HIPAA-Adjacent Secure Messaging for Healthcare
HIPAA's Security Rule (45 CFR §164.312) requires covered entities to safeguard electronic Protected Health Information (ePHI) in transit — access controls, transmission security, audit controls. Standard encrypted messaging protects message bodies but exposes thecommunication graph: which provider messaged which patient, when a lab result was delivered, which specialist a primary referred to. In healthcare that graph is itself ePHI. It can reveal diagnoses (a patient's oncologist contacted frequently), provider relationships (referral patterns), and patient conditions (who is receiving lab results and for what). Tessera protects both the message and the metadata.
The problem: communication metadata is ePHI
The HHS guidance on "de-identification" (§164.514) acknowledges that derived data can identify an individual — and communication patterns are notoriously re-identifiable. A messaging server that logs provider↔patient and provider↔provider traffic holds a graph from which diagnoses, treatment timelines, and care relationships are inferrable. Encrypting the body does not remove that exposure; it merely narrows it to the routing layer, which is itself a regulated system component under §164.308.
Three common flows each carry metadata risk:
| Flow | Example | Metadata risk |
|---|---|---|
| Provider ↔ provider | Specialist referral, case discussion | Reveals referral patterns, specialty relationships |
| Provider → patient | Appointment, follow-up instructions | Reveals patient is under care for a condition |
| Lab → provider | Result delivery | Reveals which provider ordered which test, for whom |
How Tessera helps
Tessera's three privacy mechanisms map onto the properties a covered entity needs for compliant messaging:
- ZK authentication → access controls. A Schnorr / Fiat–Shamir proof under a blinded pseudonym authenticates the sender cryptographically. No shared password, no replayable token; the recipient's verifier accepts or rejects in ~13 ms.
- AES-GCM payload encryption → transmission security. The proof and payload travel inside an AES-GCM ciphertext; the transport never sees plaintext.
- Metadata privacy → narrower ePHI surface. Blinded pseudonyms and bucketed broadcast mean the relay does not hold a sender↔recipient graph. What the relay cannot store, it cannot breach.
- (ε,δ)-DP cover traffic → quantifiable privacy. The cover-traffic budget is a tunable, auditable parameter a security risk analysis (§164.308(a)(1)) can cite.
Architecture
Recommended deployment: the covered entity (or its business associate, under a BAA) self-hosts relay nodes inside its trust boundary. Each provider and patient holds a long-term keypair; enrolment is pairwise (provider↔patient, provider↔provider, lab↔provider). Messages route to recipient buckets; the recipient pulls.
Provider (long-term key) Patient / second provider (verifier key)
──────────────────── ────────────────────────────────
shared_seed from enrolment shared_seed from enrolment
│
1. BlindedSender.pseudonym() → Y' (fresh, unlinkable)
2. ZKProver.prove(message) → π (Schnorr FS)
3. SecureEncryption.encrypt() → AES-GCM ciphertext
4. broadcast → patient bucket (relay sees bucket, not recipient)
│
5. pull from bucket
6. decrypt → (π, message)
7. BlindedVerifier.verify(π, Y', message)
→ accept: verified provider
→ reject: forged / unknown
Compliance mapping (§164.312)
Architectural mapping — not legal advice; a covered entity's security risk analysis must confirm applicability.
| Section | Requirement | Tessera mechanism |
|---|---|---|
§164.312(a)(1) | Access controls | Schnorr ZK proof authenticates the sender; the recipient verifier accepts or rejects — no shared password, no token replay |
§164.312(a)(2)(iii) | Automatic logoff | Session-bound blinded pseudonyms: each delivery uses a fresh session_id, so stale sessions cannot authenticate |
§164.312(b) | Audit controls | Recipient-side audit log records verified deliveries; relay logs show only bucket-level activity, not identities |
§164.312(e)(1) | Transmission security | AES-GCM authenticated encryption for payload + proof; metadata privacy hides sender↔recipient over the wire |
§164.308(a)(1) | Security management process | Self-hosted relays inside the covered entity trust boundary; no external processor holds identifiable metadata |
Code example
from tessera.sdk import Sender, Verifier
from tessera.crypto.blinding import BlindedSender, BlindedVerifier
from tessera.crypto import SecureEncryption
# enrolment: provider + patient share a seed (in person, or via EHR portal)
shared_seed = os.urandom(32)
# provider sends a follow-up instruction
provider = Sender(secret_key=b"...provider long-term sk...")
bs = BlindedSender(provider.public_key, shared_seed, session_id="visit-7421")
y_prime = bs.pseudonym()
proof = bs.prove(b"Continue metformin 500mg BID; recheck HbA1c in 3 months.")
ct = SecureEncryption.encrypt(proof, b"Continue metformin ...", patient_pubkey)
# routed over self-hosted relay inside the health system VPC
relay.broadcast(bucket=compute_bucket(patient_fingerprint), ciphertext=ct)
# patient's device verifies
bv = BlindedVerifier(
Verifier(expected_pubkey=provider.public_key),
shared_seed, session_id="visit-7421",
)
assert bv.verify(proof, y_prime, b"Continue metformin 500mg BID ...") is True
Frequently asked questions
Is Tessera 'HIPAA-compliant'?
No software component is HIPAA-compliant in isolation — compliance is a property of a covered entity's overall program (risk analysis, BAAs, safeguards, training, breach response). Tessera provides architectural safeguards aligned to specific §164.312 requirements (access controls, transmission security, audit controls) and narrows the ePHI surface by eliminating the communication graph from relay storage. Use it as a technical safeguard within a HIPAA program, not a substitute for one.
Does metadata privacy interfere with audit logging requirements?
No. Audit logs live on the recipient side, which sees the verified sender identity (the blinded pseudonym resolves under the shared seed). Relay-side logs record bucket-level activity only — sufficient for operational telemetry without exposing individual communication pairs. This separation is itself a privacy benefit: a breached relay log cannot reveal who messaged whom.