Show HN: Using GPT-3 and Whisper to save doctors’ time
We're Alex, Martin and Laurent. We previously founded Wit.ai (W14), which we sold to Facebook in 2015. Since 2019, we've been working on Nabla (https://nabla.com), an intelligent assistant for health practitioners.
When GPT-3 was released in 2020, we investigated it's usage in a medical context[0], to mixed results.
Since then we’ve kept exploring opportunities at the intersection of healthcare and AI, and noticed that doctors spend am awful lot of time on medical documentation (writing clinical notes, updating their EHR, etc.).
Today, we're releasing Nabla Copilot, a Chrome extension generating clinical notes from video consultations, to address this problem.
You can try it out, without installation nor sign up, on our demo page: https://nabla.com/copilot-demo/
Here’s how it works under the hood:
- When a doctor starts a video consultation, our Chrome extension auto-starts itself and listens to the active tab as well as the doctor’s microphone.
- We then transcribe the consultation using a fine-tuned version of Whisper. We've trained Whisper with tens of thousands of hours of medical consultation and medical terms recordings, and we have now reached an error rate which is 3× lower than Google's Speech-To-Text.
- Once we have the transcript, we feed it to a heavily trained GPT-3, which generates a clinical note.
- We finally return the clinical note to the doctor through our Chrome extension, the doctor can copy it to their EHR, and send a version to the patient.
This allows doctors to be fully focused on their consultation, and saves them a lot time.
Next, we want to make this work for in-person consultation.
We also want to extract structured data (in the FHIR standard) from the clinical note, and feed it to the doctor’s EHR so that it is automatically added to the patient's record.
Happy to further discuss technical details in comments!
---
140 comments
[ 3.1 ms ] story [ 191 ms ] threadObviously the business model is harder with on-prem, but cloud-first for doctor notes is in the long run much harder.
We plan to offer an on-prem option eventually.
In the meantime: - we offer a GDPR compliant EU-based hosting option - we don't store anything (no audio, no transcript, no note): it's stateless and all erased at the end of each consultation - data is pseudonomyzed as it flows though our systems
Our first customers (large healthcare orgs) have been OK with this so far!
First question - you say that you don't store anything (no audio, no transcript, no note), but your legal agreement says that in order to use this service, the doctor asserts to you that they have gotten consent from the patient for you to reuse all data processed through the service for research and development, and to improve the performance, models, and algorithms of this or any other solution you come up with in the future. Why the difference and how do you square A with B?
"Due to the substantial financial, material and human investments made by NABLA within the framework of the Contract for the development and updating of the Solution, NABLA wish to be allowed to reuse the data processed within the framework of the Contract.
The CLIENT, when applicable in the name and on behalf of the DATA CONTROLLER, warrants that the Data Subjects have been informed of their rights and have given their consent for the use of their data within the framework of the Contract when required by applicable laws or the Regulation and authorizes the DATA PROCESSOR to reuse the Data processed within the framework of the Contract, as long as the latter undertakes to comply with the Regulation for all of this Data, for the uses listed below:
- research and development of the Solution,
- improving the performance, models and algorithms developed and trained by NABLA in the context of the Solution or any other solution published by NABLA,"
Second question - you say that you don't store anything (no audio, no transcript, no note) and that it is all erased at the end of each consultation. But do you store any artifacts derived from the audio, transcript, or notes of a consultation, like data processed directly or indirectly from the audio, transcripts, or notes of a consultation that is fed in to an AI model, ML model, or other dataset that you persist after the consultation?
Here's the thing: rigorous medical documentation is not a burden on the practitioner, but rather an integral part of treating someone. You need detailed historical data to diagnose some tricky conditions and treat them correctly.
What's the tool doing to prevent a practitioner from simply blindly copy-pasting the output without verifying it?
> and saves them a lot time.
Which means more billable. Have you considered charging per medical act performed?
You clearly have a personal bad experience with your doctor - but that doesn’t mean that this potential product is a terrible idea.
Would you be upset if someone were to ask you to help with their code and you needed to Google for documentation?
It's not exactly the same thing, but it's a similar situation.
I do tend to agree with you on the rest of your concerns, especially info being used that the patient has no way to verify - but that seems tangential at worst to the product in it's current state.
It's pretty close to the same thing. Programmers are paid for knowing how to program, not for memorizing APIs, system calls, etc. Being able to look up details is essential because it lightens the cognitive load, allowing deeper thought to be put into the real meat of the problem. No programmer can realistically memorize every technical detail they'll need to know.
