adunsulag's comments

They renamed the US Digital Services agency to be DOGE. I don't know if they can rename a branch of government but that's how they are doing it. Musk has then gotten Trump to appoint members of his initial DOGE as representatives in each of the departments (Treasury, Commerce, etc) so they can have acting authority.

Trump's delegated Musk as a Special Government Operative and signed executive orders granting him and all his recommended employees security clearances w/o the requisite background checks that normally would be required.

So they are acting within the government, they are employees, and they've been granted special waivers by Trump to do all this craziness.

I think its going to come down more to the courts looking at whether these 'newly appointed employees' are breaking all kinds of laws passed by congress.

Oracle purchased Cerner which is now sitting on a ton of healthcare data.

I read your comment and yet I see tons of startups putting AI directly in the path of healthcare diagnosis, healthcare clinical decision support systems, and healthcare workflow automations. Very few are paying any attention to the 2-10% of safety problems when the AI probability goes off the correct path.

I wish more people would not do this, but from what I'm seeing, business execs are rushing full throttle into this at the goldmine that comes from 'productivity gains'. I'm hoping the legal system will find a case that can put some paranoia back into the ecosystem before AI gets too entrenched in all of these critical systems.

Was excited about this and then saw AGPL on it. Note the OP's software is MIT. My personal preference is GPL, but MIT is better than AGPL in my opinion.

Its a tool, like any other tool a software developer would use. In areas where I have a lot of repetition or need to pour through verbose (but simple) documentation, its such a game changer. I can spend 5 minutes thinking about what I want the machine to do, give it some samples of what I expect the output to be and wala, it generates it, often times 100% correct if I've got the prompt put in properly, sometimes its good enough with a bit of refinement. This is something I would normally have delegated to a junior team member or sub-contractor, but now I'm saving in time and money.

Occasionally I sink 1-2 hours into a tweaking something I thought was 90% correct but was in reality garbage. I had that happen a lot more with earlier models, but its becoming increasingly rare. Perhaps I'm recognizing the limitations of the tool, or the systems indeed are getting better.

This is all anecdotal, but I'm shipping and building faster than I was previously and its definitely not all trash.

This is where I want highly sensitive healthcare consumers of LLMs to be at. Note summation, suggested diagnosis (provider always in control), and other augmented abilities for the clinical staff without the risk of health care data sent outside the device, or the very local network.

My understanding is that customers believed they had control as Crowdstrike gave them configuration options to delay updates / stagger them. Apparently many of them were surprised that Crowdstrike had the ability to bypass all these configuration options and force the update. I think that is where Crowdstrike's liability skyrockets through the roof.

I was reading your reply and started thinking, this sounds a lot like what I did to do encrypted search with Bloom Filters and indexes. I click on the first link and find the exact website I used when researching and building our encrypted search implementation for a health care startup. It worked fabulously well, but it definitely requires a huge amount of insight into your data (and fine-tuning if your data scales larger than your initial assumptions).

That's awesome that AWS has now rolled it into their SDK. I had to custom build it for our Node.JS implementation running w/ AWS's KMS infrastructure.

Are you the author of the paragonie website? The coincidence was startling. If so, I greatly thank you for the resource.

Edit After going back and re-reading the blog post, looks like you are the author. Again thank you, you were super helpful .

OpenEMR is an OSS practice management system and is certified for medical use by ONC in the USA. It has been deployed in the medical context in many jurisdictions in the USA. There are some government agencies / larger organizations that require 'sole-sourcing' which I think is what you are referring to, it varies by jurisdiction, but I've never heard of anything at the federal level and widespread state level that 'requires' this. If this was the case I doubt we'd have made it through the many times we've been certified.

I will mention that the certification process is expensive. It ranges in the 100K-250K range each time we go through it in fundraising and to go through the certification process.

>To be explicit for readers here, outside applications can connect to some EHR systems using SMART on FHIR, but not all (this is what Apple Health supports in their PHR) - and this is separate from HIEs. For reasons OP mentioned, this is impractical for treatment at scale, but is currently the best way to get your health records in your pocket, or to insurance companies, for example.

Just a minor detail here. My understanding from my attendance at some of the ONC Information Blocking seminars is that if the EHR is ONC certified, they are required to provide access to a patient using any app of the patient's choice. The rules are very different if its a provider app or an app that can provide access to data for multiple patients. Unfortunately, not all EHRs are certified (looking at you mental/behavioral health sector, and cash-only EHRs).

