Show HN: Get your health records from any doctor (stayinyourprime.com)
30 points by thetylerhayes on Nov 11, 2013 | 60 comments

I would strongly encourage my patients to stay a mile away from this enterprise. Any outfit that can say "Health is inherently social" does not have the right attitude towards PHI, in my opinion. Any association with Facebook only enhances this opinion, due to their history of "privacy creep." To be clear, I think patients should be informed and access their records if they choose. But be very careful about any social media exposure. Once it's out there, it's out there.

Don't have a Facebook account. Don't want a Facebook account.

Even if I did, I wouldn't want it anywhere near anything related to my healthcare. Requiring a Facebook account to sign up was a huge mistake.

We don't get posting rights to your Facebook account. We can't nor will we ever share anything to Facebook.

We use FB to verify identity and help make it easier for you to invite friends and family, the people with whom you're already sharing your health info. Everything stays private within Prime.

You can post all disclaimers you want, and for the moment I'll assume what you say is true, but it won't make me use FB to log in. Despite all of those disclaimers, the login mechanism to which you've tied your app has proven multiple times to be untrustworthy.

In other words, personally speaking, it's not you that I don't trust, it's FB. I'd go out on a limb to say that's probably what the grandparent poster meant, too. I know, I know, blah, blah, blah, but I don't want to do the mental exercise of walking through the scenarios. "Okay, Prime has convinced me it's trustworthy, but how could FB hose me? Well, they could...". It's easier to just not use the app. And I want to use the app.

Yeah, but many people, especially in the developer community, have a knee-jerk reaction to sharing private data on FB even if that isn't what you are doing. You could easily alleviate the fear by supporting other OAuth providers and allowing people to use their email address to sign up.

I really like the concept BTW!

Email is something we're currently considering.


Don't just consider it--given this summer's events and disclosures, email is the only thing even remotely reasonable.

EDIT: Seriously, I appreciate the desire to get your viral coefficients up and everything, but this is something that is actually important and can ruin people's lives; don't take it lightly.

This may be fairly reasonable to explain to someone with technical experience, but I imagine even among technical people you'll find serious resistance in slightly older generations. I'm pushing 40, and my life is focused around the net, but I still have a Facebook account partly only because my wife canceled hers (too much of a time sink...), and I check it maybe once a month, with a browser profile I use only for Facebook.

Eh, it's not a disastrous problem -- this seems like it would be something you can change without any serious reworking of your central offering. You could also have a one-time, optional Facebook connection where the patient could authorize you to grab their contacts, and then have no further contact with FB.

Can't you get the same benefits by using, say Twitter, as an identity verification?

Twitter doesn't provide email and Facebook has a firm real name policy. Twitter does provide benefits but Facebook is better for identity verification.

I am sure you would prefer to have all their FB data but you will lose a lot of potential customers if you demand they use FB.

Health records is a great space. 2 quick things that jumped out at me, the first is the iPhone feed that showed one user saying they just got a colonoscopy (my thought is that patients typically do not and would not share that type of info), then second down below it says health is inherently social, I do not know that this is true, I believe health is very private and often for good reason (insurance companies used to use such info to reject claims and insured for preexisting conditions, maybe not the case anymore with the reforms. But employers or potential employers can use this info to make hiring decisions). My concerns might sound far fetched and creepy but they are legit concerns on how people can use this info.

In truth I hope my initial concerns are all wrong and you find a huge market. Best of luck.

I don't think your concerns sound far-fetched. I'd say so far our results are "different strokes for different folks" with folks in our target market of having daily/weekly health habits (visiting doctors, getting sonograms, getting treatments, tightening braces) leaning towards the more social end. This is simply because they need to share that data with multiple people/caregivers already (caregivers are often friends and family) and we make it 100x easier for them by 1) surfacing the data, and 2) bringing everyone together in one place.

I will also say that I think it would be great if our culture was a bit more open about our health on a personal level, rather than being so secretive. But I also understand the current need for that sometimes (like you point out in the job market) and so that's more so a personal hope than a product goal.


