Who Owns Your Data?

The answer may shock you.

By Aimee Swartz

As Americans, we all have the legal right — with few exceptions — to access our health records held by the doctors, hospitals, and others that provide healthcare services for us, thanks to the HIPAA Privacy Rule. To view this information, all a patient — or a patient’s designated “personal representative” — has to do is ask.

Granted, we may have to make the request in writing and pay for the cost of copying and mailing or the cost of the medium — a CD or flash drive, for example — on which the information is stored. We may have to wait 30 days. But for the most part, accessing these data is leaps and bounds easier than it once was.

Our rights do not extend only to health records. Last year, a new federal rule removed legal barriers that stop medical laboratories from providing lab test results directly to patients and their designees. While we can still access our laboratory test reports through our doctors, the new rule lets patients obtain their test reports directly from the laboratory within 30 days of a request.

These two rules have empowered patients to take a more active role in their own care and decision making, from tracking their health progress to adhering to treatment plans. Unfortunately, our rights to health data do not extend to medical data generated by implantable medical devices.

Unfortunately, our rights to health data do not extend to medical data generated by implantable medical devices

An internal cardioverter defibrillator (ICD), for example, collects hundreds of data points a day, from how fast the heart beats to whether fluid is building up around the heart. It also captures vital data about the ICD’s function, such as the integrity of its leads, or wires, that deliver the shock, and the device’s battery life.

“I don’t have direct access to any of this data except through my medical record,” says Kim Goodsell, who had her ICD device implanted in 1997.

Goodsell has a genetic condition called arrhythm-ogenic right ventricular cardiomyopathy (ARVC), which causes dangerously abnormal heart beats and increases the risk of sudden cardiac death. Her ICD was implanted to protect her from this danger. In the event of a malignant heart rhythm, the ICD will deliver a lifesaving shock that momentarily stops the heart, interrupting the chaotic rhythm so that the heart’s natural pacemaker can reset itself to a normal rhythm.

But, as is the case with all devices, ICD components also have the potential to fail, causing the device to malfunction and unnecessarily deliver body-wrenching shocks. One study found that 17 percent of patients with an ICD device suffered from an inappropriate shock over a period of about four years. (Each year, about 300,000 people in the U.S. are implanted with an ICD.) Goodsell was on her bike the first time she received an inappropriate shock.

“It was like a bomb exploded in my chest,” she says.

The high-voltage shock the ICD delivered was so powerful it sent both Goodsell and her bike into the air. It’s since failed three times, most recently when Goodsell was in a remote fishing village in Baja, Mexico — 18 hours away from the nearest facility that could disarm the device to prevent a potential cascade of shocks.

Goodsell says having access to data generated by her ICD in real time rather than at her quarterly appointments with her cardiologist would have allowed her to make more informed decisions about her health and to better manage her condition.

“I would not have put myself at risk by traveling to Mexico, but would have sought medical attention that could have preempted a failure,” she says.

The Food and Drug Administration, the government agency that regulates medical devices, requires that the data generated by the device be sent only to the patients’ hospitals or doctors. If patients want access to their data, they are told that they have to get it from their healthcare provider, who receives a summary of the data from device manufacturers.

Similarly, device manufacturers maintain that their customers are physicians and hospitals—not patients. Data from a medical device like an ICD isn’t produced in a format that most patients could comprehend and could cause confusion or harm if patients misunderstood or misinterpreted the data. Besides, they argue, few patients have requested these data.

Making the data patient-ready for those requests would require regulatory approval. This could takes years and a significant financial investment that manufacturers have little incentive to make, especially because some companies are already aiming to turn the data into money by selling it — anonymized and de-identified — to health systems or insurance companies.

“The irony is that patients are the ones living with disease — not doctors. If anyone should have access to our data, it’s us,” says Hugo Campos. Like Goodsell, Campos has a genetic heart condition that puts him at increased risk of sudden death. He had an ICD implanted in 2007 after he fainted on a train platform.

“I want to monitor my heart data the same way I count my steps or monitor my blood pressure,” he says. Looking at these data will allow him to “correlate activities with effects.”

Through manual record keeping on a spreadsheet, he’s already seen that scotch causes his heart to beat irregularly — a finding that led him to give up the drink. “Imagine what I could learn if I had access to all my data,” he says.

For now Campos’ only option is to go through his doctor to get his health data. However, he doesn’t have any plans to stop trying to gain direct access and encourages all patients to join him in his mission.

“Patients are becoming more and more active in managing their health and staking their claim to their own data. As we become more vocal as a group, these basic rights can no longer be ignored,” Campos says.