If you are using JIRA mail/email handlers to create comments from mails between HR and managers, you can use this plugin to setup two email handlers with comment visibility:

https://marketplace.atlassian.com/plugins/biz.beag.jira.mailer

In your first handler, you will set the comment visibility to HR only, then processing an email box called "review@mycompany.com".

In your second handler, you will set the comment visibility to public, and processing email for "approval@mycompany.com".

During HR review, they will send email to "review@mycompay.com" with JIRA reference in the title, which in turn will become an private comment. Once it's approved, they can send an approval email to "apporavl@mycompany.com" which will become a visible comment for the requester.

How JIRA would do this is through comment visibility, however, managers would be required to pick an appropriate comment visibility level ( http://confluence.atlassian.com/display/JIRA/Commenting+on+an+Issue ). Naturally, this expectation may be a little difficult to impose, and in a HR environment, 'informtation leakage' to the issue creator due to a careless comment addition that did not have an appropriate issue security set would be possible.

First improvement to this situation is to write a Post Function to automatically set issue comment security before notifications are triggered, I did something like this before (https://studio.plugins.atlassian.com/wiki/display/JJPFL/Javahollic+Jira+Post+Function+Library ) but havent had time to update it recently.

You could approach this with a similar post function to set the issue secure 'tightly' for all comments, but once the issue has progressed to a particular stage in the issue workflow, that this restriction is lifted, which would achieve your goals. This functionality doest exist out of the box and isn't AFAIK implemetned, you'd need to get it developed.