It's the same with doctors. They're paid because they know the process of diagnosing illnesses, not for memorizing Gray's Anatomy and every pharmacopoeia. Being able to look stuff up is essential for the same reason it is for programmers.
Not to mention that medicine changes, and you want your doctor to have the latest information about whatever it is that ails you.
But this isn't even about the doctor asking GPT, this is transcribing the video call so the journaling becomes easier and the doctor can spend more time with their patients. A good thing, no?
Pharmacists in other countries do a lot of the basic shit doctors in the USA do, with less overhead, for cheaper and with a much faster turnaround. Antibiotics, blood pressure/cholesterol meds, antidepressants and other rubber stamp drugs absolutely do not need to be strongly controlled.
No one is obligated to do free Googling.
Or maybe you didn’t go the for the Googling?
I just like to point out the small advantages of living in Europe now and again
That is my definition of free
He has medical knowledge which allows him to sort through information.
Any developer who doesn't google today is hindering his ability to develop and slowing the development process. Just like the dev cannot hold all the algorithms and language caveats/syntax in his head, a physician cannot hold all the information in his brain. He may not be familiar with symptoms or might be googling to see if there is anything "new" as pertaining to a patients specific issue.
There was a time steroid injections were the go to for tendon injuries, recently science came out that it results in worse long term outcomes and PT should be the first line treatment.
If they're searching up safety data on a slightly-over-recommended dose for a particular medication (like, say, a gastric bypass patient who takes an oral med that's not absorbed as much as in a person with a normal stomach), I'd much prefer they be certain than guess.
* Presenting potentially new information or methods of doing something. My "old" knowledge might still be correct, but a "new" method may have optimizations or benefits.
* Even though, I'm already 99% correct, it's not worth the hassle of being wrong the 1% of the time - especially when the solution is 20 seconds of internet search.
I shouldn't have to pay for your time so you can educate yourself on the thing you purported to know before I hired you. Especially when the hourly rates are in the hundreds of dollars.
So there is some balance there. And doctors are using software that spits them out shit in real-time and then they send you on your way with some printed info you can readily find on the web.
I just had a knee issue and the doctor thought it may be a torn meniscus. Didn't have me do any range of motion movements. We just chatted and he said I think it is this. Take an xray. Bye.
I go get an xray and results come back the next day over the app. All he says in the app - "xray is normal".
So I'm thinking what the hell. That's where you leave it? So what. Should we do an MRI? What's next. You gave me an anti-inflammatory and your guess was apparently wrong. What a shitty engineer this person would be.
Tech can help in some cases. I like getting lab results back in the app. I like that I can follow up with chat later.
But I fear it's making doctors less effective. And the best ones will be the ones that maintain their traditional craft and nuance even with all the fancy new tools and tech that save them time.
Just like everyone is a React developer these days. Tech and advances can make many people sloppy. And dumber. It can push away great talent due to mandates of the tech or process. And attract new talent that is worse.
I fear that LLMs will kick this to a whole new level :(
Doctor's already today spent too little time with their patients to understand diseases holistically enough.
Adding technically between these 2 will make treatments in most of the cases worse, not better.
Going from a recorded transcript to a summary note, extracted structured data, and diagnostic codes is a big time saver.
You seem quite confident about this, but based on the doctors I know writing notes is a real pain and mostly seen as (important) scutwork. They're only given a set amount of time to see a patient (including notes), and if you can reduce notes they'd actually get more time talking and seeing the patient.
You're not thinking like a hospital administrator. Sounds like these doctors can handle 40% more patients to me!
Everyone hates notes. However, there are already a bunch of dictation services that help write notes more efficiently. They absolutely work well enough.
Adoption and funding is the primary blocker. When my wife works at facilities that have M-Modal, she's 80%+ faster. However, she works at many, who despite knowing the benefits, simply don't care to spend the time, money, or resources on implementing scribe/dictation services.
How are 2 party consent states handled?
Is this HIPPA compliant?
https://www.scribeamerica.com/what-is-a-medical-scribe/
> A Medical Scribe is a revolutionary concept in modern medicine. Traditionally, a physician's job has been focusing solely on direct patient contact and care. However, the advent of the Electronic Health Record (EHR) created an overload of documentation and clerical responsibilities that slows physicians down and pulls them away from actual patient care. To relieve the documentation overload, physicians across the country are turning to Medical Scribe services.
> A Medical Scribe is essentially a personal assistant to the physician; performing documentation in the EHR, gathering information for the patient's visit, and partnering with the physician to deliver the pinnacle of efficient patient care.
https://www.hhs.gov/hipaa/for-professionals/covered-entities...
