...
In the https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/ page. There you will find how to sign an Atlassian Business Associate Agreement (BAA) with Atlassian and how to configure the Atlassian products to safeguard data that Atlassian holds.
Marketplace Apps
...
HIPAA support
Marketplace apps are not in scope for the Atlassian-signed BAA. Our cloud app JEMHC has no concept of HIPAA data or of the categorizations that you make on the Atlassian product. We don’t extract/store data ourselves; only the bare minimum information (i.e. email addresses/personal names) is stored, for inbound/outbound auditing purposes. JEMHC is a tool: you can use it to extract data from the ‘source’ email content and store it in your Jira instance in those pre-defined HIPAA fields.
...
As we see it, enabling HIPAA is done at the Atlassian product (Jira/Confluence) level in order to apply “protection” to specific typed/identified/tagged data-holding entities like Jira Custom Fields, limiting search and (we expect) remote access from apps like JEMHC.
...
HIPAA
...
compliance
As yet we have no specific HIPAA compliance that would enable us to sign a BAA. We are currently on a SOC2 compliance journey.
HIPAA Impact for Enterprise Mail Handler for Jira Cloud
...
Being HIPAA certified has challenges for us as an email processor/sender: we need PII (email addresses) for core functionality. We don’t specifically ‘know’ what data you store, so can’t specifically ‘redact’ it. We are not HIPAA certified at this point. The following would be seen as the ‘technical measures’ our app has that could be applied for HIPAA compliance.
...
Webhooks containing data about issue events (that drive JEMHC notifications) are kept for a short time, but are still available to System administrators and can be ‘saved’ as Preview Contexts for Template Set previews.
Auditing retains copies of inbound and outbound mail for 30 days; these are available to System administrators. You can opt out of auditing, but this makes it hard for you to diagnose processing problems, will prevent you from performing simple recovery actions (e.g. Jira user not allowed to comment), and will impact our ability to help with problems you may encounter.
Business Associate Agreement
TBD
Further Information
If you need more, feel free to log a support ticket with us:
...