Recently, a judge in Ohio ruled that a man’s pacemaker data could be used against him at trial. It caused quite a stir, health data being, of course, subject to strict regulations.
Definitions of health data and the different laws that govern their use
There are two types of data in the health sector: medical data and health data (1).
Medical data are defined as a set of public files that are published to help make research progress.
Health data, on the other hand, are directly linked to the medical condition of a person. They are considered sensitive and confidential and cannot be used except for medical purposes.
In European countries, health data are classified among the most sensitive data (1). According to the General Data Protection Regulation of April 27th, 2016, which repeals Directive 95/46/EC, users have to be informed that their data are being used. They also have to give their consent or object to the processing of said data. The processing of sensitive data is still forbidden except in specific cases such as medical follow-up, public health reasons, or when consent is given by the concerned individual.
In the United States, it is the federal Health Insurance Portability and Accountability Act (HIPAA, 1996), “extended by a Privacy Rule in 2001 and again by changes mandated by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act (part of the American Recovery and Reinvestment Act of 2009 (ARRA)) and the Genetic Information Non-Discrimination Act (GINA) of 2008” (2), that governs the processing of health data. Patients are informed of the conditions in which their health data will be used and protected.
According to Bonnie Kaplan, from Yale, “patients can be harmed when data about them is used to violate privacy”. In Ross Compton’s case, is it a violation of privacy? Or is it the same as checking someone’s call log or browser history?
The case of Ross Compton of Butler County, Ohio
Mr Compton is suspected of deliberately setting fire to his home and then claiming on the insurance policy (3). He is accused of aggravated arson and insurance fraud.
In order to prove their theory, the police obtained a warrant for the data stored by the man’s pacemaker. They had a cardiologist check what the device had recorded before, during and after the fire. The physician concluded that the events could not have taken place the way Compton says they did.
His lawyer filed a motion to suppress the evidence, but a judge ruled that the data could be used in a court of law.
In Mr Compton’s case, the device was placed inside his body by physicians and designed to keep him alive, and its data were supposed to be used only by said physicians; those data are now being used against him.
In late 2013, 3 million patients worldwide used monitoring devices under the control of healthcare professionals. In 2018, there should be 19 million (1). People wearing smart watches just to check their sleep patterns, record their runs, etc. are even more numerous. All those people could, one day, be on the stand, and data from medical and/or smart devices could be used against them, to expose their lies and prove their location or the type of activity they were doing. Said data could be self-incriminating but there would be no way of pleading the 5th.
Mr Compton’s case is the first of its kind, but it could set a precedent in the United States and even spread to other countries.
The law states that “A HIPAA-covered health care provider or health plan may share your protected health information if it has a court order. This includes the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order” (4).
It could dissuade someone wearing a device like a pacemaker from lying or committing a crime, but it could also dissuade them from wearing the potentially life-saving device altogether for fear of it being used against them.
Data from a murdered woman’s Fitbit were used before to help solve a criminal investigation (5), but the device had belonged to the deceased party and was used to prove that the killer’s version of events was not true. Data obtained from a living person’s smart or medical device had never been used before.
The question we must ask ourselves here is not whether or not smart devices owned by a deceased victim can be used in a court of law. The answer to it is simple: yes. The question we must ask ourselves is whether or not data, especially health data, obtained from a device that belongs to someone who is still alive can be used against them. That is one tricky question and there is no simple answer. The information gathered from those devices could help put criminals behind bars but it could also lead to abuse of power and violation of privacy.
By Marine Rouet
Published on July 21st, 2017
(1) https://www.kamitis.com/Smart-Textiles-223.html
(2) http://bioethics.yale.edu/sites/default/files/files/ISPS14-025.pdf
(3) https://www.cnet.com/news/judge-rules-pacemaker-data-can-be-used-against-defendant/
(4) https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html
(5) https://www.theguardian.com/technology/2017/jun/23/smart-devices-solve-crime-murder-internet-of-things