Positive Airway Pressure and Your Privacy:
What You Should Know
How is my positive airway pressure (PAP) data collected and shared?
Newer PAP devices (including CPAP, APAP AND BPAP1) are generally equipped with modems or cellular capabilities that allow remote access to your machine data, which can include:
- Your adherence: When are you using your machine? How often and for how long?
- Treatment Efficacy: Is the treatment working? Are you still exhibiting sleep-disordered breathing? Is your mask leaking?
When obtaining your device from your physician/medical office or durable medical equipment2 (DME) company, you will be notified of the company’s data privacy policies and must authorize the collection and use of your information. It is important to thoroughly read and understand all paperwork or forms prior to signing off on your machine and beginning use.
Who can access my data and why?
Once you begin using your machine, the data collected is remotely transmitted to the DME company or physician and/or your insurance company. The information will also most likely be automatically sent to your device manufacturer.
DME Company
The DME company where you obtained your machine will often be the initial point of contact through which your insurer and/or healthcare provider will obtain your information. The DME may provide your information to the insurer to secure payment for your device and/or to your physician to ensure continuity of care for your sleep disorder.
Your Healthcare Provider(s)
Your healthcare provider may monitor your PAP data to confirm your device is appropriately treating your sleep disorder and address any issues you may be having with your device. The data will tell your provider if your pressure setting is correct, if you still have sleep-disordered breathing, if you are using your device, and if your mask fits appropriately. This will help your provider make improvements to your treatment plan to ensure long-term optimal treatment of your sleep disorder.
Your insurance company(s)
Your insurance company may monitor your PAP adherence or compliance to evaluate if you meet the insurer’s specific compliance requirements, which may affect payment for your treatment. For more information on this access our “PAP and Your Insurance: What you Should Know” Fact Sheet.
Device manufacturer
According to U.S. copyright law, the manufacturer of your device owns the data created by your machine. You are legally permitted to access the data created and saved by your machine, but your manufacturer is not required to give you the means to do so; however, most major PAP manufacturers offer an online patient user portal/website where you can access (at least a portion of) your data.
Patient
Most device manufacturers have a patient website, app, or other online application where you can access general data regarding the use and effectiveness of your machine to help monitor your sleep health. The machine itself may also display this data. It is not recommended that you “hack” your machine to access data with the intent of changing your machine setting. The settings on your machine are set by trained sleep providers and are based on the results of your sleep study. You should discuss any issues you are having with the PAP treatment with your sleep healthcare providers to determine if your prescription and pressure setting should be revised. Changing your settings on your own may have negative consequences as overtreatment or undertreatment can be harmful.
What is HIPAA and how does it affect usage of my CPAP data?
The Health Information Portability and Accountability Act of 1996 (‘HIPAA’) dictates that your personal health information (“PHI”) be safeguarded. Specifically, the HIPAA Security Rule (published in 2003) safeguards your electronic PHI by requiring your DME company, insurer, and health care providers to employ security controls that protect the confidentiality of your PHI, minimally limit the use and disclosure of your information, and ensure staff is trained to protect patient information properly.
HIPAA affords you many rights, including but not limited to your ability to:
- Access a copy of your health records
- Have corrections made to your health record
- Be notified if your information will be shared
- Request a report of disclosures of your health information
- Give permission for use of your health information for certain uses
For more information on HIPAA and your rights, visit the U.S. Department of Health and Human Services.
What do I need to do to protect my privacy and data?
Educate yourself on HIPAA and any state privacy regulations so that you understand your rights in relation to the use of your health information.
Review your medical providers’ HIPAA/privacy policies and your DME provider’s PAP data privacy policy and/or any authorization forms you may sign regarding your data to determine how your information may be shared and if you are comfortable with the provider’s policies; if not, discuss with your provider to determine how your concerns can be resolved.
Disclaimer: The information provided in this resource applies to the United States only and may not reflect practices in other locations.
1 CPAP (continuous positive airway pressure) provides a constant stream of pressurized air during sleep; BPAP (bilevel positive airway pressure) is like CPAP except that the device provides two different pressure settings depending on whether you are inhaling or exhaling; APAP (auto positive airway pressure) also has two pressure settings, which the device will automatically switch between depending on your breathing.
2 Durable medical equipment is equipment that benefits someone with a certain medical condition. Examples include wheelchairs, blood sugar monitors or CPAP machines.