
Hacker Remix

Show HN: Kate's App

160 points by bhpreece 2 months ago | 182 comments

Caregiving is a natural, human act of compassion and caring, and most of us, at some point, will rely on someone to help us with our health care (> 70%) or be tasked with helping someone else (> 10%).

Kate's App is a tool to coordinate doctor contact information, prescriptions, pharmacies, appointments, notes, and other information with family and caregivers, and do it safely and privately. This is not a clinic portal, and is not associated with any insurance or medical providers.

The app is 95% complete, and is entirely usable as is (for any interested beta users). I intend to clean up the rest of it, and go GA within a few weeks. In the meantime, I would love to answer any questions or hear helpful critiques.

BTW, Show HN is the best.

otterley 2 months ago

If you're dealing with personal health information (PHI), I would advise you to temporarily close your site and hire a lawyer straight away. Whenever you touch this kind of data, regulatory regimes like HIPAA may apply, and you need to be extremely careful. There's not a HIPAA compliance or even a privacy policy statement available on your front page.

See https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... as a starting point. We might be able to recommend a lawyer to you if you tell us which state you're located in.

imglorp 2 months ago

This is a frustrating conversation.

It appears that anonymized medical data are being sold en masse by providers (*) because money. But it's also obvious to us tech folk how trivial it is to combine anonymized patient encounters with location and credit card purchase data etc. to de-anonymize it and resell as enriched.

So the only people who are effectively bound by HIPAA are the well-intentioned ones who have to protect themselves and comply; the rest are laughing at them on the way to the bank.

* https://www.theverge.com/2021/6/23/22547397/medical-records-...

* https://www.scientificamerican.com/article/how-data-brokers-...

* https://www.medicaleconomics.com/view/who-profits-our-medica...

PittleyDunkin 2 months ago

> the rest are laughing at them on the way to the bank.

My understanding is that HIPAA is intended to stop providers from colluding against the patient, not to stop providers or middlemen from enriching themselves with our data.

otterley 2 months ago

And also to make PHI portable across providers.

edwhitesell 2 months ago

Forget about anonymous data; sometimes PII is not sold, it's just given away by staff who don't know better. See my comment here from my own experience: https://news.ycombinator.com/item?id=17183682

hiatus 2 months ago

To my knowledge, HIPAA applies only to entities that accept health insurance or provide services to those entities under a BAA. There have been FTC cases against companies disclosing PHI in breaches but they don't seem to be brought under any HIPAA violation but consumer protection statutes.

From your link:

> The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities")

parsimo2010 2 months ago

HIPAA applies to covered entities, and this app may not be considered a covered entity (the closest they come is a clearinghouse and they probably do not fit the definition), but HIPAA has rules concerning how covered entities deal with business associates.

Kate's App would almost certainly fall under the definition of a business associate, and no health care provider should be entering protected information into the app without entering into an official agreement that the data will be protected according to HIPAA rules.

So technically Kate's App isn't doing anything illegal, but any health care provider entering info into this app would be. To fix the situation, Kate's App needs to certify that their app is compliant and provide an official agreement for providers. Otherwise healthcare providers should stay away, and this app would only be useful for friends and family members.

(I am not a lawyer, but I have analyzed health care data and it's cumbersome to deal with, especially if you are transmitting over a network). https://www.hhs.gov/hipaa/for-professionals/covered-entities...

hiatus 2 months ago

> To fix the situation, Kate's App needs to certify that their app is compliant and provide an official agreement for providers. Otherwise healthcare providers should stay away, and this app would only be useful for friends and family members.

The OP mentions this is for family members and specifically excludes medical providers from the intended audience.

> This is not a clinic portal, and is not associated with any insurance or medical providers.

It seems the target audience is multiple family members involved in coordinating a loved one's care.

jph 2 months ago

> Whenever you touch this kind of data, regulatory regimes like HIPAA apply,

My understanding is you're an actual attorney, yes?

Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.

I ask because Kate's App is similar in ways to my app BoldContacts, which helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kind of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

https://boldcontacts.org

otterley 2 months ago

I can't provide legal advice here; sorry. But I will say that there is a pretty big difference between hosting arbitrary customer-provided data where the customer can enter either kitchen recipes or medical data at their choosing, and stating that your service is intended to store PHI and attracting such information as a result.

colechristensen 2 months ago

I'm not a lawyer so I can give a little bit of legal advice, but... yeah get a lawyer.

Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.

If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.

Good advice:

- don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.

- especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil

- do you want to avoid a 5-, 6-, or 7-digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.

- even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.

- for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law

bhpreece 2 months ago

I like boldcontacts. It wouldn't have been useful for my daughter, but it would have been useful for my grandmother.

baobun 2 months ago

> I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

Let the data stay client side. Facilitate secure client-to-client communication instead of relying on the gravity well of cloud servers.

It becomes a lot more light-weight, and if done right the rules and red-tape do too as you reduce your presence in the regulatory scope by verifiably preventing access to user data by yourself (and service providers, their partners, hackers, and three-letter agencies).

kamma4434 2 months ago

I would advise that you get a lawyer for each and every jurisdiction you plan to offer your service in. It's not that the EU is so happy with the collection of medical data... and I guess similar but slightly different rules apply everywhere.

gwbas1c 2 months ago

I don't want to repeat other comments here; but this app smells of a very dangerous attitude: Built with love by novices with grand intentions, with complete blindness to the real consequences that happen when novices are ignorant in their field.