> "Get your health records from any doctor"

Awesome! Sign me up!

> Health is inherently social

> Provide context for your friends and family by sharing real health information seamlessly. Focus on communicating about your health rather than communicating the technical details.

Yeah. No. Goodbye.

I would love to have all my records all in one place.

But why in the world would I want to share my high blood pressure/high cholesterol/chicken pox/herpes/AIDS etc. checkups with my friends and family?

There are no social requirements in the app—you can use it to get your record from multiple doctors and never add any friends in Prime.

The target market of the app is people who have close friends and family members that they want to keep in the know about their health. This might not be you, which is totally okay.

> Health is inherently social

Maybe wellness is inherently social. I am a huge fan of Strava.

But there is no way I would give three guys in Oakland access to my medical records.

That's interesting that you think about it that way.

I know a lot of people who upload their scanned prescriptions and reports to Dropbox. Dropbox uses AWS S3 to store data.

Do the 3 guys from Oakland use the same infrastructure? I'm not sure. But Dropbox has access to your files.

I can't say you're someone who uploads medical data to cloud storage, so this is a more general question (since I'm sure more people will have these qualms): Why Dropbox and not Prime? Is it Guido? Drew? Those guys are from the Netherlands and Massachusetts respectively.

If there's a security concern, the NSA (and I'm sure other agencies) pretty much have access to everything, and those employees might just be a couple of guys from Oakland.

Note: This is something I can see as a valid concern from a lot of people, so this question is as much directed to the Prime team as it is to Steve.

Update: I wrote Oklahoma instead of Oakland everywhere.

Update 2: They _do_ use Amazon.

Point taken. Not sure what Oakland has to do with it — we're located across the street from Kaiser Permanente's headquarters of 11,000 people in Oakland — but I think I see where you're coming from. You don't know us. And you deserve the best level of security.

Some more background on us: I worked at Disqus for 3 years. I spent time on the Product team and helped engineer some of their tools too. Owen is a fantastic engineer who spent 4 years at Intel and Oracle before that. We know security, we know scale. We're fully HIPAA-compliant; we even worked with Amazon directly to ensure this. Everything is encrypted and no data is stored on the device.

What could we do differently to put your mind at ease about this? Are there specific technical points you have in mind?

This is a problem that desperately needs to be solved and we're solving it for the people who need it solved most: people who really need their real health records with them right now, whether to show at their next doctor appointment or to family at home or friends on the other side of the country.

Thanks for your thoughts.

I took the liberty of emailing you on the address on your HN profile :)

Did Amazon sign a Business Associate Agreement (BAA)? I know in the past that prevented clients of mine from using AWS in the healthcare space.

Yes, AWS started signing BAAs on June 18th, 2013. FireHost and Rackspace will also sign a BAA.

"AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information and AWS will be signing business associate agreements with such customers."


I work in medical informatics, so my opinion may be biased.

Yes, people need access to their data. No, heath data is not inherently social. Sharing specific pieces of data with specific people does not mean health data is inherently social. I would seriously consider rebranding your efforts as a personal health data access mechanism that can also be specifically shared in the finest ways with specific people. And for the love of all that is holy, disassociate yourself from Facebook. Add your own sign up with email. Do not oauth with any other provider. As soon as you add FB/Google/Twitter/etc. you open the door to your customer having to ask the question about whether or not they want those companies having access to their data. Even if you say they will not, your customer will have to make a judgement call as to whether or not that is true.

As a developer, my opinion might be biased, but I agree with this.

> Amanda Huggankiss

> You tested positive for Herpes, Hepatitis, Chlamydia and HPV

Health and wellness has never been more social.

Wives, get a free alert right in your mailbox when your husband gets AIDS or syphilis!!!

^^ irl lol

They're social diseases, after all.

