Security Architecture
Nurse Charting Pro protects PHI by not centralizing it. Patient data is encrypted on the nurse's device, never uploaded to a cloud database, and cryptographically destroyed at end of shift. There is no central PHI repository to breach.
This page describes the technical architecture as it actually ships today. For the AI narrative-generation transmission path specifically, see the public summary of our 2026-04-23 transmission-path audit. For the data-handling counterpart, see our Privacy Policy.
Local-Only PHI
Every chart entry — assessments, vitals, observations, narratives — is stored on the nurse's device. We do not operate a server-side database of patient records.
- No cloud database of charts. No server-side copies of narratives. No PHI in our backups, because there are no PHI-bearing backups to take.
- No accounts, no logins, no user sessions, and no passwords. The app does not authenticate the nurse; access to PHI is governed by the device's own lock screen and by on-device encryption.
- No data centers handling PHI for this app. The Vercel proxy used for narrative generation (described in Network architecture below) is implemented so our application code does not write request bodies to logs or storage, and no Vercel log drains or third-party log integrations are configured for the project. For facility deployments, the Vercel HIPAA add-on (BAA-eligible) covers this contractually.
Because there is no centralized PHI store, there is no bulk-breach-notification surface in the way a cloud-hosted EHR has.
Encryption at Rest
All PHI written to device storage is encrypted by the app before it reaches AsyncStorage. This is application-level encryption — separate from, and additional to, the operating system's own at-rest encryption.
- Algorithm: AES-256-CBC with a freshly generated 128-bit initialization vector (IV) per encryption operation.
- Key size: 256 bits, generated on first launch by the platform cryptographic random source.
- Storage layer: Encrypted ciphertext is written to AsyncStorage. The Redux store, narratives, room assignments, and app settings all flow through the same encrypted-storage service.
Implementation: src/services/storage/EncryptedStorageService.ts using the react-native-aes-crypto and react-native-keychain libraries.
Key Management — Keychain & Keystore
The AES-256 encryption key lives in the device's platform-native secure storage and never leaves the device.
| Platform | Storage mechanism |
|---|---|
| iOS | Keychain Services with kSecAttrAccessibleWhenUnlockedThisDeviceOnly — the key is only readable while the device is unlocked, is not synced to iCloud, and is not included in encrypted iTunes/Finder backups. |
| Android | Android Keystore, hardware-backed where the device supports it (most modern devices include a TEE or StrongBox-class secure element). |
- Keys are generated on the device and never exported from secure storage.
- Keys are device-bound — they are not backed up to the cloud and cannot be moved to another device.
- We do not operate hardware security modules (HSMs) or a key-escrow service. There is nothing on our side to compromise to recover a destroyed key.
End-of-Shift Crypto-Shredding
When the nurse taps End Shift, the app destroys the encryption key — making any encrypted data remnants on disk mathematically unrecoverable. This is the data destruction model: not deletion, cryptographic erasure.
- Overwrite — all PHI storage keys are overwritten with random data.
- Delete — the storage keys are removed from AsyncStorage.
- Key destruction — the AES-256 encryption key is destroyed in Keychain/Keystore via
resetGenericPassword. - State reset — the Redux store is dispatched to its initial state.
- Re-initialization — a fresh encryption key is generated for the next shift.
This approach is consistent with NIST SP 800-88 guidance on media sanitization via cryptographic erase. There is no key rotation schedule because the key only ever holds for one shift.
Backup Prevention
We block PHI from leaking through OS-level backup mechanisms.
- iOS: app data is excluded from iCloud backup and marked with
NSFileProtectionComplete, so it is encrypted on disk by the OS while the device is locked. - Android: the manifest sets
android:allowBackup="false"andandroid:fullBackupContent="false"to opt the app out of Google Drive's automatic backup of app data.
Network Architecture
The app does not maintain a connection to a PHI backend. Two narrow opt-in flows touch the network on the nurse's explicit request — both described below.
AI narrative generation (Vercel proxy)
When the nurse taps Generate Note, the structured chart data and any free-text content are sent over TLS 1.3 to a Vercel Edge Function at nursechartingpro.com/api/generate. The proxy validates the subscription against RevenueCat, forwards the request to OpenAI under OpenAI's API data-handling terms, and streams the generated narrative back. The narrative is stored encrypted on the device.
The proxy does not store the request body and does not log PHI. This was confirmed by a static + empirical audit on 2026-04-23 (summarized at /docs/security/audit): every console.* call on the request path was reviewed; only metadata (request type, model, and an 8-character anonymous customer ID prefix) is logged. A 24-hour sample of production runtime logs contained no body content. No log drains or third-party log integrations are configured for the project.