> If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.
"If you handle, store or transmit protected health information (PHI) to or from a covered entity then you need to be HIPAA compliant."
Source: https://github.com/truevault/hipaa-compliance-developers-gui...
----
The posted software is absolutely free to be non-HIPAA compliant. They're not a covered entity and without a relationship with a covered entity, they're not a business associate. However, without a relationship with a covered entity, they're also unlikely to generate any meaningful revenue.
When a covered entity (a HIPAA-required provider) does business with a private non-covered entity _and_ that transaction involves HIPAA controlled information, they must enter into a Business Associate Agreement (BAA). This effectively forces the private entity to maintain the same HIPAA standard as the provider.
A private company is absolutely free to build non-HIPAA compliant software, but they completely unlikely to get any healthcare providers to actually use it.
The blog posts also mention French trained ML.
> Cedille is a new open source French language model created by Coteries. It is trained to understand and write French and is also the largest model of its kind for French. Cedille is trained using large databases of publicly available content on the internet filtered for toxic content.
Expanding into the US, yes - they would need to deal with HIPAA, but until they do they likely don't need to.
Secure and HIPAA-eligible
Digging deeper (https://www.nabla.com/blog/privacy-security/):This data processing is done on Nabla's servers, which are powered by the HIPAA and GDPR compliant Google Cloud Platform (GCP), and on HIPAA-eligible LLM servers.
EDIT:
I was very curious about this and did a bit of research. The answer to it is squishy. It seems to be mostly a marketing term. The best definition I found was this:
"A service that is HIPAA eligible is one that is capable of being configured in a way that could meet HIPAA compliance requirements, but you have to know how to do it, it doesn’t happen ‘out of the box.’"
https://www.cleardata.com/articles/hipaa-eligible-hipaa-comp...
So it sounds great but doesn't actually mean that much.
The second you said that in a pitch to executive leadership, they'd realize you have no idea how to operate in healthcare.
* they may be HIPAA-compliant (ie: they fulfill the requirements), * they haven't gone through a HIPAA-certification (no third-party cert), * they aren't using services that aren't HIPAA-certifiable
The latter point is important, because there are some services (ie: firebase) that apparently won't be HIPAA compliant. Some services are HIPAA-compliant if configured correctly. AWS has a list. I believe google does too.
There are a bunch of HIPAA guides out there.
So as a demo, it's not a big deal. But if they start selling this they need at least to be HIPAA-compliant with certification on the roadmap.
HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.
I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.
Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:
https://aws.amazon.com/compliance/hipaa-eligible-services-re...
Here's google's:
https://cloud.google.com/security/compliance/hipaa-complianc...
In general it means that the service may not be HIPAA compliant by default, but can be configured to be HIPAA compliant.
HITRUST is something else and it outside the scope of this discussion IMO. Not sure why you brought that up.
The is no certification requirement, so there is nothing to ”stand up in court”. Straight from the horse's mouth:
Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance.
https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-...
Nothing like “subtly wrong” clinical notes to affect positive medical outcomes. And time pressed medical professionals are certainly well suited to vigilance tasks like correcting machine generated errors. /s.
I sincerely hope this never sees the light of day.
Doctor's handwriting is notoriously bad. Now try putting that into an EMR. Good luck with that! You think you're going to get someone who gets paid $2000/hr to type shit up? Yeah, guess again.
I used to type, now I dictate.
Quality of note is provider dependent though. If an LLM can improve quality of notes across the board through simple summary that’s interesting. But the input matters - is the provider actually asking the right questions? Did they look at past relevant history and other notes and put it in their current note?
The LLM should be in a HIPAA compliant environment and have access to the EMR. Then it provides a tidy summary for that. Second it should have relevant questions for the provider to ask during the interview but also a real time/dynamic component which generates relevant follow up questions dependent on patient responses.
Lastly it should put together the old and the new and generate a new note which can then be edited by the provider. Editing notes is much easier than generation of a new high quality note.
This could elevate a lot of problems we have with our public healthcare(Canada).
This is a task that perhaps can be supported with AI some day, but there are fields that deserve the application of a mature technology, not the gold rush rush game of integrating today's hottest thing.
The summarization part, though, is dangerous. It's a very quick path to us losing all faith in our own medical records. Any way you slice it, no matter how much you train it, it's still going to be vulnerable to hallucination errors that slip by the reviewing doctor and become part of the patient's medical history.
