Business Associate Agreement for JEMHC

This page is not final; it is here as a work in progress for discussion.

Business Associate Agreement for Enterprise Mail Handler for Jira Cloud (JEMHC)

References

See https://www.ecfr.gov/current/title-45 for navigable Title 45 regulations.

Known Issues

(1) JEMHC Auditing

An area of contention in JEMHC is the Auditing feature that currently exposes ALL inbound/outbound mail (content, images, attachments) to instance admins. Project admins can access the same type of data scoped to their specific project.

Disabling Auditing

JEMHC Auditing can be disabled entirely to address this, with re-enablement only possible by going through The Plugin People support, for tracking.

Impact

If Auditing is disabled:

  • data loss can be an outcome

  • recovery (re-execution of the mail through JEMHC) due to problems with Jira/JEMHC configuration is not possible as there is no copy of the incoming mail

  • it will not be possible to determine whether a mail was ever received or sent

  • the absence of Auditing can impair the ability of Business Associate to provide support (at all) for some scenarios.

Future work

We plan to provide a limited Auditing feature as a midway point: it keeps useful Auditing functionality by retaining dates/sender/recipients/subject, but increases privacy by not storing email content (https://thepluginpeople.atlassian.net/browse/JEMHC-4084).

Definitions

Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions.

Catch-all definition:

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate.  “Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean The Plugin People Ltd.

(b) Covered Entity.  “Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean you, the Customer.

(c) HIPAA Rules.  “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

(d) JEMHC. Enterprise Mail Handler for Jira Cloud app developed by The Plugin People Ltd.

(e) Data Controller (ref). ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The “Covered Entity” is the Data Controller of their data in normal day-to-day usage of JEMHC.

(f) Data Processor (ref). ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The “Business Associate” is the Data Processor on a day-to-day basis, acting on configuration made by the Data Controller.

(1) Obligations and Activities of Business Associate

Business Associate agrees to:

(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

(c) Report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;

[The parties may wish to add additional specificity regarding the breach notification obligations of the Business Associate, such as a stricter time-frame for the Business Associate to report a potential breach to the Covered Entity and/or whether the Business Associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the Covered Entity.]

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

(e) Make available protected health information in a designated record set to the “Covered Entity” as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;

[The parties may wish to add additional specificity regarding how the Business Associate will respond to a request for access that the Business Associate receives directly from the individual (such as whether and in what time and manner a Business Associate is to provide the requested access or whether the Business Associate will forward the individual’s request to the Covered Entity to fulfil) and the time-frame for the Business Associate to provide the information to the Covered Entity.]

(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;

[The parties may wish to add additional specificity regarding how the Business Associate will respond to a request for amendment that the Business Associate receives directly from the individual (such as whether and in what time and manner a Business Associate is to act on the request for amendment or whether the Business Associate will forward the individual’s request to the Covered Entity) and the time-frame for the Business Associate to incorporate any amendments to the information in the designated record set.]

(g) Maintain and make available the information required to provide an accounting of disclosures to the “Covered Entity” as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;

[The parties may wish to add additional specificity regarding how the Business Associate will respond to a request for an accounting of disclosures that the Business Associate receives directly from the individual (such as whether and in what time and manner the Business Associate is to provide the accounting of disclosures to the individual or whether the Business Associate will forward the request to the Covered Entity) and the time-frame for the Business Associate to provide information to the Covered Entity.]

(h)  To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and

(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

(2) Permitted Uses and Disclosures by Business Associate

(a) Business Associate may only use or disclose protected health information (PHI) as necessary to perform the services set forth in the Enterprise Mail Handler for Cloud (JEMHC) Data Processing Agreement (DPA) that is automatically aggregated through the Cloud Software Product EULA (see Product specific Addendums). For a full list of processing activities, see Records of processing activities (ROPA, GDPR Article 30).

The Covered Entity is solely responsible for asserting that any content supplied to the Business Associate for the purposes of gaining support is free of PHI before supplying it to Business Associate for support purposes. Where source emails contain PHI, it is the responsibility of the Covered Entity to create appropriate test data that can be used to replicate a described problem in order for the Business Associate to provide support. Failure to provide data that replicates a reported problem may result in an inability for support to solve problems and in such cases shall not constitute failure on the part of the Business Associate.

(b) For inbound mail, Business Associate, when processing data, is unaware of whether such mail contains PHI or not; all mail is treated the same. The Business Associate is expected to process this mail within the expected processing configuration defined by the Covered Entity.

With JEMHC Auditing enabled, raw mail (message/rfc822) content is encrypted (server-side encryption with Amazon S3 managed encryption keys (SSE-S3)) prior to storage. Customers with concerns over such storage (at all) are free to disable JEMHC Auditing entirely; however, the lack of Auditing will remove the ability of the Covered Entity to trace mail in/out and to diagnose routing and processing problems, and will prevent Business Associate from being able to solve some problems in support.

(c) Outbound mail is driven by Jira Webhook events, which Jira sends for all issue changes to all installed cloud apps that register to process them; such Webhooks contain complete issue state (custom fields, description, comments etc). These Webhooks are received over SSL and queued for processing; such data is encrypted (server-side encryption with Amazon S3 managed encryption keys (SSE-S3)) prior to storage. On dequeue, the Webhook is tested to see if it is from a Jira Project that is scoped by JEMHC Notification configuration made by the Covered Entity; only Webhooks matching a Project referred to by a Notification are retained. The Webhooks are visible in JEMHC for 1h and are purged from underlying storage by policy after 7d.

Covered Entity is responsible for configuring (1) what Projects generate JEMHC notifications, (2) what Audience receives notifications, (3) what fields are included in notifications, and (4) whether attachments (including images) are enabled (can be limited by type and size). As with incoming mail, JEMHC Auditing of outgoing mail retains copies of the content sent (text/html) as well as attachments, which are available through Auditing, exposing all such data to the System Admin (Project Admins are able to see such data scoped to the local project).

JEMHC Auditing doesn’t affect Webhook storage, which is a required feature for outbound notifications. If the storage or use of Webhooks on encrypted-at-rest storage is deemed unsafe, the only option is to not use JEMHC for notifications.

(d) Covered Entity may use the JEMHC Auditing feature to ‘convert Events to Preview Context’ to allow template editing to reflect ‘actual’ data. Such Preview Context configuration is encrypted prior to storage in the database, which itself has underlying storage encrypted at rest.

(e) Per the Business Associate Security Policy, controls are in place to limit access to underlying customer data, and Business Associate makes no use of customer data other than to satisfy functional requirements of JEMHC.

(f) Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164, except for the specific uses and disclosures set forth below.

(g) Business Associate may use protected health information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

(3) Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

There is no requirement for Covered Entity to inform Business Associate of changes, as they are the Data Controller responsible for the configuration and use of data by JEMHC.

(4) Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164.

(5) Term and Termination

(a) Term. The Term of this Agreement shall be effective as of [ ] (MMM / DD / YYYY), and shall terminate on the date Covered Entity terminates their Atlassian Marketplace license for using JEMHC, or for cause as authorized in paragraph (b) of this Section, whichever is sooner. 

(b) Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.  In such a case Covered Entity must immediately unlicense JEMHC and uninstall the App, then communicate to support that a ‘purge’ of all held configuration data, including audit mail data, is required. Purge is irrevocable.

(c) Obligations of Business Associate Upon Termination.

Upon termination of this Agreement for any reason, the Covered Entity shall unlicense JEMHC and remove it from their Jira platform. Business Associate shall, subject to set purge time-frames (see ‘Data Retention’, Data Storage), destroy all protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form.  Business Associate shall retain no copies of the protected health information.

Upon termination of this Agreement for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

  1. Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

  2. Destroy the remaining protected health information that the Business Associate still maintains in any form;

  3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the protected health information;

  4. Not use or disclose the protected health information retained by Business Associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at “Permitted Uses and Disclosures By Business Associate” above, that applied prior to termination; and

  5. Destroy the protected health information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

(d) Survival.  The obligations of Business Associate under this Section shall survive the termination of this Agreement.

(6) Miscellaneous

(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

(c) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.