Who owns your heartbeats?

We have discussed in class and on this blog how we give up many of our rights to the information we contribute on the Internet, and how products and information that we pay for often doesn’t really belong to us either. As we know, Amazon hasn’t given up the right to delete the annotations we make on e-books on our Kindle at any time (Terms of Use), and Facebook has the “non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook” (Rights and Responsibilities). The lack of exclusive ownership to one’s data become even more problematic when it comes to medical information, which can affect one’s ability to get insurance coverage, be hired for a job, or uphold his or her reputation. (The New York Times story about Target detecting pregnant shoppers touched on the sensitivities regarding that specific medical status.)

Now, a Bay Area patient advocate named Hugo Campos is fighting for the right to access the data that his own body produces. A talk he gave at TEDxCambridge and coverage on NPR’s On the Media have earned him wider recognition in his fight against Medtronic, which manufactured the defibrillator that is implanted in his chest and sends the data it produces to his doctor and to the company’s own servers, but won’t provide it to Campos himself. According to Campos, he’s heard a variety of excuses for not providing him with the data, including:

1. “HIPAA prevents us from releasing data to patients.”
2. “This information is too complex, patients wouldn’t understand it.”
3. “Sure, we’ll give patients their data. But first, let us figure out a way to put it into meaningful context for patients so they can understand it.”
4. “If we give patients their data, doctors will be flooded with phone calls for no important reasons.”
5. “A pacemaker or defibrillator is put into a patient’s body for the therapy it delivers, not for the information it gathers. Making data available to patients does not fit our business model.”

(I didn’t see any proof of statements from Medtronic reflecting the first four points, so we’re forced to just take Campos’s word for it, though it’s far from unimaginable that they would make these arguments, especially the second. Campos points out that the last argument is made in this video from the 2009 USC Body Computing Conference 3.0.)

If the data being considered here is produced by Campos’ heart but collected by Medtronic, who really owns it? In the On the Media interview, Campos says the device is a part of him, but is it really any more a part of him than is a watch that can measure one’s pulse? (Yes, the defibrillator keeps him alive, while a watch wouldn’t, but I’m not sure that makes it any more a part of him than someone that administers CPR is.) I would argue that the heartbeat itself belongs to Campos, but the data regarding that heartbeat belongs to Medtronic. And yet that’s not an argument for Medtronic not sharing the data with Campos. They’re not going to get any more money out of patients by not sharing data with them. They’re not going to be at risk of having their technology duplicated just because they provide Campos with a graph of his heartbeats. If they are providing the information to the doctors, it won’t take any more work for them to provide that same data to patients. Medtronic could have patients sign a waiver that Medtronic is not liable for any misjudgments patients make based on their interpretations of their data. So I can’t figure out what Medtronic’s motivation might be for keeping this data between them and the doctors. This “paternalistic” attitude, as Campos calls it, doesn’t seem to be doing anyone any good. And for a patient like Campos, who keeps careful track of his medical data, it only makes sense that he should be able to at least try to understand the information that Medtronic has collected about his heart.

Until Campos receives the data he has asked for, he has decided to stop transmitting the data that his device collects to his doctor. The device will still keep his heart beating in the case of what would otherwise cause a sudden cardiac arrest, but his doctor won’t be able to regularly monitor its activity—that will have to wait until Hugo shows up for an appointment. In the meantime, some hackers have reportedly offered to help him hack into the device so he can intercept the data it would send to his doctor.

Meanwhile, Karen Sandler, a “cyborg lawyer running on proprietary software,” as she describes her use of her implantable defibrillator, wants the source code to be open-source, for others to inspect and improve upon, as the FDA doesn’t do so. How are we to know what our devices are actually doing if we can’t find out how they work? (Various Medtronic implantable cardiac defibrillators or their parts have been recalled over the years and/or been the subject of product liability lawsuits.)

Check out the ICD User Group that Campos started for more information about this debate.

This discussion doesn’t just apply to data from implantable defibrillators. All kinds of devices can now help us monitor our own health, but then that sensitive information ends up in their hands (and on their servers). For instance, a company called Glooko makes an app and a cord for diabetics that connects the iPhone to a blood glucose monitor and transfers the information to a logbook on the phone. But it doesn’t just store it on the user’s hardware: any information the app collects are stored by the company, and they collect personal, payment, and usage information from each user, which they share de-identified and in aggregate with advertisers and others (Privacy Policy).

eHealth holds great promise for a future in which we, as medical consumers, and our doctors can all remain informed and work together on health solutions. I hope this technology brings us into an age of more open data that allows us to take control of our health in partnership with physicians, rather than creating barriers between us and our own medical data.