Honest disclosure: structured chart fields (chips, vitals, scores) are pre-enumerated and contain no patient identifiers by design — there are no fields for Medical Record Number (MRN), patient name, or date of birth. Free-text notes, however, transit to OpenAI verbatim. Our written product and facility guidance tells users to keep entries to the minimum necessary clinical content and not to enter direct identifiers (names, dates of birth, medical record numbers, room or bed numbers, addresses, phone numbers, exact dates, or similar identifiers) into AI-bound free-text fields unless an approved facility deployment permits that workflow. We do not represent these transmissions as HIPAA-de-identified under 45 CFR §164.514; for facility deployments they are treated as PHI and protected by a Business Associate Agreement and Zero Data Retention configuration. An automated client-side de-identification layer for free-text was scoped out in issue #737 (analysis: cannot reach 45 CFR §164.514(b) Safe Harbor for nursing free-text); the compliance posture for facility deployments rests on the upstream BAA chain instead. See the known-tolerances list in the audit summary for the full disclosure.
Send to EHR (SMART on FHIR)
Optional, off by default. When activated, the nurse authenticates against their EHR (Epic or Oracle Health / Cerner today) via the SMART on FHIR OAuth 2.0 authorization code flow with PKCE, run through the system browser. The narrative is then sent directly from the device to the chosen EHR as a FHIR DocumentReference.
- OAuth access and refresh tokens are held in memory only (Redux state). They are never persisted to disk and do not survive an app restart.
- Tokens are destroyed at end of shift along with the rest of the crypto-shredding sequence.
- The nurse's EHR username and password are never seen, stored, or transmitted by Nurse Charting Pro — authentication happens directly between the device and the EHR's identity provider.
Full data-flow detail is in the Privacy Policy under EHR Integrations (SMART on FHIR).
What is not on the network
- No background sync of charts to a cloud database.
- No PHI in analytics events. Mixpanel events on the narrative path carry only a hashed (FNV-1a) chart UUID plus structured metadata (chart type, app version).
- No PHI in crash reports.
What Is — and Is Not — Stored
Stored on the device (encrypted)
- Chart data — assessments, vitals, observations (Redux Persist, AES-256-CBC).
- Generated narratives (AsyncStorage, AES-256-CBC).
- Room assignments and app settings.
Not stored anywhere
- User credentials — there are no accounts, so there is nothing to store.
- Network tokens — RevenueCat uses an anonymous identifier; FHIR OAuth tokens are in memory only.
- External service API keys — the OpenAI API key lives on the Vercel proxy, never in the mobile bundle.
- MRN, patient name, date of birth — the chart data model has no fields for these and the app does not ask for them.
HIPAA Posture & Business Associate Agreements
Nurse Charting Pro is a software tool designed to support a HIPAA-aligned nursing workflow. The architecture implements technical safeguards relevant to the HIPAA Security Rule — at-rest encryption (45 CFR §164.312(a)(2)(iv)) and access control via the device's own lock screen — and avoids a centralized PHI store. A complete HIPAA program also requires administrative and physical safeguards owned by the deploying covered entity.
BAA stance
For consumer/individual use of the app — where the nurse uses NCP on a personal device and PHI does not flow into a facility's clinical record on our side — there is no centralized PHI store and no server-side processing of patient records.
For facility deployments, an executed Business Associate Agreement between Nurse Charting Pro and the facility is required before any PHI flows under our BA relationship. Our BAA covers the narrative-generation proxy path, including OpenAI as a downstream subprocessor under OpenAI's API BAA + Zero Data Retention configuration. We are BAA-ready for facility onboarding; our OpenAI API BAA is in execution as of April 2026 and ZDR is a separate per-account configuration step. Upstream subprocessor BAA execution and ZDR activation are confirmed in writing before the first PHI transmission for each facility deployment.
Honest scope notes
- Full HIPAA compliance for any deployment also requires organizational policies and procedures by the user's facility (training, sanction policies, contingency planning, physical safeguards) that go beyond an app's technical controls.
- We do not currently hold a SOC 2 Type II report. It is on the roadmap but is not represented as completed.
- We do not maintain server-side audit logs of patient data access, because there is no server-side patient data store to access.
Security questions or concerns?
For security questionnaire responses, BAA execution, or to request access to the full audit appendix, please reach out.
Contact us →Related Documentation
Privacy Policy →
What data the app collects, where it goes, and how the FHIR Send-to-EHR flow works.
User Guide →
End-to-end walkthrough of charting, narrative generation, and end-of-shift crypto-shredding.
Getting Started →
First-shift setup — installing the app and getting to your first AI narrative.
Configuration →
Settings the nurse can adjust on-device, including the optional patient-reference label.
FAQ →
Common questions on pricing, supported devices, and how end-of-shift wipe behaves.