John W. Christie
Georgetown Law, Class of 2017
This spring, Elon musk announced that he was starting his newest venture, Neuralink Corporation, in an effort to develop what he calls “neural lace” technology. This company would be dedicated to the idea of merging humans with computing technology through the implementation of mini electrodes that interface directly with the brain. Mr. Musk has spoken at length about his fears of Silicon Valley’s rush to develop artificial intelligence and believes that Neuralink will help us “escape human obsolescence.”
Aside from the initial “installation” of the Neuralink technology, the company would likely act, in part, as a health care provider delivering routine care, diagnosing and treating problems, and managing the evolution of the technology. Although a large part of this technology would increase the transfer of information between consenting individuals, it is critical that a company like Neuralink be classified as HIPAA “covered entity” in order to help protect the medical privacy of its users.
The Health Insurance Portability and Accountability Act (HIPAA) was officially implemented through the Federal Privacy Rule in April of 2003 and was created to prevent fraud and unauthorized access, disclosure, and use of “individually identifiable health information.” HIPAA specifically regulates the permitted uses and disclosures of protected health information by covered entities. Covered entities include health care providers, which are defined as “a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business” and includes professionals who provide devices to patients.
HIPAA also provides protection for individual’s health information, to include genetic information, “whether oral or recorded in any form or medium” that is received by a health care provider and “relates to the past, present, or future physical or mental health or condition of an individual.”
Depending on how companies like Neuralink would access and transmit data, this presents an incredibly large possibility for abuse of customer’s most private data: their brain activity. Access to mental information has the potential to be incredibly profitable and would be very attractive to many business organizations looking to increase profits from customers. Due to the sensitive nature of this information, mechanisms to protect this data are even more important.
Although thoughts and memories are not yet specifically included in the traditional categorization of individually identifiable health information, a good case can be made since HIPAA protects any information that is transmitted through any form or medium. Information captured by these proposed brain interface devices is not drastically different from data received by neurological devices such as neurostimulators which the FDA and HIPAA already regulate.
A merger of biological and machine intelligence will likely not be without fault and will present some unique challenges; however, obtaining classification as a HIPAA-covered entity for companies like Neuralink would be a start. Including these companies would provide rights that would be critical to supporting the psychological need for individuality. This is because HIPAA guarantees individuals the right to restrict the use and disclosure of protected health information as well as the right to authorize what is disclosed to third parties.
Admittedly, HIPAA protections are not absolute and would not solve all of the related privacy issues. Brain interfaces may mean that human brains could be hacked: allowing unauthorized parties access to memories, thoughts, and other sensory input. This presents a problem for the technology, but should not be used as an argument to forgo updating the law to provide HIPAA protections.
Elon Musk claims this technology is 8 to 10 years away. Antonio Regalado, MIT Technology Review senior editor for biomedicine, does not believe this claim and cites the many difficulties with Neuralink’s vision. Regardless, it is important for legislators to understand the potential privacy implications of this technology and create proposals that can effectively regulate the respective companies in order to protect the privacy of citizens.