Monitoring is not understanding ended on a line I have not been able to drop: the patient is the only thread that runs through their own care, and the patient has no app. The integration job, seeing the whole patient across fragmented providers and noticing that the second stroke is a recurrence and not a fresh event, lands on the person least equipped to do it. So build the app. The moment you try, you hit the same wall as everywhere else: what funds it. I worked the clean version of that question on local trades. This is the hard version, and the difference is the lesson.
The argument in five lines
- The app is a store of data organized to surface patterns. It never advises. Advice is a separate layer attached to a real clinician.
- That firewall is the design: it keeps the store clear of medical-device rules and keeps the liability where the clinical judgment is.
- Ads are not an option. Targeting on diagnoses is the nightmare case and mostly illegal, so "if not ads, what?" is a hard constraint here, not a preference.
- Fund the core as a mutual: everyone has this problem, so tiny universal contributions make it cheap per head and cheaper as it grows. Family plans, free for those who cannot pay, and sponsored memberships from a city or insurer for the rest.
- Keep the dangerous money out of the core: medic and insurer money funds the separate advice layer and sponsors access, never the pattern store. The funding model is the governance model.
The app that should exist
The gap is not a missing feature in some EHR. It is the absence of a layer that belongs to the patient. Every provider has a system; the cardiologist sees the heart, the neurologist the brain, the pharmacy the script, and each closes its own case as a success. Nobody owns the integration, and the one person positioned to is sick, untrained, and without tools. The thing that should exist is a patient-controlled layer that pulls records together, keeps the whole-patient picture, and raises a hand when a symptom recurs under the same treatment. Not a new silo. An agency layer the patient owns and the providers feed.
And it has a hard line drawn through it. The app is a store of data, organized to surface patterns. It does not advise. It can show that a symptom has recurred three times under the same drug; it does not tell you what to do about that. Advice is a separate layer, attached to a real clinician, and funded separately. That separation is not a disclaimer, it is the architecture. It keeps the store clear of medical-device regulation, keeps the liability where the clinical judgment actually lives, and keeps the patient holding a tool that informs them rather than one that decides for them.
Ads are not just bad here, they are radioactive
In the trades version, advertising was the welfare-negative incumbent. In health it is off the table. Targeting a person on the basis of their diagnosis is the worst thing the surveillance model produces, and it is largely illegal: health data is special-category under GDPR and protected under HIPAA. That changes the funding question from a preference into a constraint.
Everywhere else, "if not ads, then what?" is a values question. In health it is a legal one. The answer cannot route through attention, which removes the cheap option and forces the hard one.
The rent does not disappear, it changes clothes. Instead of consumer ad-targeting it is EHR vendor lock-in, data brokering, and the quiet sale of de-identified records. The thing extracting value is the same shape as always. It just wears a compliance badge.
Why this is the harder case
Set the two examples side by side and the friction is obvious.
| Local trades | The patient's app | |
|---|---|---|
| Revenue line | Provider member fees, clean and recurring | No clean payer; the sickest can least afford to pay |
| Regulation | Light | Heavy (special-category data, possible medical-device rules), with a patient-access tailwind from the EHDS |
| Liability | Small claims if the plumber breaks a pipe | Contained by the firewall: the store surfaces facts, a clinician owns any advice and its liability |
| The hard part | Posting a listing | Getting data out of provider EHRs at all |
| As a target | A city's job board | The most valuable, most dangerous data store there is |
The member-fee model that made the trades co-op self-funding does not transfer. Charge the patient and you rebuild the access tier the subscription model always creates, except now the people priced out are the chronically ill, who are exactly the ones the recurrence problem is about. So the clean answer fails, and you have to find the payer somewhere else.
The payer hiding in the last article
It was there the whole time. Monitoring is not understanding made the case that the recurrence is the question nobody asks, the second stroke logged as a fresh event. The thing that article did not say out loud is that the missed recurrence is not free. Someone pays for the second stroke, the readmission, the avoidable ICU week.
Name who pays for the second stroke and you have found the actor whose interest in prevention is structural rather than charitable. That is who will sponsor access and fund the advice, even while the core stays a member-owned mutual.
Keeping the dangerous money out of the core
This is where the funding thesis usually bites its own example, and the design defuses it before governance even gets involved. Money that makes an app sustainable can quietly make it serve the wrong master: an app whose core is paid for by an insurer drifts toward optimizing the insurer's cost, with flag-to-deny, rationing, and surveillance. The defense is structural. The core, the pattern-surfacing store, is funded by its members as a mutual, so no insurer pays for it and none can own it.
