Amanda DiTrolio

HTN | Community Brain Trust | 6/20

June 20, 2023
Community Brain Trust

👋 Welcome to this week’s edition of 🧠 HTN Community Brain Trust 🧠 – a community-only email, sent to your inbox every Tuesday, surfacing the top insights and conversations from our community.


In case you missed them, here are highlights of a few interesting conversations from different channels:

Threads included below:

  1. Navigating PHI restrictions with offshore dev teams
  2. Patient interview best practices
  3. Unexpected uses of ChatGPT by doctors
  4. Mom-and-pop medical billing cos
  5. HIPAA compliant Twilio alternatives

1. Navigating PHI restrictions with offshore dev teams

Q: Are there any restrictions when working with an offshore dev shop in terms of whether they can access PHI? Are there separate restrictions if the PHI is from patients covered by Medicare or Medicaid plans (aka, any CMS-specific regulations)? I've heard mixed feedback and perspectives from founders but haven't seen a definitive answer about what is/isn't permitted.

– Anonymous Bot | via #buildersask

Steve Avila: From my experience selling into healthcare systems, they always asked in security reviews if PHI was going OUS; outsourcing dev work never created an issue as long as those teams didn't have access to PHI. I don't know of formal restrictions, however.

Mark Olschesky: HIPAA does not prohibit data access outside of the country or by non-citizens but many organizations will require this contractually so if you cannot provide it you may lose deals.

Matt Fisher: It’s correct that HIPAA doesn’t prohibit offshore access, but there is a part of the Medicare regs that can be used as a basis for blocking offshore access without consent or some will push for none at all. If you want someone from offshore to have access, you’ll need to be sure that your customer contracts don’t prohibit or that you get consent, if necessary. If it’s possible to setup access so that it is a remote, secure connection to data hosted in the US that could also provide comfort and make it easier to get consent.

Roc Hargrove: We have done a hybrid. Some offshore, some not. The offshore devs do not have access to PHI, which has helped with the comments noted above. It's a lot easier to say that they don't have access to PHI.

Mark Olschesky: That is specifically for healthcare plans that are providing Medicare Advantage though, right @Matt Fisher?

Not for business associates dealing with Medicare/Medicaid data.

Matt Fisher: I have seen many health system contracts push it down to business associates stemming from participation in MA. Very often though the system contracts just try to block offshore data use/access, but consent can be negotiated in many instances.

Michael Stratton: Unless you’re going only D2C and no other integrations, you’re probably better off planning for no offshore access to PHI or you’ll likely create a headache for yourself at a time you don’t want it.

Kaitlyn O'Connor: Note also that this can definitely vary by payer. For example, some Medicaid programs specifically prohibit offshore access to health data. Some of my clients will create demo environments for the offshore dev team to work from that don't include real PHI. I'm not a technical expert on exactly how this works though.

Kiel Dowlin: It's best practice to keep your data segregated and ideally only accessible by the minimum number of people needed. As mentioned above, you'll hit some contractual and security review issues about this depending on your scale. When we were building we used offshore devs in Costa Rica, and we just had a replica: no PHI ever left the USA. We built a data scrambler + de-identifier etc. to ensure we had real data for the devs to leverage but that it was in no way re-identifiable. We had a small onshore employed team and scaled up with offshore.

Jonathan Belanger (JB): (related question, piggy-backing)

Even though HIPAA allows patient data to leave the US, there are of course commercial contracts that stipulate US patient data cannot leave the US.


  1. How often have you seen these kinds of requirements show up in contract negotiations?
  2. For those with a global team (US and EU), what other strategies have you employed to address these requirements?

(patient de-id'ing with tenant-scoped keys can be a heavy engineering lift. I'm interested in other strategies as well)
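
One way to build the kind of scrambled replica that Kiel and JB describe above, as an added example that is not code from anyone in this thread: direct identifiers are dropped, MRNs become a tenant-scoped keyed pseudonym (rows within a tenant still join, but nothing is reversible or linkable across tenants without the key, which stays onshore), each patient's dates are shifted by a deterministic per-patient offset, and ZIP and age are generalized. The field names, sample rows and key are constructed for the example.

```python
import datetime as dt
import hashlib
import hmac

DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "address"}  # dropped outright
PSEUDONYMIZED = {"mrn", "patient_id"}  # replaced by tenant-scoped pseudonyms
DATE_FIELDS = {"dob", "visit_date", "discharge_date"}

def pseudonym(value, tenant_key):
    """HMAC-SHA256 under a per-tenant key: stable within a tenant so joins and
    pipelines keep working, unlinkable across tenants, irreversible without the
    key (which stays in the onshore environment)."""
    mac = hmac.new(tenant_key, str(value).encode(), hashlib.sha256).hexdigest()
    return "p_" + mac[:16]

def date_offset_days(patient_id, tenant_key, span=180):
    """Deterministic per-patient shift in [-span, +span]: intervals between a
    patient's own dates survive, absolute dates do not."""
    mac = hmac.new(tenant_key, b"shift:" + str(patient_id).encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:4], "big") % (2 * span + 1) - span

def shift_date(iso_date, offset):
    return (dt.date.fromisoformat(iso_date) + dt.timedelta(days=offset)).isoformat()

def deidentify_record(rec, tenant_key):
    offset = date_offset_days(rec["mrn"], tenant_key)
    out = {}
    for k, v in rec.items():
        if k in DIRECT_IDENTIFIERS:
            continue
        if k in PSEUDONYMIZED:
            out[k] = pseudonym(v, tenant_key)
        elif k in DATE_FIELDS and v is not None:
            out[k] = shift_date(v, offset)
        elif k == "zip":
            out[k] = str(v)[:3] + "00"      # keep only the 3-digit ZIP prefix
        elif k == "age":
            out[k] = 90 if v >= 90 else v    # ages over 89 collapse to one bucket
        else:
            out[k] = v                       # clinical fields pass through
    return out

def deidentify(records, tenant_key):
    return [deidentify_record(r, tenant_key) for r in records]

# Constructed sample rows (no real patients): two encounters for one person.
SAMPLE_RECORDS = [
    {"mrn": "MRN-1001", "name": "Jane Example", "phone": "555-0100", "dob": "1968-03-02",
     "zip": "94110", "age": 55, "visit_date": "2023-05-01", "discharge_date": "2023-05-04", "diagnosis": "E11.9"},
    {"mrn": "MRN-1001", "name": "Jane Example", "phone": "555-0100", "dob": "1968-03-02",
     "zip": "94110", "age": 55, "visit_date": "2023-06-10", "discharge_date": None, "diagnosis": "E11.65"},
]
TENANT_KEY = b"constructed-tenant-key-for-this-example"  # the real one lives in an onshore secret store
```

Because the key is per tenant, a second customer's replica produces different pseudonyms for the same MRN, which is the property JB's "tenant-scoped keys" remark is after.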

Samir Unni: (This solution is Palantir-specific, but) this frequently came up with customers’ offshore data engineering/analytics teams. We used branching or parallel projects to create deidentified datasets with the same schema and same associated data pipelines. There’d usually still need to be a US-based RP for manual data integrity checks on the identified data.

Eric Jain: Our bigger customers usually bring it up; "no off-shore data storage" seems to be a checklist item. Don't know if it would be a show-stopper. Definitely don't send any EU data to the US -- Meta was just fined $1.3B for that!

Mark Olschesky: We didn't have any problems with it with our provider-focused business; whether or not those buyers were less concerned with their larger operational compliance requirements remains to be seen. I'd say the converse is much trickier (harder to justify having a DE-based team and DE-only data access as a US company) and much more common immediately when contracting as a company that does cloud-based software.

Matt Spivey: @Jonathan Belanger (JB) At startups, I’ve seen this come up as soon as we sign contracts with the first large provider or payer. I know of one lucky startup who experienced this on their first contract.

For engineers outside the US, this often means ensuring they have no access to production data. I’ve known others to negotiate using a remote desktop or pairing for certain types of sensitive information.

Duncan Reece: You may want to look at HITRUST requirements.

Roc Hargrove: We saw it on probably every security questionnaire we did. I don't know if we would have lost the deals since we didn't have devs offshore, but it's nice to not have to have that conversation.

2. Patient interview best practices

Q: Hello. What's the best way to interview people with a specific medical condition to learn more about their experience (outside of a medical study)?

I have seen the impact of Diabetes 2 on 40 to 65-year-olds and am exploring creating lifestyle products (not medical products) to help them with everyday living. I'm also conscious of privacy and sensitivity, so want to be respectful. Has anyone found a practical way to find friendly people willing to talk?

– Gomez | via #buildersask

Sharon Lee: Hi @Gomez - as a user experience designer, I’ve run into this kind of need before.

We usually create a user interview or testing protocol that outlines what we want to cover, goals for the interviews, and any visual materials to share during the session. We'll meet 1-on-1 with folks in person or on the phone/Zoom/etc. and compensate people with a gift card for their time. It is so important to practice the questions with someone ahead of time to finesse how to ask them sensitively and adjust the number of questions to fit the allotted time.

When it comes to recruiting from scratch - I’d suggest looking into any patient advocacy groups related to type 2 diabetes who you could reach out to and ask about sharing the opportunity with their community. You could also personally share the opportunity on Facebook health groups (where appropriate) or on your social media if you’re comfortable with that. Often people are excited and interested to share about their experience!

Create a basic consent for people to sign ahead of time so they can see that the conversation may cover sensitive topics, recognize that they can stop the convo at any time if uncomfortable, and understand how the information they share will be used (de-identified and grouped for insights into xyz project). And Calendly is great for scheduling sessions.

Hope that’s helpful!

Rebecca (Wasley) Chaveriat: Check out this group: Savvy Cooperative

Elijah Kelley: Thrivable is useful for T2D research.

Anil Kumar: Humlife360 - doing a similar product

3. Unexpected uses of ChatGPT by doctors

Doctors Are Using Chatbots in an Unexpected Way @Dev Dash [Link to article]

– Evan Brociner | via #news

Lisa Bari: Ah, my aunt wrote that. It’s an odd article. I definitely don’t think healthcare providers should use ChatGPT currently - certainly there will be various uses for LLMs inside a close, protected, specifically trained system, but using the publicly available system outside of HIPAA or other protection or validation really concerns me.

Rahul Sharma: +1 @Lisa Bari. Off-the-shelf LLMs for narrowed healthcare use cases leave a lot to be desired. Beyond the risk of hallucinations, short-term memory and a lack of in-context learning make them not so useful for clinical (and subclinical) cases (and scary if blindly used in practice).

We’re trying to solve for the aforementioned with some novel techniques for personalized and empathetic responses that prioritize safety/trust through guardrails. We created an interactive demo if you want to check it out…

Michael Stratton: This is a great article and it highlights a trend we’re likely to see across all industries with LLMs - the actual use cases are way more mundane and unpredictable than anyone thinks upfront.

Asking it to reword something more empathetically is actually a great use of off the shelf LLMs and on the surface there doesn’t seem to be any HIPAA risk (Dr. Kohane is the exception.) I actually can’t think of any improvement a medical specific LLM would make to the use case of “How can I empathetically explain to a patient they need to drink less.” The doctor even stated he asked non-MDs to come up with a script first. The doctor still has to review and potentially tweak the model’s output before delivering to the patient, so they’re implicitly providing a layer of validation.

Dr. Kohane’s case is interesting - there is a chance he is doing it in a HIPAA compliant way (Not entering any PHI/PII into the system), but that does seem somewhat unlikely. Assuming the doctor is just using the model to point them in the right direction and following up w/ their own validation then I don’t see why this is any worse than the current method of clinical decision making.

Evan Brociner: Anyone think there should be a good way to track decisions made with an LLM? For example, MD used this LLM for generating this email to patient using this prompt.

Michael Stratton: Why does it matter? And why is the LLM held to a different standard? I.e., hypothetically, if a provider bought a bunch of templates (or hired a consultant to write them) for follow-up emails/bad news delivery/etc., would they need to tell patients? What if the provider had a template edited by their friend who is better at that sort of messaging? Wouldn't it also potentially negate the effect if the bottom of the email said something like "This email was edited by ChatGPT to sound more empathetic"?

I understand it a little more for medical decision making… but back to the same question on why an LLM is held to a different standard than, say, a research paper? The physician is still responsible for the ultimate decision making. It's not like when a physician gives advice today they track which papers they read to inform that reasoning. But they still have to be able to defend the reasoning when a patient asks how they came to that recommendation.

Evan Brociner: Interesting point - yeah, I agree decision making is more important to potentially track LLM usage for. I guess what I was originally intending with the email example is, for example, if an LLM is used to summarize patient history in the email for the provider. If the information is wrong and the LLM hallucinates, who is to blame? Provider? LLM? Provider + LLM? Hospital system for agreeing to integrate the LLM?

Lisa Bari: The argument that it should be held to the same standard is valid without the context of real life behavior. MDs and many others have and will misuse it. Healthcare does need a higher standard of care, traceability, and evidence.

Michael Stratton: I agree that healthcare needs to be held to a higher standard.

@Evan Brociner Provider is to blame, they’d be exposed through malpractice… they have an incentive to validate. There is pretty good precedent for professional liability.

If you go to a doctor and they just blindly input what you say to ChatGPT and regurgitate the output, if they're wrong and it causes you harm, they'd be liable. The same as if they input your symptoms to Google/Bing/Ask Jeeves/Yahoo and just regurgitated the first result.

4. Mom-and-pop medical billing cos

Q: Meta-question: Why do you think there are still many "mom-and-pop" medical billing companies given so many tech revenue cycle management / billing companies that supposedly should make it easy for providers to do it in-house?

– Max Akhterov | via #builderask

Matthew Robben: Broad brush - given what they do, physicians are generally fans of relationships & in-person trust. A mom and pop that positions their firm on those things stands a good chance to win a deal relative to a tech firm sending them cold outbound emails. Also physicians tend to be VERY busy. If the mom and pop thing is working ‘good enough’ the pain and disruption of switching a core workflow likely outweighs the perceived benefits for them.

Manas Kaushik: I am not sure we live in the world where large tech cos are crushing everything, especially in this community. If you are a small customer of any large co, you know the tradeoffs well.

Clay Spence: I actually think it's because the tech doesn't really improve things very much. Billing / RCM is intrinsically hard.

There are a lot of health insurance plans out there. Each insurance plan has different rules and a different set of terms to express them, and they change every year. So eligibility checks return a jumble of data that is difficult to make sense of, and then the insurers will just randomly deny claims and you have to call them.

5. HIPAA compliant Twilio alternatives

Q: Twilio HIPAA plan is sooo expensive. Anyone got a discount or alternative?

– Mahsa Rostami | via #builderask

Brendan Keeler: Sendbird maybe

Neha More: AWS is an option, but the documentation for integrating it is not as clear.

Gabe Strauss: I was able to get up and running with AWS SNS/SES, though it requires some developer work. But it's covered by AWS' free BAA, so it's far less expensive than Twilio if your volume is low.

Doug Krieger: Clarification (cc @Mahsa Rostami) -- the use case to replace is SMS and email verification. Sendbird doesn't do SMS or email. Building a verification system for both (and especially SMS) feels like it's on the wrong side of the build/buy equation. Also, for more context, we're on GCP not AWS, and VPC peering across providers is more cost/risk against build IMO. Any alternative managed service recommendations for verification, factoring in BAA tax?

Wassaf Farooqi: I’d recommend you try and push Twilio to see if they can provide a discount if you are an early stage company. With end of quarter coming up, they may push it down to get a deal.

AWS Pinpoint is not terrible to integrate with though - I don't think you would need to deal with VPC peering; you would end up using the Amazon services through a service account and access them via API. (So it would not seem much different than a paid vendor.) Your main build will be setting up SNS topics / subscriptions to get per-user data.

Doug Krieger: @Wassaf Farooqi given we're not currently using AWS at all, we'd still have to create and make compliant our usage of an AWS account though, right? That's a significant difference from a managed platform focused on this use case like Twilio. Currently exploring Google Workspace SMTP Relay w/ GCP, seems viable.

Wassaf Farooqi: Your usage of AWS would be minimal, so compliance can primarily be done through setting up AWS GuardDuty / AWS Security Hub and then cleaning up the default recommendations. You'd probably be looking at worst case 2 weeks of effort to set up and document things for future security reviews. The HIPAA tax comes for us all, one way or the other.

Given that, in the past, I have negotiated (and have seen others negotiate) Twilio down to 1k/month or less for HIPAA, it's definitely a better option to try to push them vs. setting up AWS.

If you are doing SMS as well, you may need to look at registering the campaign to make sure operational messages you send from applications are not going to be filtered by carriers. Twilio has some docs here about it, but I'm not certain if this will apply to you or not - it depends how carriers view the phone numbers you are sending from.


Here we highlight a question from the Slack that needs some additional community insights - if you have a helpful thought, jump in below!

Q: Hey all! Wondering if there is a solution out there that helps understand benefit design on a plan-by-plan basis for providers. E.g., wondering if there is an easy way to research what billable codes are covered, at what unit #s, etc. I know Turquoise covers the rate piece, but are there companies that do both (the plan design AND the rates)?

– Morgan Flannery | via #builderask

If you have your own question(s) to ask, don't forget that a good place to start is our HTN Knowledge Bot. It's our smart search tool, powered by ChatGPT, that makes it easier to access the wisdom shared within the HTN. You can log in and use it on the website, or use it directly in Slack.


Here we highlight helpful resources from across the community:

  1. Usability and feedback patient interview guide via Sharon Lee
  2. Founder Refresh Grants & Continuing To Grow Your Company via Chris DiBlasi
  3. The State of AI in Healthcare Part III via Rikin Mathur