FY23 HIPAA Compliance

January 4, 2023

Overview

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law developed by the U.S. Department of Health and Human Services and was established in 1996. It was enacted to protect sensitive patient health information from being disclosed without patient consent or their knowledge. HIPAA establishes privacy, security and breach notification rules for the storage, processing, and transmission of health information. The data that is governed under this legislation is referred to as ePHI (electronic Protected Health Information).

The HIPAA Security Rule specifically focuses on the safeguarding of ePHI through the implementation of administrative, physical, and technical safeguards. Compliance is mandated to all organizations defined by HIPAA as a covered entity or business associate. Atlassian, as a business associate, is required to:

  • Ensure the confidentiality, integrity, and availability of all ePHI that is created, received, maintained or transmitted,

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information,

  • Protect against reasonably anticipated unauthorized uses or disclosures of ePHI, and

  • Ensure compliance by the workforce.

What Atlassian products comply with HIPAA rules?

Atlassian is proud to announce that the following products have been assessed by an external auditor as meeting HIPAA safeguards and requirements:

  • Jira Software Cloud

  • Confluence Cloud

  • Jira Service Management

 

For more information, please visit the Compliance Resource Center.

12 comments

Comment

Log in or Sign up to comment
Pawan Kohli
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
January 4, 2023

Hi @Hema Vadodaria , would you please share a bit more details on JSM Cloud and HIPAA compliance.  Are there any features that existing customers need to verify?

Thanks,
Pawan.

ckennedy January 4, 2023

What tiers of each of these products will HIPAA compliance be available?

Amy Knapp
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 4, 2023

Hi @Pawan Kohli & @ckennedy for details about implementation needs, tiers, and products covered to meet HIPAA requirements, please see: https://support.atlassian.com/security-and-access-policies/docs/the-hipaa-implementation-guide/https://www.atlassian.com/trust/compliance/resources/hipaa/requirements

Metin Savignano
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 5, 2023

I was wondering how Atlassian solved the HIPAA requirement to encrypt PHI in email communication, because as creators of the S/Notify Email Encryption app for Data Center, we have been trying to convince Atlassian into providing an API that would allow us implement email encryption for their Cloud offerings, too, but sadly haven't seen any interest there.

Now I see how Atlassian solved this problem: "you’ll need to turn off all email and push notifications in the product settings." (In step 4 of How to configure your Atlassian account to meet HIPAA requirements.)

In my opinion, this requirement deprives Atlassian products of one of their most useful features. Optional email encryption would offer a much better alternative. 

Still hoping for Atlassian to enable us to provide a solution!

Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2023

@Pawan Kohli , @ckennedy @Metin Savignano 

Some of the questions already answered above, but to confirm: 

 

Hope that helps! 

Like # people like this
Metin Savignano
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 6, 2023

@Filiberto Selvas , thanks for the info!

I've seen the plan for "redacted" notifications. Still wondering how exactly this will work, and also why a seemingly complex solution was chosen while a straight-forward one already exists?

Edit:

I've remembered a description of the "redaction" feature here, saying:

By turning on safe notifications, this will hide data including ‘Issue summary’, ‘Issue description’, ‘Comment’, and 'Attachment” from the corresponding notification emails that your customers will receive.

As far as I understand it, this essentially means that effectively all information is removed, and more or less only a link to the issue is sent. Is that correct?

If so, this means that it's an improvement over not getting notified at all, yet the user would have to click the link in each notification to see the new comment added or understand the context?

To be honest, I think, this approach unnecessarily limits existing functionality. Also, other requirements, like somehow taking care of not putting PHI in issue titles or page names, could turn out to be difficult for customers to safely observe. 

May I amend that anyone, who would prefer to see email encryption at least as alternative option for HIPAA compliant notifications, could vote for JSDCLOUD-8850: Implement API for S/MIME Support, so Atlassian may consider to add this to their framework.

Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 6, 2023

Thank you for your suggestions @Metin Savignano 

To be clear, not all information is removed. but anything that can contain protected health information is removed. 

Filiberto Selvas 

ckennedy February 17, 2023

@Filiberto Selvas I noticed in the implementation guide that only Jira Software, Jira Service Desk, and Confluence are available for HIPAA. Are there plans to include Work Management or other products in the future. If so, is there a timeline?

Nate Whitehead
Contributor
April 30, 2023

You call out the products Jira Software Cloud, Confluence Cloud, and Jira Service Management as being HIPAA compliant - what's the status on the newer products - Atlas, Product Discovery, and old, e.g. OpsGenie? Can you list out which products are underway or not yet approved?

Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 25, 2023

@ckennedy and @Nate Whitehead , 

There is currently no roadmap plans for HIPAA compliance of other products, but we are tracking customer desire for those. Can you list specifically which ones are more critical for you? 

Here the Compliance Roadmap: https://www.atlassian.com/wac/roadmap/cloud?category=compliance& 

ckennedy May 25, 2023

@Filiberto Selvas the products I'm most interested right now are Jira Work Management (Is that included with HIPAA under Jira Software?), Product Discovery, and Jira Align.

Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 27, 2023
TAGS
AUG Leaders

Atlassian Community Events