On October 28, 2015, the U.S. Copyright Office of the Library of Congress (the “Office”) issued a Final Rule containing several exemptions to the Digital Millennium Copyright Act that expanded access to medical device computer programs and the patient data they generate. The Digital Millennium Copyright Act allows intellectual property holders to install “technological protection measures” (TPMs) in their software that block unauthorized inspection of data to protect copyright. Under the Act, the Library of Congress grants exemptions to TPMs every three years.
In the Final Rule, the Office included an exemption for researchers investigating computer programs on devices and machines for good faith security research. The Office found that legitimate security research has been hindered by TPMs that limit access. Covered devices include medical devices used for patient implantation or corresponding personal monitoring systems, as long as they are not used by patients or for patient care. The research exemption begins 12 months after the regulation’s effective date, meaning it starts on October 28, 2016. Additionally, the Office created an exemption for patients who seek to passively access information that is already being generated by their own medical devices or personal monitoring systems. Unlike the research exemption, the patient monitoring exemption takes effect immediately, and it is limited to patients themselves, as opposed to researchers or other parties.
Opponents of the exemptions included various medical device manufacturers and trade groups, who argued that the above uses were not fair uses of the intellectual property at stake. They also raised concerns about patient safety issues, including the fear that requesting data at a higher rate could reduce the battery life of crucial medical equipment, and accordingly requested that the FDA provide input. The FDA expressed apprehension about providing access to patient health information or other personally identifiable information and advised that the exemptions require compliance with all existing laws and regulations. The Office also adopted the FDA’s suggestion that the research exemption exclude devices that are or could be used by patients. There were also concerns raised about responsible disclosure of security flaws. The Register did not adopt an express disclosure rule, but noted that there is already an intent in the statute that information derived from research activity be used primarily to promote the security or safety of those devices.
Expanding access to computer programs and the data generated by such programs also has a potential impact on intellectual property rights beyond the copyright realm. For example, as an unintended consequence, inspection of a computer program, or data generated thereby, may yield knowledge of a trade secret or a patent application that has been filed but remains unpublished. As such, the enhanced right of researchers to inspect software should be taken into consideration by those who wish to gain legal protection around their software inventions.
These changes reflect the Federal Government’s growing interest in supporting efforts to address cybersecurity threats and related safety issues, in encouraging open data and better access to information that enables research and innovation, and in promoting patient access to their health information to support patient engagement.