Skip to content

HIPAA-Adjacent Secure Messaging for Healthcare

HIPAA's Security Rule (45 CFR §164.312) requires covered entities to safeguard electronic Protected Health Information (ePHI) in transit — access controls, transmission security, audit controls. Standard encrypted messaging protects message bodies but exposes thecommunication graph: which provider messaged which patient, when a lab result was delivered, which specialist a primary referred to. In healthcare that graph is itself ePHI. It can reveal diagnoses (a patient's oncologist contacted frequently), provider relationships (referral patterns), and patient conditions (who is receiving lab results and for what). Tessera protects both the message and the metadata.

The problem: communication metadata is ePHI

The HHS guidance on "de-identification" (§164.514) acknowledges that derived data can identify an individual — and communication patterns are notoriously re-identifiable. A messaging server that logs provider↔patient and provider↔provider traffic holds a graph from which diagnoses, treatment timelines, and care relationships are inferrable. Encrypting the body does not remove that exposure; it merely narrows it to the routing layer, which is itself a regulated system component under §164.308.

Three common flows each carry metadata risk:

FlowExampleMetadata risk
Provider ↔ providerSpecialist referral, case discussionReveals referral patterns, specialty relationships
Provider → patientAppointment, follow-up instructionsReveals patient is under care for a condition
Lab → providerResult deliveryReveals which provider ordered which test, for whom

How Tessera helps

Tessera's three privacy mechanisms map onto the properties a covered entity needs for compliant messaging:

  • ZK authentication → access controls. A Schnorr / Fiat–Shamir proof under a blinded pseudonym authenticates the sender cryptographically. No shared password, no replayable token; the recipient's verifier accepts or rejects in ~13 ms.
  • AES-GCM payload encryption → transmission security. The proof and payload travel inside an AES-GCM ciphertext; the transport never sees plaintext.
  • Metadata privacy → narrower ePHI surface. Blinded pseudonyms and bucketed broadcast mean the relay does not hold a sender↔recipient graph. What the relay cannot store, it cannot breach.
  • (ε,δ)-DP cover traffic → quantifiable privacy. The cover-traffic budget is a tunable, auditable parameter a security risk analysis (§164.308(a)(1)) can cite.

Architecture

Recommended deployment: the covered entity (or its business associate, under a BAA) self-hosts relay nodes inside its trust boundary. Each provider and patient holds a long-term keypair; enrolment is pairwise (provider↔patient, provider↔provider, lab↔provider). Messages route to recipient buckets; the recipient pulls.

Provider (long-term key)          Patient / second provider (verifier key)
────────────────────             ────────────────────────────────
shared_seed from enrolment        shared_seed from enrolment
  │
  1. BlindedSender.pseudonym()    → Y' (fresh, unlinkable)
  2. ZKProver.prove(message)       → π (Schnorr FS)
  3. SecureEncryption.encrypt()   → AES-GCM ciphertext
  4. broadcast → patient bucket   (relay sees bucket, not recipient)
                                  │
                                  5. pull from bucket
                                  6. decrypt → (π, message)
                                  7. BlindedVerifier.verify(π, Y', message)
                                     → accept: verified provider
                                     → reject: forged / unknown

Compliance mapping (§164.312)

Architectural mapping — not legal advice; a covered entity's security risk analysis must confirm applicability.

SectionRequirementTessera mechanism
§164.312(a)(1)Access controlsSchnorr ZK proof authenticates the sender; the recipient verifier accepts or rejects — no shared password, no token replay
§164.312(a)(2)(iii)Automatic logoffSession-bound blinded pseudonyms: each delivery uses a fresh session_id, so stale sessions cannot authenticate
§164.312(b)Audit controlsRecipient-side audit log records verified deliveries; relay logs show only bucket-level activity, not identities
§164.312(e)(1)Transmission securityAES-GCM authenticated encryption for payload + proof; metadata privacy hides sender↔recipient over the wire
§164.308(a)(1)Security management processSelf-hosted relays inside the covered entity trust boundary; no external processor holds identifiable metadata

Code example

from tessera.sdk import Sender, Verifier
from tessera.crypto.blinding import BlindedSender, BlindedVerifier
from tessera.crypto import SecureEncryption

# enrolment: provider + patient share a seed (in person, or via EHR portal)
shared_seed = os.urandom(32)

# provider sends a follow-up instruction
provider = Sender(secret_key=b"...provider long-term sk...")
bs = BlindedSender(provider.public_key, shared_seed, session_id="visit-7421")
y_prime = bs.pseudonym()
proof   = bs.prove(b"Continue metformin 500mg BID; recheck HbA1c in 3 months.")
ct      = SecureEncryption.encrypt(proof, b"Continue metformin ...", patient_pubkey)

# routed over self-hosted relay inside the health system VPC
relay.broadcast(bucket=compute_bucket(patient_fingerprint), ciphertext=ct)

# patient's device verifies
bv = BlindedVerifier(
    Verifier(expected_pubkey=provider.public_key),
    shared_seed, session_id="visit-7421",
)
assert bv.verify(proof, y_prime, b"Continue metformin 500mg BID ...") is True

Frequently asked questions

Is Tessera 'HIPAA-compliant'?

No software component is HIPAA-compliant in isolation — compliance is a property of a covered entity's overall program (risk analysis, BAAs, safeguards, training, breach response). Tessera provides architectural safeguards aligned to specific §164.312 requirements (access controls, transmission security, audit controls) and narrows the ePHI surface by eliminating the communication graph from relay storage. Use it as a technical safeguard within a HIPAA program, not a substitute for one.

Does metadata privacy interfere with audit logging requirements?

No. Audit logs live on the recipient side, which sees the verified sender identity (the blinded pseudonym resolves under the shared seed). Relay-side logs record bucket-level activity only — sufficient for operational telemetry without exposing individual communication pairs. This separation is itself a privacy benefit: a breached relay log cannot reveal who messaged whom.

Protect healthcare communication metadata

Self-host Tessera relays and align metadata privacy with §164.312 safeguards.

pip install tessera