Jira Cloud & HIPAA Compliance

Thomas B Community Leader Aug 07, 2019

Hello everyone!

I've followed the changes and upcoming plans of Atlassian over the past 3 years. All the changes are super exciting. The business I work for is in the Medical Claims industry (one line of business) and we use Jira Server across multiple departments. We are looking forward to Jira Cloud becoming HIPAA Compliant! The most exciting part for our business will be the ability to access Jira outside of our network and on mobile; we are confined to our network for the time being. I'm sure there are groups of other users who are excited that these changes are 'in the works' and are ready to migrate to the cloud.

21 comments

Brad Atlassian Team Aug 07, 2019

Thanks @Thomas B ! We're working on HIPAA compliance for Jira Cloud - keep an eye on https://www.atlassian.com/trust/compliance for the latest official updates.


Any update on this, or any ETA for when we could expect Jira Cloud to be HIPAA compliant?


@Brad Any updated timeline for HIPAA compliance for JIRA cloud?

Brad Atlassian Team Feb 06, 2020

Hey @Martin Hanna, no updated timeline at the moment; out of curiosity, are you looking for a particular strategy to be in place? For example, HIPAA controls mapping, SOC2+, or perhaps HITRUST certification? Is there a preference?

@Brad
Ideally we would like Jira to provide a HIPAA BAA 


Any update on this? We are looking for the same here. We are using Jira Service Desk Cloud edition and want to be HIPAA compliant. @Brad


+1 joining the question here, @Brad 

Where is this going?

An ETA, updates, or roadmap insights may help the entire community, as there's a need for that and no official updates from the Atlassian team anywhere I could find.

Thanks ahead

Brad Atlassian Team Jun 12, 2020

Tagging in @Filiberto Selvas from the Atlassian Team on this thread - I know that we are working on our strategy and roadmap for HIPAA amongst other endeavors and we'll work to be as transparent as we can be. Certainly happy to know that there is interest in HIPAA and appreciate the comments here.


Thanks for the quick response.

There's definitely interest, and unfortunately, as opposed to functionality gaps / enhancement requests, compliance might have a bigger impact on our needs than lack of functionality.

That's why I'll speak for myself and can only assume other community members feel the same - I really need to know where this is heading, and given this has been communicated as 'in progress' for a while, I'm hoping to hear good news.

Thanks again


We are moving forward with purchasing both the Jira server version AND GitHub locally to get past the HIPAA compliance cloud holdup. I am hoping the two integrate nicely like they do in the cloud...

HIPAA has been in place for several years and companies get fined when they have Personal Health Information available and easily accessed in JIRA. I for one do not want my company fined due to the inability of JIRA software to provide this piece. It hinders software development companies in a major way. It can cost people their jobs, and in my book this is not a good thing. I am frustrated with constantly hearing Atlassian is working on it - when do you stop playing around with 'working on it' to actually working on it and having it available? With all the developers at Atlassian, it is disheartening to know that in Aug 2019 you were working on it and here it is 6 months later and still not delivered. Come on guys... can we please get this done?


It would be nice to have an ETA from Atlassian here.


Hi @Brad 

We are a government insurance group as well and are looking for a Jira HIPAA BAA.  Are there any new developments (ETA) on when this will be available?

Thank you,

Craig


I would like to see JIRA support HIPAA. Thanks!


Any potential update on this? We are looking at Jira and Zendesk to move our support team to in the next few months but HIPAA is mandatory. We have our dev team in Jira cloud already.

I'll add my voice to the need for HIPAA BAA support for Jira/Confluence Cloud. We are also looking to move our support team to Jira Service Desk in the next few months but HIPAA is mandatory. We have our dev team in Jira cloud already.


We also need a BAA for HIPAA compliance!

We are in the same boat. We'd love to move our support team into Jira, but we can't do that without HIPAA compliance. 

@Brad Any update on this? We are using Jira Cloud edition, and want to be HIPAA compliant.

Atlassian, can you please give an update? WHEN? Barring some response, we have to start looking for other solutions, as it is a hassle to always work around this limitation.


Hello everybody, 

My name is Filiberto Selvas. I am a product manager in the Atlassian Enterprise Cloud team, and I recently became 100% focused on regulated industries.

