The Right to Access Your Own Health Device Data

Scholars advocate mandated patient access to health device data.

At-home health care devices, such as Apple Watches and blood sugar monitors, have become commonplace, with consumers now able to monitor their own heart rates, sleep patterns, and even blood oxygen levels.

In a recent paper, Charles Duan of Cornell Law School and Christopher Morten of Columbia Law School argue that consumers should have a right to access health data derived from such health devices. They propose a legal framework to solidify this right.

Duan and Morten explain that health devices collect and retain raw measurements from the individuals who use them. Computations from that raw data then estimate values for natural phenomena, such as heart rate. Health device manufacturers traditionally store these data within their own cloud service that requires an account to access, and they further limit access to these data by having consumers sign limiting terms of use for the data.

Market forces alone do not provide financial incentives for manufacturers to allow consumers to access their own data, according to Duan and Morten. They explain that consumers should be able to extract their data so they will no longer be shackled to one particular manufacturer’s product. But they point out that device manufacturers have created technological blocks that prevent consumers from downloading and accessing their own data.

No law requires manufacturers to allow consumer access to health device data, according to Duan and Morten. They argue that, without a new framework, consumers will not be able to access the full benefits of their home health devices, including the opportunity for consumers to collect health data for individual use and for researchers to aggregate mass amounts of health data to study.

They note that consumers with access to raw data and corresponding calculations would be better able to make informed health decisions about medical care. Consumers would also be able to send these data to health care providers to keep on file in case they stop using their devices, Duan and Morten explain. On a large scale, access to aggregated health data from health devices could advance research—such as the ClinVar public database on genetic variants—and test manufacturers’ claims about the performance of their health devices.

Duan and Morten acknowledge arguments against mandating health device data access, including that manufacturers may be better equipped than consumers to protect data privacy and security. They also acknowledge the claim that having exclusive control over patient data encourages manufacturers to continue to develop health devices and their related “data ecosystems.”

But manufacturer databases have fallen victim to significant security breaches in the past, and secrecy over patient data risks hiding safety issues or false efficacy, according to Duan and Morten.

In designing a legal framework that would facilitate consumer access to health device data, Duan and Morten draw from three existing health information regulatory frameworks, which govern patient access to medical records, govern electronic health records, and provide a public database for data sharing.

Their ideal framework would mandate that manufacturers share data with consumers, create a standard for storing data, and propose a large data infrastructure of anonymized health device data for consumers and researchers to use. Duan and Morten point to the Health Insurance Portability and Accountability Act of 1996 as an example of a legal mandate that their framework would emulate. Although this existing statute mandates that health care providers share health information with consumers, Duan and Morten claim legislators could create an additional right under the statute for consumers to access their health device data. Duan and Morten also propose that the U.S. Department of Health and Human Services (HHS) could issue regulations requiring manufacturers to provide access through a network similar to an electronic health record system rather than continue to store data in an inaccessible internal cloud system.

As support for their argument, Duan and Morten refer to the Health Information Technology for Economic and Clinical Health Act, under which HHS created financial incentives for health care providers to adopt electronic health records. This statute also allowed HHS to continue to maintain standards for data formatting and discourage companies from using practices to block consumers from accessing their records, Duan and Morten claim.

Duan and Morten explain that—just as with the government-run genetic database ClinVar—the government could create a public database for depositing and sharing anonymized patient health device data. This supported database would allow regulators to encourage sharing data indirectly and shift the burden of developing patient data privacy practices to the government rather than to companies that may prioritize profit over patient benefit.

In the end, Duan and Morten acknowledge that there may be multiple regulatory avenues to meet the three elements of their ideal framework, but whichever avenue is pursued, they argue that consumers must possess a right to access their health device data.