Hello,
I've read the HIPAA implementation post and the Implementation guide, and there's no clear process for reviewing apps in advance of adopting or migrating to the cloud.
The only guidance I saw was "Ensure that all third-party applications integrated with Jira and Confluence Cloud are running in a HIPAA-compliant manner"
How does one do that? The security pages for app listings in the marketplace don't call out HIPAA (or BYOK) compliance.
There is an instructional page for tagging apps but that requires you to be in the cloud.
I am looking to assess in advance of adopting cloud.
Hi @Rob Horan,
As a starting point, check the marketplace listing page for the app and pay specific attention to the Privacy and Security tab out there.
If the information you find there is not conclusive, contact the app vendor for additional details. They should be able to help you out.
Hope this helps!
I have looked on these pages but the tab is not very clear.
What in particular indicates compliance/non-compliance?
Assume I am documenting a process: I go to the app, open the tab and then review the info. What are the compliance criteria?
Simply put: if I don't see HIPAA compliance or BYOK mentioned there and I want an assessment, I raise a request with the vendor. It will probably be the fastest way to get a trustworthy answer.
And on a side note: if you are assessing apps prior to cloud migration, it is a very good idea to involve the app vendors for the apps you're planning to migrate early on, since they can point out things to keep in mind during the migration. Many apps nowadays offer an automated migration path, but in many cases there are manual steps you'll need to consider prior to or post migration in order to get everything over smoothly when you're ready to migrate in production.
So there's no way to look at the info presented in the tab and get enough information to make a yes/no determination?
Thank you for getting back so quickly!
I'm running a HIPAA-compliant Atlassian Cloud instance right now, and we have just started to look into add-ons. The Summary of the HIPAA Security Rule page is a guide for what to look for generally, but it does not provide specific specs or architecture recommendations. It may be helpful to compare Atlassian's compliance breakdown to the marketplace vendors' answers in the security questionnaire (or any security/compliance documentation they have on their website).
I'm not in cybersecurity or directly involved with my university's risk assessment process, but I know that certain certifications/attestations are often cited in our HIPAA risk assessments, such as SOC 2 and ISO/IEC, and that they also focus on where our data is stored and how it is treated in transit.
Considering that a BAA with third party vendors is required to follow Atlassian's HIPAA implementation guide, it would be nice if they would add that to the security questionnaire to save us all some time.