1. Vague Use of “Affiliated Covered Entity”
Why it’s a concern: Without proactively disclosing who the affiliated entities are, this creates ambiguity about where and with whom your PHI might be shared.
2. Broad Language Around Business Operations
Lack of transparency about exactly what operations include would be ideal. Is the data ever anonymized and aggregated for business development?
3. Generic Breach Notification Clause
Clarify your internal threshold for notifying patients of a breach—even if it’s not legally required.
Minor but Worth Confirming
The contact email uses a different domain (@empirical.health) than the company name (525 Medical Group). Make sure the branding/ownership is consistent to avoid confusion or phishing risk.
1. Extremely Broad Data Collection Scope
Why it’s a concern: The scope includes highly sensitive health and mental health information, including GAD7 and PHQ9 questionnaire data (mental health), Sleep Apnea Events, and Atrial Fibrillation Burden—which could pose elevated privacy risks.
2. Vague on Purpose and Usage
“We never take more than we need to make sure we are providing you with the best care possible.”
Why it’s a concern: There’s no specific justification per data type. Are they using your blood pressure for real-time alerts, or just storing it? Without more transparency, it's hard to judge.
3. Data Deletion Requires Account Deletion
“Users can always request data deletion in our app if they wish to delete their account.”
Why it’s a concern: If you want your health data deleted but want to continue using the service, it appears that’s not allowed. It’s all or nothing.
4. No Mention of Data Sharing with Third Parties
Why it’s a concern: There is no statement clarifying whether data is shared with, sold to, or used by third parties (e.g., insurers, researchers, or advertisers).
5. Mental Health Data Handling
Includes GAD7 and PHQ9 (mental health questionnaires)
Why it’s a concern: This is especially sensitive and should be governed by strict standards. There is no mention of how these results are stored, who can see them, or whether they're used for diagnostics, analytics, or alerts.
Full disclaimer:
Not a lawyer, simply a Hacker News occasional reader.
brandonb•9mo ago
Sure. I'll try to group my answers by theme since some of the answers to your questions overlap.
First, the data is never anonymized and sold (if that's what you mean by "business development").
We follow HIPAA, since we do realize you're trusting us with a lot of data on your health. The data is necessary to provide good medical care--i.e., it's actually quite relevant to your heart health whether you have signs of sleep apnea or anxiety!
"Affiliated covered entity" refers to the medical groups that provide medical care. Legally, these have to be a separate corporate entity (a "medical professional corporation") from the standard Delaware C-Corp. All telemedicine companies that operate in the US have to have this structure, and it's why you see two distinct company names (525 Medical Group and Empirical Health).
Data deletion requires account deletion -- this is a fair point.
The data collection not breaking down each data type -- fair point. We can expand the details within this policy a bit.
memcg•8mo ago
Well, I made the mistake of giving you an email address, but bailed when you you wanted more PII just to find out where a lab was in Maryland. Since then I have received 5 emails in my Yahoo spam folder. The "Unsubscribe - Unsubscribe Preferences" links in the emails don't function. I replied with unsubscribe in the subject line, but still get what is now clearly spam.
brandonb•8mo ago
First off, sorry about the unsubscribe links--I reproduced the problem, and we're fixing it.
We're working on getting API access from our lab partner that would let us build a self-serve lab location finder. We know it's a bit of a kludge now. (API access for these types of healthcare services isn't quite as simple as, say, Stripe -- it often requires a few rounds of meetings, approvals, etc.)
Agingcoder•9mo ago
What are you doing to avoid data breaches ?
brandonb•9mo ago
We follow HIPAA (the US privacy law for health data). And we take the security precautions I think you'd expect -- encryption in transit and at rest, MFA, running service accounts under least privilege, everything is in a VPC, dedicated secret manager, threat detection. While these are the "basics" that you'd expect from a modern tech company, they're not always practiced consistently in healthcare.
Agingcoder•9mo ago
Thanks - I would suggest you write this explicitly on your website. I’ll add that the 23andme story will make some people at bit wary.
brandonb•9mo ago
svillar•9mo ago
But first:
1 - Your data retention policy, can you share more about this - in plain english?
From this: https://www.empirical.health/hipaa-privacy
There are some red flags here:
1. Vague Use of “Affiliated Covered Entity” Why it’s a concern: Without proactively disclosing who the affiliated entities are, this creates ambiguity about where and with whom your PHI might be shared.
2. Broad Language Around Business Operations Lack of transparency about exactly what operations include would be ideal. Is the data ever anonymized and aggregated for business development?
3. Generic Breach Notification Clause Clarify your internal threshold for notifying patients of a breach—even if it’s not legally required.
Minor but Worth Confirming The contact email uses a different domain (@empirical.health) than the company name (525 Medical Group). Make sure the branding/ownership is consistent to avoid confusion or phishing risk.
From this: https://www.empirical.health/data-collection
1. Extremely Broad Data Collection Scope Why it’s a concern: The scope includes highly sensitive health and mental health information, including GAD7 and PHQ9 questionnaire data (mental health), Sleep Apnea Events, and Atrial Fibrillation Burden—which could pose elevated privacy risks.
2. Vague on Purpose and Usage “We never take more than we need to make sure we are providing you with the best care possible.” Why it’s a concern: There’s no specific justification per data type. Are they using your blood pressure for real-time alerts, or just storing it? Without more transparency, it's hard to judge.
3. Data Deletion Requires Account Deletion “Users can always request data deletion in our app if they wish to delete their account.” Why it’s a concern: If you want your health data deleted but want to continue using the service, it appears that’s not allowed. It’s all or nothing.
4. No Mention of Data Sharing with Third Parties Why it’s a concern: There is no statement clarifying whether data is shared with, sold to, or used by third parties (e.g., insurers, researchers, or advertisers).
5. Mental Health Data Handling Includes GAD7 and PHQ9 (mental health questionnaires) Why it’s a concern: This is especially sensitive and should be governed by strict standards. There is no mention of how these results are stored, who can see them, or whether they're used for diagnostics, analytics, or alerts.
Full disclaimer: Not a lawyer, simply a Hacker News occasional reader.
brandonb•9mo ago
First, the data is never anonymized and sold (if that's what you mean by "business development").
We follow HIPAA, since we do realize you're trusting us with a lot of data on your health. The data is necessary to provide good medical care--i.e., it's actually quite relevant to your heart health whether you have signs of sleep apnea or anxiety!
"Affiliated covered entity" refers to the medical groups that provide medical care. Legally, these have to be a separate corporate entity (a "medical professional corporation") from the standard Delaware C-Corp. All telemedicine companies that operate in the US have to have this structure, and it's why you see two distinct company names (525 Medical Group and Empirical Health).
Data deletion requires account deletion -- this is a fair point.
The data collection not breaking down each data type -- fair point. We can expand the details within this policy a bit.
memcg•8mo ago
brandonb•8mo ago
We're working on getting API access from our lab partner that would let us build a self-serve lab location finder. We know it's a bit of a kludge now. (API access for these types of healthcare services isn't quite as simple as, say, Stripe -- it often requires a few rounds of meetings, approvals, etc.)