Data privacy in healthcare: Are Jira and Confluence HIPAA-compliant?

Data privacy … right about now, some of you will roll with their eyes. Because data privacy has been a constant topic in business operation for a few years now. And for some, it’s like a red flag. But we believe: It does not have to be this way!

We’re sure that you’ve heard from big players like Google, British Airways and Marriott, which received multi-million fines in the recent years due to data protection violation in their respective country.

Every company wants to protect the data of employees and customers, but oftentimes they find themselves in front of hurdles, legal no-man’s land and supposedly complex tasks to become GDPR-compliant. Many organizations do not even know what data protection should look like for them and if data breaches already exist. This is especially the case, when modern tools like Jira and Confluence are being used by thousands of users with millions of data records.

Different countries decided on extensive rules for data protection. In Europe, it’s known under GDPR, in Germany under DSGVO, in the U.S. it’s called CCPA, in Brazil LGPD, to only mention a few. Explicitly for healthcare, the U.S. has passed a law called HIPAA. Companies working in healthcare, therefore, should check of their Jira and Confluence instance is HIPAA-compliant.

HIPAA (Health Insurance Portability and Accountability) was passed in 1996. It regulates the protection of patient data, also called PHI (Protected Health Information). They are comparable to PII (Personally identifiable information), but are related to health claims. They are the most sensitive data out there.

PHIs are:

• Credit card numbers

• Social security card numbers

• Health insurance numbers

• Bank account details

• Fingerprints, voice recordings and retinal prints

• Medical record numbers

• And many more

PHIs are related to past, current or future medical information, treatments or payments in healthcare.

Atlassian’s tools Jira and Confluence are being used by companies worldwide with many use cases. Some use it for internal purposes only, to plan projects, process campaigns and create content, other use it for customer requests, bookings etc.

While being used internally as well as externally, personal data is being stored at all times. Either from employees or customers.

A practical example in healthcare:

A customer has a request concerning his health insurance. He sends in an e-mail. In this e-mail he mentions his birthday, his insurance number and attaches a medical record by a doctor. This e-mail is used inside the insurance, to create a Jira ticket, which customer service is taking care of. The employee is able to access the database with all medical records and payments from this customer.

As you can see, a simple e-mail in healthcare can contain sensitive data from a patient. Breaches could lead to immense damage. This is why acts like HIPAA were passed.

Quick answer: no, Jira and Confluence never could be data privacy compliant, not for HIPAA or any other law. Atlassian is no subject to the HIPAA data protection act (Atlassian is not defined as a “covered entity”). But even if: You’re individual, company-wide Jira could be full of data breaches, for which only you’re responsible for. Every company also has its own data privacy rules, which are linked to lawful data privacy acts of the respective country. Tools like Jira and Confluence could never cover all of them. This is where data protection officers or administrators are being requested, who take care of ensuring data privacy for their instances.

How to ensure data privacy in Jira and Confluence?