Post Authored by Stephanie Nikitenko
Due to the rapid development of technology, Artificial Intelligence (“AI”) and robotics have become an integral part of our society. For example, surgeons now use robotics to perform complex and precise surgeries. Soon, medical professionals may be able to achieve the impossible: tapping into and manipulating the human brain. From a medical standpoint, this is an immense achievement that stands to help millions of people. From a privacy perspective, it is problematic, because the current laws are not able to adequately handle these rapid technological advances. Some of these advances are discussed below.
First, Facebook and Elon Musk recently developed a brain-computer interface (“BCI”) called Neuralink. The Neuralink is made of “flexible ‘threads’ that can be implanted into a brain and could one day allow you to control your smartphone or computer with just your thoughts.”  The ability to connect thoughts to technology poses concerns. For example, the connection controlling the transfer of thoughts to technology might not be secure. This could lead to possible hijacking of that connection, a potential breach of the data being transmitted, and biological data being hacked. BCI works by reading neural activity to decode what the brain is saying. In some cases, BCI even gives new inputs to the brain and changes how it functions. This is risky because if someone with ill intentions was able to control these inputs, it could lead to neurological damage, a breach of privacy with regard to the biological information being transmitted, and—in its worst and most extreme form—even mental manipulation.
Next, there is Neuropace, a bioelectric medical device that monitors and prevents seizures.  These devices work by using standard electronic processes found in microprocessors and Bluetooth devices, and applying them to devices emulating the texture of the human body’s soft organ tissue. Physicians can accurately and continuously access an individual’s health information this way. Due to the neural network insights being collected and shared in real-time, there are concerns about the data’s security and regulations regarding access to the gathered information.  If this neural data is not secure, it could be vulnerable to hacking, which could allow third parties to have access to sensitive personal information, such as health conditions. It would also give hackers real-time streaming of important biological data. Ordinarily, this information is only shared between patients and doctors. But, if third parties had the ability to gain access to that information, they could sell sensitive personal data and could both exploit and publicize privileged information.
Reading and rewriting neural activity has resulted in ethical concerns. In 2017, Marcello Ienca, a neuroethicist, released a paper outlining four specific rights that need to be recognized in the age of neurotechnology: 1) the right to cognitive liberty, 2) the right to mental privacy, 3) the right to mental integrity, and 4) the right to psychological continuity.  The right to cognitive liberty holds that people have the right to freely decide whether they want to use neurotechnology. The right to mental privacy comports with being able to keep neural data private or choosing to release it publicly. People not physically or psychologically harmed by neurotechnology have the right to mental integrity. Finally, the right to psychological continuity prevents unauthorized alterations to the sense of self.
The above concerns were the exact reason why the Health Insurance Portability and Accountability Act (“HIPAA”) was enacted. HIPAA creates a baseline of privacy protection,  because it overrides less protective privacy laws and keeps only the stronger ones.  It also distinguishes between consent and authorization. In order to use and disclose protected health information for treatment, payment, and health care operations, healthcare professionals must first obtain consent.  In contrast, an authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, other than those covered under consent. Authorizations also allow protected health information to be disclosed to a third party specified by the individual.  The neurotechnology devices discussed above may change HIPAA law about consent, regulation and proper storage of neural data. Additionally, future laws and policies need to consider how information transmitted from human brains to smart technology will be regulated. At the very least, new legislation seems likely, in order to both account for this new technology and prevent severe privacy breaches.
 Sigal Samuel, Brain-Reading Tech is Coming. The Law is Not Ready to Protect Us, Vox (Aug. 2019), https://www.vox.com/2019/8/30/20835137/facebook-zuckerberg-elon-musk-brain-mind-reading-neuroethics.
 Laura Mueller, Hacking the Human Body, Chicago Health (Aug. 2019), https://chicagohealthonline.com/hacking-the-human-body/.
 Samuel, supra note 1.
 Health Information Privacy Law and Policy, HealthIT.gov (Dec. 2018), https://www.healthit.gov/topic/health-information-privacy-law-and-policy.
 What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?, U.S. Dept. of Health and Human Serv. (July 2013), https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.
About the Author:
Stephanie Nikitenko is currently a 3L at UIC John Marshall Law School in Chicago. At UIC John Marshall, she’s the President of the Intellectual Property Law Society (IPLS) and primarily concentrates her studies on the subject of Intellectual Property. She recently spent a semester working in the JMLS Trademark Clinic where she assisted clients with the Trademark Registration process with the USPTO. Additionally, under the supervision of an attorney, she currently assists a law firm with both their trademark and patent matters.