Health Compass

Manifesto

We are at a phase transition in healthcare. Health Compass is built for the phase that is beginning.

A health AI that works for the patient alone, encrypted so that even we cannot read the most sensitive parts, and paid for by organizations rather than by selling the patient's attention or data.

The metaphor

There is a concept in the sciences known as a phase transition. It describes the threshold at which an otherwise stable system suddenly rearranges itself into a completely different stable pattern. Water freezes. Not gradually — at a precise threshold, the molecular structure reorganizes and something categorically different exists where something else was before.

The same phenomenon governs the lifecycle of stars: our Sun has been in its main sequence for five billion years, and one day that equilibrium will fail and the Sun will become something entirely unlike what it has been — not a gradual decline but a reorganization into a different state.

We are at such a threshold with artificial intelligence and healthcare.

The phase we are leaving

For more than half a century, medical knowledge has been organized around a structural scarcity: understanding of the body and its diseases lived inside the trained minds of clinicians, accessible to patients only through the narrow bottleneck of the clinical encounter. Medical records were owned by institutions. Explanation was expensive and therefore rationed. Decisions flowed from information asymmetry so extreme that "paternalistic" was a structural description, not an accusation.

Every product built for healthcare in the last two decades carries these assumptions.

The forcing function

Large language models now reason about medical questions at a level approaching that of trained clinicians, continuously, at near-zero marginal cost. The cost of high-quality medical explanation has collapsed. The synthesis of research literature, treatment guidelines, and an individual patient's situation — once the most expensive product of medicine — can now happen in seconds.

This is not an incremental improvement. It is a change in what is possible for a patient to do outside of a clinical encounter. The forcing function is real, and it does not ask permission.

The phase we are entering

On the other side of this transition, patients arrive at clinical encounters already informed. Chronic disease management shifts substantially to the patient-plus-AI pair, with clinicians as an escalation layer for the judgment calls AI cannot responsibly make.

A second, subtler thing happens. Patients begin saying things to AI that they would never say to a clinician, because the AI holds no institutional or social stake in the disclosure. Fear of being judged for substance use, shame about an STI concern, worry about reproductive health under a legal climate that may criminalize it, grief about a mental health crisis — these disclosures begin to flow toward the tool that does not flinch.

This makes the question of who else can read those disclosures the central ethical question of the new phase.

What follows

A product native to the new phase cannot carry the assumptions of the old one. It cannot be institution-centered. It cannot treat patient data as a byproduct of its own operation. It cannot promise confidentiality through policy while retaining the technical ability to read what it stores.

A product native to the new phase must satisfy four commitments:

  1. The patient owns their health information. Not "has access to it" — owns it, with cryptographic keys, on infrastructure separate from any institution.
  2. An AI that works for the patient works for the patient alone. Its reasoning, its memory, and its allegiance are not shared with employers, insurers, or vendors.
  3. The most sensitive categories are protected by architecture, not by promise. HIV status, substance use, mental health, reproductive health, domestic violence — these are encrypted under keys the patient alone controls. Health Compass is unable, in a cryptographic sense, to read them.
  4. These properties are verifiable. Open source code, published cryptographic design, independent audit, warrant canary. Don't trust our statement; verify the claim.

What we build

Every piece of patient content lives in one of three tiers. The tier determines who can read it, enforced by mathematics rather than by policy.

  • Aggregate. De-identified population signal, k-anonymized before exposure to any paying sponsor. Cohort sizes small enough to identify an individual are suppressed.
  • Personal. The working surface of care: symptoms, medications, appointments, non-stigmatized conditions. Encrypted at rest, accessible to Health Compass to deliver service, never to the sponsoring organization without explicit patient authorization.
  • Confidential Vault. HIV and STI, substance use, mental health, reproductive health, domestic violence, and anything the patient marks as private. Encrypted in the patient's browser under keys derived from the patient's own hardware-bound credentials. Health Compass and its infrastructure hold only ciphertext. We are structurally unable to decrypt it.

Structural separation

The ciphertext for the Confidential Vault is held by a separately incorporated entity, the Patient Data Trust, whose fiduciary duty runs to patients rather than to Health Compass shareholders. Health Compass operates the application; the Trust holds the data. No single legal process can compel both the ciphertext and the keys to the same actor.

Compliance by architecture

What federal and state law treat as extra-protected categories aligns structurally with the Confidential Vault. 42 CFR Part 2 for substance use disorder data. California Health and Safety Code §120980 and equivalents for HIV status. Post-Dobbs reproductive shield laws. HIPAA psychotherapy notes. Washington's My Health My Data Act. The vault's default of non-disclosure matches what the law requires. A medical group or health system that partners with Health Compass inherits a platform whose sensitive-category handling is compliant not by vigilance but by construction.

Business model aligned with the architecture

Health Compass is free to patients. It is paid for by self-insured employers, medical groups, ACOs, and health plans — organizations with a compliance function and a stake in member and patient outcomes. Never by individual physicians; that arrangement invites referral-kickback analysis by its shape alone.

Employers receive aggregate dashboards. They never receive identifiable employee health data, and they never receive anything derived from the Confidential Vault — not aggregate counts, not existence signals, not metadata. This is contractual, with material-breach consequences, and it is architecturally enforced besides.
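The small-cohort suppression described for the Aggregate tier, combined with the rule above that nothing Vault-derived reaches a sponsor, as an added example (not Health Compass code). The threshold k=5, the category labels, the one-program-per-member row shape and the function names are assumptions. Folding a neighbouring cell into "other", so that a hidden count cannot be recovered by subtraction from the total, goes beyond what the page states.

```python
from collections import Counter

K = 5  # assumed threshold; the page does not state its k
# Constructed labels for the Confidential Vault categories named on the page.
VAULT_LABELS = {"hiv_sti", "substance_use", "mental_health",
                "reproductive_health", "domestic_violence"}


def aggregate_report(rows, k=K):
    """rows: (member_id, program) pairs, one program per member.

    Returns the cells safe to show a sponsor. Cells under k are folded into
    "other"; if "other" is still under k, the smallest remaining cell is
    folded in too, so total minus visible cells never exposes a small cohort.
    """
    counts = Counter()
    for _member_id, program in rows:
        if program in VAULT_LABELS:
            # Fail closed: Vault data must not reach this pipeline at all.
            raise ValueError("vault category in aggregate input")
        counts[program] += 1

    published, other = {}, 0
    # Walk cells from smallest to largest so small cells are handled first.
    for program, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        if n < k or 0 < other < k:
            other += n
        else:
            published[program] = n
    if 0 < other < k:
        return {}  # the whole population is too small to report
    if other:
        published["other"] = published.get("other", 0) + other
    return published


def make_rows(**sizes):
    """Constructed sample data: sizes maps program name -> member count."""
    return [(f"{p}-{i}", p) for p, n in sizes.items() for i in range(n)]


if __name__ == "__main__":
    # Naive suppression would show diabetes=12, hypertension=7 and a total
    # of 22, from which the hidden asthma cohort of 3 follows by subtraction.
    print(aggregate_report(make_rows(diabetes=12, hypertension=7, asthma=3)))
```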

Verifiability

The cryptographic core is open source. Build artifacts are reproducible. SHA-384 hashes of every deployed patient bundle are published to a transparency log. A warrant canary is updated with each transparency report; its absence signals legal process we cannot disclose. An independent cryptographic audit precedes the activation of the Confidential Vault and is repeated annually. A bug bounty rewards researchers who find flaws. The security plan and threat model are public documents.
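One way an outside party could check the published-hash claim, as an added example that is not the project's code: hash the bundle actually served, look it up in the transparency log, and confirm the page's Subresource Integrity attribute pins the same bytes. The log entry shape (`release`, `sha384`), the sample bundle and the function names are assumptions; the page does not describe the log's format.

```python
import base64
import hashlib


def sha384_hex(data: bytes) -> str:
    """Hex SHA-384, the form assumed for transparency-log entries."""
    return hashlib.sha384(data).hexdigest()


def sri_value(data: bytes) -> str:
    """The same digest in Subresource Integrity form: sha384-<base64>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def find_in_log(data: bytes, log_entries):
    """Return the log entry whose hash matches the served bytes, else None."""
    digest = sha384_hex(data)
    for entry in log_entries:
        if entry["sha384"].lower() == digest:
            return entry
    return None


def integrity_matches(data: bytes, integrity_attr: str) -> bool:
    """An integrity attribute may list several hashes, each with ?options."""
    expected = sri_value(data)
    tokens = (t.split("?", 1)[0] for t in integrity_attr.split())
    return any(t == expected for t in tokens)


def audit_bundle(data: bytes, integrity_attr: str, log_entries):
    """Both checks must pass: the bytes are logged and the page pins them."""
    entry = find_in_log(data, log_entries)
    return {
        "logged": entry is not None,
        "release": entry["release"] if entry else None,
        "sri_ok": integrity_matches(data, integrity_attr),
    }


# Constructed sample: a stand-in bundle and a one-entry log built from it.
SAMPLE_BUNDLE = b"console.log('constructed sample bundle');"
SAMPLE_LOG = [{"release": "constructed-1", "sha384": sha384_hex(SAMPLE_BUNDLE)}]

if __name__ == "__main__":
    attr = sri_value(SAMPLE_BUNDLE)
    print(audit_bundle(SAMPLE_BUNDLE, attr, SAMPLE_LOG))
    print(audit_bundle(SAMPLE_BUNDLE + b"//modified", attr, SAMPLE_LOG))
```

A bundle that fails either check was not one of the published builds, which is the condition an external monitor would alert on.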

Our principles

Underneath the architecture, the product is still a health advisor for patients. These principles govern how it behaves:

  1. Put the patient first. The system begins with the person's lived experience, not clinical abstractions.
  2. Pay attention continuously. Symptoms, changes, questions, and observations are captured over time so important patterns are not lost.
  3. Bridge fragmented information. Help connect data across visits, specialists, and records when the system itself does not.
  4. Support human expertise. AI helps patients and clinicians think more clearly. It does not pretend to replace judgment.
  5. Respect limits. No AI is a doctor. Human expertise is better than artificial intelligence and likely always will be.
  6. Reduce burden where possible. The right tool does more of the bookkeeping and organizing work so patients and providers can focus on care.

What we do not yet promise

Honesty is part of the architecture. Several limits of the Phase 1 system are worth naming explicitly.

  • AI reasoning currently passes through the Claude cloud. Anthropic is a business associate with a BAA, but their infrastructure sees the prompt. This is not yet end-to-end private reasoning. When attested confidential-compute inference becomes available for Claude — Apple's Private Cloud Compute and its equivalents are the relevant pattern — Confidential Vault reasoning migrates to that path. Until then, we disclose this limit clearly and do not market more than we deliver.
  • Browser execution is weaker than native. Phase 1 ships as a Progressive Web App. Strict Content Security Policy, Subresource Integrity, and reproducible builds mitigate but do not eliminate the weaker code-integrity guarantee of the browser runtime. Native iOS and Android follow in a later phase.
  • Compelled patient device unlock is outside our threat model. If a court or a physical threat causes a patient to unlock their own device, the architecture is defeated at that endpoint. We cannot protect against that, and we say so.

This list is not reassurance. It is what honesty looks like in a domain where most products say less than they should.

Why this matters

When the water freezes, the molecules that were free to flow are locked into place. When a star leaves its main sequence, the equilibrium that supported its life ends. When a technological substrate reorganizes an information economy, the products that carried the old equilibrium's assumptions into the new phase are left stranded in a world that no longer fits them.

Every competitor in this space is building for the phase that is ending. Health Compass is built for the phase that is beginning. The architecture is not a feature list; it is a bet that the new phase will demand patient sovereignty over information, and that the first product to build to that demand honestly will become the reference for what health technology in the new phase looks like.

We are not pretending the transition is complete. We are not pretending the product is finished. We are claiming that we understand which phase we are building for, and we are building to match.

The invitation

If you are a patient living with complexity, a family member carrying hidden coordination work, a physician who sees how often important context gets lost, or an organization that would rather pay for a health platform that earns the trust of the people using it than for another product that tells them to trust it — we want to hear from you.
