Jira and Confluence are now HIPAA-compliant

An Atlassian data privacy milestone: Jira Cloud and Confluence Cloud can now be used for HIPAA-regulated workloads. Atlassian recently published a HIPAA implementation guide, and this article summarises it in five steps. One caveat up front: there is no formal HIPAA certification, so "compliant" here means that Atlassian will sign a Business Associate Agreement and has had the products assessed against HIPAA's requirements; your own configuration and processes complete the picture.

Get started now!

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act, a U.S. federal law in force since 1996. Its original purpose was to let employees keep their health insurance coverage when changing jobs (the "portability" in the name); the privacy and security rules that protect medical records and Protected Health Information (PHI) were added under its administrative simplification provisions. Limits on disclosure of health records without patient consent are intended to ensure trust, confidentiality, and integrity throughout the medical space. The national standards for handling electronic Protected Health Information (ePHI) are also meant to improve data protection and reduce cost.

When and to whom does HIPAA apply?

HIPAA protects individuals treated in the U.S. health system, not only U.S. citizens, and its obligations follow the data: a company that stores or processes PHI for a U.S. covered entity must comply even if it is located in Europe, Asia, or anywhere else in the world.

HIPAA compliance must therefore be ensured if you process health data from the United States AND fall under one of the following categories (the covered entities), or act as a business associate that handles PHI on a covered entity's behalf (the role Atlassian takes on under a BAA):

  • Health care providers (doctors, clinics, hospitals, pharmacies)

  • Health plans (insurance companies, government programs such as Medicare)

  • Health care clearinghouses (billing services and community health systems that organise health data)

What data is protected under HIPAA?

Health information protected under HIPAA is individually identifiable health information: identifiers such as an individual's name, address, and medical record number (and other Personally Identifiable Information, PII) when they are linked to information about the individual's physical or mental health condition, the care the individual is receiving, or payment for that care.

What are the penalties for HIPAA non-compliance?

A HIPAA violation can result in civil fines of up to $1.5 million per year for each category of violation. A person who "knowingly" obtains or discloses protected health information can face criminal charges carrying up to one year in prison, with longer terms for offences committed under false pretences or for personal gain.

Of course, you don’t want to risk that.

But what does all this have to do with Atlassian?

What is the connection between Jira/Confluence Cloud and HIPAA?

Many healthcare organizations and hospitals use Jira and Confluence Cloud to manage their daily tasks, projects, and data, which puts the Protected Health Information (PHI) they need where it can be reached quickly and easily. It also means they accumulate a large amount of sensitive patient data in those products, and any gap in how that data is handled puts them at risk of violating HIPAA.

For a long time, Jira and Confluence Cloud could not be used for PHI under HIPAA; Atlassian's announcement changes that. An external auditor has conducted an intensive assessment of the following Atlassian products against HIPAA requirements:

  • Jira Software Cloud

  • Confluence Cloud

  • Jira Service Management

The HIPAA Implementation Guide

To use Jira, JSM, and Confluence in a HIPAA-compliant way and avoid penalties, you must apply the specific configurations Atlassian describes in its implementation guide; the products alone do not make you compliant.

Summarized for you, here are the five steps that put Confluence and Jira on a HIPAA-compliant footing:

  • Be on a plan that is eligible for a Business Associate Agreement (this article originally pointed to the Enterprise plan; the comments below indicate that BAAs are also offered on Standard and Premium plans, but never on Free or trial plans, so check Atlassian's current guidance for your plan)

  • Sign a Business Associate Agreement (BAA) with Atlassian

    • This is the contract in which Atlassian, as your business associate, commits to meeting HIPAA's requirements for the PHI it handles on your behalf

  • Ensure that all third-party applications integrated with Jira and Confluence Cloud are run in a HIPAA-compliant manner

    • The BAA covers only the listed Atlassian products, so any app or integration that can read PHI must be covered by its own agreement with its vendor, or be removed

  • Ensure that you do not store PHI in any of the following fields:

    • Confluence

      • Space keys

      • Space names

      • Page titles

    • Jira Software

      • Configuration data, meaning the names of configuration objects rather than the content of individual issues:

        • issue types

        • project name

        • project key

        • workflow schemes

    • Others

      • Surveys

      • Customer feedback

  • Disable all email and push notifications in product settings, because notification bodies copy issue and page content out to mail servers and mobile push services that the BAA does not cover
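As a practical check on the fourth step, here is an added example that scans the metadata fields listed above (space keys and names, page titles, project keys and names, issue type names, workflow scheme names) for PHI-like content. It is not Atlassian's code and not part of the original article. The records are constructed inline so it runs offline, and the field labels and regexes are this example's own assumptions; in production you would populate the records from the Confluence and Jira Cloud REST APIs and tune the patterns to your organisation's identifier formats.

```python
"""Scan Atlassian Cloud configuration metadata for PHI-like content.

Added example, not Atlassian's code. It checks only the field classes that
the HIPAA implementation guide (as summarised above) says must not carry
PHI. Issue and page *content* is covered by the BAA and is out of scope.
"""
import re
from dataclasses import dataclass

# Field labels are this example's own names, not Atlassian API attribute names.
CONFLUENCE_SPACE_FIELDS = ("space_key", "space_name")
CONFLUENCE_PAGE_FIELDS = ("page_title",)
JIRA_PROJECT_FIELDS = ("project_key", "project_name", "workflow_scheme_name")

# Conservative heuristics for PHI indicators (assumed formats; extend for your
# local MRN layout, payer IDs, etc.). A miss here is a compliance gap, so err
# toward false positives and let a human reviewer clear them.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#-]?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|born)\s*[:-]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "clinical_term": re.compile(
        r"\b(?:patient|diagnosis|dx|rx|prescription|lab result)s?\b", re.IGNORECASE
    ),
}


@dataclass(frozen=True)
class Finding:
    product: str     # "confluence" or "jira"
    record_id: str   # space key, page id or project key, for the remediation ticket
    field: str       # which forbidden field carried the suspicious text
    indicator: str   # which heuristic fired
    value: str       # the offending text, so a reviewer can confirm or dismiss


def scan_fields(product, record_id, record, fields):
    """Return one Finding per (field, pattern) hit in a single record."""
    findings = []
    for field in fields:
        value = record.get(field) or ""
        for indicator, pattern in PHI_PATTERNS.items():
            if pattern.search(value):
                findings.append(Finding(product, record_id, field, indicator, value))
    return findings


def scan_confluence(spaces, pages):
    findings = []
    for space in spaces:
        findings += scan_fields("confluence", space["space_key"], space, CONFLUENCE_SPACE_FIELDS)
    for page in pages:
        findings += scan_fields("confluence", page["page_id"], page, CONFLUENCE_PAGE_FIELDS)
    return findings


def scan_jira(projects):
    findings = []
    for project in projects:
        key = project["project_key"]
        findings += scan_fields("jira", key, project, JIRA_PROJECT_FIELDS)
        # Issue type names are configuration data; scan each one by name.
        for issue_type in project.get("issue_type_names", []):
            findings += scan_fields("jira", key, {"issue_type_name": issue_type}, ("issue_type_name",))
    return findings


def audit(spaces, pages, projects):
    """Run both scans; an empty list means the forbidden fields look clean."""
    return scan_confluence(spaces, pages) + scan_jira(projects)


# Constructed sample metadata (not real data). The second entry in each group
# deliberately breaks the rule so the scan has something to report.
SAMPLE_SPACES = [
    {"space_key": "ENG", "space_name": "Engineering"},
    {"space_key": "PT4421", "space_name": "Patient J. Doe MRN 0048213"},
]
SAMPLE_PAGES = [
    {"page_id": "1001", "page_title": "Onboarding checklist"},
    {"page_id": "1002", "page_title": "Follow-up: DOB 03/14/1978 lab results"},
]
SAMPLE_PROJECTS = [
    {"project_key": "OPS", "project_name": "Platform Operations",
     "workflow_scheme_name": "Default", "issue_type_names": ["Bug", "Task"]},
    {"project_key": "CARE", "project_name": "Patient care - 123-45-6789",
     "workflow_scheme_name": "Care WF", "issue_type_names": ["Diagnosis review"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SPACES, SAMPLE_PAGES, SAMPLE_PROJECTS):
        print(f"{f.product}:{f.record_id} {f.field} [{f.indicator}] -> {f.value!r}")
```

Run on the sample data this reports seven findings, all from the deliberately bad records, and nothing from the clean ones. The point of keeping the record id and field in each Finding is that the fix is a rename of a configuration object, which is cheap, whereas a notification or audit log that already carried the old name out of the product is not something a rename can recall; schedule the scan so it runs before such names go live, not only after.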

Conclusion: HIPAA compliance made easy

Thanks to Atlassian's update, HIPAA compliance in healthcare has become much easier, even for cloud products. Still, compliance doesn't just fall into your lap: the BAA covers Atlassian's side, and the configuration steps above cover yours. Follow the implementation guide and these tips and you will be in a defensible position.

8 comments

Jordan Fuller February 17, 2023

Does this cover Jira Work Management?

John Graham
April 25, 2023

Hello,

Thank you for the above information, it is very helpful. It all makes sense except I am not sure where I could store information if I can't use any of the following items to store information:

Configuration data:

  • issues
  • project name
  • project key
  • workflow

Aren't issues in particular the way you store any tasks, bugs, etc. related to questions and needs? 

I appreciate any help you can provide. 

Tina Zaleski
April 25, 2023

Echoing John's question above.  

Can you please clarify if Issues store PHI in a HIPAA compliant way?

Dana Reddick
May 22, 2023

Echoing the above questions for clarity -- it's only the configuration data in Jira that can't contain PHI? Issue description, comments, attachments *can* contain PHI?

Filiberto Selvas
Atlassian Team
September 27, 2023
Juan Zamudio
February 15, 2024

Everyone's questions above can be answered via this article.

Ryan Jones
March 20, 2024

Are there any additional costs from Jira/Atlassian or any 3rd party to activate the Jira HIPAA compliance controls? 

I understand the Jira HIPAA compliant features are only available for the paid Jira plans

We can sign BAAs for Standard, Premium, and Enterprise plans for Jira Software, Jira Service Management, and Confluence. Free and trial plans are not eligible to sign BAAs.

Devan Bretz April 19, 2024

Can you still utilize the app on the phone if you have to set this up?
