Medtronic says federal rules prohibit giving Ms. Hubbard's data to anyone but her doctor and hospital. "Our customers are physicians and hospitals," said Elizabeth Hoff, general manager of Medtronic's data business. Medtronic would need regulatory approval to give patients the data, she said. It hasn't sought approval because "we don't have this massive demand."
. . .
Some legal experts say the 1996 U.S. law governing patient access to their health files—HIPAA, or the Health Insurance Portability and Accountability Act—hasn't kept up with technology. The law gives patients the right to access information held by doctors and hospitals. However, the raw data gathered by an implant isn't held by a doctor or a hospital: Typically it goes directly to the device maker, which provides a summary report to the doctor. Because of this, the raw data falls outside the scope of HIPAA's patient-access requirements. In addition, Medtronic said, business agreements with doctors and hospitals restrict it to relaying information only to them.
"Is the device itself a depository for medical records?" said Paul C. Zei, a cardiologist at Stanford University Medical Center with a patient, Hugo Campos, who wants the same access to his cardiac-device data as the doctor gets. "Or is it part of the patient, and an extension of vital signs that we download into a medical chart?"Gee. Someone saw this coming years ago.
But as patients pay for more and more of their health care, companies better remember who's really their customer. Furthermore. patients should have access rights to all of their medical information, irrespective of where it resides.