This. As there's no such thing as HIPAA certifications, compliance comes from your specific business rules and configuration. In addition to your configuration, the global support and operations teams at Atlassian will have access to your data per https://www.atlassian.com/hosted/security
I am really trying to determine if I can use JIRA for support for our customers. Some issues reported by customers involves PHI, such as on 8/1/13 Jane Doe had a A&D service and it was not approved correctly. This would be considered HIPAA data, and my question is, is JIRA OnDemand
That is roughly what I'm getting at - you'll need to go through your requirements and investigate whether Jira can match them. We can't give you a simple yes or no because we don't know what your entire set of requirements might be.
Even then, looking at the case you've just presented, the answer is only "probably", because it depends on how you decide to configure it. It'll certainly track all the data you enter and update, but whether it's compliant with your interpretation of the hipaa rules is still up to you.
Thanks for the replies, I have 2 follow up questions:
1) Will Atlassian sign a Business Associate Agreement (or have a standard they will sign as Microsoft does for MS 365 and other products)?
2) If I use JIRA installed does anyone else(that I do not grant access to) have access to my data?
1) You'll need to ask Atlassian. If there's any work involved in doing that, then I suspect the answer is "no", because they expect you, as the user, to handle local legal requirements, not them. No harm in asking, I'd simply email "sales at atlassian dot com".
2) No. It'll be your system on your hardware with your data. You can set up any protections you need internally.
Minor exception on point 2 - if you use the UI to ask Atlassian for support, it will copy *system* information over to them, but none of your data.
Ok, I feel obliged to chime in because there is a lot of incorrect information in this thread. (Disclaimer: I am not a lawyer)
"That is not something we can know. ... The answer depends on what the act currently requires of your organisation, how you plan to implement it, whether you are using your own install, hosting, managed services, what you are integrating it with, what your access control plans are."
Wrong. HIPAA is crystal-clear on what is required to be compliant. The confusion here may arise from the fact that HIPAA does not specify what technical safeguards must be implemented... it's primarly administrative. Use http://www.hhs.gov/ocr/privacy/index.html as a starting point for understanding HIPAA.
"As there's no such thing as HIPAA certifications, compliance comes from your specific business rules and configuration."
There is no certification, correct, but compliance involves all parties that handle PHI. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
"In addition to your configuration, the global support and operations teams at Atlassian will have access to your data"
Depending on the severity of any breach, HHS can enforce a penalty of up to $1.5MM. See http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.
Q: Will Atlassian sign a Business Associate Agreement?
A: If there's any work involved in doing that, then I suspect the answer is "no", because they expect you, as the user, to handle local legal requirements, not them.
Wrong. As explained here, http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php, Atlassian is responsible for HIPAA compliance if they handle protected health information under any circumstance. If they operate in the U.S., they are responsible for handling these legal requirements.
Q: If I use JIRA installed does anyone else(that I do not grant access to) have access to my data?
A: No. It'll be your system on your hardware with your data. You can set up any protections you need internally.
This is the best answer here. If you want to use JIRA and maintain compliance then install it on your own servers.
Before we even get to HIPAA for the application - let's take a step back. The data center needs to be HIPAA compliant - including the servers it's hosted in. As said by Andrew, there are clear certifications for this and proof can be provided. That's step 1. Next is to look at the application/environment.
Actually, Andrew, I believe you might have been looking for this information - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
As Atlassian is not a covered entity, and will not be engaging as a "Business Associate", they are not responsible for this information.
Also note "HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant."
HIPAA is not the only regulatory set of requirements that software and services that Atlassian provides will need to deal with. Rather than send thousands of compliance questions to Atlassian's sales force (whom I'm assuming are not legal and regulatory experts on how Atlassian's products and services are utilized in various different industries), why not take the bull by the horns, and proactively provide the certifications and assurance for these customers that they've all been begging for? I work for one of those Fortune 100 companies who has not endorsed the use of your developement products because we continually receive these types of evasive answers from Atlassian. The problem is... your products are some of the best we've seen... we simply cannot risk using unassured, non-certified software products or services in one of the largest payment systems on the planet.
One thing that can help you be HIPAA compliant is making sure that sensitive data is not stored in places where it shouldn't and that access to it is properly audited. For this you can use our recently released PII Protector for JIRA add-on. It monitors sensitive PII like credit card numbers, social security numbers, addresses, etc. stored in Atlassian JIRA, reports it, provides admins with a convenient UI to manage it, to audit access to it, and optionally to hide or to erase it.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot