1Password is an end-to-end encryption platform, which leaves AgileBits with no ability to view or decrypt patient records or any other data stored in 1Password. As a result, AgileBits is not defined as a Business Associate pursuant to HIPAA and thus is not subject to a Business Associate Agreement.
Confidentiality refers to protecting ePHI from unintended or unauthorized disclosure.
1Password satisfies the Confidentiality requirement through the use of strong and layered encryption while the data is at rest, either on the AgileBits servers or on a user device, as well as while the data is being transmitted. At-rest encryption is performed with the Advanced Encryption Standard (NIST FIPS 197) using 256-bit symmetric cryptographic keys. The 256-bit symmetric keys are generated by your device using cryptographically appropriate pseudorandom number generators. All symmetric keys are encrypted using a public/private key pair, and AgileBits is never in possession of the private key required to decrypt any of the symmetric encryption keys.
Integrity refers to protection against unauthorized, unintended or malicious modification of ePHI.
1Password satisfies the Integrity requirement through the use of strong encryption, access controls for vaults, Role-Based Access Controls for team administration, and secure storage based on the Amazon Web Services platform. AgileBits performs periodic security scans of the server infrastructure to detect possible tampering. AgileBits also makes use of periodic third-party security evaluations, including risk assessment of the server infrastructure and configuration, and penetration testing through various bug bounty programs.
Availability refers to access to ePHI data when and where it is needed.
1Password satisfies the Availability requirement through the use of high-availability hosted services. Amazon Web Services consists of multiple availability zones (groupings of systems and resources within a single geographical region) as well as multiple geographical regions. In the event that an availability zone were to suffer a loss of availability, AgileBits would be able to create new server instances in another availability zone within the same region. Adherence to best practices, which include authorizing multiple devices and secure storage of the Emergency Kit, will ensure that accidental loss of ePHI availability does not occur. Developing disaster recovery and business continuity plans will ensure that reasonably foreseeable events do not result in long-term loss of availability to ePHI.
The 1Password Security Design White Paper describes how threats to Confidentiality, Integrity and Availability are addressed.