Good idea, horrible messaging. I doubt anyone thinks that health is "inherently social"

homepage error: link for "Not a member of a current Prime provider?" is http://stayinyourprime.com/%10#providers

Also, higher-level: how should potential customers check if their provider is already on Prime?

Finally, my first question when I see a service that will help me with sensitive, private data for free is: who is paying for this? Maybe the providers are paying; maybe the plan is to sell "non-personally-identifiable" data; maybe there will be ads and/or targeted 3rd party offers; but if the site is secretive about its business model, I assume the worst. In this case the privacy policy seems to suggest the latter two options, which are bad enough for email hosting, but really quite dangerous for medical data. The process of pseudonymizing medical data is difficult and necessarily imperfect; so the consumers of any pseudonymized data need to be responsible parties.

Thanks for the note about the error, should be fixed soon.

Good point about letting people check the full list of providers!

To the question about business model, all three of us agree wholeheartedly that free services rightfully bring a certain level of skepticism. All things considered we don't think it would be possible to charge for the app, but do feel there are not enough truly consumer-focused offerings in the health space. So we are thinking hard about what the revenue model will be. We don't have any plans to sell info in any regard and are under the impression that would require a direct opt-in from consumers if that offers any solace.

"We don't have any plans to sell info in any regard and are under the impression that would require a direct opt-in from consumers if that offers any solace."

This is interesting. Are you then not considering exposing APIs to anonymous data or such like?

Like you say, anonymizing data is nigh impossible, so I'd rather just avoid it entirely. Maybe local processing?

We are thinking a user driven OAuth style service would be valuable.

Makes sense.

I work in the healthcare space. This seems like a HIPAA nightmare, but I'm sure they've thought of this and I would be interested in their strategy for dealing with HIPAA.

In what way? The technical aspects of HIPAA are pretty straightforward (although a lot of work), and it appears the user is in control of who can see their data.

We're fully HIPAA-compliant, as Tyler mentioned in another comment. Data is encrypted, and isn't stored on the device. HIPAA (and specifically MU Stage 2) is actually more helpful for what we are doing than anything else; letting patients get access to their records electronically is a hugely important step towards solving major problems in the health industry.

"Get your health records from any doctor"

We must have a different definition of "any," since this will not get them from my primary care physician. His records are not computerized. (If I don't pay my copay at the time of my visit, my bill is typed on a typewriter.) He started practicing medicine in the late 1960s, joining his father's practice. I'm sure that some older doctors, in smaller towns (I'm in a D.C. suburb), are the same way.

Your point that smaller practices are more likely to not have an EHR is generally correct, but it's changing very quickly.

Some quick facts:

* More than 50% of clinics and hospitals in the U.S. have an EHR (electronic health record system) of some kind: http://www.hhs.gov/news/press/2013pres/05/20130522a.html. That means they can give you an electronic copy of your record.

* Meaningful Use says providers have to offer records electronically.

* Meaningful Use Stage 2 (goes into effect in 2014) says doctors also have to offer the record in whatever format you as a patient choose.

* The whole main point of HIPAA, the reason why it came to be, is that it gives every U.S. citizen a right to their health record, and to the ability to take it with them wherever they go.

The bottom line is: if your doctor isn't giving you an electronic copy of your record — and in 2014, in the format of your choice — they're breaking the law. It's your right to have your health record, and not just in paper form.

"The bottom line is: if your doctor isn't giving you an electronic copy of your record — and in 2014, in the format of your choice — they're breaking the law." This is demonstrably false. Meaningful use is not at this time a mandate. It is an incentive program. The incentive will likely turn from a carrot to a stick in the future, but as of 2014 there is no mandate on US physicians to comply with meaningful use stage anything. http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRI...

You're right, I mistyped that. Meaningful Use is an incentive. The right to getting an electronic copy of your record is part of HIPAA.

So the overall point of what I wrote is still true — you have a legal right to your health record in the electronic format of your choosing:

> (ii) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

That's from HIPAA § 164.524 Access of individuals to protected health information. (c)(2)(ii). Direct link: http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&tpl=/ecfrbrowse/...

