Full review
MAIA CAIHL draft report
Evidence-linked HugoScore draft report for a health AI tool that affects patients.
HugoScore CAIHL Draft Report: MAIA
Status: Draft for human review
Last reviewed: 2026-06-26
Review method: Deep public-source review of the MAIA live app, About, Privacy, User Guide, FAQ, welcome text, GitHub repository, README, environment/hosting documentation, account lifecycle documentation, repository metadata, and FDA Clinical Decision Support Software guidance. No hands-on account creation, real-PHI upload, code audit, security audit, DigitalOcean account review, legal/regulatory review, clinical review, or outcome validation.
Service: MAIA (Medical AI Assistant)
Vendor: Adrian Gropper, MD / independent open-source project
URL: https://maia.agropper.xyz/
Category: Patient-controlled health records AI
Summary
MAIA is an open-source Medical AI Assistant that helps a patient or caregiver create a private AI agent and knowledge base from their health records. The demo asks users to copy records into a local MAIA folder, create a DigitalOcean-hosted private AI and knowledge base, verify AI-generated current medications and a patient summary, chat with their records, optionally invite physicians or consultants through deep links, and optionally use public AIs such as Claude or ChatGPT with user-visible sharing and a privacy filter.
From a CAIHL perspective, MAIA is strongly patient-directed. The patient chooses the tool, supplies records, controls which files are indexed, can edit and verify summaries and medication lists, can remove cloud resources, and can self-host from open-source code. The central agency value is that it gives patients a practical AI layer over their own longitudinal records, rather than forcing them to rely only on institution-held portals or public AI uploads.
The main cautions are material. The public demo privacy note says the demo host could access user records and chats, even though users are pseudonymous and the maintainer states he has no reason to inspect them. Full privacy from the maintainer requires running an independent copy with the user's own DigitalOcean account. The architecture is cloud-heavy, technically demanding, and partly dependent on DigitalOcean agents, knowledge bases, Spaces, CouchDB, OpenSearch, and optional public AI providers, with a single DigitalOcean API token serving as the master secret from which admin credentials are derived. Public evidence did not show independent security review, HIPAA/BAA posture, clinical validation, accessibility testing, or patient outcome evaluation. MAIA's FAQ also states it is decision-support software outside FDA regulation; HugoScore treats that as a maintainer claim under review rather than established fact (see Key Unknowns).
Evidence Reviewed
- Live app: https://maia.agropper.xyz/
- About page: https://maia.agropper.xyz/page.html?doc=about
- Privacy page: https://maia.agropper.xyz/page.html?doc=Privacy
- User Guide: https://maia.agropper.xyz/page.html?doc=user-guide
- FAQ: https://maia.agropper.xyz/page.html?doc=faq
- Welcome text: https://maia.agropper.xyz/welcome.md
- GitHub repository: https://github.com/agropper/self
- GitHub README: https://raw.githubusercontent.com/agropper/self/main/README.md
- Environment and hosting documentation: https://raw.githubusercontent.com/agropper/self/main/Documentation/Environment.md
- Account lifecycle documentation: https://raw.githubusercontent.com/agropper/self/main/Documentation/Wizards.md
- FDA Clinical Decision Support Software guidance page: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software
CAIHL Profile
- Who does this AI serve? Patient-directed and caregiver-directed. MAIA is designed for the patient, family, caregiver, or invited consultant working from the patient's collected records.
- Can patients tell AI is involved? Yes. The welcome flow, user guide, and README explicitly describe private AI, public AI, AI-generated medications, AI-generated patient summaries, and AI-imperfection warnings.
- Can patients meaningfully choose? Yes, with hosting, cost, and technical caveats. Use is voluntary, open source, and self-hostable, but the easiest demo route requires trusting the demo host and DigitalOcean-backed cloud infrastructure.
- Can patients correct or challenge what the AI produces? Partial to yes. MAIA requires user verification for current medications and the patient summary, supports editing, file inclusion/exclusion, source-linked PDF review, and cloud deletion/restore. Correction of source clinical records still depends on the originating provider, and no independent QA workflow was found.
- Does it help patients understand or act? Yes. MAIA helps patients assemble records, build searchable record context, reconcile medications, summarize history, keep a diary, pseudonymize chats before public-AI sharing, and share deep links with physicians or consultants.
Agency Interpretation
MAIA is a strong fit for HugoScore because it directly addresses the CAIHL question of who controls health AI. It tries to move health-record AI from institution-controlled systems and public-AI uploads toward a patient-controlled private agent. The strongest agency features are user-selected record indexing, local backup and restore, editable and verified medications and summary, source links back to PDFs, deep-link sharing controls, and open-source self-hosting.
The strongest constraint is trust transfer. In the demo, the patient is not only trusting the code; they are trusting the demo operator, DigitalOcean infrastructure, and any public AI provider they choose to involve. MAIA is unusually candid about that trust model. The privacy page says the demo host could access records and chats, and the README says whoever pays for or provisions the hosting may control access to the data. That transparency is agency-enhancing, but it also means the public demo should not be treated as a fully patient-private environment.
MAIA's patient agency posture should therefore be read as "strongly agency-expanding when self-hosted or personally provisioned; more qualified in the public demo." The tool's benefits are clearest for patients and caregivers with records, time, technical support, browser access, and enough privacy literacy to manage cloud resources and AI sharing.
Key Unknowns
- Whether MAIA has had an independent security audit, privacy audit, or penetration test.
- Whether MAIA deployments can or should operate under HIPAA, a BAA, or another formal health-data protection arrangement.
- Whether DigitalOcean model, storage, and inference data handling is explained to end users at the point of setup.
- Whether public AI sharing through Claude, ChatGPT, or other providers is governed by provider-specific training, retention, and privacy settings that users understand.
- Whether MAIA's categorical FDA claim holds. The FAQ states MAIA is decision-support software outside FDA regulation, citing the 21st Century Cures Act and the FDA Clinical Decision Support guidance. This should be treated as a maintainer claim under review, not established fact. The 21 U.S.C. 360j(o) non-device CDS exemption is health-care-provider-directed, and FDA's CDS guidance keeps software that makes recommendations to patients or caregivers within the device definition, so a patient-facing tool does not clearly fall under the exemption. FDA also issued an updated CDS guidance in January 2026. HugoScore does not conclude MAIA is a regulated device; it declines to repeat the categorical claim without independent legal and regulatory review.
- Whether MAIA's medication extraction, patient-summary generation, and record retrieval are clinically accurate across record types, languages, disabilities, and complex conditions.
- Whether low-literacy, mobile-only, non-English, disabled, older, or no-technical-support users can use MAIA safely.
- Whether deep-link guests reliably understand what they can access and what responsibilities they have when querying a patient's private AI.
- Whether deletion, dormant mode, backup, and restore flows have been tested against data loss, unauthorized access, and user confusion.
Publication Recommendation
Ready for human review as a source-backed draft profile. Publish as a patient-directed health records AI/private-agent project, not as a verified clinical tool. Confidence should remain medium until security/privacy review, clinical accuracy evidence, regulatory posture, accessibility, and user testing are independently assessed.