Show HN: Kate's App (katesapp.org)
Submitted by bhpreece 11 hours ago
  • otterley 10 hours ago

    If you're dealing with personal health information (PHI), I would advise you to temporarily close your site and hire a lawyer straight away. Whenever you touch this kind of data, regulatory regimes like HIPAA may apply, and you need to be extremely careful. There's not a HIPAA compliance or even a privacy policy statement available on your front page.

    See https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... as a starting point. We might be able to recommend a lawyer to you if you tell us which state you're located in.

    • jph 9 hours ago

      > Whenever you touch this kind of data, regulatory regimes like HIPAA apply,

      My understanding is you're an actual attorney, yes?

      Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.

      I ask because Kate's App is similar in ways to my app BoldContacts, which helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

      https://boldcontacts.org

      • otterley 9 hours ago

        I can't provide legal advice here; sorry. But I will say that there is a pretty big difference between hosting arbitrary customer-provided data where the customer can enter either kitchen recipes or medical data at their choosing, and stating that your service is intended to store PHI and attracting such information as a result.

        • bhpreece 7 hours ago

          I like boldcontacts. It wouldn't have been useful for my daughter, but it would have been useful for my grandmother.

          • colechristensen 9 hours ago

            I'm not a lawyer so I can give a little bit of legal advice, but... yeah get a lawyer.

            Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.

            If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.

            Good advice:

            - don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.

            - especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil

            - do you want to avoid a 5, 6, or 7 digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.

            - even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.

            - for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law

          • bhpreece 7 hours ago

            I would appreciate a recommendation. I'm in Minnesota.

            • roegerle 9 hours ago

              Are they a covered entity?

              • nkozyra 9 hours ago

                While I agree that they probably aren't, their intended customer base is.

                And even so, nothing precludes people from pursuing civil damages if there's a data breach - this is far more likely with sensitive data coming from a medical provider to a third party.

                And as has been hinted at, the lack of professional presentation is going to hurt a lot, and people will immediately ask "can I trust this platform with any of my information?"

                • fluidcruft 9 hours ago

                  > Kate's App is a tool created to support medical caregivers and the people they care for

                  Seems like it is intended to be used by covered entities. But it does depend a bit on what "medical caregiver" is intended to mean.

                  • otterley 9 hours ago

                    That's not for any of us to determine here. A lawyer can answer that.

                    • roegerle 9 hours ago

                      I doubt they are.

                      • maeil 9 hours ago

                        Better get a HIPAA lawyer if you run a personal blog with comments turned on, got it. What if someone posts their own medical information!?

                        Sorry for the snark.

                        • rafram 9 hours ago

                          This is literally an app that asks for your confidential medical information. My not-a-lawyer interpretation of the law is that it probably is not covered by HIPAA (to be a "business associate" you need to have a direct financial relationship with a covered entity, i.e., a medical provider), but your snark is pretty reductionist.

                  • gwbas1c 9 hours ago

                    I don't want to repeat other comments here; but this app smells of a very dangerous attitude: Built with love by novices with grand intentions, with complete blindness to the real consequences that happen when novices are ignorant in their field.

                    If your goal is to "find a learning project," I suggest finding a very different "learning project." Otherwise, keep "Kate's app" private, word-of-mouth, invite-only for under 20 people.

                    The 1980s and 1990s are long-gone, you can no longer "learn as you go" when the consequences of your application malfunctioning have real-world implications.

                    ---

                    A few years ago, my employer used an HR app that appeared built by a novice. In that time period, they sent me a PDF with tax information for half the people in the company, and then they royally screwed up the tax information sent to the IRS for me.

                    • diggan 9 hours ago

                      How do you know that the authors are novices with "complete blindness" to real consequences? Where are you getting the "find a learning project" goal from?

                      It sucks that you've been burnt by that before, but it sounds like your employer was the one who screwed you there, not the author of the application.

                      • gwbas1c 4 hours ago

                        Complete lack of legal compliance in the area that they are operating; the style of the name.

                        The issue of my employer is an example of real world consequences when a novice builds a product without understanding the rules they need to follow.

                        Unfortunately, there is a cohort of people in the startup scene, and who also participate in Hacker News, who don't like to hear negative feedback even when there are very clear consequences that that feedback is trying to address. Don't be one of those people, especially around issues of legal compliance.

                        • ygjb 8 hours ago

                          Uh, this appears to be an application that collects data that is regulated in most legal jurisdictions, lacks a published terms of use, doesn't have a published privacy policy, and at first glance is missing rudimentary security controls related to TLS and content security.

                          The sparse documentation makes claims about privacy and security, but there is no evidence to back those claims.

                          • tantalor 8 hours ago

                            They don't know, it's a total guess. That's why they hedge with phrases like "smell" and "if your goal..."

                            • threatofrain 6 hours ago

                              Total guess implies that they closed their eyes and made a random choice. There's a reason why the top posts, including one by a lawyer (who recommends immediately shutting down the site before getting advice), are saying caution is very warranted.

                        • curious_cat_163 9 hours ago

                          I think you might want to heed the advice about privacy regulations in the other threads.

                          Just thought I'd share what I think about the substance of the idea (not the implementation). I think a big untold story in the US healthcare system is how it shifts the burden of coordinating care to patients and/or their loved ones.

                          To be sure, there are a lot of decisions that the individual (or their NoK) should be making, but the amount of paperwork that flies around and lack of coordination between, say, an insurance company and the provider is astounding. This becomes very pronounced for every corner case, and the entire machinery is wired to record things in myriad systems but somehow not make things better when it comes to the core outcomes -- providing healthcare. Every entity in the food chain is out to (and does!) make a buck. Meanwhile, there is a wait time of > 30 days to meet one's primary care physician over a video chat!

                          So, I absolutely LOVE your idea. The implementation probably requires a lot of iterations here. One suspects that there are ways in which a consumer facing app could make some real money to level the playing field in favor of the patient while being a sustainable business.

                          • bhpreece 6 hours ago

                            Thank you for the encouragement.

                          • harvey9 9 hours ago

                            Putting aside all the legal issues, I would like to see more details of what it does before I sign up. Seems like you need to register yourself and then get all your family/carers to register and then link their accounts to yours? There should be some screen shots of the app in action (with dummy data of course).

                            Shame this is such a legal minefield. I do not think you should put this on GA.

                            • bhpreece 8 hours ago

                              > screenshots

                              High on my list. Or youtube, or something like that.

                            • TrainedMonkey 10 hours ago

                              Who owns the data and where it is stored?

                              • warkdarrior 9 hours ago

                                Also, how identifiable is the data? Can a (US state) government agency subpoena data for individual users?

                                Does the app/company fall under HIPAA regulation? If it does, what security & privacy measures are in place to guarantee compliance? If it does not, what security & privacy measures are in place to prevent government fishing expeditions?

                                Finally, what security & privacy measures are in place to prevent app developer having a change of heart about selling the data? What if, say, United Healthcare offers to buy the app and the data for $1B?

                                • bhpreece 8 hours ago

                                  > app developer having a change of heart

                                  Yes. Two features high on my list of todos: 1) download all your data; 2) delete all data from the site.

                                  The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.

                                  Otherwise, you have only my integrity. I'm not looking to sell it, but I would love to hand this over to someone with more resources and bigger pockets. If I ever do, I would want those reassurances from them first, and I would definitely give all users fair warning, so they can pull out if they don't have the same confidence I do.

                                  • ygjb 8 hours ago

                                    > The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.

                                    I know it's been said elsewhere, but you need a lawyer. This isn't something for you to work out, it's something for you to clearly understand your legal obligations, and what your exposure is based on which jurisdictions a user might log in from.

                                    • bhpreece 7 hours ago

                                      > you need a lawyer

                                      Legal advice is part of working it out.

                              • bhpreece 9 hours ago

                                Thank you everybody for your comments.

                                Comments on legal issues: I absolutely agree and 100% plan to get legal advice. In the meantime, if you have personal experience, I would love to learn from you.

                                Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family.

                                Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?

                                Comments on terms of use, etc: Yes, this needs to be done, but I figured the terms of use are of no use until there's something to use.

                                Comments on "novice" and "learning projects": Yes this was absolutely built with love and grand intentions, and no, I'm not a novice. I wrote this because my adult daughter died of cancer recently, and we really could have used this. If I can help others deal with the pain of diseases like this, then I'm going to try. I'll work through the problems as they come up.

                                Aside from the security audit, I'm also looking for someone who'll do a much more professional design and L&F for the site.

                                Another issue I can really use advice on is how to show this to the people who need it. People who aren't dealing with the problem right now, aren't interested. How do I reach the maybe 5% to 10% of people who have the need right now?

                                • sotomski 8 hours ago

                                  Hey mate, it just so happens that I’m working on a very similar thing. Maybe I could help you out regarding security and local-first stuff? Drop me an email if you’re interested. Cheers.

                                  EDIT: In any case, you could take a look at https://github.com/YousefED/Matrix-CRDT. Matrix takes care of e2ee. CRDTs give you local-first super powers.

                                  • bhpreece 7 hours ago

                                    I am interested in local-first and security. I'll get in touch.

                                  • ygjb 8 hours ago

                                    > Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?

                                    The best first step is to conduct a review yourself; you may want to hire or recruit a volunteer to do a security review, but you can kick it off yourself by using free, open source tools to scan your application, your code, and your environment.

                                    Your first stop should be https://developer.mozilla.org/en-US/observatory because there are some simple, prescriptive improvements you can make.

                                    Your second stop should be using a container or cloud security scanning tool to check for vulnerable configurations and packages. There are a myriad of tools available, like Trivy for container scanning, Prowler https://github.com/prowler-cloud/prowler or ScoutSuite https://github.com/nccgroup/ScoutSuite for scanning your cloud environments, etc.

                                    Your third stop should be https://www.zaproxy.org/, which is a free download you can use, and https://www.zaproxy.org/getting-started/ is a great way to get started. This will help you quickly identify low hanging fruit that can be found through automated scanning.

                                    Your fourth stop should be running language appropriate static analysis tools against your application. There are too many to mention, but here is a good starting list: https://owasp.org/www-community/Source_Code_Analysis_Tools

                                    All of these will give you quick, tactical things you can address. Once you get through any critical findings (which frequently, but not always, means they are directly exploitable without additional effort) you should threat model your application, and build a plan for security - https://owasp.org/www-community/Threat_Modeling
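To make the "simple, prescriptive improvements" of that first stop concrete, here is an offline audit of a response's security headers (HSTS, CSP, framing, MIME sniffing, referrer policy, cookie flags) along the lines of what Observatory reports; it is an added example, not code from ygjb or from Kate's App. The two header sets are constructed, and the six-month HSTS threshold is an assumed baseline.

```python
"""Offline audit of a web app's HTTP response headers against the baseline
controls Observatory-style scanners report on (HSTS, CSP, framing, MIME
sniffing, referrer policy, cookie flags). Added example, not Kate's App code."""
import re
from typing import Dict, List, Union

Headers = Dict[str, Union[str, List[str]]]

# Assumed threshold: six months, a common floor for a "good" HSTS max-age.
MIN_HSTS_MAX_AGE = 15768000


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return policy


def cookie_findings(set_cookie_values: List[str]) -> List[str]:
    """Flag cookies that lack Secure, HttpOnly or SameSite."""
    findings = []
    for raw in set_cookie_values:
        attrs = [a.strip() for a in raw.split(";")]
        name = attrs[0].split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in flags:
                findings.append(f"cookie {name}: missing {required}")
    return findings


def audit_headers(headers: Headers) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met.

    Header names are matched case-insensitively. Set-Cookie repeats, so it
    is passed as a list of raw cookie strings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: present, with a max-age long enough to matter
    hsts = str(h.get("strict-transport-security", ""))
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("HSTS: Strict-Transport-Security missing or has no max-age")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS: max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")

    # CSP: present, and script sources not effectively open
    csp = str(h.get("content-security-policy", ""))
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("CSP: Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when absent
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP: neither script-src nor default-src set")
        for bad in ("unsafe-inline", "unsafe-eval", "*", "http:", "data:"):
            if bad in scripts:
                findings.append(f"CSP: script sources allow {bad}")
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("Framing: no frame-ancestors directive or X-Frame-Options")

    if str(h.get("x-content-type-options", "")).lower() != "nosniff":
        findings.append("MIME: X-Content-Type-Options is not 'nosniff'")

    referrer = str(h.get("referrer-policy", "")).lower()
    if not referrer:
        findings.append("Referrer-Policy missing")
    elif referrer in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy '{referrer}' leaks full URLs")

    cookies = h.get("set-cookie", [])
    findings.extend(cookie_findings(list(cookies) if isinstance(cookies, list) else [cookies]))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS: Headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": ["sessionid=abc123; Path=/"],
}

HARDENED_HEADERS: Headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['baseline met']}")
```

Feed it the headers of a real response (for example, the dict from `requests.get(url).headers`, with Set-Cookie collected as a list) to get the same finding list for your own site.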

                                    • bhpreece 7 hours ago

                                      Thank you for these recommendations. I'll check out all of them.

                                    • Tarrosion 8 hours ago

                                      I'm sorry for your loss, and I hope that helping others through this project helps you find some solace. IMHO, it's a mark of character that your response to having a problem is "I want to help other people so they suffer this problem less than I did."

                                      • jimt1234 8 hours ago

                                        I'm sorry about your daughter. ... I, too, recently lost a close relative to cancer, and yes, understanding and knowing how to navigate everything involved would've helped greatly.

                                      • rgbrgb 9 hours ago

                                        Sounds like many have privacy/compliance concerns. A bit of horizontal padding is all I ask.

                                        • bhpreece 7 hours ago

                                          I would love to find a good web page designer.

                                        • i_love_retros 9 hours ago

                                          > You data will not be sold, shared, or given away. Your medical data is the most private data you have, and we respect that.

                                          So you're hack proof and idiot employee proof?

                                          • cess11 9 hours ago

                                            Apparently, and they'll never enter bankruptcy proceedings and get sold that way.

                                            • metalliqaz 9 hours ago

                                              Is any company?

                                              • InsideOutSanta 9 hours ago

                                                No, but I guess a product like this should be built in a way that the company doesn't have access to unencrypted data in the first place.

                                            • rafram 9 hours ago

                                              Privacy concerns aside, I don't really understand what the point of this is, to be honest. You can already add family/caregivers as authorized users on a MyChart (Epic) profile, which is an actual source of truth, not a separate data store that you need to update manually.

                                              This seems like a good experiment in building a CRUD app, but I'd recommend doing that with something with less liability.

                                              • bhpreece 9 hours ago

                                                I use MyChart. It's a great way for your doctor and clinic to communicate with you.

                                                It's not a place where I'm going to store contact information for all my doctors, or appointments for doctors that aren't at that clinic, or all my prescriptions and all the pharmacies.

                                                When your daughter is reacting badly to her new chemotherapy, and running fevers and throwing up, and somebody needs to call her palliative care specialist and it needs to be you, not her, then where will you find the specialist's phone number?

                                                I hope you'll never be there, but if you are, I think you'll understand.

                                                • diggan 9 hours ago

                                                  > I don't really understand what the point of this is, to be honest [...] on a MyChart (Epic) profile

                                                  As someone who never heard of either MyChart nor Epic, I'm guessing it could be useful for people like me who don't have those things.

                                                  • bhpreece 8 hours ago

                                                    Not really. MyChart (which is provided by Epic) is a way for doctors and clinics to communicate with patients. Although you could give your doctor access to your information on Kate's App, that's not the purpose, and they probably don't want it.

                                                    • rat87 7 hours ago

                                                      I could understand Epic, since I think that's mainly for doctors, but don't most hospital systems use MyChart or similar portals nowadays to let patients access their appointments/payment/lab results/doctor notes/etc.?

                                                      • rafram 7 hours ago

                                                        MyChart is Epic’s patient frontend.

                                                  • hk__2 9 hours ago

                                                    The header link of static pages like https://katesapp.org/static/What%20Is%20Kate's%20App.html doesn’t work.

                                                    • bhpreece 9 hours ago

                                                      The page loads fine on all my devices and browsers. What are you seeing?

                                                      • nkozyra 9 hours ago

                                                        Go to that page then click the header link. It goes to https://katesapp.org/KatesApp/.

                                                        edit: not a relative link, but a 404 regardless

                                                        • bhpreece 9 hours ago

                                                          Ah. Thank you.

                                                    • thecosas 9 hours ago

                                                      Some feedback:

                                                      * More screenshots/use cases.

                                                      * Information about who you are/why it's called Kate's App. I think that especially for single/small dev teams, this can really help build trust and interest.

                                                      * Said elsewhere, but a publicly available privacy policy. Also not seeing any after signing up. Big red flag.

                                                      * IMO, don't have usernames AND emails at sign up. Choose one.

                                                      * Needs padding on either side. Other formatting issues too, but that was the most glaring one.

                                                      • bhpreece 7 hours ago

                                                        Thank you. They're all in my kanban now.

                                                      • 1vuio0pswjnm7 8 hours ago
                                                        • bhpreece 7 hours ago

                                                          I wasn't aware of that site. Thank you.

                                                        • mrlonglong 9 hours ago

                                                          No. Absolutely not. You will be held legally responsible if you have breaches.

                                                          • dflock 10 hours ago

                                                            Great idea!

                                                            - What country/ies do you accept users from and which jurisdiction do you store their data in?

                                                            - Get a HIPAA/GDPR/PHIPA audit by a legal professional ASAP!

                                                            • bhpreece 8 hours ago

                                                              This information is all in the U.S. I haven't looked at international issues. I'll need to put it on my list.

                                                            • roegerle 9 hours ago

                                                              So HIPAA isn't rocket science and HHS provides plenty of HIPAA guidance. Kate's App isn't providing healthcare so HIPAA doesn't apply.

                                                              • otterley 9 hours ago

                                                                The site might be deemed a Business Associate, depending on the specific facts, which we don't fully possess. That's why I recommended the owner seek counsel.

                                                                • roegerle 8 hours ago

                                                                  A business associate to whom? The user?

                                                                • daveguy 9 hours ago

                                                                  This is not true. I'm not a lawyer, but I am in the healthcare field.

                                                                  HIPAA very much applies to this type of app or any other type of app that may deal in personally identifying information (PII) related to healthcare.

                                                                  • roegerle 8 hours ago
                                                                    • daveguy 7 hours ago

                                                                      It would be a mistake to assume a SaaS that stores healthcare PII for coordinating healthcare is not covered under HIPAA. An exception should be filed at the very least.

                                                                      Edit: If no healthcare provider has access then maybe it could skate by. I interpreted "any user making notes to your account" to mean healthcare providers would have access. Even if not, they should still seek legal counsel. And this app is literally promising safety and security of healthcare information.

                                                                • TemptedMuse 10 hours ago

                                                                  Yeah... this is a lawsuit waiting to happen. Medical data is NOT something you handle with a hobby project.

                                                                  No privacy policy, no real information about the owner behind it. Seems all "trust me, it's private, I pinky swear".

                                                                  • actionfromafar 10 hours ago

                                                                    If it was all running locally, I could see someone getting away with it, possibly. At this point, it's just a tool?

                                                                    • TemptedMuse 10 hours ago

                                                                      Yeah; self-hosted and open source I would be more open to it. This is just kinda sketchy.

                                                                    • mkoryak 10 hours ago

                                                                      That, and also let me tell you about a thing called margins. They help text not run into the edges of the screen.

                                                                      I don't blame you for not using them though since evidently you never looked at your page on mobile ;)

                                                                      • bhpreece 9 hours ago

                                                                        I look at my page on mobiles all the time. The lack of margins really pisses me off.

                                                                    • cess11 9 hours ago

                                                                      Who is on the board and what experience in the field do they have?

                                                                      I couldn't find a privacy policy so it's likely to be criminal to supply this software to EU citizens.

                                                                      • motohagiography 9 hours ago

                                                                        contra view to these comments: keep going. I worked in health information privacy and security longer than all of them and the number of sincere people in it is diminishingly small. the field has become infested with gatekeeper nerds and petty bureaucrats who insist you pay their toll to proceed, or demoralized and cynical opportunists who just go along to get along.

                                                                        sure, there are risks, but take them. make a thing for people who take care of other people. this is for a woman who takes care of her husband with alzheimers, or a man who takes care of his wife with parkinsons. fuck the system. make something someone wants.

                                                                        good luck.

                                                                        • TemptedMuse 8 hours ago

                                                                          > "I worked in health information privacy and security longer than all of them"

                                                                          What a claim to make.

                                                                          • nkozyra 9 hours ago

                                                                            "Keep going" is great advice, but what we're looking at here isn't ready for primetime by any stretch.

                                                                            • bhpreece 7 hours ago

                                                                              I could use your experience. Would you be willing to chat offline?

                                                                              • bhpreece 9 hours ago

                                                                                Thank you. You get it.

                                                                                • g-b-r 8 hours ago

                                                                                  > fuck the system

                                                                                  This app is the system, with a "trust me bro" approach to privacy and security.

                                                                                  Its creator is probably well intentioned, but this is likely to result in bad things for its users.