And that was also the point of OP's comment. OP was saying small practices might not always be able to provide a health record to their patients. Your health record is your legal right and so is an electronic copy (provided the data is stored electronically) as of the latest revision to HIPAA which has been in effect since September 2013.

But if the records are not maintained electronically, then there is no requirement to provide them electronically. The paragraph before the one you quoted, ends with:

>if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.

If the records are only hard copy, then there is no requirement to convert them into an electronic format just to provide them to an individual. I know this is the case with my primary care physician and I think it may be the case with other smaller practices. Many of these may be small practices run by older doctors, so they may simply retire. If you've been practicing since say 1970 or so and haven't converted everything to electronic format by now, why bother?

> If the records are only hard copy, then there is no requirement to convert them into an electronic format just to provide them to an individual.

Correct. Yet over 50% of providers have an EHR. And that number is growing every month.

> If you've been practicing since say 1970 or so and haven't converted everything to electronic format by now, why bother?

Because Meaningful Use incentivizes you to do so. The government gives you money.

I think there have to be some stronger reasons to justify sharing medical / health information with friends. Sharing that with my health providers may be a good idea but definitely not with friends.

Why would providers partner with you? I work in healthcare and I'm having a hard time imagining how you sell this to them.

I can't speak for every provider but one example is that of improved outcomes, improving the lives of patients and increasing the efficiency of physicians' daily workflow: http://news.cnet.com/8301-11386_3-57610765-76/digital-health...

What efforts are you doing in the medical community to get them using your service?

Prime is still only for consumers (patients). We don't sell the app to the medical community.

No android? Meh.

"Health is inherently social."

No. It's not.

http://stayinyourprime.com/img/screens/primeLaunch.png is a particularly hilarious example of what's wrong with that concept that health is social.

I can fairly confidently say that I have never thought -- and I am almost never likely to think -- "Hey, you know what I need? A social network that tells all my friends when I get a colonoscopy."

The premise of Prime is that the network would be a much smaller subset than, say, your Facebook friends. I know that's been said before and perhaps left by the wayside, but we really think it will hold true in this case (that your Prime friends will be family members and dearest friends). Looks like we need to communicate that, and the fact that every share is opt-in, more clearly.

Yeah, kind of winced when I read that.

There's a very interesting problem in this space we're about to all be hit by, right?

Most all of the healthcare problems we have could be solved/made better/made less expensive by massive data mining (disclaimer: I work in a related area nowadays). The problem is, to be most useful, that data has to be both complete and correlated with other such data points.

That pretty much destroys privacy as we know it, at least until we find some way of updating our societal mores to be less discriminatory.

Example: How great would it be to have automated notification of STD/STI risks (Siri suggests: wear a rubber if they take you home tonight, no reason)? How about having a simple way of being warned when cold season is actually happening in your area (some threshold of people in your vicinity are currently seeing a doc about a rhinovirus case, so be careful)?

Even more concretely: we can't optimize the hospital services because all that data is silo'ed and fragmented so badly. Your medical history is always incomplete.

There is a lot of negative commentary on this thread (thanks HN for always providing such valuable feedback), but I'd like to point out what I think is useful and positive with Prime.

First, health is inherently social. When you're sick, do you tell your loved one (boy/girlfriend, spouse, parent, close friends, etc?). Of course you do. You want them to know that you might need their care for a few days, that you might have to miss some events that you'd planned together, that you might need help going to the pharmacy to pick up some meds, etc. More serious health issues are even more social. Name one person you know who has suffered from a severe medical condition who has not told their loved ones. When my close family and friends are ill or going in for checkups that are potentially not routine, I want to know immediately what happened. If my loved one were to be drastically ill, I would want to know everything about their condition, the test results, the doctors' reports, the latest research, etc. Surely the HN community understands the desire to geek out over knowledge (health knowledge) and Prime aids that.

