Wednesday

26th Jul 2017

Heart of the matter: who owns your health data?

  • Some implantable cardioverter-defibrillators (ICD) are remotely monitored by manufacturers (Photo: stuad70)

The titanium metal box implanted inside Hugo Campos' chest keeps him alive.

The size of a wristwatch, the €20,000 gadget houses a generator, circuitry and a battery with thin wires attached directly to the Californian's heart.

Thank you for reading EUobserver!

Subscribe now and get 40% off for an annual subscription. Sale ends soon.

  1. €90 per year. Use discount code EUOBS40%
  2. or €15 per month
  3. Cancel anytime

EUobserver is an independent, not-for-profit news organization that publishes daily news reports, analysis, and investigations from Brussels and the EU member states. We are an indispensable news source for anyone who wants to know what is going on in the EU.

We are mainly funded by advertising and subscription revenues. As advertising revenues are falling fast, we depend on subscription revenues to support our journalism.

For group, corporate or student subscriptions, please contact us. See also our full Terms of Use.

If you already have an account click here to login.

"It took me about a year to get used to the idea of having the implant and understanding how things work," he told EUobserver.

The device - or implantable cardioverter defibrillator (ICD), made by US-based firm Medtronic - is designed to treat dangerous accelerations in his heart rate.

It also collects a lot of data.

An accelerometer inside the device can tell when he sleeps, eats or walks around, when he is quiet or speaking, or if fluids are building up inside his chest cavity.

All of the information is transmitted to the manufacturer via a cloud. It does not go to the doctor, the hospital or the patient.

If something goes wrong, his cardiologist will receive an alert from the manufacturer.

If it is serious, the doctor will inform Campos.

There are many others like him in the US and in the EU. A senior director at Medtronic said her company alone remotely monitors some 750,000 ICD patients worldwide.

There are two more ICD-makers in the US - Boston Scientific and St. Jude Medical.

The only other two firms which manufacture them - Sorin and Biotronik - are based in Italy and Germany.

For Campos, there is something fundamentally wrong with the idea that a private company can own and control his most intimate of information.

There is a worry the ICD firms have too much leeway to hide potential problems.

And there is a broader worry on security.

An Australian hacker in October last year reverse-engineered transmitters to deliver killer shocks to anyone with a pacemaker or ICD within 10 metres of his laptop.

But for others, big data - US health organisations generated an estimated 150 billion gigabytes of information on patients in 2011 - is big business.

It is also an opportunity to make breakthroughs in medical research and to cut the costs of healthcare.

For their part, EU institutions are currently trying to legislate on the complex issues involved.

A new European Commission data protection bill would require ICD makers to share patient information more easily.

But there are many questions to answer.

'We are at their mercy'

Campos has for the past four years been trying to get access to the raw information stored on Medtronic's database - CareLink.

He has not got very far.

"To think that a corporation has more rights or better rights [than I have] on data that is collected from my body is actually a little bit scary," he said.

He suspects that one reason for the firms' reluctance to open up is corporate liability.

"That is the biggest threat to companies - liability - and the patient knowing that the device is not working properly and being able to sue a manufacturer," he said.

"We must rely on the manufacturer to recognise such problems and issue a recall. In a way, we are at their mercy," he added.

ICDs are prone to hardware failure.

Campos said the thin wires that attach the device to his heart are "the Achilles heel" of the system.

The wires, he noted "are very pliable and they often fail and there have been some recent problems with St. Jude Medical and Medtronic."

"The patient may be unaware that the lead has failed but the generator connected to the lead knows there is a problem," he added.

Medtronic issued a major product recall in October 2007.

The problem hardware was already in use in the bodies of over 200,000 patients.

In May 2009, the firm issued a statement that 13 patients might have died because of the defect. Related settlements were finalised in January this year.

It was the "Sprint Fidelis" lead which failed.

A fractured lead can kill a patient if it fails to tell the defibrillator to send an electrical jolt when the heart goes into arrest. It can also send repeated and potentially fatal shocks.

Medtronic had received alerts that Sprint-Fidelis-wired patients were experiencing inappropriate shocks due to lead failure and launched an internal investigation.

It looked at data from a clinical trial involving 650 patients at 17 hospitals and did a subsequent review of data collected via remote monitoring for 25,000 patients with the Sprint Fidelis lead.

The findings led it to issue a recall for all its Sprint-Fidelis-wired ICDs.

Most of the patients involved fed their data into CareLink.

But in some cases industry outsourcing - a small fraction of the patients used a generator made by a competing firm - made it more difficult to react.

"In those cases patient management was more challenging because, even when they had a remote system, data were not collected in the same way," a Medtronic spokeswoman said.

Big opportunities

The potential benefits for industry of owning the data are massive.