I can't give you a specific timeline yet; there is a public roadmap update in progress and I will point that out as soon as it is published. But I can share what we are doing:

  • In the mid term we are planning a selective edge BYOK encryption capability. If your use case requires capturing PHI in only a few fields or attachments, then this can be a compensating control; we would never see that data, as it is encrypted before it reaches us. If you are interested in providing input, reach out to fselvas at atlassian dot com.
  • We are already working on all the security and access controls required to satisfy the HIPAA law as well as regulations such as FedRAMP; this is a continuation of the SOC 2 work we did in the recent past.
  • We have kicked off work on the legal side. As you probably know, we can't sign a BAA agreement with our customers until we have similar agreements in place with our own vendors; this is expected to be the long pole of the whole effort.
  • We are looking into our service and support processes and tools, and how these may need to be changed given the potential of PHI handling.

I will give you a straight answer on timeline as soon as the updated roadmap is published, but I wanted to make sure you knew there is indeed work in progress in this space. 

I hope this helps 


I think you must make better estimations for us (your clients). More than three years stating the same (you are working on it...) doesn't look good.

I can only say I agree, Fernando, and offer to add more details as soon as I can. Hopefully what I have stated above indicates clearly that we are really working on this.


Yes, it indicates you are really working on this.

No, it's not satisfying, as a blank 'WIP' statement without clear dates/roadmap is less than what I (and the community, apparently) expect from a $1.6B company like Atlassian.


Also greatly interested in a BAA agreement.  I would love to convert our Server Atlassian Stack over to Cloud, but need to know that if someone accidentally entered PHI into a description field, for instance, we would be covered - legally - and would have the opportunity to remove said PHI from the issues in question.

Any additional updates you can give on the roadmap would be greatly appreciated.


HIPAA and HITRUST compliance is a MUST HAVE for all Health Care companies. Without Atlassian taking that leap, we are stuck working in a data center instance forever.

BAA is part of the scope we are tackling, please see the 3rd bullet in my post above for more details on this. 

To clarify, we have healthcare customers using our Cloud products; this is restricted to use cases where PHI is not in the mix and they consider the risk of PHI slipping minimal or non-existent. I understand that the risk appetite varies across companies and industries.

Hi Filiberto

Thank you for a quick reply. Yes, our compliance is strict about having a BAA in place. So we are just waiting for Atlassian to support it.

Hoping you guys will make it happen sooner than later 😁.

We also are in need of a HIPAA compliant SaaS offering for Atlassian products. Switching to Data Center editions of the products we are using after discontinuing Server Edition is going to be an enormous cost compared to your per-seat licensing model. Please advise.


@Phillip Hocking, we have HIPAA compliance in our roadmap for Jira and Confluence: https://www.atlassian.com/roadmap/cloud?category=compliance&selectedProduct=

Would you be willing to discuss details of your use case? I can schedule a call.

@Filiberto Selvas I would love to set up a call, phillip.hocking@excelsiorwellness.org and (509) 559-3128. I look forward to hearing from you!

Roadmap has been published, please let us know of any questions: https://www.atlassian.com/roadmap/cloud?enterprise=compliance 


Filiberto,

Thank you for posting the road map, but according to your document HIPAA Compliance isn't slated until 2023. With Atlassian's latest update on 10/16/20 that the server products are being phased out starting 2021, with support being pulled on server products Feb 2024, don't you think you're cutting things a bit close for the number of people posting here, including myself, who are a covered entity and chose the server products to safeguard our data due to the lack of a BAA?

Is Atlassian really expecting those bound by HIPAA to wait and hope there is no slip in the timeline for HIPAA compliance in 2023, which could impact those running server products? Depending on when Atlassian completes the compliance portion and BAA guidelines, you're leaving us 12 months to convert to Cloud. And if we don't convert to cloud within that window and Atlassian pulls support, it essentially puts those organizations in violation of HIPAA due to using unsupported software, putting all of us at risk of being fined by HHS.

If Atlassian would make their cloud environment available to the healthcare industry it would be a welcome change. Right now I'm not sure I'm comfortable waiting until the 11th hour to know if you are going to hit your goal, as Atlassian "has been working on it" for quite some time.


Completely agree with Kyle. The sole reason we're on server is because we can achieve HIPAA/HITRUST compliance within our own VPC. Hard to believe Atlassian already has a transition plan AWAY from server without a concrete plan to handle healthcare entities that need BAA, HIPAA, and HITRUST in place day one.

