I am not a lawyer in real or fictional life, but it seems to me that the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) provisions for patient access to Personal Health Information (PHI) would apply, at least in the U.S., to any data processed or maintained by ResMed on a sleep patient.
For more than you want to know about "Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524", Google the phrase in quotations and it should be the top link returned.
HIPAA applies to "covered entities" like doctors, hospitals, clinics, pharmacies, and insurance plans, and it also covers something called health care clearinghouses. To determine what is a covered entity, Google the phrase "covered entity guidance tool" and a pdf from the Centers for Medicare & Medicaid Services should appear as the top link.
To be considered a health care clearinghouse, and therefore a HIPAA covered entity, the answer to the following two questions about a business or agency must be "yes":
1. "Does the business or agency process, or facilitate the processing of, health information from nonstandard format or content into standard format or content or from standard format or content into nonstandard format or content?"
2. "Does the business or agency perform this function for another legal entity?"
It seems to me that this is exactly what ResMed does. It takes the data from our CPAP machines and processes it into a format made available to our health care practitioners and insurance companies. This should make them a HIPAA covered entity and require them to provide patients with access to their own data in readable form for free or for a reasonable charge. If you read further in the HIPAA rules, it is difficult to charge for electronic access to PHI.
Furthermore, on page 19 of ResMed's 2018 SEC Form 10-K, they state the following:
"In some of our operations, such as those involving our cloud-based software digital health applications, we are a business associate under HIPAA and therefore required to comply with the HIPAA Security Rule, Breach Notification Rule and certain provisions of the HIPAA Privacy Rule, and are subject to significant civil and criminal penalties for failure to do so."
The HHS requirements for business associate contracts with covered entities (such as your sleep doctor or health insurance plan) include the following mandatory provision.
"(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information . . ."
The above information can be found by Googling "Business Associate Contracts SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS". Look for the link on hhs_dot_gov.
Has anyone asked ResMed for access to their AirMini data, citing HIPAA?