Versions Compared

Version Old Version 1 New Version 2
Changes made by

Andy Brook [Plugin People]

Andy Brook [Plugin People]

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As we see it, enabling HIPPA is done at the Atlassian Product (Jira/Confluence) level in order to apply “protection” to specific typed/identified/tagged data holding entities like Jira Custom Fields, limiting search and (I we expect) remote access from apps like JEMHC.

...

We are not HIPPA certified

As yet we have no specific HIPPA compliance that would enable us to sign a BAA.

HIPPA Impact for Enterprise Mail Handler for Jira Cloud

Being HIPPA certified has challenges for us as an Email processor /sender, we need PII (Email Addresses) for core functionality. We don’t specifically ‘know’ what data you store, so can’t specifically ‘redact’. We are not HIPPA certified at this point. The following would be seen as the ‘technical measures’ our app has that could be applied for HIPPA compliance.

The JSM notification templates we use include a limited subset of fields that notifications include, so overall JEMHC meausres in place that support HIPPA could be viewed as:

  • We limit what field we send in notifications (not all changed fields would be sent), you can add more fields specifically.

  • You can enable/disable inline images and attachments to be sent (at all)

  • You can enable/disable email-user support (that stores email addresses in custom fields where no portal user / Jira user is desired), Email Addresses are PII, are a HIPPA data category, for HIPPA compliance, you’d probably have to not use this feature

  • You can enable/disable attachment of the raw Email to the issue, again for HIPPA compliance you’d probably have to not use this feature.

  • If an inbound mail is not processed, a ‘fwd’ mail is sent to the Profile > Forward Users, linking to the Audit record involved. If you have disabled auditing the full mail is attached to avoid data loss. The full mail obviously contains IP addresses, recipient addresses, full content etc.

  • If you flag a mail for support in auditing, an issue is created in our support system referring the audit record. Only such flagged mails (its processing Report, your Profile) are available to all our support staff via a back-office app, through which data downloads can occur, such data is burned when support tickets are closed out.

Edge Cases

  • Webhook containing data about issue events (that drive JEMHC notifications) are kept for a short time, but still are available to System administrators, can be ‘saved’ as Preview Contexts for Template Set previews.

  • Auditing retains copies of Inbound and Outbound mail for 30days, this is available to System administrators. You can opt-out of auditing but make it hard for you to diagnose processing problems, and will prevent you from performing simple recovery actions (eg Jira user not allowed to comment) and will impact our ability to help with problems you may encounter.

Further Information

If you need more, feel free to log a support ticket with us:

...