Don't Die of Heart Disease

13 points · brandonb · 5/8/2025, 3:02:31 PM · empirical.health

Comments (5)

Agingcoder · 1h ago
What are you doing to avoid data breaches?
brandonb · 1h ago
We follow HIPAA (the US privacy law for health data). And we take the security precautions I think you'd expect -- encryption in transit and at rest, MFA, running service accounts under least privilege, everything is in a VPC, dedicated secret manager, threat detection. While these are the "basics" that you'd expect from a modern tech company, they're not always practiced consistently in healthcare.
brandonb · 7h ago
(OP here) Let me know if folks have questions!
svillar · 1h ago
Very interesting, I am evaluating paying for the service and giving it a try.

But first:

1 - Your data retention policy: can you share more about this, in plain English?

From this: https://www.empirical.health/hipaa-privacy

There are some red flags here:

1. Vague Use of “Affiliated Covered Entity”. Why it’s a concern: Without proactively disclosing who the affiliated entities are, this creates ambiguity about where and with whom your PHI might be shared.

2. Broad Language Around Business Operations. Lack of transparency about exactly what operations include would be ideal. Is the data ever anonymized and aggregated for business development?

3. Generic Breach Notification Clause. Clarify your internal threshold for notifying patients of a breach, even if it’s not legally required.

Minor but Worth Confirming: The contact email uses a different domain (@empirical.health) than the company name (525 Medical Group). Make sure the branding/ownership is consistent to avoid confusion or phishing risk.

From this: https://www.empirical.health/data-collection

1. Extremely Broad Data Collection Scope. Why it’s a concern: The scope includes highly sensitive health and mental health information, including GAD7 and PHQ9 questionnaire data (mental health), Sleep Apnea Events, and Atrial Fibrillation Burden, which could pose elevated privacy risks.

2. Vague on Purpose and Usage. “We never take more than we need to make sure we are providing you with the best care possible.” Why it’s a concern: There’s no specific justification per data type. Are they using your blood pressure for real-time alerts, or just storing it? Without more transparency, it's hard to judge.

3. Data Deletion Requires Account Deletion. “Users can always request data deletion in our app if they wish to delete their account.” Why it’s a concern: If you want your health data deleted but want to continue using the service, it appears that’s not allowed. It’s all or nothing.

4. No Mention of Data Sharing with Third Parties. Why it’s a concern: There is no statement clarifying whether data is shared with, sold to, or used by third parties (e.g., insurers, researchers, or advertisers).

5. Mental Health Data Handling. Includes GAD7 and PHQ9 (mental health questionnaires). Why it’s a concern: This is especially sensitive and should be governed by strict standards. There is no mention of how these results are stored, who can see them, or whether they're used for diagnostics, analytics, or alerts.

Full disclaimer: Not a lawyer, simply a Hacker News occasional reader.

brandonb · 1h ago
Sure. I'll try to group my answers by theme since some of the answers to your questions overlap.

First, the data is never anonymized and sold (if that's what you mean by "business development").

We follow HIPAA, since we do realize you're trusting us with a lot of data on your health. The data is necessary to provide good medical care--i.e., it's actually quite relevant to your heart health whether you have signs of sleep apnea or anxiety!

"Affiliated covered entity" refers to the medical groups that provide medical care. Legally, these have to be a separate corporate entity (a "medical professional corporation") from the standard Delaware C-Corp. All telemedicine companies that operate in the US have to have this structure, and it's why you see two distinct company names (525 Medical Group and Empirical Health).

Data deletion requires account deletion -- this is a fair point.

The data collection not breaking down each data type -- fair point. We can expand the details within this policy a bit.