The whole "we think the cloud is where the world is going" is great, but Atlassian clearly doesn't yet understand the motivation of folks who AREN'T on cloud, or why they aren't on cloud in the first place.

Start listening to your customers. We need concrete ETAs for when Atlassian and its $51B market capitalization is ready to sign BAAs like the rest of the SAAS world.


Watching this thread as well. We will be impacted by this change if the Cloud products are not 100% HIPAA compliant. End of support for the Server products is 2/2/24, and 2023 is when Atlassian will provide an attestation of compliance with requirements dictated by HIPAA. But when in 2023? We need ample time to make decisions and submit budget proposals before the fiscal year, which also takes time. Leaving a window of a year or less, which is a guess, is not acceptable.


In the same situation as the posts above - we have our systems local because of HIPAA/HITRUST compliance; our client contracts require Healthcare BAAs and these certifications. It's not just something nice to have. For Atlassian not to have a clear road map for Healthcare companies, to charge more for staying on-premise while Atlassian works out its road map (which feels like a punishment), and to trust that they'll have this worked out by 2023-2024 is not something I can just hope and rely on to work out. Anyone else in the same boat as those who have posted needs to put pressure on Atlassian to be a better partner in this situation. Without a clear direction by Q1 2021 I will feel I have no choice but to evaluate other options, and would suspect others in this situation will do the same.


Thank you for all the comments, 

  • I understand why the long timeline seems concerning; we are doing our best to stick to it and even bring it earlier if possible, but we also want to be transparent and share the estimate as we see it. The technical and operations side is not the blocker here; the products will satisfy the proper controls earlier than that.
  • We are working on capabilities that we see as "compensating controls", which, depending on the risk appetite of your companies as well as the use case, may allow you to move to Cloud even before HIPAA attestation is achieved. An example is the "Selective edge BYOK encryption" you can see at the bottom of this page: https://www.atlassian.com/roadmap/cloud?enterprise=security, which is meant to allow customers to encrypt key sensitive fields/pages with keys under their management before any system/person at Atlassian could ever see it.
  • Last but not least, there is an ongoing investment in migration: tools, services provided by Atlassian and by our partners. We aim to make this faster, easier, and safer as time goes by.

I know my points above do not address 100% of your concerns, but please be assured that we consider you a very important set of our customers and we are working hard to make our Cloud products work for you.

Just so I have this clear... you're refusing to sign BAAs for HIPAA compliance, yet you're now discontinuing server licensing, which is currently the only way for companies to maintain HIPAA compliance and security while using your product? You're forcing us to move to the cloud without also providing HIPAA-required agreements. So tell me why we shouldn't be moving to another vendor now, one who understands HIPAA and provides BAA signing?


@Filiberto Selvas Also, I should point out, that no covered entity that wants to avoid extinction will have a "risk appetite" that would let them move to "Cloud even before HIPAA attestation is achieved"...the BYOK you speak of is NOT sufficient to avoid a BAA. Even with BYOK as you call it, Atlassian is STILL considered a Business Associate even if it doesn't have the encryption key. So putting effort there won't solve the problem: https://www.hhs.gov/hipaa/for-professionals/faq/2076/if-a-csp-stores-only-encrypted-ephi-and-does-not-have-a-decryption-key-is-it-a-hipaa-business-associate/index.html


@Filiberto Selvas This is a good, simplified overview of Cloud Service Providers with regard to their relationship to covered entities and their status under HIPAA: https://www.cleardata.com/blog/hhs-guidance-hipaa-cloud-computing/#:~:text=The%20Cloud%20Service%20Provider%20(CSP,itself%20is%20a%20business%20associate.

@Filiberto Selvas - With the announcement that we need to move our products to the cloud this HIPAA compliance has become a major issue for us as well as many of your other clients. It surprises me that Atlassian would have discontinued server products before having this HIPAA compliance certification. This seems particularly short-sighted to make it a requirement to go to the cloud solution before providing a way to satisfy a very common compliance requirement. 

As an organization that is self-insured we must work with providers that are HIPAA compliant which might have access to our data. I truly hope Atlassian rectifies this soon as it is disappointing to say the least. Compensating controls are not good enough, we need the compliance in place to satisfy our auditors.