If your goal is to "find a learning project," I suggest finding a very different "learning project." Otherwise, keep "Kate's app" private, word-of-mouth, invite-only for under 20 people.

The 1980s and 1990s are long-gone, you can no longer "learn as you go" when the consequences of your application malfunctioning have real-world implications.

---

A few years ago, my employer used an HR app that appeared built by a novice. In that time period, they sent me a PDF with tax information for half the people in the company, and then they royally screwed up the tax information sent to the IRS for me.

diggan 2 months ago

How do you know that the authors are novices with "complete blindness" to real consequences? Where are you getting the "find a learning project" goal from?

It sucks that you've been burnt by that before, but it sounds like your employer was the one who screwed you there, not the author of the application.

gwbas1c 2 months ago

Complete lack of legal compliance in the area that they are operating; the style of the name.

The issue of my employer is an example of real world consequences when a novice builds a product without understanding the rules they need to follow.

Unfortunately, there is a cohort of people in the startup scene, and who also participate in Hacker News, who don't like to hear negative feedback even when there are very clear consequences that that feedback is trying to address. Don't be one of those people, especially around issues of legal compliance.

52-6F-62 2 months ago

Should it be called “healthily” or “contactful” instead? Lol

Startup names are so stupid

tantalor 2 months ago

They don't know, it's a total guess. That's why they hedge with phrases like "smell" and "if your goal..."

threatofrain 2 months ago

Total guess implies that they closed their eyes and made a random choice. There's a reason why the top posts, including one by a lawyer (who recommends immediately shutting down the site before getting advice), are saying caution is very warranted.

52-6F-62 2 months ago

Reminds me of the (so called) engineering teams I’ve worked with at high profile startups who dealt primarily with their software based on “code smell”. It was amazing. If you accomplished something that didn’t make your boss look smarter than you then it was a bad “code smell”. Logic be damned

ygjb 2 months ago

Uh, this appears to be an application that collects data that is regulated in most legal jurisdictions, lacks a published terms of use, doesn't have a published privacy policy, and at first glance is missing rudimentary security controls related to TLS and content security.

The sparse documentation makes claims about privacy and security, but there is no evidence to back those claims.

salgernon 2 months ago

From the blurb at the top: “ The app is 95% complete, […] I intend to clean up the rest of it, and go GA within a few weeks. ”

Assuming the last 5% is going to just take a few weeks is naive from a development point of view. Everyone learns this the hard way, so I don’t mean it as a dig.

ryanwaggoner 2 months ago

Every completed project was at one point a few weeks away from being done.

curious_cat_163 2 months ago

I think you might want to heed the advice about privacy regulations in the other threads.

Just thought, I'd share what I think about the substance of the idea (not the implementation). I think a big untold story in the US healthcare system is how it shifts the burden of coordinating care to patients and/or their loved ones.

To be sure, there are a lot of decisions that the individual (or their NoK) should be making, but the amount of paperwork that flies around and the lack of coordination between, say, an insurance company and the provider is astounding. This becomes very pronounced for every corner case, and the entire machinery is wired to record things in myriad systems but somehow not make things better when it comes to the core outcome -- providing healthcare. Every entity in the food chain is out to (and does!) make a buck. Meanwhile, there is a wait time of > 30 days to meet one's primary care physician over a video chat!

So, I absolutely LOVE your idea. The implementation probably requires a lot of iterations here. One suspects that there are ways in which a consumer-facing app could make some real money to level the playing field in favor of the patient while being a sustainable business.

bhpreece 2 months ago

Thank you for the encouragement.

harvey9 2 months ago

Putting aside all the legal issues, I would like to see more details of what it does before I sign up. Seems like you need to register yourself and then get all your family/carers to register and then link their accounts to yours? There should be some screen shots of the app in action (with dummy data of course).

Shame this is such a legal minefield. I do not think you should put this on GA.

bhpreece 2 months ago

> screenshots

High on my list. Or youtube, or something like that.

Terretta 2 months ago

EDIT: Developer included this in a summary:

"Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family."

Insofar as no providers or non-family use this, developer may have a point: my comment's covered-entity reasoning can be disregarded.

---

Not saying don't do YouTube, there's a persona who wants to learn from being talked to and shown.

But there's a less online (socially noisy) persona who prefers to read, see, and take in information far faster than a video. So don't skip the screenshots!

PS. I participated in the first patient centered groupware app 15 years ago, sold to the provider networks, so all providers a patient is ping-ponged to can interact as if a virtual team with the patient.

Your idea is viable, and giant hospital networks will buy it. But the top comment on this thread is likely dead right. You likely need to be HIPAA compliant for the providers to participate, regardless whether you sold the app to the patient or to the providers. Because unlike a personal notes app, your entire premise is info sharing among parties.

There is possibly a model for this that is technically outside HIPAA, but what you're showing / saying doesn't sound like it's navigated that.

Even if you use that potentially compliant model, it's then highly unlikely the providers will play ball, as then they'd have to be running as many apps as they have patients and they are too busy and already have to know too many systems. Even if they felt like setting a precedent of installing whatever apps patients ask them to use (they don't), the last thing they want is yet another place to redundantly key in information/communications. (They are required to have a record.) To get around that, you'd have to integrate with what they have, and boom, HIPAA again.