Insurer and medic money is confined to two places where it does the least harm: the separate advice layer, where a clinical relationship is appropriate anyway, and the sponsorship of access for people who cannot pay, which funds a seat rather than steering the product. What is left is the residual risk that a sponsor leans on the thing it helps pay for, and that is what the governance guards are for.
| Guard | What it enforces |
|---|---|
| Patient supermajority | Anything clinical or data-sharing needs patient-member control, not payer or provider |
| Sustainability seat, not a steering one | The payer funds and gets aggregate outcome metrics, never identifiable data and never a product veto |
| Surface, do not police | The app flags and informs the patient; it does not deny care, ration, or report upstream |
| Capture is visible | Open governance docs, and a federation that can defederate a compromised instance |
What actually funds it: a mutual
The shape is the same layered, insulated stack as the trades model, but the core revenue is a mutual rather than a provider fee, and that changes everything. The insight is that everyone has this problem. Universal problems are what mutuals are for: a very small contribution from many people funds the commons, and because the cost is mostly fixed, the price per head falls as the membership grows.
A mutual earns back the one thing ads got right. Ads gave rich and poor the same product because a third party paid. A mutual gives rich and poor the same product because the many cover the few. Same universal access, no surveillance, no rent.
On the member side that is a few tiers, all kept deliberately cheap:
- A small individual contribution, low by design and trending lower as usage grows.
- A family plan: pay once, cover the household, since the integration problem runs in families anyway.
- Free for those who cannot afford it, cross-subsidized by paying members.
- Sponsored memberships, the "welfare family" idea, where a city or an insurer pays the contribution for people who cannot, the way a library card is funded for everyone.
| Layer | Funded by | Note |
|---|---|---|
| Interop & consent protocol | NLnet, Sovereign Tech Fund, Digital Europe / EHDS budgets | Patient-mediated exchange (FHIR), identity and consent. The EHDS access right is a tailwind. |
| Pattern-surfacing store (the core) | Mutual member contributions; family plans; cross-subsidy | Member-owned, free at the point of need, cheaper per head as it grows. |
| Access for those who can't pay | Sponsored memberships from a city or insurer | The sponsor funds a seat, never the product. |
| Advice layer (medic-linked) | Medics and/or insurers | A separate clinical layer, where clinical money and liability belong. |
| Stewardship | Foundation outside the operating jurisdiction plus R&D grants | Holds the consent protocol, copyleft so no one forks it closed. |
Federation matters even more here
A central store of everyone's health records is the worst object you can build: a catastrophic breach target and a capture magnet that insurers, the state, and advertisers all want. The federated design is not stylistic here, it is survival. Data stays patient-side or in a store the patient chooses, and the protocol only coordinates consented exchange. No global aggregation, which is the thing that concentrates power and corrupts. It is also the live tension inside the EHDS itself: even a well-meant central health-data space is a honeypot, and the defense is to keep the patient layer federated rather than pooled.
The honest constraints
- Regulation is real, and the firewall is the answer to most of it. Health data stays special-category, but because the store surfaces patterns and never advises, the medical-device burden falls on the separate clinical layer where it belongs. Hold that line and it stays a line.
- Providers benefit from lock-in, so getting data out is a fight even where the law grants access. Interop (FHIR adoption) is uneven and is the genuinely hard engineering.
- Liability cuts both ways: harm from a wrong flag, and harm from a missed one. Governance and scope have to be conservative.
- Cold start is easier per patient than the trades case, since one person aggregating their own records is useful on day one, but the provider-access fights are harder.
The takeaway
The trades example showed the funding model working cleanly. This one shows it under load, and under load the answer turns out to be two design moves, not one clever funder: a firewall that keeps the store from ever advising, and a mutual that keeps the core owned by its members. Get those right and the dangerous money can be let in at the edges, the advice layer and sponsored access, without taking the middle.
That is the whole argument from the trades piece, at the highest stakes it comes in: the funding model is the governance model. Nowhere is that truer than in the app the patient still does not have.
This is the hard companion to the local-trades funding piece, and the sequel to monitoring is not understanding. Worked through to stress-test the model, not to claim a plan. The point is that the model survives the harder case, and gets more honest when it does.