Skip to main page content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Access keys NCBI Homepage MyNCBI Homepage Main Content Main Navigation
. 2020 Dec;98(4):1257-1289.
doi: 10.1111/1468-0009.12481. Epub 2020 Oct 20.

Ethical and Legal Implications of Remote Monitoring of Medical Devices

I Glenn Cohen  1 Sara Gerke  1 Daniel B Kramer  2
Affiliations

Ethical and Legal Implications of Remote Monitoring of Medical Devices

I Glenn Cohen et al. Milbank Q. 2020 Dec.

Abstract

Policy Points Millions of life-sustaining implantable devices collect and relay massive amounts of digital health data, increasingly by using user-downloaded smartphone applications to facilitate data relay to clinicians via manufacturer servers. Our analysis of health privacy laws indicates that most US patients may have little access to their own digital health data in the United States under the Health Insurance Portability and Accountability Act Privacy Rule, whereas the EU General Data Protection Regulation and the California Consumer Privacy Act grant greater access to device-collected data. Our normative analysis argues for consistently granting patients access to the raw data collected by their implantable devices.

Context: Millions of life-sustaining implantable devices collect and relay massive amounts of digital health data, increasingly by using user-downloaded smartphone applications to facilitate data relay to clinicians via manufacturer servers. Whether patients have either legal or normative claims to data collected by these devices, particularly in the raw, granular format beyond that summarized in their medical records, remains incompletely explored.

Methods: Using pacemakers and implantable cardioverter-defibrillators (ICDs) as a clinical model, we outline the clinical ecosystem of data collection, relay, retrieval, and documentation. We consider the legal implications of US and European privacy regulations for patient access to either summary or raw device data. Lastly, we evaluate ethical arguments for or against providing patients access to data beyond the summaries presented in medical records.

Findings: Our analysis of applicable health privacy laws indicates that US patients may have little access to their raw data collected and held by device manufacturers in the United States under the Health Insurance Portability and Accountability Act Privacy Rule, whereas the EU General Data Protection Regulation (GDPR) grants greater access to device-collected data when the processing of personal data falls under the GDPR's territorial scope. The California Consumer Privacy Act, the "little sister" of the GDPR, also grants greater rights to California residents. By contrast, our normative analysis argues for consistently granting patients access to the raw data collected by their implantable devices. Smartphone applications are increasingly involved in the collection, relay, retrieval, and documentation of these data. Therefore, we argue that smartphone user agreements are an emerging but potentially underutilized opportunity for clarifying both legal and ethical claims for device-derived data.

Conclusions: Current health privacy legislation incompletely supports patients' normative claims for access to digital health data.

Keywords: GDPR; HIPAA; health policy; implantable cardioverter-defibrillators; pacemakers.

PubMed Disclaimer

Figures

Figure 1
Figure 1
Flow of information from a patient's implantable cardioverter‐defibrillator (ICD) to a clinical site via remote monitoring. The ICD system includes a wire inserted through a chest vein into the heart (red star), connected to a generator placed under the skin near the shoulder (yellow star) [Color figure can be viewed at wileyonlinelibrary.com]
Figure 2
Figure 2
Example of information gleaned from typical remote monitoring transmission from an implantable cardioverter‐defibrillator. The top panel shows data regarding device characteristics including electrode measurements, battery life, and programmed parameters for pacing and high‐voltage therapy. The bottom panel shows the device recording of an arrhythmia event, in this case an episode of ventricular fibrillation that was recognized by the device and treated with a high‐voltage shock, after which a normal rhythm resumes. (Figure shown with patient's permission.) [Color figure can be viewed at wileyonlinelibrary.com]
See this image and copyright information in PMC

Comment in

References

    1. Kramer DB, Fu K. Cybersecurity concerns and medical devices: lessons from a pacemaker advisory. JAMA. 2017;318(21):2077‐2078. - PubMed
    1. Kramer DB, Tsai T, Natarajan P, Tewksbury E, Mitchell SL, Travison TG. Frailty, physical activity, and mobility in patients with cardiac implantable electrical devices. J Am Heart Assoc. 2017;6(2). - PMC - PubMed
    1. Kramer DB, Jones PW, Rogers T, Mitchell SL, Reynolds MR. Patterns of physical activity and survival following cardiac resynchronization therapy implantation: the ALTITUDE activity study. Europace. 2017;19(11):1841‐1847. - PMC - PubMed
    1. Kramer DB, Mitchell SL, Monteiro J, et al. Patient activity and survival following implantable cardioverter‐defibrillator implantation: the ALTITUDE activity study. J Am Heart Assoc. 2015;4(5). - PMC - PubMed
    1. Aripiprazole with digital ingestion tracking (Abilify MyCite). Med Lett Drugs Ther. 2019;61(1564):15‐16. - PubMed

Publication types