We continue to struggle with this in our own EMR implementation as app providers constantly complain that provider/system level access to the data requires manual human intervention, which we aren't going to change anytime soon. Things like Unified Data Access Profiles (UDAP) Dynamic Client Registration are looking to mitigate some of these problems.

What I'm intrigued about with Metriport is that app providers could connect directly to them to get the patient data as long as our EMR feeds data into the HIEs they work with.

In your FHIR implementation, what version of USCDI do you support? I'm assuming you're following US Core profile's with your implementation guides? Have you implemented US Core STU 6.1.0? I know I'd be interested in using your converter and your exchange product if it could help facilitate what's required for ONC certification in 2026. I didn't see listed anywhere your capability statement URL that would give insight into what your doing.

I congratulate you on your launch and I'm interested in your converter. I'm surprised you didn't mention the TEFCA effort and wondering if you're planning on becoming your own QHIN (Qualified Health Information Network) or if you just plan on interfacing with all of the major QHIN's?

How are you handling interstate data exchange privacy requirements. Some states have restrictions on what data can be shared across state (thinking about this in terms of things like PDMP queries). I'm also wondering how you are handling the patient data access audit trail as well as information blocking filtering requirements. Perusing your documentation, it looks like you pass along the AuditEvent, does your system create additional audit trails for those who access the patient data? Or is that all being handled upstream w/ your QHINs?

Thank you, I looked at Zoho a number of years ago and when I reached out to their team they did not recommend using them for HIPAA related transactions. I'm happy to see that change!

Saying let the courts decide when there is massive ambiguity for the small projects and developers just means that many of us (I know I will) will region block the EU until some one else deals with the court system and provides clarity for the rest us. It is way, way better for legislators to provide intent and clarity then to make things uncertain and ambiguous for the courts to decide. If they truly aren't going to care about a single corporate committer, then lay that out, or if there is a maximum donation threshold (indexed to inflation) of what can be considered reasonable corporate donations, then specify. Otherwise, those of us who can't afford to be caught in a legal battle on another continent will just shut things down.

That results in less software overall for the EU to use and innovate on. Perhaps that will result in better battle hardened software for the EU in general, but considering how much OSS has a huge dependency chain problem (many of them small projects), I'm doubtful that will occur anytime soon.

Seeing a lot of it going on in healthcare right now, especially healthcare startups. Wonder how soon regulators will step in and start stomping down on it... it usually takes several years to a decade for any federal rule to be issued so startups may make it through long enough to turn the bag over to someone else.

What the is the code you are using in your data. Is it SNOMED? CPT4? Something else?

I used to have the same philosophy having also spent hundreds of hours dealing with the bureaucracy both technical and human of HIPAA and the need to have more data to improve health outcomes for people.

I then went through the process of applying for disability insurance and dealt with the quagmire of them wanting access to all of my mental health records. Not a summary of my mental health diagnoses, but ALL of the individual progress notes. I refused them having those records and ended up having to waive any disability coverage due to mental health issues I was facing. That type of data I just didn't trust this insurance company to keep the data safe, especially as the paperwork stated they would share the data with all of their affiliates and partners with no recourse on my part to restrict what was shared. At that point, I realized that there are VERY good reasons why we don't just allow all of our medical data to be open.

I put my kids through both scratch and khan academy javascript. I've found that it helps them come to terms a lot with the underlying mechanics of scratch and my oldest is now graduating onto building web apps. When my child hits a hurdle and feels like doing something easier they go back to scratch.

There's always a nuance, and I laugh when people tell me 'this is relatively simple'. It often seems like it can be done with wordpress but if the client is fixed that the app MUST function in a way that wordpress doesn't accommodate... well then the costs go up dramatically to rebuild some form of wordpress but not using wordpress...

I often like to present things in terms of costs alternatives to my clients. IF it MUST be done with that feature it will cost X dollars to build it that way. If we remove that feature or do this alternative approach we can bring the cost down to Y where Y is much cheaper. It takes a good technical person who is business minded to be able to see these win/win scenarios though. 99% of the time people choose the cheaper option when they find out it can be done for 10K instead of 50K.

Its one of the reasons why you need a good technical cofounder who is ALSO familiar with business strategy to be able to choose from alternatives instead of doing whatever the business guy insists has to be done.

Many stores I go to in rural america ONLY accept cash or check. The areas are so poor they refuse to pay the credit card fee. That and I suspect there's a lot of tax evasion going on.

Perhaps its the people who cook with a lot of home ingredients (eggs, meats, vegetables, fruits) that are feeling the most pain. My food budget has gone up 25% in the last year for the same basket of goods. I track those numbers pretty consistently.