The size of the data pool and how it is used has implications for healthcare policy makers and healthcare businesses.

Estimates say the US health industry could save $200 billion if more advanced analytics were used on patients' health data in order to see patterns in product recalls.

"There is really a large value for hospitals, doctors, researchers and companies and individuals," Christope Wild, head of information and communication technology at Innsbruck Medical University in Austria, told this website.

He noted that every ICD manufacturer currently has its own data system, making it hard to share and compare data from one system to another, however.

"There isn't a standard to see which data needs to be stored and there isn't a standard to port this data to another manufacturer," Wild explained.

Innsbruck Medical University last year purchased software to trawl manufacturers' websites.

The software logs in with a given doctor's credentials and then pulls raw data from the ICD companies into the given hospital's electronic system.

But it did not work out.

"They had a preliminary agreement with one of the manufacturers last year, but that failed because of the proprietary system of the manufacturer and the hospital. So even if both parties agree they could work something out it still fails because of the different formats," Wild said.

A Dutch cardiologist at the Leiden University Medical Centre also said hospitals struggle to use the different data formats.

The Leiden centre has developed a common standard and is running a pilot programme to implement it at its hospital.

But only four out of the five ICD makers allowed it to run the pilot scheme for free.

Where does the EU come in?

Wild said EU policy makers need a debate on whether collection and storage of data should remain in the hands of ICD firms.

The EU commission's draft regulation would require manufacturers to export data in an easy-to-use and interoperable format.

The bill says data should, where possible, be in an open-sourced electronic format.

But industry insiders say the companies are unlikely to comply.

Meanwhile, European patients have more privacy than American ICD users.

In Europe, the clinic which performed the implant procedure has custody of "personal data" - name, address or anything else which can identify the patient.

The ICD maker has custody of "technical data" - the patient's heart rhythms, how much battery life the ICD has left - and the technical data is "anonymised."

But academic studies have shown that "anonymised" data can in many cases be used to identify people, posing the risk of "profiling."

Profiling is a practice of collecting information about individuals to make assumptions about them and their behaviour.

It is used by private firms who sell data to insurance companies, banks or employers, who can use the information to make commercial decisions which may harm the patient's interests.

The degree of mistrust in Europe is evident in so-called tele-monitoring.

Tele-monitoring allows a doctor to keep an eye on his patient from a distance, for example by checking their ICD rhythms on a website under an agreement with the manufacturer.

Martin Borggrefe - a cardiology professor at University Hospital Mannheim in Germany and vice-president of the France-based European Society of Cardiologists - noted that tele-monitoring can have big advantages.

A patient who consents to it needs to have check-ups at a heart clinic just once a year.

A patient who declines is advised to do them every three to six months.

Borggrefe said: "Medical devices are implanted by a cardiologist or a cardiac surgeon with full consent of the patient. If remote monitoring is offered, the patient signs full consent after discussing all aspects of tele-monitoring."

In the Netherlands, more than 50 percent of people opt in.

But in Germany, privacy worries mean that some 90 percent of people opt out.

Meanwhile, consent standards vary from country to country in the EU.

In some cases, they pose the question of whether a seriously ill person is in a position to make a free, rational and well-informed choice on whether to go ahead.

In Italy, a patient must sign the manufacturer's contract on paper in a doctor's office. But in the Netherlands, a patient simply checks a box on an online privacy disclaimer.

Another question for EU lawmakers is people's "right to be forgotten."

It remains unclear under EU law whether a person who signs a contract with an ICD maker can later exercise their right to have his personal data deleted.

EU law under fire

For Erik Vollebregt of Axon Lawyers, an Amsterdam-based law firm specialising in life sciences, the draft EU regulation has failed to take on board industry's concerns.

He noted that the bill's language on profiling is likely to create even more mistrust.

"If you look at the definition of profiling that is basically a functional description of tele-monitoring," he said.

He also said the EU's "right to be forgotten" conflicts with existing manufacturers' obligations to keep patient data for at least five years after the last device has been placed on the market for quality control purposes.

Vollebregt warned the law as it stands "includes a lot of measures that are not going to work for health policy."

He added: "They don't put enough depth and nuance in the statute to be able to deal with processing of personal data for health care purposes in a rational way."

Other specialists have their own take on the subject.

Annabel Seebohm, a lawyer at the German Medical Association, says people with ICD devices who enter into a contract with a manufacturer become a consumer instead of a patient.

"The patient in this regard is more of a consumer and so the 'right to be forgotten' would apply. It's not a doctor-patient relationship here since it is with the manufacturer," she told EUobserver.

There is equal confusion in the US.

An American privacy law on health information - Hipaa - covers service providers who collect data on behalf of doctors or hospitals.

