Analysis

Will smart medicine drive privacy legislation? It should.

This week, I read an article in the Wall Street Journal about an artificial knee from Zimmer Biomet that, after being implanted in a patient’s knee, shared sensor data with the patient’s doctor about steps taken, range of motion for the knee, miles traveled, and various gait statistics. My first instinct was to focus on all the technical insides of the joint and how it was powered, the wireless technology used to send the signals, and the basic underpinnings of how it works.

But then I realized that no matter how cool the sensing apparatus is (it was provided by Canary Medical Inc.), the real story here isn’t the tech, it’s the social implications of having a device implanted inside your body that reports on how well you’re progressing at recovery. And whether or not this is a good thing depends almost entirely on figuring out how to protect that data from interested parties that could cause harm. This is, in other words, about privacy.

Zimmer Biomet’s Persona IQ is a knee implant with an attached sensor component. Image courtesy of Zimmer Biomet.

To be sure, because medical data is so sensitive and is almost universally regarded as something that should be protected, the advance of connected technology into medical devices and hospitals could pave the way for stronger privacy regulations. It will also drive companies that are interested in providing medical services around aging in place or remote patient monitoring to push for laws that they can work with.

I don’t think it was an accident that, a week after the Connectivity Standards Alliance announced plans for a health and wellness working group, it launched a data privacy working group. But let’s look at why privacy matters so much when it comes to health care.

I think there are three elements that together are going to underpin a push for privacy regulations related to connected devices in the health care sector. The first is that the demand for technology to augment the declining number of people who work in health care amid an aging population is going to be inescapable. Second, the potential consumer harms from a lack of privacy around medical data and care are quantifiable and easily understood. Finally, the Health Insurance Portability and Accountability Act (HIPAA) does not actually do what many consumers think it does, and when consumers recognize that, they will demand action.

The first element is well documented, so I’m not going to spend much time on it. Although I will note that one of the advantages of the smart knee mentioned earlier in the story is that it could save patients a visit to the doctor when the sensors determine everything is functioning well. Using remote monitoring to free time for a doctor may let that doctor see more patients who may need more of their help.

As for harm, proving harm is one of the best ways in the American legal system to drive some form of regulation or legislation. And since using connected device data from medical implants improperly could cause a lot of harm, it could incentivize lawmakers to take action and could potentially lead to lawsuits.

A big potential harm with the connected knee is how an insurer who paid for that knee might react to the data. If a patient isn’t doing their physical therapy, it’s completely possible that an insurance firm might decline to pay for further interventions. I don’t foresee an insurance firm clawing back the money paid for the knee, but it could decide that any additional issues on that leg are the patient’s fault and, by extension, decline to reimburse that policy holder for any new knee-related problems.

If you think this is crazy, I share with you the story about insurers tracking whether or not patients were using CPAP machines to prevent sleep apnea. Because these CPAP machines were connected, insurers would track how often a patient used them. If they didn’t use them “enough,” the insurers would stop paying for them. Relatedly, not only did the CPAP machine provider, doctor, and insurance firm all have access to the patient’s sleep data, but the machine maker had the ability to share that data with other suppliers of filters and associated gear for the CPAP machine.

In the case of the smart knee, Canary’s privacy policy states that the patient’s medical data from an implanted device is governed by the company’s customer — the hospital or provider who inserts the device, not the patient. It then goes on to note that it does collect personal information through its services: “The information we collect may include health information such as heart rate, insulin levels, number of steps taken per day, stride length, and other information relevant to your medical treatment.”

It also has a section on biometric information that can be used to identify individuals. “If you consent to our collection of biometric information or if our collection of biometric information is otherwise permitted, you agree that we may collect your physiological biological or behavioral characteristics that can be used to establish individual identity as well as patterns or rhythms, gait patterns, and sleep, health or exercise data that contain identifying information from your connected medical device in order to provide the Services” (emphasis mine).

Canary’s policy does include sections on how the data it collects gets used. And in reading it, it’s clear that third-party companies can get access to medical data both as part of providing services on Canary’s behalf (pretty common) as well as for advertising or marketing purposes. So it’s possible that a person with a Zimmer knee might find their step data sent out to companies making knee braces, I suppose.

That’s not the sort of harm I have in mind when thinking about that data leaking, however. There’s a section in the privacy policy about location data, for example. Imagine if a physically implanted sensor in your knee became a way for police to track you. (Today it cannot be used that way because it lacks GPS sensors.) It’s not, after all, a device you can leave at home.

Broadly speaking, the most likely harms are economic and driven by an insurer’s ability to coerce compliance with a physical therapy regime or a doctor’s plan. But the flip side might also be true. What if the device shows it is performing optimally but the patient still is in pain? Does the doctor then ignore the patient in favor of the device data?

If the device data is widely shared, it offers opportunities for other parties to make decisions about a patient’s care. The most likely party would be an insurance company, but in other medical decisions, the party might include the state. For example, period trackers or devices that can track reproductive health could find their data used in lawsuits against women.

Finally, there’s a giant misconception about health care data privacy in the U.S. that I think will soon blow up in people’s faces. Most people think of HIPAA as a law that keeps their medical data between themselves and their doctor. But that is not what HIPAA does. HIPAA is a way to transfer a patient’s medical data when they change insurance providers (it’s a function of our medical insurance tied to our jobs in the U.S.).

Once a person’s medical data gets out of their doctor’s office or outside of their insurer, it’s no longer governed by HIPAA. So when you take your electronic health record and give it over to Apple, it’s no longer protected by HIPAA. I’m not saying that Apple will turn around and sell it, but it’s only a matter of time before a person who handed over their health information to a tech firm providing wellness services or products discovers that their data is being used by third parties or available via a data broker.

So as we start collecting and sharing some of our most personal data, there’s an opportunity to improve health care outcomes, but there’s also a chance of encouraging some real harms caused by a loss of privacy. That is why we need to figure out which of the rules we currently have in place govern medical data privacy and then pass better ones.

Stacey Higginbotham