This is a legal issue, guys. Microsoft offers a downloadable BAA for use with Office365 to its millions of customers. This is the level Atlassian needs to be operating at, and fast. The issue for us (and I suspect others) isn't so much that we think Atlassian lacks the technical controls, but that they're unwilling to assume any liability in the form of a BAA.

Our client relationships and compliance obligations require our vendors to produce BAAs when they're handling PHI. In a VPC, the data never leaves our environment and we're able to satisfy those requirements using the server product.

We can't yet move to a public cloud like Atlassian's because our regulating entities and customers need assurances that their data is being handled in ways consistent with proper controls of PHI. To date, Atlassian is unwilling to provide a BAA.

Since I posted last, Atlassian's stock has increased by $1.5B in market capitalization. Checking back in the forums, this question has been asked at LEAST since 2013 - or for nearly 7 years with inaction by Atlassian's management team. We have BAAs from MUCH smaller companies that don't have the resources of Atlassian.

What stings me is the fanfare with which Atlassian is celebrating this migration to the cloud while dragging its feet on bare essentials for folks who have supported (at a tremendous cost) its server products for years.

Hire a few lawyers and knock this out over a weekend.


That's right; with Legal review and companies submitting their own BAA for Atlassian to review/sign, the process to get an executed BAA would take months...

@Filiberto Selvas ,

We are on the open-source license. Will the BAA be available for entities like ours free of charge, or will we be charged for it?
Thank you!

Dina

Hi Dina, we are yet to decide on the packaging of it, and in which Cloud Plans it will be offered.


@Filiberto Selvas ,

We will need to know by the beginning of February 2023 (at the latest) so we can figure out our budget. Thank you!

Dina


@Filiberto Selvas 

We are currently using three instances of Jira: Prod, Test, and Dev. Could you provide some input on whether or not we will be able to do the same in Cloud (open source licensing + BAA)?

Thank You!

Dina

Hello @Dina Goncharenko, this will depend on the packaging, and per our exchange above that is still in progress. As an example: currently our Enterprise Plan allows you to create as many instances as you need, and in addition allows you to create a Sandbox instance for every production instance. Our Premium Plan also includes Sandbox.

I've been waiting 5 years already; what's 3 more years.

I hope you do not leave us all high and dry, because given the nature of software dev this may easily be pushed back 3 more years, and at that point most of us here would have already moved to another platform.

Looks to me like our businesses don't matter to Atlassian. I am about to pay 13.5K/year for the datacenter version; I don't like that idea! Does anybody know of any good product we can use for Ticketing and Project Management instead? I am really tired of hearing the same thing for years!

Hello everybody, thank you for your feedback. We are doing our best to accelerate our delivery of HIPAA compliance; in that respect, would you be willing to have a phone conversation with me? The objective of that call is to gather information that will be used to decide if we can reasonably "constrain the scope" of which fields in Atlassian products are used to handle PHI... if we can do that, it is possible we could move faster. If you are willing to devote 30 minutes to a call, please drop me a note at fselvas at atlassian dot com and we can define a time/day that is convenient for you.

Thank you in advance 


It's not really a field level issue. It's a larger product level issue. The nature of your products is such that a covered entity might store PHI data in internal comment fields or customer facing comments, or in a description field, or in attachments, or in custom fields, etc. The flexibility of your product is why it is used. Trying to limit PHI to specific fields would be dangerous I think. And I expect you'll alienate more users than help by showing that you are unable to make the product itself compliant but merely the use of a field or two.

Basically, per the privacy rule, covered entities that want to use your cloud software require satisfactory assurances from you (its business associate) that the business associate (Atlassian) will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. HHS states on its website: "The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate."

What's more, business associates can be held liable to similar repercussions as covered entities can under HIPAA regulations should PHI become compromised in a healthcare data breach (the fines can get pricey fast).

In other words, Atlassian needs to make sure their cloud software is secure enough that they have confidence that they won't be hacked or have an employee leak PHI, or in any other way become compromised. In other words, Atlassian would need to adhere to Subpart C of 45 CFR Part 164 (https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C), among others.

But, surely you already know this. A sample BAA is here (https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html).

A timeline/promise on this would be really helpful, as right now you likely have a lot of businesses wondering whether or not to re-up your product. In fact, we were looking at purchasing a new Server license for Service Desk but are now looking into alternative HIPAA compliant software with similar functionality, since there's no clear path forward with Atlassian at this point.

