HIPAA Posture
Nurse Charting Pro is designed from the ground up to protect electronic Protected Health Information (ePHI) through an on-device-first, encryption-first architecture, with narrow and explicit conditions for the paths that leave the device. We describe what we do and don't do in plain terms, including where a Business Associate Agreement is required.
Our Approach: Eliminate Risk at the Architecture Level
Most healthcare apps try to secure PHI after collecting it on a server. We took a different approach: chart data lives only on your device, encrypted with AES-256, and the encryption key is destroyed at end of shift. There is no central PHI database to breach and no server-side patient store. This architecture implements the technical safeguards required by the HIPAA Security Rule (45 Code of Federal Regulations (CFR) §164.312); a complete HIPAA program also requires administrative and physical safeguards owned by your facility as the covered entity, plus an executed Business Associate Agreement before any PHI flows under our BA relationship.
HIPAA Rules We Address
Privacy Rule
45 CFR Part 160 and Part 164, Subparts A and E. We minimize data collection, never sell PHI, and give nurses full control over when data is shared or destroyed.
Security Rule
45 CFR Part 164, Subpart C. AES-256 encryption at rest, TLS 1.3 in transit, and platform-native access controls implement the technical safeguard requirements (§164.312). Administrative and physical safeguards (§§164.308, 164.310) are shared with the covered entity.
Breach Notification Rule
45 CFR Part 164, Subpart D. Our local-storage-first design materially reduces breach surface by avoiding a centralized patient-record database. In the event of a security incident affecting facility PHI, we follow the HIPAA Breach Notification timelines and notify covered entities so they can meet their state and federal notification clocks.
Technical Safeguards
AES-256 Encryption at Rest
All patient data is encrypted with AES-256-CBC before it touches disk. Encryption keys are generated per device and stored in the iOS Keychain or Android Keystore. Keys are never exported and never backed up to the cloud.
Local Storage, Explicit Transmission Paths
Patient charts are stored locally on the device, not in a Nurse Charting Pro cloud database or server-side patient record system. Protected Health Information (PHI) is not sent to analytics or crash reports. The narrow transmission paths that do exist — AI narrative generation and optional Electronic Health Record (EHR) forwarding — are described below.
End-of-Shift Crypto-Shredding
When you end your shift, the app overwrites all PHI storage keys with random data, deletes them from storage, and destroys the encryption key held in the secure enclave. Even forensic recovery of disk remnants yields only ciphertext with no key.
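The at-rest design described above, as an added example in Go (not code from Nurse Charting Pro, whose clients are native iOS and Android apps): a per-device key encrypts chart entries with AES-256-CBC under a random IV, and end-of-shift crypto-shredding overwrites and drops that key so the ciphertext left behind is unreadable. The `DeviceKey` type, its methods, and the sample chart entry are this example's own assumptions; the key is held in process memory here where the app uses the Keychain or Keystore. The HMAC-SHA256 tag is also the example's addition: CBC alone gives confidentiality but no integrity, so a practitioner pairs it with a MAC (or uses an AEAD mode) so that a tampered blob is rejected rather than decrypted into garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeviceKey models the per-device key the app keeps in the iOS Keychain or
// Android Keystore. In this stand-alone example it is plain memory; the
// field names are hypothetical and belong to this example only.
type DeviceKey struct {
	encKey   []byte // 32 bytes: AES-256
	macKey   []byte // 32 bytes: HMAC-SHA256 (example's integrity addition)
	shredded bool
}

// NewDeviceKey generates fresh random key material for a shift.
func NewDeviceKey() (*DeviceKey, error) {
	k := &DeviceKey{encKey: make([]byte, 32), macKey: make([]byte, 32)}
	if _, err := rand.Read(k.encKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(k.macKey); err != nil {
		return nil, err
	}
	return k, nil
}

// pkcs7Pad / pkcs7Unpad implement the block padding CBC needs.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt produces IV || AES-256-CBC(plaintext) || HMAC-SHA256(IV || ct).
func (k *DeviceKey) Encrypt(plain []byte) ([]byte, error) {
	if k.shredded {
		return nil, errors.New("key shredded")
	}
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append(iv, ct...)
	mac := hmac.New(sha256.New, k.macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Decrypt verifies the tag first, then decrypts; any failure returns an error.
func (k *DeviceKey) Decrypt(blob []byte) ([]byte, error) {
	if k.shredded {
		return nil, errors.New("key shredded")
	}
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("blob too short")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, k.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded, aes.BlockSize)
}

// Shred is the end-of-shift step: overwrite the key bytes with random data,
// zero them, drop the references, and mark the key unusable. Ciphertext on
// disk is untouched, and without the key it stays ciphertext.
func (k *DeviceKey) Shred() {
	rand.Read(k.encKey)
	rand.Read(k.macKey)
	for i := range k.encKey {
		k.encKey[i] = 0
	}
	for i := range k.macKey {
		k.macKey[i] = 0
	}
	k.encKey, k.macKey = nil, nil
	k.shredded = true
}

func main() {
	k, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample chart entry; not real patient data.
	blob, _ := k.Encrypt([]byte("0700 assessment: alert, oriented x4, pain 2/10"))
	pt, _ := k.Decrypt(blob)
	fmt.Printf("during shift: %s\n", pt)
	k.Shred()
	_, err = k.Decrypt(blob)
	fmt.Printf("after shred: %v (%d bytes of ciphertext remain)\n", err, len(blob))
}
```

The order of operations in `Decrypt` matters: the tag is checked before any decryption or unpadding, so malformed or altered blobs never reach the padding check.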
No Cloud Backups of PHI
App data is excluded from iCloud backup on iOS. On Android, backup is disabled at the manifest level. Patient data exists only on the device during the active shift.
Server-side AI Proxy
AI narrative requests transit over Transport Layer Security (TLS) 1.3 to a server-side proxy we operate, which validates your subscription and forwards to OpenAI. The OpenAI API key never ships in the app bundle. The chart data model has no fields for patient name, Medical Record Number (MRN), or date of birth, but free-text fields you type are forwarded verbatim. Our written guidance tells users to avoid patient names, MRNs, dates of birth, room or bed numbers, addresses, phone numbers, exact dates, and similar identifiers in AI-bound free text unless an approved facility deployment permits that workflow. We do not represent these transmissions as HIPAA-de-identified under 45 CFR §164.514. For facility deployments, this content is treated as PHI and is protected by an executed Business Associate Agreement with the facility plus our OpenAI API BAA + Zero Data Retention (ZDR) configuration.
EHR Transmission Controls
Optional EHR integration uses SMART on FHIR with OAuth 2.0 + PKCE. Data flows from your device to the EHR, using our secure proxy as a conduit for token exchange and request forwarding where required. The proxy does not store or log request bodies or PHI.
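The PKCE mechanic behind the authorization flow named above, as an added example in Go (not Nurse Charting Pro's own code and not the SMART on FHIR client itself): the device generates a high-entropy `code_verifier`, sends only its SHA-256 `code_challenge` in the authorization request, and later presents the verifier at the token endpoint, where the authorization server recomputes the challenge. An authorization code intercepted in transit cannot be redeemed without the verifier, which is why a public client such as a mobile app can complete the flow without a client secret. The function names are this example's own; the test vector is the one in RFC 7636 Appendix B.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a fresh PKCE code_verifier: 32 random bytes,
// base64url-encoded without padding, which is 43 characters and inside the
// 43..128 range RFC 7636 requires.
func NewCodeVerifier() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// CodeChallenge derives the S256 code_challenge sent in the authorization
// request: BASE64URL(SHA256(ASCII(code_verifier))).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the check the authorization server performs at the token
// endpoint: the presented code_verifier must hash to the code_challenge it
// recorded when the authorization code was issued.
func VerifyPKCE(verifier, challenge string) error {
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier length outside RFC 7636 range")
	}
	got := CodeChallenge(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	// Device side: keep the verifier, send only the challenge.
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallenge(verifier)
	fmt.Println("code_challenge sent with the authorization request:", challenge)

	// Authorization-server side at token exchange.
	fmt.Println("correct verifier accepted:", VerifyPKCE(verifier, challenge) == nil)
	other, _ := NewCodeVerifier()
	fmt.Println("wrong verifier rejected:", VerifyPKCE(other, challenge) != nil)
}
```

Because the challenge is a one-way hash, the proxy that forwards the authorization request learns nothing that lets it redeem the code on its own; the verifier is disclosed only at token exchange, and only to the party that can match it against the stored challenge.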
HIPAA Program Scope
We are transparent about which parts of a complete HIPAA program are owned by Nurse Charting Pro, which are owned by the deploying covered entity, and which are still maturing as we move from a consumer app into facility deployments.
- Business Associate Agreements: We are BAA-ready. A signed BAA between Nurse Charting Pro and your facility is required before any PHI flows under our business-associate relationship. Upstream subprocessor BAAs (OpenAI, Vercel HIPAA) are executed and verified before the first PHI transmission for each facility deployment.
- Incident response: If we discover a security incident affecting facility PHI, we notify the affected covered entity in time for the covered entity to meet its own state and federal breach-notification clocks (see Breach Notification below).
- Architecture transparency: Our security architecture is documented publicly in docs/SECURITY.md and on our security page, including the appendix audit of the narrative-generation transmission path.
- Covered-entity responsibilities: Workforce training, sanction policies, contingency planning, and physical safeguards are organizational HIPAA Security Rule requirements (45 CFR §§164.308, 164.310) owned by your facility as the covered entity, not by an application vendor.
- Maturing controls: Items such as a SOC 2 Type II report, a written enterprise-grade risk analysis under §164.308(a)(1), and named Privacy/Security Officers are part of our facility-deployment readiness program. We will not represent these as in place until they are documented and available for your security team to review. Contact security@nursechartingpro.com for current status.
What We Don't Do
- We do not store PHI on our servers or in any cloud database.
- We do not sell, rent, or share patient data with third parties for marketing.
- We do not include PHI in analytics, crash reports, or logs.
- We do not represent narrative-generation transmissions as HIPAA-de-identified under 45 CFR §164.514. For facility deployments, this content is treated as PHI and protected by BAA + Zero Data Retention with our AI subprocessor.
- We do not back up patient data to iCloud or Google Drive.
- We do not retain PHI after a nurse ends their shift.
Breach Notification
In the event of a security incident involving facility ePHI, we will notify affected covered entities as soon as practicable and no later than 10 days from discovery — well inside the 60-day federal outer limit under 45 CFR §164.410, and tight enough to give covered entities the time they need to meet their own state breach-notification clocks (commonly 30 calendar days in California, Florida, and Washington). Our incident response process includes:
- Immediate containment and investigation of the incident
- Written notification to affected covered entities describing the nature of the breach, the types of information involved, and recommended mitigation steps
- Cooperation with covered entities on individual and HHS notifications as required
- Post-incident review and remediation to prevent recurrence
To report a security concern, contact security@nursechartingpro.com. We respond to all security inquiries within 2 business days.
Data Handling Practices
- Minimum Necessary Standard: The app collects only the clinical data required to generate nursing documentation. No extraneous patient information is requested or stored.
- Data Ownership: Your facility owns all clinical documentation created using Nurse Charting Pro. We claim no rights to patient data or generated narratives.
- Automatic Deletion: All PHI is destroyed via crypto-shredding when a nurse ends their shift. There is no data to delete on termination because nothing persists beyond the active session.
- No Secondary Use: Patient data is never used for marketing, research, analytics, or model training. Clinical content sent for narrative generation is protected by BAA + Zero Data Retention configuration with our AI subprocessor and is not retained beyond the request or used to train models.
Third-Party Services
| Provider | Purpose | PHI Access |
|---|---|---|
| OpenAI | AI narrative generation | For facility deployments: PHI processed under OpenAI API BAA + Zero Data Retention; not used for model training and not retained after the request. No persistent server-side store on our side. For consumer use: no facility PHI is transmitted prior to BAA execution. |
| Vercel | Marketing website hosting, API proxy | Hosts the API proxy. The proxy validates subscriptions and forwards narrative requests. Our application code does not write request bodies to logs or storage, and no Vercel log drains or third-party log integrations are configured for the project (both verified by the 2026-04-23 audit recorded in docs/SECURITY.md). For facility deployments, the Vercel HIPAA add-on (BAA-eligible) is required before PHI flows. |
| RevenueCat | Subscription management | No PHI. Handles only anonymous app user IDs and purchase receipts. |
| Mixpanel | Product analytics | No PHI. Receives only anonymous usage events. The architecture invariant is that no patient data is transmitted to analytics. |
| AppsFlyer | Install attribution (optional) | No PHI. Tracks only anonymous install events for ad campaign measurement. No BAA in place as no PHI is transmitted. |
| Epic / Oracle Health | Optional EHR integration (SMART on FHIR) | Nurse-initiated only. Narratives flow to the EHR via a secure conduit. Our proxy handles token exchange and request forwarding without persistently storing or logging request bodies. |
For consumer/individual use of the app, our architecture keeps PHI local to the device and these services operate outside the scope of PHI handling. For facility deployments, OpenAI and Vercel handle narrative-generation content under their respective HIPAA BAAs and (for OpenAI) Zero Data Retention configuration; the remaining services do not receive PHI.
Shared Responsibility
When a facility deploys Nurse Charting Pro under a Business Associate Agreement, HIPAA compliance is a shared responsibility between Nurse Charting Pro (acting as a business associate to the facility) and the facility (as a covered entity). Our app provides technical safeguards on the device tier and contractual safeguards through the BAA chain. Your facility is responsible for:
- Ensuring nurses use the app on secured, authorized devices
- Maintaining organizational HIPAA policies and workforce training
- Controlling who has access to the app within your workforce
- Reviewing and executing a Business Associate Agreement with us before any PHI flows under our BA relationship
Request a Business Associate Agreement
We are BAA-ready for facility deployments. A signed Business Associate Agreement between Nurse Charting Pro and your facility is required before PHI flows under our BA relationship. Contact us to start the process.
Compliance Contact
- Privacy inquiries: privacy@nursechartingpro.com
- Security incidents: security@nursechartingpro.com
- BAA requests: Contact form
We respond to all compliance and security inquiries within 2 business days.
Last updated: April 30, 2026