Furthermore, I recently suffered some major personal health issues. When I was in the midst of a flurry of doctors visits and medical procedures, my family and friends were all very curious to know what was happening and if they could help out, etc. I was already exhausted by the doctors' visits, and sharing the result of every test and exam with dozens of people was really straining for me. I was extremely lucky to have people near me who could assist me in spreading the word to the people who cared, but this whole "sharing information" problem would have been perfectly solved with Prime. I intentionally did not share any of my health information on Facebook, because I didn't trust Facebook's data privacy and sharing policies. While health is social, it's still private. But Prime may solve this.

For more routine procedures, I can see Prime being very useful. Did my elderly grandmother get her flu shot yet? Check. What was the result of my father's latest checkup about his cholesterol level? Easy to know.

Beyond "social", Prime provides a centralized repo for all your medical data. Remember Mint? Remember how everyone gave up their bank passwords to a web-based service so they could see pretty charts and better budget and manage their finances? Remember how Mint took that information and sold ads and upsells against it? Yeah. Right. That's what is happening with medical data, too. Someone (Prime, perhaps) is going to be the one to collect all this information in one place, make it easy to read and understand, and become "the Mint of health data". I would bet on this. The world of health data is too fragmented to not be consolidated sometime soon.

The issues Prime faces are not small: first, ingesting data, and second, earning their users' trust.

I wish them the best of luck.

"Name one person you know who has suffered from a severe medical condition who has not told their loved ones."

Any number of friends or random acquaintances who are seeking professional help for psychological reasons, or for cancer, or for something seen as embarrassing ("Hey Mom, I've been pissing blood due to a UTI--turns out you were right not to like her...").

"The world of health data is too fragmented to not be consolidated sometime soon."

Which is fucking scary...the ways that this can go wrong, especially given how ruthless and amoral and short-sighted your average startup is these days, are legion. I'd rather see a model similar to safety deposit boxes with revocable keys than the doubtless ad-driven pharma-sponsored nightmare that's probably being concocted in the Valley as we speak by some MBAs too stupid to know any better.

"When you're sick, do you tell your loved one (boy/girlfriend, spouse, parent, close friends, etc?). Of course you do."

This is __highly__ subjective. I don't do this. But neither your comment nor mine proves anything.

I have a feeling they're coming from the premise that pre-Facebook no one wanted to share what they're doing, filtered pictures of what they're eating, etc. The world evolves. As someone else has mentioned, maybe they're ahead of their time. Then again, maybe not. The only thing they're getting flak on here is the social part of the product. I'm unwilling to believe they just did that for a "Web 2.0" badge. However, it'll be interesting to know how they figured health is inherently social.

Psychological illnesses, cancer, etc may be too sensitive to share. Even pregnancy for that matter. Fever, stomach aches, head aches may be noise - I know people who just trudge along their day without a second thought. But this is anecdotal.

I do think they're building something cool here and wish them the best of luck!

Thanks, right on! (Regarding our viewpoint on timing.)

You're also right that it's subjective but it seems that at some point everyone comes to share or hear about health info and we are working to improve the communication difficulties in that realm.

> Name one person you know who has suffered from a severe medical condition who has not told their loved ones.

Outside of people involved in the medical treatment (who would be prohibited from naming them by HIPAA), the fact that they haven't told their loved ones would mean that other people wouldn't really be able to name them, generally.

That doesn't mean they don't exist.

>>First, health is inherently social. When you're sick, do you tell your loved one (boy/girlfriend, spouse, parent, close friends, etc?)

What is happening is that you are using the term "social" in a literal way, whereas in this context (the tech industry) it means something very specific.

I agree that the word "Social" is loaded -- the tech industry has contorted its meaning and I did (yes) take the word in a more literal/historical sense. Prime might be wise to rethink the branding. Maybe "social" is the wrong word, even if it's the right concept.

The copy on that page brings this to the brink of Poe's Law. Maybe they're just ahead of their time.
