A few prototypes · privacy and drift on a transparent PBM · for SmithRx
I'd love to start with a short call to hear what you're actually wrestling with right now. But you're probably swamped, so I did some homework first: a few small prototypes built only from SmithRx's public framing of its platform, to show the kind of work I've done before applied to a problem a pass-through PBM is structurally exposed to. They're rough sketches on synthetic and public-shaped numbers: not your data, not a finished product, just a faster way than a blank-page call to show what working together could look like. Nothing here is a real SmithRx figure; every screen says so.
Your whole position is trust through a number people can verify: 100% pass-through, the savings you report each year. That number rests on models that route to lowest net cost, clear prior auth, and adjudicate claims, and on prescription data for close to a million lives flowing through Connect 360 to partners like Cost Plus and Amazon Pharmacy. My hunch is that a couple of things can drift quietly under that, and that a one-time review doesn't catch them. I can't prove it from the outside; the prototypes sketch the method, and a real engagement is how you'd check it against your own pipeline.
Every Connect 360 hop can carry inferred-diagnosis PHI further than the contract assumed. The PII-prevalence reader sketches a sampling read that measures how much high-sensitivity data each hop actually carries, with a confidence interval, at roughly 1% of the effort of building a classifier first.
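The sampling read described above, as an added example on constructed data; this is not SmithRx code and not the page's own PII-prevalence note. The hop names, record fields and the drug-class-to-diagnosis table are assumptions made for illustration. It samples each hop, flags records a receiver could read a diagnosis off, reports a Wilson interval rather than a bare percentage, and shows the sample size needed for a given margin.

```python
"""Sampling read of high-sensitivity (inferred-diagnosis) data per hop.

Added example on constructed data. Not SmithRx code and not the page's
PII-prevalence note. Hop names, field names and the drug-class table are
assumptions made for illustration.
"""
import math
import random
from dataclasses import dataclass

# Constructed table (assumption): drug classes from which a receiving party
# can infer a diagnosis the contract may never have meant to disclose.
INFERRED_DIAGNOSIS_CLASSES = {
    "antiretroviral": "HIV",
    "antipsychotic": "psychiatric condition",
    "opioid_antagonist": "substance use disorder",
}


def is_high_sensitivity(record: dict) -> bool:
    """A record is high-sensitivity if a downstream party could read a
    diagnosis off it: an explicit code, or a drug class that implies one."""
    if record.get("diagnosis_code"):
        return True
    return record.get("drug_class") in INFERRED_DIAGNOSIS_CLASSES


def wilson_interval(k: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """Wilson score interval for a proportion k/n. Unlike the normal
    approximation it stays inside [0, 1] and is usable when k is 0 or n."""
    if n <= 0:
        raise ValueError("no samples")
    p, z2 = k / n, z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def sample_size_for_margin(margin: float, z: float = 1.96, p: float = 0.5) -> int:
    """Records to sample per hop for a +/- margin at confidence z; p = 0.5
    is the worst case, so the result is an upper bound for any hop."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


@dataclass(frozen=True)
class HopRead:
    hop: str
    sampled: int
    flagged: int
    estimate: float
    ci_low: float
    ci_high: float


def read_hop(hop: str, records: list[dict], n: int, seed: int = 0) -> HopRead:
    """Sample n records without replacement from what the hop carries,
    classify each, and report prevalence with a 95% Wilson interval."""
    n = min(n, len(records))
    sample = random.Random(seed).sample(records, n)   # fixed seed: reproducible read
    flagged = sum(is_high_sensitivity(r) for r in sample)
    lo, hi = wilson_interval(flagged, n)
    return HopRead(hop, n, flagged, flagged / n, lo, hi)


def prevalence_read(hops: dict[str, list[dict]], n: int, seed: int = 0) -> dict[str, HopRead]:
    return {hop: read_hop(hop, recs, n, seed) for hop, recs in hops.items()}


def carries_less(downstream: HopRead, upstream: HopRead) -> bool:
    """True only when the intervals do not overlap, i.e. the downstream hop
    demonstrably carries less high-sensitivity data than the upstream one."""
    return downstream.ci_high < upstream.ci_low


def make_hop(n_total: int, n_sensitive: int) -> list[dict]:
    """Constructed synthetic claims: n_sensitive carry an inferring drug
    class, the rest a benign one. No real member or drug data."""
    sens = [{"member": f"m{i}", "drug_class": "antiretroviral"} for i in range(n_sensitive)]
    benign = [{"member": f"m{i}", "drug_class": "statin"} for i in range(n_sensitive, n_total)]
    return sens + benign


# Constructed pipeline shape (assumption): adjudication sees everything, the
# partner hop should see less once the feed is minimised.
SYNTHETIC_HOPS = {
    "adjudication": make_hop(200, 120),
    "partner_pharmacy": make_hop(200, 30),
}

if __name__ == "__main__":
    print("records to sample per hop for +/-5%:", sample_size_for_margin(0.05))
    reads = prevalence_read(SYNTHETIC_HOPS, n=200)
    for r in reads.values():
        print(f"{r.hop:18s} {r.flagged}/{r.sampled} = {r.estimate:.2f} "
              f"95% CI [{r.ci_low:.2f}, {r.ci_high:.2f}]")
    print("partner hop demonstrably minimised:",
          carries_less(reads["partner_pharmacy"], reads["adjudication"]))
```

On a real hop `n` is far smaller than the feed (385 records gives a +/-5% margin at 95%, whatever the hop's volume), which is where the interval earns its keep; the full-census sample here is only so the numbers are reproducible. Two hops count as minimised relative to each other only when their intervals do not overlap, not when one point estimate happens to be lower.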
If the lowest-net-cost routing slips, the savings number degrades silently, because it lives on a dashboard, not a pager. The drift-SEV console sketches putting that metric on the same on-call footing as latency, so a drift pages someone with a runbook instead of eroding the number in the dark.
If the prior-auth model drifts toward over-denial, that is a member denied a needed drug, and it's the surface now in court at the medical-claims insurers (an analogy, not a PBM precedent). The console fires a SEV-1 on a synthetic subgroup-parity gap; it's the slice closest to my clinical-NLP fairness work.
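The two drifts above, the lowest-net-cost routing share and the prior-auth subgroup-parity gap, as one worked evaluation tick of the kind the console sketches. This is an added example on constructed windows, not SmithRx's code and not the page's prototype; the baseline, the SEV thresholds, the runbook IDs and the record fields are assumptions. It also handles the failure mode a naive gap metric has: a tiny subgroup that would otherwise page on noise.

```python
"""Drift-to-SEV routing for two pipeline metrics: lowest-net-cost routing
share and prior-auth denial parity across subgroups.

Added example on constructed windows. Not SmithRx code and not the page's
drift-SEV console. Baseline, thresholds, runbook IDs and field names are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ROUTING_BASELINE = 0.97   # assumed historical share of claims routed at lowest net cost
MIN_GROUP = 20            # a subgroup smaller than this is too noisy to page on
# Escalation ladders, worst first: (excursion threshold, SEV level, runbook).
ROUTING_SEV = [(0.05, 1, "RB-ROUTING-SEV1"), (0.02, 2, "RB-ROUTING-SEV2")]
PARITY_SEV = [(0.10, 1, "RB-PARITY-SEV1"), (0.05, 2, "RB-PARITY-SEV2")]


@dataclass(frozen=True)
class Page:
    sev: int
    metric: str
    value: float
    runbook: str
    detail: str


def lowest_net_cost_share(claims: list[dict]) -> float:
    """Fraction of claims in the window whose paid net cost equals the
    cheapest option the router had available (constructed field names)."""
    if not claims:
        raise ValueError("empty window")
    hits = sum(1 for c in claims if c["net_cost"] <= c["lowest_available"] + 1e-9)
    return hits / len(claims)


def denial_rates(decisions: list[dict], min_group: int = MIN_GROUP) -> dict[str, float]:
    """Prior-auth denial rate per subgroup, dropping groups below min_group
    so a handful of decisions cannot manufacture a gap."""
    totals: dict[str, list[int]] = {}
    for d in decisions:
        t = totals.setdefault(d["group"], [0, 0])
        t[0] += 1
        t[1] += int(d["denied"])
    return {g: den / n for g, (n, den) in totals.items() if n >= min_group}


def parity_gap(rates: dict[str, float]) -> float:
    """Largest minus smallest subgroup denial rate; 0 if fewer than two groups."""
    return max(rates.values()) - min(rates.values()) if len(rates) >= 2 else 0.0


def classify(excursion: float, ladder) -> Optional[tuple[int, str]]:
    """Map an excursion to (SEV, runbook) from a worst-first ladder."""
    for threshold, sev, runbook in ladder:
        if excursion >= threshold:
            return sev, runbook
    return None


def evaluate_window(claims: list[dict], decisions: list[dict],
                    baseline: float = ROUTING_BASELINE) -> list[Page]:
    """One evaluation tick: returns the pages that should fire, worst first."""
    pages = []
    share = lowest_net_cost_share(claims)
    hit = classify(baseline - share, ROUTING_SEV)
    if hit:
        pages.append(Page(hit[0], "lowest_net_cost_share", share, hit[1],
                          f"share {share:.3f} vs baseline {baseline:.3f}"))
    rates = denial_rates(decisions)
    gap = parity_gap(rates)
    hit = classify(gap, PARITY_SEV)
    if hit:
        worst = max(rates, key=rates.get)
        pages.append(Page(hit[0], "prior_auth_parity_gap", gap, hit[1],
                          f"gap {gap:.3f}, highest denial rate in group {worst}"))
    return sorted(pages, key=lambda p: p.sev)


def make_claims(n: int, at_lowest: int) -> list[dict]:
    """Constructed claims: at_lowest paid at the cheapest option, the rest above it."""
    return ([{"net_cost": 10.0, "lowest_available": 10.0} for _ in range(at_lowest)]
            + [{"net_cost": 12.5, "lowest_available": 10.0} for _ in range(n - at_lowest)])


def make_decisions(counts: dict[str, tuple[int, int]]) -> list[dict]:
    """Constructed prior-auth decisions; counts maps group -> (decisions, denials)."""
    return [{"group": g, "denied": i < denied}
            for g, (n, denied) in counts.items() for i in range(n)]


# Constructed windows (assumption): one drifted on both metrics, one clean.
# Group C in the drifted window is tiny and must not drive the parity page.
DRIFTED_WINDOW = (make_claims(100, 91),
                  make_decisions({"A": (50, 10), "B": (50, 18), "C": (10, 9)}))
CLEAN_WINDOW = (make_claims(100, 98),
                make_decisions({"A": (50, 10), "B": (50, 11)}))

if __name__ == "__main__":
    for name, window in (("drifted", DRIFTED_WINDOW), ("clean", CLEAN_WINDOW)):
        pages = evaluate_window(*window)
        print(f"{name}: {'no page' if not pages else ''}")
        for p in pages:
            print(f"  SEV-{p.sev} {p.metric}={p.value:.3f} -> {p.runbook}: {p.detail}")
```

The point of the shape is that each page carries a runbook, not just a number: the routing ladder fires on the drop from a baseline, the parity ladder on the gap itself, and a clean window produces nothing, which is the "your metrics already page someone" outcome the read would report. Thresholds in practice come from the baseline's own variance rather than round numbers.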
Could your own team do this? Probably. What an internal team structurally can't do is audit its own pipeline as an outside examiner: in an FTC-watched, HIPAA-covered, transparency-branded business, a cited, independent read of where PHI piles up and where a metric drifts is worth more precisely because I don't own the result. Add speed and a track record in exactly this slice; that's the value, not raw capability.
The honest bound: these run on synthetic data and say so on every screen. Wiring them to your real numbers is the follow-on engagement, not a claim I'm making here. And if your hops are already minimized and your metrics already page someone, the read will say so.
A fixed-scope diagnostic, four to six weeks, run on a synthetic pipeline shaped like yours, ending in a data-readiness memo that scopes the real internal read. IP transfers; no platform, no subscription, nothing to host.
Fixed-scope, indicative ranges; final scope set after a call. A standing monitoring retainer exists only if the diagnostic proves a recurring queue; it's never the default and it isn't a platform fee.
One 30-minute call to tell me what's keeping you up: routing, the PHI egress, the prior-auth surface, or something I haven't guessed. If it's useful, I'll walk a sketch live and show where inferred-PII piles up and who'd get paged on a drift. If your shop is already clean on both, I'll happily say so and we'll have spent half an hour well.
The prototypes, live: smithrx-read.pages.dev · Book it: jeffpinto.com/engage · Method: the PII-prevalence note and metric-SEV
Jeff Pinto runs a small, independent data and AI advisory practice (jeffpinto.com). Thirty years across AI data and privacy, health tech, marketing analytics, renewables, logistics, and broadcasting; the last seven in ML and AI. Hands-on at Meta, Uber, and IBM, plus six startups (one turnaround, three acquisitions). Two MScs: computer science (Toronto) and engineering (Loughborough). Engagements are fixed-scope, four to twelve weeks, no platform and no subscription; whatever gets built, the IP transfers to you.
The slice that fits SmithRx: my UofT/CAMH thesis was privacy-preserving NLP on OCR'd psychiatric records, where I compressed a subgroup parity gap from about 35% to roughly 1% with no accuracy loss. That is the same small-corpus, regulated-decision fairness work a prior-auth model needs when it can't be allowed to drift toward over-denial, and it pairs with the published PII-prevalence read built for exactly this PHI-egress problem.
Sources: SmithRx Business Wire and company blog (member lives, savings, Connect 360, pass-through model; company-reported) · FTC PBM interim reports 1 and 2; FTC GoodRx Health Breach action ($1.5M) · HIPAA Security Rule NPRM, Federal Register 2025-01-06 · Change Healthcare breach, HIPAA Journal (192.7M individuals). Full workup with confidence tags in workbook.md. All prototype numbers are synthetic and labeled on screen.