HugoScore hugoscore.org

Patient-controlled health records AI

MAIA

MAIA is an open-source Medical AI Assistant that helps a patient or caregiver create a private AI agent and knowledge base from their own health records. It asks users to gather records locally, provision a private AI and knowledge base at DigitalOcean, verify AI-generated current medications and a patient summary, chat with their records, invite physicians or consultants through deep links, and optionally share selected chats with public AIs. The patient-agency upside is strong, but the public demo privacy note says the demo host could access records and chats; stronger privacy requires running an independent copy with the user's own DigitalOcean account.

Public-source research has been drafted; final human publication review and change-log detail are still required.

Score: 90/100 toward patient-directed
Agency posture: Strongly agency-expanding, with demo-host-trust, security-maturity, and technical-burden caveats
The question we ask: Who does MAIA serve in this deployment?
Control: Patient-chosen use, but vendor-controlled infrastructure
Agency read: Likely to expand agency if it supports reflection, action, privacy, and safe boundaries.
Vendor: Adrian Gropper, MD / independent open-source project
Who it serves: Patient-directed, patient-controlled private health-record AI
Primary user: Patients, caregivers, family members, and patient-invited physicians or consultants
Control model: Open-source and self-hostable; public demo hosted by Adrian Gropper on DigitalOcean, with stronger privacy requiring the user's own DigitalOcean account and code deployment
Patient impact: Patient-held record collection, private AI agent and knowledge-base creation, AI-generated medication and patient-summary support, source-linked record review, patient diary, privacy-filtered public-AI sharing, and optional clinician/consultant deep-link access
Profile status: Draft profile
Last reviewed: Jun 26, 2026
Review confidence: Medium draft, source-backed, open-source but not independently audited

Summary judgment · 90% toward patient-directed

Strongly agency-expanding, with demo-host-trust, security-maturity, and technical-burden caveats

MAIA is designed around patient-controlled records, private AI, editable summaries, source links, and optional self-hosting. The score reflects that strongly patient-directed design intent. Three caveats hold it below the top of the range: the easiest path (the shared demo) is host-mediated, full privacy from the operator requires the user's own DigitalOcean account, and the code and single-master-token security model have not been independently audited.

Patient agency

How this tool changes agency

Expands agency when

MAIA supports record aggregation, AI search, medication reconciliation support, patient summaries, diary notes, references, pseudonymized public-AI sharing, and clinician or consultant deep links.

Limits agency when

Use is voluntary, open source, and self-hostable. Users choose which files enter the knowledge base and whether to share through deep links or public AI. The easiest public demo path still requires trust in the demo host, DigitalOcean resources, and any public AI provider the user chooses.

Patient-facing signals

Who does this AI serve?

Patient-directed / private-agent

Official materials describe a patient-controlled private AI over patient records, not a payer, provider, or institutional workflow. Clinicians and consultants can be invited, but the patient initiates and controls the sharing model.

Can patients tell AI is involved?

Yes

AI is explicit in the app, README, welcome text, private AI setup, public-AI options, AI-assisted medication extraction, AI-generated patient summaries, and the warning that AI is not perfect.

Can patients meaningfully choose?

Yes, with hosting and technical caveats

Use is voluntary, open source, and self-hostable. Users choose which files enter the knowledge base and whether to share through deep links or public AI. The easiest public demo path still requires trust in the demo host, DigitalOcean resources, and any public AI provider the user chooses.

Can patients correct or challenge what the AI produces?

Partial to yes

MAIA asks users to edit and verify current medications and patient summaries, supports source-linked PDF review, and lets users add or remove files from the knowledge base. Correcting source medical records still depends on the originating provider, and no independent QA workflow was found.

Does it help patients understand or act?

Yes

MAIA supports record aggregation, AI search, medication reconciliation support, patient summaries, diary notes, references, pseudonymized public-AI sharing, and clinician or consultant deep links.

Text findings

Who is left out or burdened?

Technical, cost, language, device, and privacy-literacy burden

MAIA assumes access to digital records, a local folder, modern browser support, cloud/private-AI concepts, and comfort managing sensitive health data. A Chrome-class browser with the File System Access API is preferred; Safari and others fall back to a weaker file picker. Apple Health PDF export is the most convenient record source, which quietly advantages iPhone or iPad owners, and the documentation and interface are English-only as published. Public materials did not document multilingual support, accessibility review, or low-literacy testing.

What happens to patient data?

Patient-directed, but cloud-hosted and operator-dependent

The demo states that records and chats are not shared unless the user shares them via public AI or a deep link, but the privacy note also says the demo host could access records and chats. Architecture docs describe CouchDB, DigitalOcean Spaces, OpenSearch, per-user GenAI agents, knowledge bases, public-AI routing, local backups, deletion, dormant mode, and restore. A single DigitalOcean API token is the master secret from which admin credentials are derived, so compromise of that one token exposes the whole deployment, and MAIA does not disclose whether DigitalOcean or any chosen public-AI provider trains on inference traffic.

Are the clinical boundaries clear?

Partial

MAIA warns that AI is not perfect, requires user verification of current medications and patient summaries, and offers PDF source links. Its FAQ states MAIA is decision-support software outside FDA regulation, but that should be treated as a maintainer claim under review, not established fact: the 21 U.S.C. 360j(o) non-device CDS exemption is health-care-provider-directed, and FDA's CDS guidance keeps software that makes recommendations to patients or caregivers within the device definition, so a patient-facing tool does not clearly fall under the exemption. HugoScore does not conclude MAIA is a regulated device; it flags the categorical claim as unverified.

Who defined what good looks like?

Maintainer/community-defined and source-auditable, not independently validated

The project is open source and invites review, issues, forks, and community participation. Public evidence did not show formal patient-partnered evaluation, independent clinical validation, security audit, privacy audit, or accessibility testing.

Review method

Deep public-source review of the MAIA live app, About, Privacy, User Guide, FAQ, welcome text, GitHub repository, README, environment/hosting documentation, account lifecycle documentation, repository metadata, and FDA Clinical Decision Support Software guidance, plus an independent cross-check of the FDA non-device CDS criteria (21 U.S.C. 360j(o)) confirming the exemption is health-care-provider-directed; no hands-on account creation, real-PHI upload, code audit, security audit, DigitalOcean account review, legal/regulatory review, clinical review, or outcome validation.