Kate's App is a tool to coordinate doctor contact information, prescriptions, pharmacies, appointments, notes, and other information with family and caregivers, and do it safely and privately. This is not a clinic portal, and is not associated with any insurance or medical providers.
The app is 95% complete, and is entirely usable as is (for any interested beta users). I intend to clean up the rest of it, and go GA within a few weeks. In the meantime, I would love to answer any questions or hear helpful critiques.
BTW, Show HN is the best.
Does the app/company fall under HIPAA regulation? If it does, what security & privacy measures are in place to guarantee compliance? If it does not, what security & privacy measures are in place to prevent government fishing expeditions?
Finally, what security & privacy measures are in place to prevent app developer having a change of heart about selling the data? What if, say, United Healthcare offers to buy the app and the data for $1B?
Yes. Two features high on my list of todos: 1) download all your data; 2) delete all data from the site.
The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.
Otherwise, you have only my integrity. I'm not looking to sell it, but I would love to hand this over to someone with more resources and bigger pockets. If I ever do, I would want those reassurances from them first, and I would definitely give all users fair warning, so they can pull out if they don't have the same confidence I do.
I know it's been said elsewhere, but you need a lawyer. This isn't something for you to work out; it's something for you to clearly understand your legal obligations, and what your exposure is based on which jurisdictions a user might log in from.
Legal advice is part of working it out.
See https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... as a starting point. We might be able to recommend a lawyer to you if you tell us which state you're located in.
Sorry for the snark.
And even so, nothing precludes people from pursuing civil damages if there's a data breach - this is far more likely with sensitive data coming from a medical provider to a third party.
And as has been hinted at, the lack of professional presentation is going to hurt a lot, and people will immediately ask "can I trust this platform with any of my information?"
Seems like it is intended to be used by covered entities. But it does depend a bit on what "medical caregiver" is intended to mean.
My understanding is you're an actual attorney, yes?
Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.
I ask because Kate's App is similar in ways to my app BoldContacts, which helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.
Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.
If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.
Good advice:
- don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.
- especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil
- do you want to avoid a 5-, 6-, or 7-digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.
- even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.
- for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law
No privacy policy, no real information about the owner behind it. Seems all "trust me, it's private, I pinky swear".
I don't blame you for not using them though since evidently you never looked at your page on mobile ;)
- What country/ies do you accept users from and which jurisdiction do you store their data in?
- Get a HIPAA/GDPR/PHIPA audit by a legal professional ASAP!
So you're hack proof and idiot employee proof?
edit: not a relative link, but a 404 regardless
Just thought I'd share what I think about the substance of the idea (not the implementation). I think a big untold story in the US healthcare system is how it shifts the burden of coordinating care to patients and/or their loved ones.
To be sure, there are a lot of decisions that the individual (or their NoK) should be making, but the amount of paperwork that flies around and lack of coordination between say an insurance company and the provider is astounding. This becomes very pronounced for every corner case and the entire machinery is wired to record things in myriad systems but somehow not make things better when it comes to the core outcomes -- providing healthcare. Every entity in the food chain is out to (and does!) make a buck. Meanwhile, there is a wait time of > 30 days to meet one's primary care physician over a video chat!
So, I absolutely LOVE your idea. The implementation probably requires a lot of iterations here. One suspects that there are ways in which a consumer facing app could make some real money to level the playing field in favor of the patient while being a sustainable business.
If your goal is to "find a learning project," I suggest finding a very different "learning project." Otherwise, keep "Kate's app" private, word-of-mouth, invite-only for under 20 people.
The 1980s and 1990s are long-gone, you can no longer "learn as you go" when the consequences of your application malfunctioning have real-world implications.
---
A few years ago, my employer used an HR app that appeared built by a novice. In that time period, they sent me a PDF with tax information for half the people in the company, and then they royally screwed up the tax information sent to the IRS for me.
It sucks that you've been burnt by that before, but it sounds like your employer was the one who screwed you there, not the author of the application.
The sparse documentation makes claims about privacy and security, but there is no evidence to back those claims.
The issue of my employer is an example of real world consequences when a novice builds a product without understanding the rules they need to follow.
Unfortunately, there is a cohort of people in the startup scene, and who also participate in Hacker News, who don't like to hear negative feedback even when there are very clear consequences that that feedback is trying to address. Don't be one of those people, especially around issues of legal compliance.
HIPAA very much applies to this type of app or any other type of app that may deal in personally identifying information (PII) related to healthcare.
Edit: If no healthcare provider has access then maybe it could skate by. I interpreted "any user making notes to your account" to mean healthcare providers would have access. Even if not, they should still seek legal counsel. And this app is literally promising safety and security of healthcare information.
I couldn't find a privacy policy so it's likely to be criminal to supply this software to EU citizens.
sure, there are risks, but take them. make a thing for people who take care of other people. this is for a woman who takes care of her husband with alzheimers, or a man who takes care of his wife with parkinsons. fuck the system. make something someone wants.
good luck.
What a claim to make.
This app is the system, with a "trust me bro" approach to privacy and security.
Its creator is probably well intentioned, but this is likely to result in bad things for its users.
This seems like a good experiment in building a CRUD app, but I'd recommend doing that with something with less liability.
As someone who never heard of either MyChart or Epic, I'm guessing it could be useful for people like me who don't have those things.
It's not a place where I'm going to store contact information for all my doctors, or appointments for doctors that aren't at that clinic, or all my prescriptions and all the pharmacies.
When your daughter is reacting badly to her new chemotherapy, and running fevers and throwing up, and somebody needs to call her palliative care specialist and it needs to be you, not her, then where will you find the specialist's phone number?
I hope you'll never be there, but if you are, I think you'll understand.
Comments on legal issues: I absolutely agree and 100% plan to get legal advice. In the meantime, if you have personal experience, I would love to learn from you.
Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family.
Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?
Comments on terms of use, etc: Yes, this needs to be done, but I figured the terms of use are of no use until there's something to use.
Comments on "novice" and "learning projects": Yes this was absolutely built with love and grand intentions, and no, I'm not a novice. I wrote this because my adult daughter died of cancer recently, and we really could have used this. If I can help others deal with the pain of diseases like this, then I'm going to try. I'll work through the problems as they come up.
Aside from the security audit, I'm also looking for someone who'll do a much more professional design and L&F for the site.
Another issue I can really use advice on is how to show this to the people who need it. People who aren't dealing with the problem right now, aren't interested. How do I reach the maybe 5% to 10% of people who have the need right now?
The best first step is to conduct a review yourself; you may want to hire or recruit a volunteer to do a security review, but you can kick it off yourself by using free, open source tools to scan your application, your code, and your environment.
Your first stop should be https://developer.mozilla.org/en-US/observatory because there are some simple, prescriptive improvements you can make.
Your second stop should be using a container or cloud security scanning tool to check for vulnerable configurations and packages. There are a myriad of tools available, like Trivy for container scanning, Prowler https://github.com/prowler-cloud/prowler or ScoutSuite https://github.com/nccgroup/ScoutSuite for scanning your cloud environments, etc.
Your third stop should be https://www.zaproxy.org/, which is a free download you can use, and https://www.zaproxy.org/getting-started/ is a great way to get started. This will help you quickly identify low hanging fruit that can be found through automated scanning.
Your fourth stop should be running language appropriate static analysis tools against your application. There are too many to mention, but here is a good starting list: https://owasp.org/www-community/Source_Code_Analysis_Tools
All of these will give you quick, tactical things you can address. Once you get through any critical findings (which frequently, but not always, means they are directly exploitable without additional effort) you should threat model your application, and build a plan for security - https://owasp.org/www-community/Threat_Modeling
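The "simple, prescriptive improvements" that the first stop above (Mozilla Observatory) reports on are mostly HTTP response headers. The following is an added example, not code from the comment above, from Observatory, or from Kate's App: a small offline checker for the same headers (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and cookie flags) that you can run against headers captured with `curl -sI` before and after a fix. The thresholds (a six-month HSTS floor, which referrer policies count as weak) and the two sample responses are assumptions constructed for this example; Observatory's own grading differs in detail.

```python
import re
from typing import Dict, List, Mapping, Union

Headers = Mapping[str, Union[str, List[str]]]

# Assumed thresholds for this example; Observatory's real grading is more detailed.
MIN_HSTS_MAX_AGE = 15552000  # roughly six months, in seconds
WEAK_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE: Headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_RESPONSE: Headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
}


def _values(headers: Headers, name: str) -> List[str]:
    """All values for a header, matched case-insensitively (Set-Cookie may repeat)."""
    out: List[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(value if isinstance(value, list) else [value])
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: Headers) -> List[str]:
    """Return finding identifiers; an empty list means every check passed."""
    findings: List[str] = []

    hsts = _values(headers, "Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not hsts:
        findings.append("hsts-missing")
    elif not max_age or int(max_age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("hsts-max-age-too-short")

    csp_raw = _values(headers, "Content-Security-Policy")
    csp = parse_csp(csp_raw[0]) if csp_raw else {}
    if not csp:
        findings.append("csp-missing")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("csp-unsafe-inline-script")

    # Clickjacking: need frame-ancestors in the CSP or a restrictive X-Frame-Options.
    xfo = [v.strip().upper() for v in _values(headers, "X-Frame-Options")]
    if "frame-ancestors" not in csp and not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append("clickjacking-unprotected")

    xcto = _values(headers, "X-Content-Type-Options")
    if not any(v.strip().lower() == "nosniff" for v in xcto):
        findings.append("x-content-type-options-missing")

    referrer = _values(headers, "Referrer-Policy")
    if not referrer or referrer[0].strip().lower() in WEAK_REFERRER_POLICIES:
        findings.append("referrer-policy-weak")

    # Session cookies on a site holding medical notes should carry all three flags.
    for cookie in _values(headers, "Set-Cookie"):
        name = cookie.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-missing-httponly:{name}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie-missing-samesite:{name}")

    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "no findings")
```

To use it on a live site, paste the output of `curl -sI https://your-host/` into a dict (or a list for repeated Set-Cookie lines) and call `audit_headers`; the finding names map directly onto the header you need to add or tighten. A clean result here is a floor, not a grade: it says nothing about authentication, authorization, or how the data is stored, which is what the threat modeling step is for.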
EDIT: In any case, you could take a look at https://github.com/YousefED/Matrix-CRDT. Matrix takes care of e2ee. CRDTs give you local-first super powers.
Shame this is such a legal minefield. I do not think you should put this on GA.
High on my list. Or youtube, or something like that.
* More screenshots/use cases.
* Information about who you are/why it's called Kate's App. I think that especially for single/small dev teams, this can really help build trust and interest.
* Said elsewhere, but a publicly available privacy policy. Also not seeing any after signing up. Big red flag.
* IMO, don't have usernames AND emails at sign up. Choose one.
* Needs padding on either side. Other formatting issues too, but that was the most glaring one.