I am curious what the reason is behind not allowing on-prem installs going forward? I would think you'd want to promise to continue to support this until you can provide HIPAA compliance.


Hello and thank you for your post, 

Yes, we understand the points you make, and there are no concerns about our ability to make our Cloud offerings safe and provide those assurances. We have a timeline already: https://www.atlassian.com/roadmap/cloud?category=compliance but there are a lot of requests to accelerate this timeline, as you can see in the thread above.

It is in that context that I am evaluating the potential to be more prescriptive and constrain the conditions under which we offer assurances of compliance with the HIPAA law. This is not a novel approach in the industry; Twilio follows this model: https://www.twilio.com/hipaa and Slack too: https://slack.com/resources/why-use-slack/hipaa-compliant-collaboration-with-slack. The reason why I am requesting input is to ensure that we can define constraints that are reasonable and could work for the majority of our customers.

Hope this makes sense 

Filiberto Selvas 


@Filiberto Selvas: Starting with Jira Service Desk would be most helpful for us because this is the one product that info is added to by external users who we cannot control. We have internal policies not to add any PHI to Jira by our internal team (still not ideal), but there is no way to limit an external user from adding PHI in service desk. The end-users of Service Desk are not our employees and therefore cannot be bound by our internal policies.


Those companies referenced can invoke the HIPAA conduit exemption, since they transmit PHI while Jira stores it, so that won't work.

Right now many things can be considered PHI and therefore leaking/exposing it would/could result in a fine. Including email addresses which is a major problem since that is how reporters/assignees are tagged. 

Add another customer to the list of those concerned about HIPAA compliance. As mentioned earlier in the thread, nothing short of complete product compliance will be acceptable. The government isn't one for workarounds and stop gaps.

I appreciate the effort involved with speeding up your published timeline, however I believe there needs to be another alternative. Perhaps offering extended support to those entities who are bound by HIPAA regulations?

Our company uses the Atlassian line of products extensively, but that won't prevent us from discontinuing its use if it is a choice between finding a new product or being sanctioned by the Feds.

Following this thread! Excited to see HIPAA compliance on the roadmap. Just wanted to note that our company also requires a BAA from any vendor that houses our data that could potentially contain PHI. Please consider this as an option for qualified customers. We were in the cloud and migrated to Jira server, and now we are looking at other options if the HIPAA feature doesn't include a BAA. Microsoft offers a BAA to their customers: https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-hipaa-hitech?view=o365-worldwide#:~:text=Can%20my%20organization%20enter%20into,covers%20in%2Dscope%20Microsoft%20services.

Thank you @Corey Hughes , 100% agree that HIPAA compliance requires Atlassian to be in a position to sign BAA agreements 

Hello, if you are following this thread and are willing to have a call or email exchange, I would appreciate it if I could ask you about email notifications & PHI. How have you seen other Cloud Providers deal with this, and which of those approaches work best for you? Please drop me a note at FSelvas at Atlassian dot Com.

Thank you! 

@Filiberto Selvas

It looks like this HIPAA compliant build is only encompassing Jira Software and Confluence, and NOT Jira Service Desk at this time. For healthcare orgs that want to use Jira for support, Service Desk is probably a larger need, since that's where our end users create support desk tickets.

Is there a plan for Jira to become HIPAA compliant for Service Desk as well? I don't see any timeline for that piece. It sounds like that's what a lot of folks on this thread are actually looking for.

Basically, I'm just trying to say, if Atlassian ends support for server SD, small healthcare orgs cannot afford data center, and cloud doesn't support SD HIPAA compliance... I'm afraid you're going to lose a great number of customers.

Thank you for the post @Brook, you are correct: current plans only encompass Jira and Confluence and not JSM. I am working with the JSM team to agree on priority and roadmap.

Question:  in your JSM implementation, do you allow your end customers to create accounts directly in it? 

Thanks Filiberto, I'm glad to hear there is a conversation happening and hope it happens relatively quickly. If not, many of your smaller organizations will need an extension on server support to ensure they can continue to use Jira long term.

We currently provision users from Azure AD and allow end customers to create accounts directly - but that is not a need. Our org specifically would happily give up end customer account creation to enable us to move to cloud and still be in compliance.


Thanks!

Brooklyn
