Show HN: Kate's App
Scope and Purpose of the App
- App is for patients and families/caregivers to coordinate medical information (contacts, appointments, prescriptions, medical documents, logs).
- Not intended as a clinic/insurer portal; explicitly framed as “for families, not providers,” though wording about “medical caregivers” creates some ambiguity.
- Some commenters question the unique value versus tools like Google Docs, WhatsApp, or existing patient portals (e.g., MyChart), while others note those don’t unify data across providers or multiple caregivers.
Legal, Regulatory, and Jurisdiction Issues
- Major concern: handling highly sensitive health data without visible terms of service, privacy policy, or compliance posture.
- Repeated advice to consult lawyers, especially on HIPAA, FTC, COPPA, US state privacy laws, GDPR, Canadian PIPEDA, etc.
- Debate on whether HIPAA directly applies:
  - One side: app is not a covered entity; HIPAA applies only if health providers use it under a Business Associate Agreement.
  - Other side: by design targeting health information and “caregivers,” risk is high; at minimum, providers using it could be in violation.
- EU-focused comments note that accepting EU users without GDPR-compliant policies and a Data Protection Officer (given medical data) is likely illegal.
- Several suggest temporarily taking the service down until legal and compliance issues are addressed.
Security and Data Protection
- Critiques: no visible HIPAA/privacy statements, rudimentary access control, unverified accounts, potential for insecure ID-based URLs, unclear encryption practices, no self-service deletion initially.
- Suggestions:
  - Encrypt data in transit and at rest; consider application-level encryption so admins can’t read PHI.
  - Implement strong access control, logging, and deletion mechanisms.
  - Run automated security scans (OWASP tools, cloud/container scanners).
  - Consider local-first / client-side storage or end-to-end encrypted architectures to reduce regulatory surface.
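The “insecure ID-based URLs” critique and the access-control and logging suggestions above, shown side by side as an added example (a constructed stand-alone model, not Kate's App's own code; the document store, user names and record contents are made up):

```python
# Added illustration of the "insecure ID-based URL" risk and the suggested
# fixes (per-document access control plus an audit log). Constructed model,
# not Kate's App's code; all data below is invented.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class MedicalDocument:
    doc_id: str
    owner_id: str          # the patient who uploaded it
    caregivers: Set[str]   # family members explicitly granted access
    contents: str          # PHI; treat as sensitive


# Constructed sample store: two patients, one of whom shares with a caregiver.
DOCUMENTS: Dict[str, MedicalDocument] = {
    "1001": MedicalDocument("1001", "alice", {"bob"}, "Alice: metformin 500mg, 2x daily"),
    "1002": MedicalDocument("1002", "carol", set(), "Carol: MRI report 2024-03"),
}

AUDIT_LOG: List[str] = []


def get_document_insecure(doc_id: str) -> str:
    """Vulnerable pattern: anyone who requests /documents/<id> gets the record.
    With sequential IDs, every record is reachable by counting upwards."""
    return DOCUMENTS[doc_id].contents


def get_document(doc_id: str, requester: str) -> str:
    """Hardened pattern: authorize the (requester, document) pair on every read
    and record the decision, so access is both restricted and reviewable."""
    doc = DOCUMENTS.get(doc_id)
    # Missing and forbidden look identical to the caller, so the ID space
    # cannot be probed to learn which document numbers exist.
    if doc is None or (requester != doc.owner_id and requester not in doc.caregivers):
        AUDIT_LOG.append(f"DENY  user={requester} doc={doc_id}")
        raise PermissionError("document not found or access denied")
    AUDIT_LOG.append(f"ALLOW user={requester} doc={doc_id}")
    return doc.contents


if __name__ == "__main__":
    print(get_document("1001", "bob"))          # caregiver: allowed
    try:
        get_document("1002", "bob")             # not shared with bob: denied
    except PermissionError as e:
        print("denied:", e)
    print("\n".join(AUDIT_LOG))
```

In a real deployment the audit log would be written to append-only storage and the authorization check would sit in one shared layer rather than in each handler, so that no route can forget it.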
Trust, UX, and Presentation
- Lack of identity information about the operator, missing policies, and hidden WHOIS are seen as major trust gaps.
- UI feedback: add padding/margins, fix broken links, improve design and mobile layout, provide screenshots or demo videos.
- Some praise the idea as humane and needed given fragmented healthcare, while others say it’s too legally risky as a “learning project” unless kept very small/invite-only.
Future Direction and Suggestions
- Ideas: calendar view, FHIR/HealthKit integration, interoperability with provider systems, or pivoting to local/self-hosted.
- Mixed advice: some urge “keep going but harden security and read regulations”; others insist on shutting down publicly until legal and compliance basics are in place.