electrocardiography readings. There is even iDry, an app to help patients manage incontinence.

Apps like these, by definition, collect health-related data about people. But because they don't necessarily require FDA approval or a doctor's participation, most fall outside the boundaries of HIPAA restrictions on data use.

The developer of iDry, Jeff Pepper, says for instance that he will provide researchers with detailed, but anonymized, data covering instances of incontinence logged by customers. He said he is voluntarily using HIPAA guidelines to eliminate identifiable information about his users. "Nobody's going to be able to sell diapers to a particular customer," Mr. Pepper said.

Apple Inc., AAPL +1.56% which makes tablets and smartphones for which many apps are designed, declined to comment. Its guidelines require app-makers to publish data policies and to obtain users' permission before transmitting their data to third parties.

Michael Seid, a researcher at Cincinnati Children's Hospital Medical Center, has been wrestling with privacy in a clinical trial he is running. Twenty teenagers with Crohn's disease and ulcerative colitis have agreed to have their cellphone use tracked. Doctors want to see if changes in social interaction—decreases in texting and calls—correspond to feelings of sickness.

In 2010, MIT researchers used similar methods to predict health. Studying early-morning and late-night call and text patterns, they could discern if a person was suffering from colds, stress or mild depression.

A company founded by some of the researchers, Ginger.io, is working with Dr. Seid. "Your smartphone leaves a trail of data exhaust wherever you go," Dr. Seid said, calling it "a continuous measure of health."

Some members of his research team expressed discomfort with what they see as "Big Brother" aspects of the experiment. He said they raised concerns that insurance companies might insist on such tracking. These are areas of continuing discussion, he said.

At Medtronic, officials say they are looking into ways to capitalize on patient data. The company is developing a matchstick-size monitor, implantable without surgery, that could track measures such as heart rate and arrhythmia that can predict heart disease.

Medtronic's Ms. Hoff said she can envision a future where employers might require insured workers with a family history of heart disease to have the device implanted or face higher insurance premiums. She said the company has also contemplated whether it could sell analytics services to hospitals seeking to predict worsening heart disease. But those efforts are nascent, she said.

"I would love to build a more consumer-oriented business," Ms. Hoff said, but the company doesn't believe demand for such a service yet exists.

Ms. Hubbard, the Tennessee patient, says she didn't think about any of this until she saw posts by Mr. Campos online describing his efforts to get Medtronic reports. Ms. Hubbard has Long QT Syndrome, which causes rapid heartbeats that can trigger a seizure, fainting or death.

Ms. Hubbard, whose insurance ran out in mid-2011, when her eligibility for Peace Corps coverage expired, said she began wondering, if she wasn't regularly seeing a doctor, "Who gets my information? What happens to my data?" In August she asked Medtronic for the data. The company told her to talk to her doctor.

When she called the cardiologist at Vanderbilt University Medical Center who put in her implant, the office told her she must come in for a checkup to get her reports, which she did.

The doctor who implanted her device, Pablo Saavedra, said that since Ms. Hubbard hadn't been coming in for checkups, the information sat in the Medtronic system without doctors knowing what was there. At her checkup, diagnostic tests detected a problem: The electrode attached to her heart had become dislodged. Dr. Saavedra says there was a chance it wouldn't have shocked her heart when needed.

Ms. Hubbard had surgery last month to fix that. And she plans to keep trying to get reports sent to her directly. "If I had been able to follow my own reports, I would not have walked around for an entire year with a potentially dangerous problem," she said.

No comments: