Hi,
I understand that HIPAA compliance for Temporal Cloud is on the roadmap, but there is no ETA yet (Slack).
Since we have to be HIPAA compliant and we are evaluating Temporal, we may mostly run it on-premises.
But I was wondering if the following steps, though manual and error-prone, can mitigate the lack of HIPAA compliance on Temporal Cloud:
- I understand workflow definitions store input and output arguments. But if we don't pass PHI in these arguments, then it won't be stored in the Temporal Cluster. We could technically pass IDs to refer to customers, which is fine as per HIPAA.
- Use of custom Data Converters to encrypt the data. If we use this for every workflow/activity function, then we should be good? Are there cases where we can't apply Data Converters? (What is a Data Converter? | Temporal Documentation)
Open Questions:
- In the 101 course, it says we learn about the ctx workflow.Context argument. For Python, does this context object store state about a particular worker and send it to the Temporal Cluster? If so, would it contain intermediate worker state which contains PHI? This seems like some advanced stuff, but I have seen Sentry store 'breadcrumbs' about the application (which can be turned off), where we leaked PHI sometime in the past, e.g. text to the workflow. So I thought I'd ask. I've only done the 101 course.

What am I missing about mitigating the lack of HIPAA compliance in Temporal Cloud?