On October 28, 2015, the U.S. Copyright Office of the Library of Congress (the “Office”) issued a Final Rule containing several exemptions to the Digital Millennium Copyright Act that expanded access to medical device computer programs and the patient data they generate. The Digital Millennium Copyright Act allows intellectual property holders to install “technological protection measures” (TPMs) in their software which blocks unauthorized inspection of data to protect copyright. Under the Act, the Library of Congress grants exemptions to TPMs every three years.
In the Final Rule, the Office included an exemption for researchers investigating computer programs on devices and machines for good faith security research. The Office found that legitimate security research has been hindered by TPMs that limit access. Covered devices include medical devices used for patient implantation or corresponding personal monitoring systems, as long as they are not used by patients or for patient care. The research exemption begins 12 months after the regulation’s effective date, meaning it starts on October 28, 2016. Additionally, the Office created an exemption for patients who seek to passively access information that is already being generated by their own medical devices or personal monitoring systems. Unlike the research exemption, the patient monitoring exemption takes effect immediately, and it is limited to patients themselves, as opposed to researchers or other parties.