▸ THE NETWORK

Built so the records stay with the patient.

§ 01 — The Architecture

Three layers. One principle.

POHSN is a consent network — not a database. The architecture is built around a single rule: the patient holds the record. Everything else is the system that makes that workable.

The Walletholds the patient's records, encrypted, in the patient's custody. Keys never leave the patient's device.
The Tapis the provider's authenticated endpoint. Records are decrypted on demand for the duration of a granted session, then released. Nothing is stored.
The consent networkis the cryptographic ledger that records every grant — what was shared, with whom, when, and on what terms. The grants live on the network. The records never do.

POHSN runs the network. The network is yours.

▸ THE PROTOCOL

The grant is the protocol.

Permissions on the network. Records in custody. The line between is the architecture.

§ 02 — The Consent Network

Records don't move. Permissions do.

A consent grant is a signed agreement between a patient and a provider — created on the patient's device, recorded on the consent network, and time-bound to the terms the patient set. Until that grant exists, the record stays where it lives. Encrypted. Untouched. The patient's.

Patient
Wallet
signs
Consent
Network
reads
Provider
Tap
decrypts
Scoped
Records
▸ ON THE NETWORK OFF THE NETWORK ◂

When a grant is created, four things happen:

01 · THE PATIENT SIGNS

The Wallet generates a grant — scope, recipient, duration, terms — and signs it with the patient's key.

The key never leaves the device.

02 · THE GRANT IS RECORDED

The signed grant is written to the consent network — a cryptographic ledger that exists independently of any single provider, system, or vendor.

Verifiable. Time-stamped. Tamper-evident.

03 · THE TAP READS

At the point of care, the Tap pulls the grant from the network.

Verifies the signature. Checks the scope. Confirms the grant is still valid.

04 · RECORDS DECRYPT ON DEMAND

The Tap derives a session key from the grant and decrypts the scoped records — for the length of that session only.

When the session ends, the key is gone. The records release back to encrypted custody.

The ledger is cryptographically secured and tamper-evident — but the technical choice isn't the point. Patient control is.

What's on the network is the permission. What's off the network is the record. That distinction is the architecture.

▸ THE APP

Your records. Your consent. One app.

The smallest piece of the architecture. The most important.

§ 03 — The Wallet

Software-only. Patient-first. Always with you.

The POHSN Wallet is where patients hold their records — encrypted, in their custody, never on a vendor's server. It's the front door to the consent network and the only place a grant can be created or revoked.

The patient experience is built around three actions:

01 · RECEIVE

Records arrive in the Wallet from any participating clinic, hospital, or care setting.

The patient owns the moment they're added — no portal logins, no waiting for someone to fax, no chasing down forms.

02 · GRANT

When a new provider needs access, the patient signs a grant from the Wallet — scope, duration, terms.

Most grants take seconds. Every grant is the patient's to write.

03 · REVOKE

Any grant can be revoked, anytime, for any reason.

Revocation is immediate and absolute. The provider's access ends at the next read.

Everything else in the architecture exists to make this one app trustworthy.

Your phone. Your records. Your call.

▸ THE DEVICE

The Tap is the gate. Everything passes through it.

Hardware-attested. Decrypt on demand. Stores nothing.

§ 04 — The Tap

Software networks fail at the front door. POHSN starts there.

The POHSN Tap is the provider's authenticated endpoint to the consent network. It sits at the point of care — exam rooms, intake desks, ICUs — and and it is the gate every provider-side read passes through.

Every Tap is provisioned with a cryptographic identity tied to its practice. When a patient grants access, the Tap that reads the grant is verifiable. When a grant expires, the Tap that holds the session can no longer decrypt. When a Tap is lost or stolen, its identity is revoked from the network, and every future read fails.

Three principles govern the device:

01 · HARDWARE-ATTESTED

The Tap proves its identity to the network before it can read anything.

Software endpoints can be spoofed. Hardware endpoints are issued, provisioned, and revocable.

02 · DECRYPT ON DEMAND

The Tap stores no patient records.

It decrypts the scoped records for the duration of an active session and releases them when the session ends. A stolen Tap is a piece of hardware. Nothing more.

03 · ONE DEVICE, ONE IDENTITY

Every Tap is unique on the network. Every read is attributable. Every session is auditable.

Provider compliance teams get a clean ledger; bad actors get nowhere.

The Tap exists so the network's promises stay real at the point of care.

Records flow when the patient says so. Through the gate. Nowhere else.

▸ THE Workstation

The Tap opens the gate. The Workstation is where the work happens.

Where the provider works - and the record finds its way home.

