We are already 50% deployed for expansion of eligibility, and aim to be 100% by the end of next week. The capability is a self-service process handled by Org Admins through the products' administrative interfaces. You can license the products through the normal channels, and then self-service. More information coming soon in an update I will make to this post, hopefully later today.
@Filiberto Selvas This is great news! I attempted to sign the BAA and unfortunately hit a snag. Support ticket is filed - just thought I'd give you a heads up.
Atlassian HIPAA offerings are only available for active subscriptions of eligible cloud products. Because of the inherent risks and costs that Atlassian incurs when offering HIPAA we decided to not make it available for free offerings, such as trials.
You can test the functionality and capabilities of the Atlassian Cloud offerings through trials without entering any PHI. You can also establish an active subscription of an eligible product, establish a BAA to ensure protection of data, and then migrate the PHI data into it.
We are running into challenges because the Atlassian BAA language requires a BAA with all 'relevant' third-party plugins. We've asked Atlassian for guidance on their definition of relevant but haven't heard back. This is critical as (1) this language was not in the BAA of our previous hosting provider and (2) most plugin vendors are small shops and not comfortable signing a BAA.
Can we get some clarity or guidance to help us reach HIPAA compliance? This is a showstopper for us.
The term “relevant” is not one that is defined by Atlassian. This is because it is up to our customers to decide which third-party plugins and apps they will use, how they will use them, and what data they share with them. Which third-party vendors are considered relevant will be specific to each of our customers and is not a decision that Atlassian can make on behalf of our customers. You are completely right in stating that not all third-party vendors in our marketplace will offer a HIPAA-compliant solution, but it will be up to you to determine how your use of these plugins/apps will impact your obligations under HIPAA, if at all.
Any updates on expanding HIPAA compliance with Jira Work Management? It just seems like a logical next step, as more teams use JWM for their daily work.
@Filiberto Selvas and community - do you have any guidance for people who managed their Jira interactions primarily through email notifications? While we're very happy to see that the sensitive fields like comments are no longer sent in email notifications, the notifications page in the Jira web application is a bit lacking according to feedback I'm getting. So we don't have a great alternate apart from opening every Jira ticket. This can be challenging for folks who are managing multiple projects, releases, etc.
I agree that it is very inconvenient. Unfortunately it is a binary decision, as we can't sign a BAA with the vendor that Atlassian uses for notifications (they don't offer it), so we simply cannot pass sensitive data to that vendor.
We have customers that have implemented integrations with Microsoft Teams, and they report it works well for them. Please be aware that for any 3rd party integrations it will be for you to ensure HIPAA compliance.
Given the deployment and operation model for Data Center (on premise by our customers) we don't think a BAA for it is required. Please let us know of any questions.
We continue to struggle with Jira Cloud HIPAA compliance because most legal teams will see the word "relevant" and err on the side of all plugins being relevant. This makes for very limited marketplace options. I'd like to ask again that Atlassian provide further guidance within the BAA as to the criteria in which plugins have PHI protected and which require seeking a BAA.
Even something as simple as guidance on Marketplace wording which denotes protected PHI.
HIPAA compliance is now available for Jira Service Management Enterprise users, with notifications coming in February. How do you manage compliance in your workflows?