Show HN: Kate's App
79 comments
January 9, 2025
otterley
If you're dealing with personal health information (PHI), I would advise you to temporarily close your site and hire a lawyer straight away. Whenever you touch this kind of data, regulatory regimes like HIPAA may apply, and you need to be extremely careful. There's not a HIPAA compliance or even a privacy policy statement available on your front page.
See https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... as a starting point. We might be able to recommend a lawyer to you if you tell us which state you're located in.
jph
> Whenever you touch this kind of data, regulatory regimes like HIPAA apply,
My understanding is you're an actual attorney, yes?
Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.
I ask because Kate's App is similar in ways to my app BoldContacts, which helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.
otterley
I can't provide legal advice here; sorry. But I will say that there is a pretty big difference between hosting arbitrary customer-provided data where the customer can enter either kitchen recipes or medical data at their choosing, and stating that your service is intended to store PHI and attracting such information as a result.
bhpreece
I like boldcontacts. It wouldn't have been useful for my daughter, but it would have been useful for my grandmother.
colechristensen
I'm not a lawyer so I can give a little bit of legal advice, but... yeah get a lawyer.
Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.
If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.
Good advice:
- don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.
- especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil
- do you want to avoid a 5-, 6-, or 7-digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.
- even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.
- for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law
bhpreece
I would appreciate a recommendation. I'm in Minnesota.
roegerle
Are they a covered entity?
nkozyra
While I agree that they probably aren't, their intended customer base is.
And even so, nothing precludes people from pursuing civil damages if there's a data breach - this is far more likely with sensitive data coming from a medical provider to a third party.
And as has been hinted at, the lack of professional presentation is going to hurt a lot, and people will immediately ask "can I trust this platform with any of my information?"
fluidcruft
> Kate's App is a tool created to support medical caregivers and the people they care for
Seems like it is intended to be used by covered entities. But it does depend a bit on what "medical caregiver" is intended to mean.
gwbas1c
I don't want to repeat other comments here; but this app smells of a very dangerous attitude: Built with love by novices with grand intentions, with complete blindness to the real consequences that happen when novices are ignorant in their field.
If your goal is to "find a learning project," I suggest finding a very different "learning project." Otherwise, keep "Kate's app" private, word-of-mouth, invite-only for under 20 people.
The 1980s and 1990s are long-gone, you can no longer "learn as you go" when the consequences of your application malfunctioning have real-world implications.
---
A few years ago, my employer used an HR app that appeared built by a novice. In that time period, they sent me a PDF with tax information for half the people in the company, and then they royally screwed up the tax information sent to the IRS for me.
diggan
How do you know that the authors are novices with "complete blindness" to real consequences? Where are you getting the "find a learning project" goal from?
It sucks that you've been burnt by that before, but it sounds like your employer was the one who screwed you there, not the author of the application.
gwbas1c
Complete lack of legal compliance in the area that they are operating; the style of the name.
The issue of my employer is an example of real world consequences when a novice builds a product without understanding the rules they need to follow.
Unfortunately, there is a cohort of people in the startup scene, and who also participate in Hacker News, who don't like to hear negative feedback even when there are very clear consequences that that feedback is trying to address. Don't be one of those people, especially around issues of legal compliance.
ygjb
Uh, this appears to be an application that collects data that is regulated in most legal jurisdictions, lacks a published terms of use, doesn't have a published privacy policy, and at first glance is missing rudimentary security controls related to TLS and content security.
The sparse documentation makes claims about privacy and security, but there is no evidence to back those claims.
tantalor
They don't know, it's a total guess. That's why they hedge with phrases like "smell" and "if your goal..."
threatofrain
Total guess implies that they closed their eyes and made a random choice. There's a reason why the top posts, including one by a lawyer (who recommends immediately shutting down the site before getting advice), are saying caution is very warranted.
curious_cat_163
I think you might want to heed the advice about privacy regulations in the other threads.
Just thought, I'd share what I think about the substance of the idea (not the implementation). I think a big untold story in the US healthcare system is how it shifts the burden of coordinating care to patients and/or their loved ones.
To be sure, there are a lot of decisions that the individual (or their NoK) should be making, but the amount of paperwork that flies around and lack of coordination between say an insurance company and the provider is astounding. This becomes very pronounced for every corner case, and the entire machinery is wired to record things in myriad systems but somehow not make things better when it comes to the core outcomes -- providing healthcare. Every entity in the food chain is out to (and does!) make a buck. Meanwhile, there is a wait time of > 30 days to meet one's primary care physician over a video chat!
So, I absolutely LOVE your idea. The implementation probably requires a lot of iterations here. One suspects that there are ways in which a consumer facing app could make some real money to level the playing field in favor of the patient while being a sustainable business.
bhpreece
Thank you for the encouragement.
harvey9
Putting aside all the legal issues, I would like to see more details of what it does before I sign up. Seems like you need to register yourself and then get all your family/carers to register and then link their accounts to yours? There should be some screen shots of the app in action (with dummy data of course).
Shame this is such a legal minefield. I do not think you should put this on GA.
bhpreece
> screenshots
High on my list. Or youtube, or something like that.
TrainedMonkey
Who owns the data and where it is stored?
warkdarrior
Also, how identifiable is the data? Can a (US state) government agency subpoena data for individual users?
Does the app/company fall under HIPAA regulation? If it does, what security & privacy measures are in place to guarantee compliance? If it does not, what security & privacy measures are in place to prevent government fishing expeditions?
Finally, what security & privacy measures are in place to prevent app developer having a change of heart about selling the data? What if, say, United Healthcare offers to buy the app and the data for $1B?
bhpreece
> app developer having a change of heart
Yes. Two features high on my list of todos: 1) download all your data; 2) delete all data from the site.
The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.
Otherwise, you have only my integrity. I'm not looking to sell it, but I would love to hand this over to someone with more resources and bigger pockets. If I ever do, I would want those reassurances from them first, and I would definitely give all users fair warning, so they can pull out if they don't have the same confidence I do.
ygjb
> The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.
I know it's been said elsewhere, but you need a lawyer. This isn't something for you to work out, it's something for you to clearly understand your legal obligations, and what your exposure is based on which jurisdictions a user might log in from.
bhpreece
Thank you everybody for your comments.
Comments on legal issues: I absolutely agree and 100% plan to get legal advice. In the meantime, if you have personal experience, I would love to learn from you.
Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family.
Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?
Comments on terms of use, etc: Yes, this needs to be done, but I figured the terms of use are of no use until there's something to use.
Comments on "novice" and "learning projects": Yes this was absolutely built with love and grand intentions, and no, I'm not a novice. I wrote this because my adult daughter died of cancer recently, and we really could have used this. If I can help others deal with the pain of diseases like this, then I'm going to try. I'll work through the problems as they come up.
Aside from the security audit, I'm also looking for someone who'll do a much more professional design and L&F for the site.
Another issue I can really use advice on is how to show this to the people who need it. People who aren't dealing with the problem right now, aren't interested. How do I reach the maybe 5% to 10% of people who have the need right now?
sotomski
Hey mate, it just so happens that I’m working on a very similar thing. Maybe I could help you out regarding security and local-first stuff? Drop me an email if you’re interested. Cheers.
EDIT: In any case, you could take a look at https://github.com/YousefED/Matrix-CRDT. Matrix takes care of e2ee. CRDTs give you local-first super powers.
bhpreece
I am interested in local-first and security. I'll get in touch.
ygjb
> Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?
The best first step is to conduct a review yourself; you may want to hire or recruit a volunteer to do a security review, but you can kick it off yourself by using free, open source tools to scan your application, your code, and your environment.
Your first stop should be https://developer.mozilla.org/en-US/observatory because there are some simple, prescriptive improvements you can make.
Your second stop should be using a container or cloud security scanning tool to check for vulnerable configurations and packages. There are a myriad of tools available, like Trivy for container scanning, Prowler https://github.com/prowler-cloud/prowler or ScoutSuite https://github.com/nccgroup/ScoutSuite for scanning your cloud environments, etc.
Your third stop should be https://www.zaproxy.org/, which is a free download you can use, and https://www.zaproxy.org/getting-started/ is a great way to get started. This will help you quickly identify low hanging fruit that can be found through automated scanning.
Your fourth stop should be running language appropriate static analysis tools against your application. There are too many to mention, but here is a good starting list: https://owasp.org/www-community/Source_Code_Analysis_Tools
All of these will give you quick, tactical things you can address. Once you get through any critical findings (which frequently, but not always means they are directly exploitable without additional effort) you should threat model your application, and build a plan for security - https://owasp.org/www-community/Threat_Modeling
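One way to get a head start on the first stop (the Observatory-style header review) before running the hosted scanner, as an added example that is not part of this thread or of Kate's App; the checks and thresholds are assumptions modelled on what Observatory reports, and the sample header sets are constructed:

```python
"""Self-check of HTTP security response headers, in the spirit of what
Mozilla Observatory flags. Added example; thresholds are assumptions."""
import re
import urllib.request

# Observatory treats HSTS max-age under six months (15768000 s) as weak.
HSTS_MIN_AGE = 15768000


def fetch_headers(url: str) -> dict:
    """Fetch a URL and return its response headers (names lower-cased)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


def check_security_headers(headers: dict) -> list:
    """Return a list of findings for one response; [] means nothing flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS max-age shorter than six months")
    csp = h.get("content-security-policy", "")
    # Split the policy into {directive: [sources]} for inspection.
    directives = {d.split()[0]: d.split()[1:]
                  for d in csp.split(";") if d.strip()}
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in directives.get(
            "script-src", directives.get("default-src", [])):
        findings.append("CSP allows inline scripts ('unsafe-inline')")
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors/X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    cookie = h.get("set-cookie", "").lower()
    if cookie and not ("secure" in cookie and "httponly" in cookie):
        findings.append("cookie lacks Secure and/or HttpOnly")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_security_headers(hdrs) or "no findings")
```

Point `fetch_headers` at your own site and pass the result to `check_security_headers` to get the same list for a live response.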
bhpreece
Thank you for these recommendations. I'll check out all of them.
Tarrosion
I'm sorry for your loss, and I hope that helping others through this project helps you find some solace. IMHO, it's a mark of character that your response to having a problem is "I want to help other people so they suffer this problem less than I did."
jimt1234
I'm sorry about your daughter. ... I, too, recently lost a close relative to cancer, and yes, understanding and knowing how to navigate everything involved would've helped greatly.
rgbrgb
Sounds like many have privacy/compliance concerns. A bit of horizontal padding is all I ask.
bhpreece
I would love to find a good web page designer.
rafram
Privacy concerns aside, I don't really understand what the point of this is, to be honest. You can already add family/caregivers as authorized users on a MyChart (Epic) profile, which is an actual source of truth, not a separate data store that you need to update manually.
This seems like a good experiment in building a CRUD app, but I'd recommend doing that with something with less liability.
bhpreece
I use MyChart. It's a great way for your doctor and clinic to communicate with you.
It's not a place where I'm going to store contact information for all my doctors, or appointments for doctors that aren't at that clinic, or all my prescriptions and all the pharmacies.
When your daughter is reacting badly to her new chemotherapy, and running fevers and throwing up, and somebody needs to call her palliative care specialist and it needs to be you, not her, then where will you find the specialist's phone number?
I hope you'll never be there, but if you are, I think you'll understand.
diggan
> I don't really understand what the point of this is, to be honest [...] on a MyChart (Epic) profile
As someone who never heard of either MyChart nor Epic, I'm guessing it could be useful for people like me who don't have those things.
bhpreece
Not really. MyChart (which is provided by Epic) is a way for doctors and clinics to communicate with patients. Although you could give your doctor access to your information on Kate's App, that's not the purpose, and they probably don't want it.
i_love_retros
> Your data will not be sold, shared, or given away. Your medical data is the most private data you have, and we respect that.
So you're hack proof and idiot employee proof?
cess11
Apparently, and they'll never enter bankruptcy proceedings and get sold that way.
metalliqaz
Is any company?
InsideOutSanta
No, but I guess a product like this should be built in a way that the company doesn't have access to unencrypted data in the first place.
hk__2
The header link of static pages like https://katesapp.org/static/What%20Is%20Kate's%20App.html doesn’t work.
bhpreece
The page loads fine on all my devices and browsers. What are you seeing?
nkozyra
Go to that page then click the header link. It goes to https://katesapp.org/KatesApp/.
edit: not a relative link, but a 404 regardless
bhpreece
Ah. Thank you.
thecosas
Some feedback:
* More screenshots/use cases.
* Information about who you are/why it's called Kate's App. I think that especially for single/small dev teams, this can really help build trust and interest.
* Said elsewhere, but a publicly available privacy policy. Also not seeing any after signing up. Big red flag.
* IMO, don't have usernames AND emails at sign up. Choose one.
* Needs padding on either side. Other formatting issues too, but that was the most glaring one.
bhpreece
Thank you. They're all in my kanban now.
1vuio0pswjnm7
bhpreece
I wasn't aware of that site. Thank you.
Caregiving is a natural, human act of compassion and caring, and most of us, at some point, will rely on someone to help us with our health care (> 70%) or be tasked with helping someone else (> 10%).
Kate's App is a tool to coordinate doctor contact information, prescriptions, pharmacies, appointments, notes, and other information with family and caregivers, and do it safely and privately. This is not a clinic portal, and is not associated with any insurance or medical providers.
The app is 95% complete, and is entirely usable as is (for any interested beta users). I intend to clean up the rest of it, and go GA within a few weeks. In the meantime, I would love to answer any questions or hear helpful critiques.
BTW, Show HN is the best.