HIPAA-Compliant Structural-Metadata-Only Architecture
Tessara is designed for healthcare organizations that need rigorous FHIR API conformance monitoring without exposing Protected Health Information (PHI). Our local-first, structural-metadata-only architecture ensures that zero patient data is ever collected, stored, or transmitted.
1. Metadata-Only Architecture
Traditional compliance tools ingest API payloads — creating significant HIPAA liability. Tessara eliminates this risk entirely by never accessing patient data.
1.1 Structural Metadata Only
Tessara probes a FHIR API’s /metadata endpoint to retrieve its CapabilityStatement — a structural document that describes what resources and operations the API supports. This document contains no patient data.
- What Tessara reads: Resource types, supported profiles, search parameters, interaction capabilities, FHIR version declarations
- What Tessara never accesses: Patient records, clinical data, claims, coverage details, or any PHI-bearing endpoints
- How it works: The CapabilityStatement is parsed into a Structural Contract Model (SCM) — a patent-defined 10-field metadata structure — and compared against the regulatory specification baseline
1.2 Irreversible Structural Fingerprinting
SCM trees are hashed into Merkle root digests using SHA-256 with RFC 8785 JCS canonical serialization. These hashes represent structural shape only — it is mathematically impossible to derive any patient information from them.
1.3 What “metadata-only” means in practice
The architecture stores structural hashes and signed verdicts locally. We do not handle PHI, claims data, or PII; we do handle (and persist) structural metadata + signed conformance evidence. “Metadata-only” is the accurate description; the prior “zero-data” framing was an overclaim and has been retired.
2. Deployment Model
Tessara is a single Go binary with a single dependency: a local SQLite database for evidence chain storage. There are no cloud components, no external services, and no network egress beyond the target FHIR API being monitored.
2.1 Local-First Deployment
- Self-contained: The tessara CLI runs on any Linux, macOS, or Windows machine
- No cloud dependency: All processing happens locally — no data leaves the deployment environment
- No external database: Evidence chains are stored in a local SQLite file
- No BAA required: Because Tessara never processes PHI, a Business Associate Agreement is typically unnecessary
2.2 Probing Model
Tessara performs active HTTP probing of the FHIR API’s metadata endpoint. This is the same public endpoint that any FHIR client uses for capability discovery — it serves structural information, not patient data.
3. Audit Evidence Chains
For HIPAA compliance officers, proving conformance status without exposing patient information is critical. Tessara’s evidence chain provides exactly this.
- Immutable Integrity: Each compliance verdict is signed with Ed25519 digital signatures and linked via SHA-256 to the preceding verdict
- Non-Repudiation: The evidence chain shows that a FHIR API was conformant (or non-conformant) at a specific timestamp, with cryptographic proof that the record has not been altered
- Tamper Detection: Any modification to the historical audit trail breaks the hash chain, making tampering immediately detectable
- No PHI in evidence: Verdicts contain structural metadata hashes, drift finding categories, and scores — never patient data
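As an added example (not Tessara's own code), the Go snippet below shows the mechanics that sections 1.2 and 3 describe: each verdict is serialized canonically, hashed with SHA-256, signed with Ed25519 and linked to the digest of its predecessor, so that editing any historical verdict fails verification. The Verdict fields, the function names and the simplified canonicalization are assumptions; a production build would use a full RFC 8785 JCS library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Verdict is a hypothetical evidence record (field names are assumptions); no payload content.
type Verdict struct {
	SCMRoot    string `json:"scm_root"` // Merkle root over the structural contract
	Conformant bool   `json:"conformant"`
	Timestamp  string `json:"timestamp"`
	Prev       string `json:"prev"` // hex SHA-256 of the preceding verdict; "" for genesis
	Sig        []byte `json:"-"`    // Ed25519 over canonical(v); excluded from the signed bytes
}

// canonical re-encodes v through a map so keys are sorted and output is compact. For ASCII
// keys and string/int/bool values free of <>& this equals RFC 8785 JCS; use a real JCS library otherwise.
func canonical(v Verdict) []byte {
	raw, _ := json.Marshal(v)
	var generic map[string]interface{}
	_ = json.Unmarshal(raw, &generic) // Go marshals maps with lexicographically sorted keys
	out, _ := json.Marshal(generic)
	return out
}

// Append sets v.Prev to the digest of the chain tail, signs the canonical bytes and appends v.
func Append(chain []Verdict, key ed25519.PrivateKey, v Verdict) []Verdict {
	if n := len(chain); n > 0 {
		sum := sha256.Sum256(canonical(chain[n-1]))
		v.Prev = hex.EncodeToString(sum[:])
	}
	v.Sig = ed25519.Sign(key, canonical(v))
	return append(chain, v)
}

// Verify returns the index of the first link whose Prev pointer or signature fails, or -1.
func Verify(chain []Verdict, pub ed25519.PublicKey) int {
	prev := ""
	for i, v := range chain {
		if v.Prev != prev || !ed25519.Verify(pub, canonical(v), v.Sig) {
			return i
		}
		sum := sha256.Sum256(canonical(v)) // recompute; the stored Prev of link i+1 must match
		prev = hex.EncodeToString(sum[:])
	}
	return -1
}
```

Tampering with any verdict, or presenting the chain to a verifier holding a different public key, makes Verify return the index of the first bad link instead of -1.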
4. HIPAA Compliance Summary
| Control | Tessara Implementation |
|---|---|
| PHI Access | None. Tessara reads only the /metadata CapabilityStatement |
| Data Storage | Structural hashes + compliance verdicts in local SQLite only |
| Data Transmission | HTTP GET to target API’s metadata endpoint. No outbound data |
| Encryption | Ed25519 signatures on all verdicts. TLS for API communication |
| Access Control | API key + JWT authentication for the dashboard API |
| Audit Trail | Hash-linked, Ed25519-signed evidence chain with tamper detection |
Conclusion for Compliance Officers
Tessara is not a data processor. It is a structural compliance monitor that reads publicly available API capability declarations, compares them against regulatory specifications, and produces cryptographically signed conformance evidence. No PHI is ever accessed, processed, or stored.
To request a detailed security whitepaper, contact hello@tessara.us.