Is JIRA HIPAA compliant?

Is it compliant to store HIPAA data provided by my customers in JIRA?

5 answers

1 accepted

My question about the BAA stemmed from the fact that Business Associates need to take into account the software they use to provide services where PHI might be communicated. Microsoft has agreed to sign a BAA for any providers using their software such as MS 365 and therefore is HIPAA compliant (meeting other standards such as encryption as well). Google has declined to sign BAAs and therefore is not compliant. I wanted to know where Atlassian stood on this. Thanks.
Daniel Wester Community Champion Sep 10, 2013

Your best bet is probably to email sales@atlassian.com and ask them through that channel.

1 vote
That is not something we can know. What is HIPAA for a start? (Yes, I do actually know, but a lot of people here will see an unknown acronym and not bother to read any further. I certainly do that, I just happen to know from experience). The answer depends on what the act currently requires of your organisation, how you plan to implement it, whether you are using your own install, hosting, managed services, what you are integrating it with, what your access control plans are. Jira can meet the rules as I've seen them, but it might not for what you want to do. I'm afraid the answer is that you'll have to investigate this for yourself, although it may be worth talking to Atlassian partners, as I know several of them have done assessments like this before.

This. As there's no such thing as HIPAA certifications, compliance comes from your specific business rules and configuration. In addition to your configuration, the global support and operations teams at Atlassian will have access to your data per https://www.atlassian.com/hosted/security

I am really trying to determine if I can use JIRA for support for our customers. Some issues reported by customers involve PHI, such as on 8/1/13 Jane Doe had an A&D service and it was not approved correctly. This would be considered HIPAA data, and my question is, is JIRA OnDemand

That is roughly what I'm getting at - you'll need to go through your requirements and investigate whether Jira can match them. We can't give you a simple yes or no because we don't know what your entire set of requirements might be.

Even then, looking at the case you've just presented, the answer is only "probably", because it depends on how you decide to configure it. It'll certainly track all the data you enter and update, but whether it's compliant with your interpretation of the HIPAA rules is still up to you.

Thanks for the replies, I have 2 follow up questions:

1) Will Atlassian sign a Business Associate Agreement (or have a standard they will sign as Microsoft does for MS 365 and other products)?

2) If I use JIRA installed does anyone else (that I do not grant access to) have access to my data?

1) You'll need to ask Atlassian. If there's any work involved in doing that, then I suspect the answer is "no", because they expect you, as the user, to handle local legal requirements, not them. No harm in asking, I'd simply email "sales at atlassian dot com".

2) No. It'll be your system on your hardware with your data. You can set up any protections you need internally.

Minor exception on point 2 - if you use the UI to ask Atlassian for support, it will copy *system* information over to them, but none of your data.

Ok, I feel obliged to chime in because there is a lot of incorrect information in this thread. (Disclaimer: I am not a lawyer)

"That is not something we can know. ... The answer depends on what the act currently requires of your organisation, how you plan to implement it, whether you are using your own install, hosting, managed services, what you are integrating it with, what your access control plans are."

Wrong. HIPAA is crystal-clear on what is required to be compliant. The confusion here may arise from the fact that HIPAA does not specify what technical safeguards must be implemented... it's primarily administrative. Use http://www.hhs.gov/ocr/privacy/index.html as a starting point for understanding HIPAA.

"As there's no such thing as HIPAA certifications, compliance comes from your specific business rules and configuration."

There is no certification, correct, but compliance involves all parties that handle PHI. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.

"In addition to your configuration, the global support and operations teams at Atlassian will have access to your data"

Atlassian may not realize it, but regardless of their interpretation of the law, terms of use, or other customer agreements, they are liable for a breach if their employees access any identifiable health information protected under HIPAA. You can find more information on that here: http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php.

Depending on the severity of any breach, HHS can enforce a penalty of up to $1.5MM. See http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.

Q: Will Atlassian sign a Business Associate Agreement?
A: If there's any work involved in doing that, then I suspect the answer is "no", because they expect you, as the user, to handle local legal requirements, not them.

Wrong. As explained here, http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php, Atlassian is responsible for HIPAA compliance if they handle protected health information under any circumstance. If they operate in the U.S., they are responsible for handling these legal requirements.

Q: If I use JIRA installed does anyone else (that I do not grant access to) have access to my data?
A: No. It'll be your system on your hardware with your data. You can set up any protections you need internally.

This is the best answer here. If you want to use JIRA and maintain compliance then install it on your own servers.

Before we even get to HIPAA for the application - let's take a step back. The data center needs to be HIPAA compliant - including the servers it's hosted in. As said by Andrew, there are clear certifications for this and proof can be provided. That's step 1. Next is to look at the application/environment.

Andrew - these links do not resolve, can you please update your post?

Actually, Andrew, I believe you might have been looking for this information - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

As Atlassian is not a covered entity, and will not be engaging as a "Business Associate", they are not responsible for this information.

Also note "HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant."

HIPAA is not the only regulatory set of requirements that software and services that Atlassian provides will need to deal with. Rather than send thousands of compliance questions to Atlassian's sales force (whom I'm assuming are not legal and regulatory experts on how Atlassian's products and services are utilized in various different industries), why not take the bull by the horns, and proactively provide the certifications and assurance for these customers that they've all been begging for? I work for one of those Fortune 100 companies who has not endorsed the use of your development products because we continually receive these types of evasive answers from Atlassian. The problem is... your products are some of the best we've seen... we simply cannot risk using unassured, non-certified software products or services in one of the largest payment systems on the planet.

One thing that can help you be HIPAA compliant is making sure that sensitive data is not stored in places where it shouldn't be and that access to it is properly audited. For this you can use our recently released PII Protector for JIRA add-on. It monitors sensitive PII like credit card numbers, social security numbers, addresses, etc. stored in Atlassian JIRA, reports it, provides admins with a convenient UI to manage it, to audit access to it, and optionally to hide or to erase it.
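The kind of scan the comment above describes, written here as an added example for this page rather than code from the PII Protector add-on or from Atlassian: it runs regular-expression detectors for US SSNs, Luhn-validated payment card numbers and dates of service (a date tied to a named patient, as in the "8/1/13 Jane Doe" ticket earlier in the thread, is PHI) over issue text, returns a findings report, and produces a redacted copy of each issue. The issue dictionaries and their text are constructed for the example; the `{"key": ..., "fields": {...}}` shape is an assumption standing in for what a Jira REST client would return, and a real deployment would write the findings to an audit log rather than print them.

```python
"""Detect and redact PII/PHI-like values in Jira issue text.

Added example for this page (not the PII Protector add-on, not an Atlassian API).
Issue records are assumed to be dicts shaped {"key": str, "fields": {name: text}}.
"""
import re
from dataclasses import dataclass

# US SSN 3-2-4 with dashes; SSA never issues area 000/666/9xx, group 00 or serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally split by spaces or dashes; confirmed by the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Dates such as 8/1/13 or 08/01/2013 (dates of service count as PHI when tied to a person).
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/(?:\d{4}|\d{2})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects random digit runs like build IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    issue_key: str
    field: str
    kind: str
    start: int
    end: int
    value: str


def scan_text(issue_key: str, field: str, text: str) -> list:
    """Return findings for one text field, ordered by position."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append(Finding(issue_key, field, "ssn", m.start(), m.end(), m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append(Finding(issue_key, field, "card", m.start(), m.end(), m.group()))
    for m in DATE_RE.finditer(text):
        found.append(Finding(issue_key, field, "date", m.start(), m.end(), m.group()))
    return sorted(found, key=lambda f: f.start)


def redact_text(text: str, findings: list) -> str:
    """Replace each finding's span with a marker; work right-to-left so offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.kind.upper()} REDACTED]" + out[f.end:]
    return out


def scan_issues(issues: list) -> tuple:
    """Scan every text field of every issue; return (report, redacted copies)."""
    report, redacted = [], []
    for issue in issues:
        clean = {"key": issue["key"], "fields": {}}
        for field, text in issue["fields"].items():
            found = scan_text(issue["key"], field, text)
            report.extend(found)
            clean["fields"][field] = redact_text(text, found)
        redacted.append(clean)
    return report, redacted


# Constructed sample issues (not real tickets). 4111 1111 1111 1111 is a well-known
# Luhn-valid test number; 1234567890123 and 000-12-3456 are look-alikes that must NOT match.
SAMPLE_ISSUES = [
    {"key": "SUP-101", "fields": {"description":
        "On 8/1/13 Jane Doe had an A&D service and it was not approved correctly. "
        "Her SSN is 123-45-6789."}},
    {"key": "SUP-102", "fields": {"description":
        "Refund for card 4111 1111 1111 1111 failed, see attached statement."}},
    {"key": "SUP-103", "fields": {"description":
        "Build 1234567890123 failed in CI; see change ref 000-12-3456."}},
]

if __name__ == "__main__":
    report, cleaned = scan_issues(SAMPLE_ISSUES)
    for f in report:
        print(f"{f.issue_key} {f.field}: {f.kind} at {f.start}-{f.end}")
    for issue in cleaned:
        print(issue["key"], "->", issue["fields"]["description"])
```

The Luhn step is what keeps the card detector from flagging every long digit run in a build log, and the SSN prefix exclusions do the same for ticket-style references; a scanner without those filters generates enough noise that admins stop reading the report. Redaction here is destructive, which is what you want for a copy you hand to support staff, but the findings list (with offsets) is what belongs in the audit trail.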