Maybe you should re-evaluate whether that's the right choice based on your own comment, especially when ethics and safety experts are being fired by big tech co.
I think the general idea is interesting but this is the wrong benchmark to convince people imo. What is the actual error rate of Google's Speech-to-Text on this your data? How convinced are you that it's properly labeled? That it's 3x lower isn't necessarily impressive. Then a follow up question... What I as a patient would want to know is something else, how does it compare against medical secretaries that usually transcribe documents like these?
That way you still get the benefit of summaries, without polluting the medical records with hallucinated AI nonsense.
I'd be pretty concerned if my doctor relied on this to be honest.
My doctor could vet it for accuracy, I suppose, but why? He's already putting his notes in my records anyway.
Their website's privacy policy doesn't say anything about their product. It's also incorrect (they seem to have switched tracking providers without updating their privacy policy). I would quote the sections that are incorrect, but their terms and conditions forbid copying any content from their site. Their T&C also forbids me from linking to their page or terms.
I very much doubt that using this product as advertised is even legal under the GDPR. The company is French and health data, even pseudonymized, is strictly regulated. The "demo" doesn't feature any explicit consent at the very least.
It looks like they're making all privacy risks and concerns the doctors' problems. After all, they're the ones violating the law when they use this product.
I honestly have no idea how these products are even developed. Does nobody think about any laws at all? This is something I really hate about the current state of "hustle" development.
Our product is GDPR compliant.
What I don't understand from those, and statements made by your team in this thread, is how some claims can be compatible.
- That the product is GDPR compliant.
- That you don't store the PII or health data.
- Yet all data is stored at Google servers.
- Also, you reserve the right to re-use said data. (Which, since this is for R&D purposes, should probably qualify you for the need to ask the CNIL for an authorization as "health data repository"? [0])
- That none of the data is sent outside the EU or to additional 3rd parties.
- Yet it uses a fine-tuned "GPT-3" (a term that to the best of my knowledge exclusively refers to Microsoft/OpenAI's US-based API service, not to on-prem GPT-like LLMs like GPT-J or GPT-NeoX).
All in all, I can feel the enthusiasm but it does feel like this thread would have been so much more reassuring with some proactive comments about the privacy/health data issues, rather than have everyone voice the obvious concern with no prepared answers.
[0] https://www.cnil.fr/fr/la-cnil-adopte-un-referentiel-sur-les...
I hope this link will clarify our position.
Here are additional answers related to your points. - We do use Google Cloud to host our backend in EU or in the US but also the data for the Care Platform product. For the Copilot product, we don't host any data. They are hosted locally on the practitioner browser. - Our T&C reserves the right to re-use data in the event we will store the data in future versions of Nabla Copilot. In any case, the reuse of data, even health data, is allowed by GDPR for the improvement of the service provided if the data controller (practitioner) authorizes us and if they have informed the patient. - We did not say that "none of the data is sent outside the EU". Actually we say the opposite in the Copilot APD Annexe 1. We specifically mention Google and OpenAI and we comply with GDPR with a data protection agreement with both these companies.
Maybe its just the doc offices i've been to, but i think this would actually just increase the patient churn in a hospital. There's no way a doc is going to increase their patient time by the 40% saved if the hospital can toss them in front of another patient.
This is different, in that this service requires that a third party pay attention to the content of your discussion in order to work. That's significantly more intrusive.
Then you simply cannot use modern healthcare. Unless you're doctor is cash-pay, off the cuff, they're _legally_ using third-parties to perform their services.
----
If your doctor/healthcare provider is a covered entity, they're bound by HIPAA. That means they're free to establish relationships with Business Associates that are part of delivering healthcare. Those Business Associates must also be HIPAA compliant.
In any case HIPAA will protect you. Your provider will have a business associate contract with them, so they're subject to huge fines if they violate that.
This is a demo. In real life this'll be wrapped with a whole lot of legal contracts.
> in any case, HIPAA will protect you
It protects you insofar as it disincentives honest actors from doing sketchy things with your data. It's punishment for orgs, not protection for patients, like how laws against murder punishes the murderer rather than protecting the victim.
The best thing a patient can do to protect their privacy is to be actively avoid of medical practitioners that, for example, use tools like this which send your private medical consultation transcripts to God-knows-where.
They can be held accountable, but it's unclear how much specialized training or experience they actually have. They could have had a 6-month course, an online course, etc.
And of course you're assuming their EMR is actually secure. In a small office you can usually find the passwords you need stuck to the monitor or under the keyboard.