
PatientBank (YC S16) Is Creating a Unified Medical Record System - stvnchn
http://themacro.com/articles/2016/08/patientbank/
======
kumarski
Lots of exciting stuff happening in this space! PatientBank is a gamechanger
too. Annotating records and storing it for drug discovery is the biological
dream.

Let's find twins where one has the disease and the other doesn't and slap in
the PlaidAPI to see their daily behavior to find potential drug targets.
Something big coming up hopefully.

-----------------------

EMR Records Aggregation

-----------------------

HumanAPI

GetMedal

BloomAPI

UsePrime

ZweenaHealth

Doctrly

Carebox

GorillaHealth

NuskiHealth

PicnicHealth – If you’re developing an application and want to preview what
records look like in here, message me. Happy to help you:

-----------------

HIPAA Compliance

-----------------

There’s a host of SDKs that revolve around spinning up HIPAA compliant
applications. They’re each worth looking at.

Aptible

Catalyze

TrueVault

ClearData

Google & Amazon HIPAA Capabilities/Offerings to Developers

There are even large Fortune 500s playing in the space of making HIPAA
compliant backends more viable for the early stage innovator.

Google’s HIPAA Offering

Amazon’s HIPAA Offering

~~~
hkiely
As someone who's worked in drug discovery and development, I wish finding
biomarkers and drugging targets were this easy so we could improve the lives
of millions of patients. Patient phenotypic information is locked up in the
clinic notes, often as free text, or is no longer entered very well at all
because doctors are rushed seeing more patients. Tools like the Human
Phenotype Ontology format help solve this problem and are being used in
translational biomedical informatics.
[http://human-phenotype-ontology.github.io/downloads.html](http://human-phenotype-ontology.github.io/downloads.html)

~~~
gmarx
I'm working on this problem

~~~
kumarski
If I can help, feel free to reach out to me. :)

------
leovander
At this point, everyone is trying to get the data from the hospitals and
present it to the patient.

Is there anyone trying to compete with the giants in healthcare to make sure
there is clean data to pull from in the first place?

I spend day and night manually reading CCD/CCDAs, making sure they match the
loose specifications that HL7 provides, but there seem to be so many
disconnects between one vendor and another.

I am curious if your digitization of data is mostly pulling from these CCD
documents themselves or actually performing OCR on physical data. Yes, there
are also DICOM/PDF/etc that can act as attachments as well.

I saw in one of the comments you mentioned integrating with hospital
systems. I am curious as to how that might correlate to what access you guys
do have and to which patients as well. I am assuming you can piggyback on
levels of consent and confidentiality that EMRs already have logic for.

Anyway good luck, if you guys are ever looking for remote (US-CA) let me know.

~~~
ndonnellan
Clean data is hard, especially with such fragmentation, but there is progress!
My company supports CCD/HL7 with as many other vendors as will work with us,
but you're right in that the loose specifications make it very hard. I just
worked on a project to import 1M+ patient records and we spent a long time
verifying that we weren't just getting junk. "This field says it's an ICD-9
code, but I just see a string description..."

We also have a RESTful API that has a lot more traction with startups
(honestly because it makes more sense). There is still so much legacy thinking
around "documents" that we are more often trying to step back and think "is
there a better paradigm we should be pushing here?".
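
The check described in the comment above, sketched as an added example (not part of the original comment or any vendor's code): it walks a CCD-style fragment and flags coded elements that declare the ICD-9-CM diagnosis code system but carry free text or nothing in `code`. The function name and the sample XML are constructed for illustration; the check covers code shape only, not membership in the actual code set.

```python
import re
import xml.etree.ElementTree as ET

# HL7-registered OID for the ICD-9-CM diagnosis code system.
ICD9_CM_DIAGNOSIS_OID = "2.16.840.1.113883.6.103"

# Shapes of ICD-9-CM diagnosis codes: 250.00, 401.9, V70.0, E849.0
ICD9_DX_RE = re.compile(
    r"^(?:\d{3}(?:\.\d{1,2})?|V\d{2}(?:\.\d{1,2})?|E\d{3}(?:\.\d)?)$"
)

# Constructed sample, not from a real record. Three values claim ICD-9-CM;
# the fourth is SNOMED CT and is out of scope for this check.
SAMPLE_CCD_FRAGMENT = """\
<section xmlns="urn:hl7-org:v3">
  <entry><observation>
    <value code="250.00" codeSystem="2.16.840.1.113883.6.103"
           displayName="Diabetes mellitus type 2"/>
  </observation></entry>
  <entry><observation>
    <value code="Essential hypertension" codeSystem="2.16.840.1.113883.6.103"/>
  </observation></entry>
  <entry><observation>
    <value code="" codeSystem="2.16.840.1.113883.6.103" displayName="Asthma"/>
  </observation></entry>
  <entry><observation>
    <value code="38341003" codeSystem="2.16.840.1.113883.6.96"/>
  </observation></entry>
</section>
"""


def find_bad_icd9(xml_text):
    """Return (code, reason) for each element that claims ICD-9-CM
    but whose code attribute does not have an ICD-9-CM shape."""
    # For documents from an untrusted sender, use a hardened XML parser
    # before this step; the sample here is embedded and trusted.
    root = ET.fromstring(xml_text)
    problems = []
    for el in root.iter():
        if el.get("codeSystem") != ICD9_CM_DIAGNOSIS_OID:
            continue
        code = (el.get("code") or "").strip()
        if not code:
            problems.append((code, "empty code"))
        elif not ICD9_DX_RE.match(code.upper()):
            problems.append((code, "not an ICD-9-CM code shape"))
    return problems


if __name__ == "__main__":
    for code, reason in find_bad_icd9(SAMPLE_CCD_FRAGMENT):
        print(f"{code!r}: {reason}")
```
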

------
shostack
What legal protections are you offering to ensure my patient data is not
monetized down the road, directly or in aggregate? How would you protect
patient data in the event you sell or go under?

~~~
pfletcherhill
Great question! In the case that something happens to PatientBank or we go
under, we guarantee that we'll continue to host users' medical data. It's also
worth noting that we already make it really easy to export your medical
records from PatientBank.

~~~
shostack
You dodged the bulk of my question around privacy, data ownership, etc. Is it
safe then to assume your business plan is to be cavalier with this data
against my authorization and monetize it in a non-anonymous fashion?

~~~
mertcelebi
Hi shostack, I am so sorry part of your question was unanswered.

As I wrote in a couple other questions, patients' privacy and their data
security are our top priority at PatientBank. What that means is, in any
product or business decision, patient satisfaction, happiness and their trust
in our service are top things we consider.

So, we would not share patient data with any third party without patients'
explicit consent!

Hope this clarifies things!

~~~
mbrameld
> patients' privacy and their data security are our top priority at
> PatientBank

Is it really your top priority? Things like that always sound so disingenuous
to me. Surely your top priority is building a profitable business, no?
Otherwise there would be no data to even worry about.

When the response to the yes/no question of "Are you going to sell my data?"
is "Your privacy is our top priority" instead of "No", run far far away.

------
ams6110
Question for any MDs on here: How often are old medical records helpful and
studied? Every time I go to a new doctor the first thing is a medical history
interview. They are rarely interested in records from any other provider, in
fact I've never been asked to help facilitate that. But I'm not sure how
typical my experience is.

~~~
kmgrassi
Hi there - this is Kevin Grassi, MD with the PB team. You are absolutely
correct that many primary care doctors rely on the patient to provide a
medical history and rarely need the specific information located in the
medical record. However, if you have complex medical issues, your primary care
doctor may want to see specific data - especially lab or imaging reports.

Many specialist doctors need to see previous medical records before evaluating
and treating the patient. This is especially true in oncology. We work with
the Smilow Cancer Hospital, part of the Yale-New Haven Hospital, to help
ensure that all oncology patients present for their first visit with a
complete medical record.

One final note that is my assessment of how physicians operate in the current
system - doctors are accustomed to working with incomplete information.
PatientBank is striving to make previous medical information more accessible
to your next doctor. My hope here is that increased access to information will
cause doctors to pay more attention to your data and lead to better care.

Thanks for your question! I hope this clarifies things.

~~~
newman314
Actually, this brings up a good question. Why not build a system where a
patient can keep their record with them and only share as necessary? I'm
thinking along the lines of a password manager.

This also removes the need for a giant centralized database which would be a
nice ripe target.

~~~
leovander
Somewhere else in the thread someone mentioned what happens when there
is a network of hospitals speaking to each other. Some places in New York
would call it a regional health information organization (RHIO).

If all your providers are in that RHIO, there will most likely be a central
hub/repo where everyone posts their information to. There are a few localized
initiatives in specific states, and there are larger statewide programs that
try to consolidate all your records.

After all of that, some state-funded RHIOs will get incentives for working
with specific partners and even the Social Security Administration (SSA),
which brings up a whole lot of headaches and having to meet their standards
while at the same time meet all your local partners' standards as well.

Because the government has a high interest in ultimately getting everyone on
one network, they actually spend a lot of time and effort to try and better
these connections and improve data transfer. One of those is this Blue Button
initiative [1]. They even have multiple GitHub repos [2] so you can see the
underlying logic of what a patient model comprises. What they use is per the
HL7 spec that was established in 2011/2013. (Every vendor references the same
PDF spec, but there is still a lot of ambiguity in it. Essentially it is
really hard to apply all the conditional logic of a clinical document into an
XSD.) The funny thing is that with a stamped-and-sealed specification that
people still fight over on calls, the HL7 organization are now pushing over to
FHIR [3], a JSON based clinical item model. That will be interesting.

To answer your question/concern, there are definitely initiatives to try and
make this better, but it will take time to get legacy systems up-to-speed and
to meet new standards that are stagnated. You can reference my previous
comment with my concerns about that [4].

Lastly, if anyone is new to the EMR/HIE/Medical field, Motorcycle Guy [5] will
be your best friend.

[1] [https://www.healthit.gov/patients-families/blue-button/about-blue-button](https://www.healthit.gov/patients-families/blue-button/about-blue-button)

[2] [https://github.com/blue-button](https://github.com/blue-button)

[3] [https://www.hl7.org/fhir/](https://www.hl7.org/fhir/)

[4] [https://news.ycombinator.com/item?id=12264411](https://news.ycombinator.com/item?id=12264411)

[5] [http://motorcycleguy.blogspot.com/](http://motorcycleguy.blogspot.com/)

~~~
craftsoftware
Very interesting! Thanks for sharing.

------
contingencies
Interesting. Last year my wife and I founded a mainland China outbound medical
tourism business and _had_ to get in to this stuff to facilitate servicing our
customers. Of course, the Chinese system is very different to the US system.

That said, mostly these customers are interested in the US or Europe (for
cancer and other serious operations) or Southeast Asia for lesser stuff. China
is a _HUGE_ and _WEALTHY_ market just waiting for a decent player in this
space. However, I am now focusing on another business
([http://8-food.com/](http://8-food.com/)) and the focus of the business has
shifted so that the average client has their medical records to be
re-generated by foreign medical service providers. This is not ideal in some
situations, such as remote second diagnosis (which I believe will grow
steadily in popularity). If you would like a local partner for digitizing
available records in China so that wealthy Chinese can access foreign medical
service providers (high resolution film scanning, medical records translation,
etc.), you could do worse than talking to us. Email in profile.

------
jeremyt
I actually think that medical records are basically public. It's only a matter
of time before the various doctors' offices or government agencies or private
companies that hold these records are hacked and the records released on the
Internet.

That said, I would definitely trust a private entity with specialized
knowledge over the government or individual doctors' offices, so I wish you
the best of luck.

For example, I just had my medical records sent from an old doctor's office,
and the only thing they required was a fax with my signature on it and an
address to send the records to. Could have been sent by anybody to anywhere,
and there were no checks whatsoever.

~~~
ams6110
The difference is that the old manual system is not so prone to mass data
breaches.

My employer used a service called NoMoreClipBoard. They enrolled everyone
enrolled in a health plan, not just those who requested it.

When the inevitable data breach happened, everyone was affected, not just
those who had specifically enrolled for this service.

I don't ever want my medical records in any internet-facing system. I realize
that's a fantasy but I'd never voluntarily help make that happen.

FTA: _We use another YC company called Aptible. They’re experts in securing
protected health information, and we follow best practices to make sure our
servers are safe._

It's not just the security of the servers. Many data breaches are the result
of careless handling of data (USB flash drives, laptops, email attachments)
and social engineering attacks.

~~~
mertcelebi
Hi ams6110 - we also use Aptible! It is definitely true that the old,
fax-based system is not so prone to mass data breaches. That is one of the
reasons why hospitals still use fax to transfer medical information.

But, at PatientBank, security and privacy of our patients are our top
priorities. So, we go above and beyond what HIPAA recommends in terms of
security best practices. You can read more about that here:
[https://www.patientbank.us/legal/hipaa](https://www.patientbank.us/legal/hipaa)

~~~
Pfhreak
The concern, I think, is that all the leaf nodes outside of your direct
control also need to be secure. All the nurses, doctors, and other caregivers
with access to the system need to be prevented from exposing that data. Is it
_possible_ for that data to end up on a USB drive? A laptop? Sent in plaintext
anywhere? etc.

The protection needs to be automatic. Training people is a "good intentions"
solution, and will always result in failures. It should be mechanically
impossible for the data to escape in a way you do not approve of.

~~~
kaybe
This data is worth too much to be fully secure ever imho.

And it's not like it expires. You can change your credit card number, you can
change all your leaked passwords, but you can't change your past. Once it's
breached it's out there until the end of tech.

------
nradov
Their records won't be unified in any meaningful sense since when a provider
generates new records for a particular patient those won't automatically be
pushed to PatientBank. I think in the long run this problem will be more
effectively solved by providers exchanging data with each other using IHE
integration profiles. It's great to give patients easier access to their
charts, but from a care delivery standpoint routing clinical data from a
provider to a patient and then back to another provider is unnecessarily slow
and error prone.

~~~
leovander
Bingo.

If you search for my previous comments in this thread, you can see my concerns
about the general state of IHE's.

In one of the comments I mentioned Blue Button, which allows patients to pull
their data. (To be fair, I haven't really seen the button in too many places
out in the wild.)

I guess ultimately in order to be able to get your charts from wherever you
move, all those smaller IHE's need to feed into one repository and then have
those scale up from county to county and even statewide.

The problem with that of course is how all the partner systems are queried or
what profiles they have decided to use, i.e. will a data source be pushing
documents to the repository every time there is a new patient or update, or
will that network go out and ping every data source for their most up-to-date
record.

If PatientBank is just dealing with Fax primarily and working with FHIR, I am
curious how long they will work with Fax until there is a high adoption rate
of FHIR for them to be able to get proper clinical items, that one of their
clients could then pull their data and then push their data to their new
provider.

~~~
nradov
I think you might have mixed up HIEs and IHE.

With XCPD there's no real need for one central repository. Independent systems
can interoperate on a peer-to-peer basis. In the USA a central patient chart
repository would be a non-starter anyway for political and business
competition reasons.

------
pfletcherhill
Hi all—this is Paul, I'm a co-founder at PatientBank. We gather medical
records online. Feel free to send any questions, comments, or feedback my way.
My co-founders and I will be around ready to answer!

~~~
throwanem
How do you handle authentication and authorization? Suppose I have a nefarious
enemy who attempts to use your service to obtain my medical records so he can
poison me or embarrass me or something. How does he fail?

~~~
pfletcherhill
We make it really easy to request medical records, but we also verify
requesters' identity before allowing them to view medical records we collect.
We actually use an awesome YC company called BlockScore to handle a lot of
that ([https://blockscore.com/](https://blockscore.com/))!

~~~
kaybe
I wasn't really able to get the details on that page, but it seems like they
do verification by checking personal information like name, birthday and
address against a database and ask a few multiple choice questions related to
them. How is that not easy to circumvent if the attacker has that set of
information? (can probably be obtained by a social attack on the victim's bank)

I'm assuming there's something I missed there.

~~~
throwanem
I don't think there is. Knowledge-based authentication is extremely vulnerable
to identity theft.

------
z3ugma
A good amount of your icons etc use "PB" as the abbreviation. In the US
healthcare system, "PB" is often used for "professional billing," a function
that the medical records department is often closely involved with. I can see
this confusing the hospital customers who are providing the data.

------
Meegul
Will you guys be looking for interns next summer? I'm a CS major who's
currently finishing up a software engineering internship at a major healthcare
company. I'd love to get in touch, if so.

~~~
mertcelebi
Hey Meegul, thanks for your comment! We'd love to chat! You can always reach
out to me at mert@patientbank.us or info@patientbank.us!

------
Eriselle
In what ways does this offering differ from Microsoft's HealthVault? Is it
that you do the gathering of health data on behalf of the patient?

~~~
mertcelebi
Great question! For Microsoft's HealthVault, patients would have to gather the
records themselves AND enter the information into HealthVault manually.

We make it super easy for patients to gather their medical information and
make it even easier to manage (share with physicians, family members etc.)
their information.

------
hkiely
How are you different from Picnic Health or CareSync?

~~~
pfletcherhill
Good question, hkiely! There are a number of great products out there to help
people manage medical data—those are certainly two of them. Our focus at
PatientBank right now is on just one piece of that problem: making sure people
don't have to request their medical records over fax or in-person. What that
means is that our market often differs from folks who use a personal health
record. Many of our users have been asked by their doctor, their insurance
company, or a lawyer to gather and share their medical records—sometimes even
from just one specialist or hospital—and they want help doing so.

