Show HN: Kate's App

160 points by bhpreece 1 week ago | 181 comments

Caregiving is a natural, human act of compassion and caring, and most of us, at some point, will rely on someone to help us with our health care (> 70%) or be tasked with helping someone else (> 10%).

Kate's App is a tool to coordinate doctor contact information, prescriptions, pharmacies, appointments, notes, and other information with family and caregivers, and do it safely and privately. This is not a clinic portal, and is not associated with any insurance or medical providers.

The app is 95% complete, and is entirely usable as is (for any interested beta users). I intend to clean up the rest of it, and go GA within a few weeks. In the meantime, I would love to answer any questions or hear helpful critiques.

BTW, Show HN is the best.

otterley 1 week ago

If you're dealing with personal health information (PHI), I would advise you to temporarily close your site and hire a lawyer straight away. Whenever you touch this kind of data, regulatory regimes like HIPAA may apply, and you need to be extremely careful. There's not a HIPAA compliance or even a privacy policy statement available on your front page.

See https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... as a starting point. We might be able to recommend a lawyer to you if you tell us which state you're located in.

imglorp 1 week ago

This is a frustrating conversation.

It appears that anonymized medical data are being sold en masse by providers (*) because money. But it's also obvious to us tech folk how trivial it is to combine anonymized patient encounters with location and credit card purchase data etc. to de-anonymize it and resell as enriched.

So the only people who are effectively bound by HIPAA are the well-intentioned ones who have to protect themselves and comply; the rest are laughing at them on the way to the bank.

* https://www.theverge.com/2021/6/23/22547397/medical-records-...

* https://www.scientificamerican.com/article/how-data-brokers-...

* https://www.medicaleconomics.com/view/who-profits-our-medica...

PittleyDunkin 1 week ago

> the rest are laughing at them on the way to the bank.

My understanding is that HIPAA is intended to stop providers from colluding against the patient, not to stop providers or middlemen from enriching themselves with our data.

otterley 1 week ago

And also to make PHI portable across providers.

edwhitesell 1 week ago

Forget about anonymous data; sometimes PII is not sold, it's just given away by staff who don't know better. See my comment here from my own experience: https://news.ycombinator.com/item?id=17183682

hiatus 1 week ago

To my knowledge, HIPAA applies only to entities that accept health insurance or provide services to those entities under a BAA. There have been FTC cases against companies disclosing PHI in breaches but they don't seem to be brought under any HIPAA violation but consumer protection statutes.

From your link:

> The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities")

parsimo2010 1 week ago

HIPAA applies to covered entities, and this app may not be considered a covered entity (the closest they come is a clearinghouse and they probably do not fit the definition), but HIPAA has rules concerning how covered entities deal with business associates.

Kate's App would almost certainly fall under the definition of a business associate, and no health care provider should be entering protected information into the app without entering into an official agreement that the data will be protected according to HIPAA rules.

So technically Kate's App isn't doing anything illegal, but any health care provider entering info into this app would be. To fix the situation, Kate's App needs to certify that their app is compliant and provide an official agreement for providers. Otherwise healthcare providers should stay away, and this app would only be useful for friends and family members.

(I am not a lawyer, but I have analyzed health care data and it's cumbersome to deal with, especially if you are transmitting over a network). https://www.hhs.gov/hipaa/for-professionals/covered-entities...

hiatus 6 days ago

> To fix the situation, Kate's App needs to certify that their app is compliant and provide an official agreement for providers. Otherwise healthcare providers should stay away, and this app would only be useful for friends and family members.

The OP mentions this is for family members and specifically excludes medical providers from the intended audience.

> This is not a clinic portal, and is not associated with any insurance or medical providers.

It seems the target audience is multiple family members involved in coordinating a loved one's care.

jph 1 week ago

> Whenever you touch this kind of data, regulatory regimes like HIPAA apply,

My understanding is you're an actual attorney, yes?

Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.

I ask because Kate's App is similar in ways to my app BoldContacts, which helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

https://boldcontacts.org

otterley 1 week ago

I can't provide legal advice here; sorry. But I will say that there is a pretty big difference between hosting arbitrary customer-provided data where the customer can enter either kitchen recipes or medical data at their choosing, and stating that your service is intended to store PHI and attracting such information as a result.

colechristensen 1 week ago

I'm not a lawyer so I can give a little bit of legal advice, but... yeah get a lawyer.

Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.

If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.

Good advice:

- don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.

- especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil

- do you want to avoid a 5,6, or 7 digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.

- even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.

- for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law

bhpreece 1 week ago

I like boldcontacts. It wouldn't have been useful for my daughter, but it would have been useful for my grandmother.

baobun 7 days ago

> I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

Let the data stay client side. Facilitate secure client-to-client communication instead of relying on the gravity well of cloud servers.

It becomes a lot more light-weight, and if done right the rules and red-tape do too as you reduce your presence in the regulatory scope by verifiably preventing access to user data by yourself (and service providers, their partners, hackers, and three-letter agencies).

kamma4434 1 week ago

I would advise that you get a lawyer for each and every jurisdiction you plan to offer your service in. It’s not that the EU is so happy with the collection of medical data... and I guess similar but slightly different rules apply everywhere.

gwbas1c 1 week ago

I don't want to repeat other comments here; but this app smells of a very dangerous attitude: Built with love by novices with grand intentions, with complete blindness to the real consequences that happen when novices are ignorant in their field.

If your goal is to "find a learning project," I suggest finding a very different "learning project." Otherwise, keep "Kate's app" private, word-of-mouth, invite-only for under 20 people.

The 1980s and 1990s are long-gone, you can no longer "learn as you go" when the consequences of your application malfunctioning have real-world implications.

---

A few years ago, my employer used an HR app that appeared built by a novice. In that time period, they sent me a PDF with tax information for half the people in the company, and then they royally screwed up the tax information sent to the IRS for me.

diggan 1 week ago

How do you know that the authors are novices with "complete blindness" to real consequences? Where are you getting the "find a learning project" goal from?

It sucks that you've been burnt by that before, but it sounds like your employer was the one who screwed you there, not the author of the application.

gwbas1c 1 week ago

Complete lack of legal compliance in the area that they are operating; the style of the name.

The issue of my employer is an example of real world consequences when a novice builds a product without understanding the rules they need to follow.

Unfortunately, there is a cohort of people in the startup scene, and who also participate in Hacker News, who don't like to hear negative feedback even when there are very clear consequences that that feedback is trying to address. Don't be one of those people, especially around issues of legal compliance.

52-6F-62 1 week ago

Should it be called “healthily” or “contactful” instead? Lol

Startup names are so stupid

tantalor 1 week ago

They don't know, it's a total guess. That's why they hedge with phrases like "smell" and "if your goal..."

threatofrain 1 week ago

Total guess implies that they closed their eyes and made a random choice. There's a reason why the top posts, including one by a lawyer (who recommends immediately shutting down the site before getting advice), are saying caution is very warranted.

52-6F-62 1 week ago

Reminds me of the (so called) engineering teams I’ve worked with at high profile startups who dealt primarily with their software based on “code smell”. It was amazing. If you accomplished something that didn’t make your boss look smarter than you then it was a bad “code smell”. Logic be damned

ygjb 1 week ago

Uh, this appears to be an application that collects data that is regulated in most legal jurisdictions, lacks published terms of use, doesn't have a published privacy policy, and at first glance is missing rudimentary security controls related to TLS and content security.

The sparse documentation makes claims about privacy and security, but there is no evidence to back those claims.

salgernon 1 week ago

From the blurb at the top: “The app is 95% complete, […] I intend to clean up the rest of it, and go GA within a few weeks.”

Assuming the last 5% is going to just take a few weeks is naive from a development point of view. Everyone learns this the hard way, so I don’t mean it as a dig.

ryanwaggoner 1 week ago

Every completed project was at one point a few weeks away from being done.

curious_cat_163 1 week ago

I think you might want to heed the advice about privacy regulations in the other threads.

Just thought, I'd share what I think about the substance of the idea (not the implementation). I think a big untold story in the US healthcare system is how it shifts the burden of coordinating care to patients and/or their loved ones.

