The Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works.  Certain activities and classes of works, however, are exempted from this prohibition.  The exempted classes of works are determined by the U.S. Copyright Office every three years and remain in effect for the ensuing three-year period. 

The latest set of exempted classes was released last week.  While many of the 2015 exemptions are similar to those in the 2012 list, there are two additions that will be particularly noteworthy for medical device companies.

The first provides an exemption, in limited circumstances, for accessing patient data in a networked medical device system:

Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system and does not constitute a violation of applicable law, including without limitation the Health Insurance Portability and Accountability Act of 1996, the Computer Fraud and Abuse Act of 1986 or regulations of the Food and Drug Administration, and is accomplished through the passive monitoring of wireless transmissions that are already being produced by such device or monitoring system.

The second provides an exemption for security research of medical device software, again, in limited circumstances:

  1. Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code; and provided, however, that, except as to voting machines, such circumvention is initiated no earlier than 12 months after the effective date of this regulation, and the device or machine is one of the following:
    1.  A device or machine primarily designed for use by individual consumers (including voting machines);
    2. A motorized land vehicle; or
    3.  A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care.
  2. For purposes of this exemption, ‘‘goodfaith security research’’ means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.

Those who benefit or are otherwise affected by these exemptions are encouraged to mark their calendars for the next round of rulemaking in 2018 so that their voices will be heard.