Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

FY23 HIPAA Compliance

January 4, 2023

January 4, 2023

Overview

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law developed by the U.S. Department of Health and Human Services and was established in 1996. It was enacted to protect sensitive patient health information from being disclosed without patient consent or their knowledge. HIPAA establishes privacy, security and breach notification rules for the storage, processing, and transmission of health information. The data that is governed under this legislation is referred to as ePHI (electronic Protected Health Information).

The HIPAA Security Rule specifically focuses on the safeguarding of ePHI through the implementation of administrative, physical, and technical safeguards. Compliance is mandated to all organizations defined by HIPAA as a covered entity or business associate. Atlassian, as a business associate, is required to:

  • Ensure the confidentiality, integrity, and availability of all ePHI that is created, received, maintained or transmitted,

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information,

  • Protect against reasonably anticipated unauthorized uses or disclosures of ePHI, and

  • Ensure compliance by the workforce.

What Atlassian products comply with HIPAA rules?

Atlassian is proud to announce that the following products have been assessed by an external auditor as meeting HIPAA safeguards and requirements:

  • Jira Software Cloud

  • Confluence Cloud

  • Jira Service Management

 

For more information, please visit the Compliance Resource Center.

Comment
Watch
Like # people like this
2890 views

12 comments

Comment

Log in or Sign up to comment
Pawan Kohli
Pawan Kohli January 4, 2023

Hi @Hema Vadodaria , would you please share a bit more details on JSM Cloud and HIPAA compliance.  Are there any features that existing customers need to verify?

Thanks,
Pawan.

Like
ckennedy
ckennedy January 4, 2023

What tiers of each of these products will HIPAA compliance be available?

Like
Amy Knapp
Amy Knapp
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 4, 2023

Hi @Pawan Kohli & @ckennedy for details about implementation needs, tiers, and products covered to meet HIPAA requirements, please see: https://support.atlassian.com/security-and-access-policies/docs/the-hipaa-implementation-guide/https://www.atlassian.com/trust/compliance/resources/hipaa/requirements

Like
Metin Savignano
Metin Savignano January 5, 2023

I was wondering how Atlassian solved the HIPAA requirement to encrypt PHI in email communication, because as creators of the S/Notify Email Encryption app for Data Center, we have been trying to convince Atlassian into providing an API that would allow us implement email encryption for their Cloud offerings, too, but sadly haven't seen any interest there.

Now I see how Atlassian solved this problem: "you’ll need to turn off all email and push notifications in the product settings." (In step 4 of How to configure your Atlassian account to meet HIPAA requirements.)

In my opinion, this requirement deprives Atlassian products of one of their most useful features. Optional email encryption would offer a much better alternative. 

Still hoping for Atlassian to enable us to provide a solution!

Like
Filiberto Selvas
Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2023

@Pawan Kohli , @ckennedy @Metin Savignano 

Some of the questions already answered above, but to confirm: 

 

Hope that helps! 

Like # people like this
Metin Savignano
Metin Savignano January 6, 2023

@Filiberto Selvas , thanks for the info!

I've seen the plan for "redacted" notifications. Still wondering how exactly this will work, and also why a seemingly complex solution was chosen while a straight-forward one already exists?

Edit:

I've remembered a description of the "redaction" feature here, saying:

By turning on safe notifications, this will hide data including ‘Issue summary’, ‘Issue description’, ‘Comment’, and 'Attachment” from the corresponding notification emails that your customers will receive.

As far as I understand it, this essentially means that effectively all information is removed, and more or less only a link to the issue is sent. Is that correct?

If so, this means that it's an improvement over not getting notified at all, yet the user would have to click the link in each notification to see the new comment added or understand the context?

To be honest, I think, this approach unnecessarily limits existing functionality. Also, other requirements, like somehow taking care of not putting PHI in issue titles or page names, could turn out to be difficult for customers to safely observe. 

May I amend that anyone, who would prefer to see email encryption at least as alternative option for HIPAA compliant notifications, could vote for JSDCLOUD-8850: Implement API for S/MIME Support, so Atlassian may consider to add this to their framework.

Like
Filiberto Selvas
Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 6, 2023

Thank you for your suggestions @Metin Savignano 

To be clear, not all information is removed. but anything that can contain protected health information is removed. 

Filiberto Selvas 

Like
ckennedy
ckennedy February 17, 2023

@Filiberto Selvas I noticed in the implementation guide that only Jira Software, Jira Service Desk, and Confluence are available for HIPAA. Are there plans to include Work Management or other products in the future. If so, is there a timeline?

Like
Nate Whitehead
Nate Whitehead April 30, 2023

You call out the products Jira Software Cloud, Confluence Cloud, and Jira Service Management as being HIPAA compliant - what's the status on the newer products - Atlas, Product Discovery, and old, e.g. OpsGenie? Can you list out which products are underway or not yet approved?

Like
Filiberto Selvas
Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 25, 2023

@ckennedy and @Nate Whitehead , 

There is currently no roadmap plans for HIPAA compliance of other products, but we are tracking customer desire for those. Can you list specifically which ones are more critical for you? 

Here the Compliance Roadmap: https://www.atlassian.com/wac/roadmap/cloud?category=compliance& 

Like
ckennedy
ckennedy May 25, 2023

@Filiberto Selvas the products I'm most interested right now are Jira Work Management (Is that included with HIPAA under Jira Software?), Product Discovery, and Jira Align.

Like
Filiberto Selvas
Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 27, 2023

Please see the related updates at the bottom of this post: https://community.atlassian.com/t5/Trust-Security-articles/Expand-what-s-possible-with-HIPAA/ba-p/2250357 

Like
Hema Vadodaria

Hema Vadodaria

Atlassian Team
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.

About this author

7 total posts

View profile
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events