Georgetown Law
Technology Review

In late 2018, Researchers at MIT announced that they had developed a wirelessly controlled electronic pill (or capsule) capable of being ingested and remaining in the human body for up to a month. According to the researchers, the capsule can store and release drugs over time. It also carries a specially designed sensor, which allows it to detect environmental conditions and relay the information to a smartphone for early diagnosis of disease.  Although just developed, this technology has already raised concerns regarding patients’ privacy and autonomy.

In 2017, another electronic pill approved sparked similar concerns. This pill, approved by the FDA, has an embedded sensor to monitor a patient’s compliance with their medication regimen. When splashed by stomach fluid, the sensor generates an electrical signal which is received by a patch worn on the patient’s left rib cage. The patch also uses Bluetooth technology to send the user additional information,  including heart rate and body surface temperature, to a smartphone app.

According to Deven McGraw, former Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, the technology could enable coercive consent practices. Insurance companies, for example, could require patients to take their medication in the electronic pill form or refuse to pay for it—thereby coercing their consent to monitoring. Every year, patients fail to correctly take their medication, costing insurance companies  $100 billion in additional medical treatments. If the latest electronic pill technology can reduce such noncompliance, insurance companies might choose to require patients use this technology to reduce their costs.

Privacy advocates also worry that electronic pills are susceptible to data breaches. However, the possibility of an unauthorized data use is minimized because the data collected would be considered individual health information therefore subject to regulation under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers and their business associates to limit access to health data to authorized personnel.

Nevertheless, because there are several steps involved in the transmission of electronic pill data—risk of data breach still exists. To address this issue the FDA has issued guidance to help medical device developers identify and address cybersecurity risks from design to market.  In addition, the 2017 electronic pill set a high standard in protecting collected information. Information collected by the pill is encrypted the moment it reaches the patch and remains encrypted when it is stored in the cloud.  The MIT capsule, if ready for market, may be subject to the same standard.