To be sure, there are a lot of decisions that the individual (or their NoK) should be making, but the amount of paperwork that flies around and the lack of coordination between, say, an insurance company and the provider is astounding. This becomes very pronounced for every corner case, and the entire machinery is wired to record things in myriad systems but somehow not make things better when it comes to the core outcome -- providing healthcare. Every entity in the food chain is out to (and does!) make a buck. Meanwhile, there is a wait time of > 30 days to meet one's primary care physician over a video chat!

So, I absolutely LOVE your idea. The implementation probably requires a lot of iterations here. One suspects that there are ways in which a consumer-facing app could make some real money to level the playing field in favor of the patient while being a sustainable business.

bhpreece 1 week ago

Thank you for the encouragement.

netdevphoenix 1 week ago

This is a lovely idea. Very HN like in the good sense.

Sadly, it is also very HN like in the not so good sense. Unlike the software world, the real world is not ours to program as we see fit. In the real world, laws matter. And I am concerned that you haven't really read up on the consequences of doing an app like yours without any due diligence. You can't just use people's health data like that.

Anyone using this app could potentially sue you as you are likely breaking the law of the country you live in (I am going to guess it is an Anglo-Saxon country).

You should ASAP bring the app down, contact all users, send them their info, delete them from your servers, notify them of that, and get a lawyer specialising in health related law. With their assistance, you can build an organisation to build the app. This should also limit your liability.

Over2Chars 1 week ago

I am not sure that if you choose to freely share your medical information with people of your choice, it's protected or governed by HIPAA or protected PII, per se.

For example, I believe Brooke Shields told the world she had post-partum depression and was prescribed some anti-depressant and felt it helped her.

https://www.webmd.com/depression/postpartum-depression/featu...

That's "medical information" about "a prescription". She could have, instead, shuffled it into some rando app, and shared it with her family. I don't think any HIPAA laws were broken.

Of course, US laws https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must...

The above doesn't describe anything about private parties. If this "Kate" is some rando app developer, they can do whatever they like. Anyone who is willing to trust a random developer with their information can do so afaict.

IANAL and YMMV etc.

netdevphoenix 1 week ago

As much as folks in the software world believe in complete software development freedom, you can't just build whatever you want and release it. Laws exist that regulate what you can release as much as folks might dislike it. Health apps are just one example.

The problem is that OP literally mentions "medical caregiver" as distinct from "families" which can be interpreted to mean someone that operates as covered entity. That alone puts OP under the risk of being sued and being punished with a very large fine. All a user needs to do is put their data there, share the info with their care assistant who works for a health company. Once that happens, OP is breaking the law.

Terretta 1 week ago

EDIT: Developer included this in a summary:

"Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family."

Insofar as no providers or non-family use this, developer may have a point: my comment's covered-entity reasoning can be disregarded.

---

> Anyone who is willing to trust a random developer with their information can do so afaict.

No, not "anyone" in a multi-party app when "someone" is regulated.

This reasoning (a patient can choose to disclose) doesn't apply here, as the app expects providers to info-share new info, ongoing.

The providers are regulated, they have to keep records, and their sides of their tools have to be covered.

That said, even some U.S. national insurance companies bury a clause in their agreement where, to your point, the patient agrees to sort of declassify their info such that it's (the insurer company's theory goes) no longer considered HIPAA and the insurance company can go bananas with it (e.g., sell it to drug companies).

I had lawyers look into this on behalf of our firm benefits, and we challenged that clause. The national insurance company everyone has heard of instantly gave us a new employee insurance agreement without that clause, which suggests to me they knew it was dicey. (Imagine pinging Google and them dropping a clause from their TOS "just for you". That would only happen if they knew it didn't have legs.)

But, dicey or not, it suggests a path to try if you want to attempt this!

Over2Chars 1 week ago

As I said, the description isn't clear about whether the regulation entity is a party to it, or is what is being shared in it (I think the clarification suggests I was right).

You, Brooke Shields, can share your information with your boyfriend, Tom Cruise, about who you see for your anti-depressants: the amount, name of the doctor, dosage. You can even use a random app developed by some Joe Dev installed through f-droid as an APK with data stored in North Korean data centers (does North Korea have data centers?). The world is yours.