§ 04 — The Tap

Software networks fail at the front door. POHSN starts there.

The POHSN Tap is the provider's authenticated endpoint to the consent network. It sits at the point of care — exam rooms, intake desks, ICUs — and and it is the gate every provider-side read passes through.

Every Tap is provisioned with a cryptographic identity tied to its practice. When a patient grants access, the Tap that reads the grant is verifiable. When a grant expires, the Tap that holds the session can no longer decrypt. When a Tap is lost or stolen, its identity is revoked from the network, and every future read fails.

Three principles govern the device:

01 · HARDWARE-ATTESTED

The Tap proves its identity to the network before it can read anything.

Software endpoints can be spoofed. Hardware endpoints are issued, provisioned, and revocable.

02 · DECRYPT ON DEMAND

The Tap stores no patient records.

It decrypts the scoped records for the duration of an active session and releases them when the session ends. A stolen Tap is a piece of hardware. Nothing more.

03 · ONE DEVICE, ONE IDENTITY

Every Tap is unique on the network. Every read is attributable. Every session is auditable.

Provider compliance teams get a clean ledger; bad actors get nowhere.

The Tap exists so the network's promises stay real at the point of care.

Records flow when the patient says so. Through the gate. Nowhere else.

▸ THE POSTURE

The safest data is data we don't hold.

POHSN's smallest commitment is the most important: hold less.

§ 05 — Security & Trust

Every breach starts with what a company chose to keep.

Most health-data systems are built on accumulation. Records flow in, sit in centralized stores, get indexed, queried, copied, and eventually leaked. The size of the breach is a function of the size of the holdings.

POHSN is built on the opposite premise. The less POHSN holds, the less is exposed.

▸ WHAT POHSN HOLDS
01

The consent ledger.

Signed grants, timestamps, scope, revocations. Metadata about permissions — not the records themselves.

02

The Tap identity layer.

Cryptographic identities for provisioned devices. Issuance, attestation, revocation. No PHI.

03

The Wallet codebase and consent network protocol.

The software that makes the architecture run. Open to audit. Closed to data accumulation.

◂ WHAT POHSN DOES NOT HOLD
01

Patient medical records.

They live encrypted in patient custody. POHSN cannot read them — not in transit, not at rest, not under subpoena.

02

Decryption keys.

The patient holds the keys. Multi-factor recovery, no master key on POHSN's side.

03

Aggregated PHI databases.

None exist. There is no central store to query, no warehouse to breach, no backup to leak.

04

Provider EHR data.

The Tap reads the grant. The Tap does not pull or store any provider-side patient data.

What POHSN doesn't hold can't be breached. What patients hold can't be taken without their signature.

HIPAA-compliant by architecture. BAA scope tightened by design. Audit trails on every grant and every read.

Break-glass software access exists for ER and urgent care scenarios. Every emergency read is logged, flagged, and audited.

POHSN runs the network. The network is yours.

▸ THE ROADMAP

Built for Phase 1. Designed for what comes next.

The architecture is intentionally extensible. The principle never moves.

§ 06 — The Roadmap

What launches in Q1 2027 is the foundation. The network is designed to keep going.

POHSN's architecture is intentionally extensible. Phase 1 establishes the consent network, the Wallet, and the Tap — the three layers that make patient-held records workable at the point of care. What comes after builds on that foundation without changing the principle: the patient holds the record.

▸ PHASE 1

Launch.

Q1 2027

The full consent architecture goes live.

  • The Wallet ships to patients on iOS and Android
  • The Tap deploys to early partner clinics
  • The consent network opens to grants from day one
  • The desktop access path opens for emergency access and continuity

Every promise this page makes is real in Phase 1.

▸ PHASE 2

The intelligence layer.

Post-launch

The network is designed to support an intelligence layer in future phases — one that operates within the patient's consent, on scoped data, for the patient's benefit.

▸ ARCHITECTURE FIRST. SPECIFICS LATER.

What Phase 1 ships is the architecture POHSN's been describing. What Phase 2 adds is built on the same principle.

Phase 1 is the floor. Everything after is built on it.

▸ THE INVITE

Two doors. One network.

Providers and investors arrive at the same place — by different paths.

§ 07 — The Invite

You've read the architecture. Here's where the conversation starts.

The Product page is for the people who do the work — providers deploying POHSN at the point of care, investors funding the patient layer, partners building alongside.

Two audiences. One next step.

The Contact page splits the path: a form for providers requesting a demo, a form for investors opening a conversation. Both go through the same door. Both reach the same team.

Open the door → ▸ Routes to /contact

Records belong to patients. The network exists to honor that.

▸ END OF PRODUCT