But when contacted by EUobserver, the US consumer protection agency - the Federal Trade Commission - was unable to say whether Medtronic falls under Hipaa because it is a manufacturer, not a service provider, a doctor or a hospital.

The federal commission was also unable to say what Hipaa means for patient access to health information, such as ICD data.

Amid the uncertainties, Campos' ICD battery has another three years to go.

He told this website he has nothing against tele-monitoring or other leaps forward in medical technology and practice.

But he firmly believes the US and Europe should enshrine patients' access to their data as a "civil right."

"There is nothing more intimate than an implanted electronic device," he said.

Opinion

Why are our medicines so expensive?

The EU should be promoting open innovation in upcoming trade talks with India and should work to bring down the prices of essential medicines, both abroad and within its borders.

Focus

Chronic Diseases

Chronic diseases are the main cause of death and disability in Europe and the growing trend is straining the region’s healthcare budgets. EUobserver examines the issues.

Opinion

Stop blaming Trump for Poland’s democratic crisis

If you were to judge events purely on the US media's headlines, you would be forgiven for wondering if the Polish government had anything to do with its recent controversial judicial reforms.

EU Commission sets red lines for Poland on Article 7

The EU executive expects Warsaw to halt the judiciary reform and address concerns over the rule of law, and not to force out supreme court judges, or else the sanctions procedure will start.

News in Brief

  1. Member states relocate 3,000 migrants in June
  2. Top EU jurist says Malta's finch-trapping against EU law
  3. EU judges rule to keep Hamas funds frozen
  4. EU court rejects passenger data deal with Canada
  5. US votes in favour of Nord Stream II sanctions
  6. Greece makes return to bond market
  7. Trump accuses the EU of protectionism
  8. EU parliament's Brexit group urges progress on talks

Stakeholders' Highlights

  1. EU2017EELocal Leaders Push for Local and Regional Targets to Address Climate Change
  2. European Healthy Lifestyle AllianceMore Women Than Men Have Died From Heart Disease in Past 30 Years
  3. European Jewish CongressJean-Marie Le Pen Faces Trial for Oven Comments About Jewish Singer
  4. ACCAAnnounces Belt & Road Research at Shanghai Conference
  5. ECPAFood waste in the field can double without crop protection. #WithOrWithout #pesticides
  6. EU2017EEEstonia Allocates €1 Million to Alleviate Migratory Pressure From Libya in Italy
  7. Dialogue PlatformFethullah Gulen's Message on the Anniversary of the Coup Attempt in Turkey
  8. Martens CentreWeeding out Fake News: An Approach to Social Media Regulation
  9. European Jewish CongressEJC Concerned by Normalisation of Antisemitic Tropes in Hungary
  10. Counter BalanceOut for Summer Episode 1: How the EIB Sweeps a Development Fiasco Under the Rug
  11. CESICESI to Participate in Sectoral Social Dialogue Committee on Postal Services
  12. ILGA-EuropeMalta Keeps on Rocking: Marriage Equality on Its Way

Latest News

  1. EU defends airline data-sharing after court ruling
  2. Stop blaming Trump for Poland’s democratic crisis
  3. EU and US scrap on Russia sanctions gets worse
  4. Czechs, Hungarians, and Poles have one month to start taking migrants
  5. EU Commission sets red lines for Poland on Article 7
  6. Court told to 'dismiss' case against EU migrant quotas
  7. Russia's EU pipeline at 'risk' after US vote
  8. EU Commission to act on Poland

Stakeholders' Highlights

  1. European Friends of ArmeniaEuFoA Director and MEPs Comment on the Recent Conflict Escalation in Nagorno-Karabakh
  2. EU2017EEEstonian Presidency Kicks off Youth Programme With Coding Summer School
  3. EPSUEP Support for Corporate Tax Transparency Principle Unlikely to Pass Reality Check
  4. Counter BalanceEuropean Parliament Improves the External Investment Plan but Significant Challenges Ahead
  5. EU2017EEPM Ratas: EU Is Not Only an Idea for the 500mn People in the Bloc, It Is Their Daily Reality
  6. Nordic Council of MinistersCloser Energy Co-Operation Keeps Nordic Region on Top in Green Energy
  7. ILGA-EuropeGermany Finally Says Ja - Bundestag Votes for Marriage Equality!
  8. EPSUJapanese and European Public Sector Unions Slam JEFTA
  9. World VisionEU, Young Leaders and Civil Society Join Forces to End Violence Against Girls
  10. UNICEFNarrowing the Gaps: The Power of Investing in the Health of the Poorest Children
  11. EU2017EEEstonia to Surprise Europe With Unique Cultural Programme
  12. International Partnership for Human RightsEU-Kyrgyzstan Human Rights Talks Should Insist on Ending Reprisals Vs. Critical Voices