An Atlassian data privacy milestone: Jira Cloud and Confluence Cloud are now HIPAA-compliant. Atlassian recently published a guide to HIPAA compliance. Together with that guide, our instructions below, and just five easy steps, you'll make HIPAA compliance a breeze.
Get started now!
HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. federal law that has been in force since 1996. It was established to protect the medical records and Protected Health Information (PHI) of U.S. citizens. The original purpose of the law was to protect the data of employees who change jobs from disclosure. Limits on the disclosure of health records without patient consent are intended to ensure trust, confidentiality, and integrity throughout the medical space. The introduction of national standards for processing electronic Protected Health Information (ePHI) is also meant to improve data protection and save costs.
While HIPAA was written to protect individuals in the U.S., these protections also come into effect when the data processing company is NOT located in the United States. Once your company stores or processes data of U.S. citizens, you must ensure HIPAA compliance. Whether you are located in Europe, Asia, or anywhere else in the world, it doesn’t matter.
HIPAA compliance must therefore be ensured if you process health data from the United States AND fall under one of the following categories:
Health care providers (doctors, clinics, hospitals, pharmacies)
Health plans (insurance companies, government programs such as Medicare)
Health care clearinghouses (billing services and community health systems for organizing health data)
Health information that is protected under HIPAA includes an individual’s name, address, medical record number, and other Personally Identifiable Information (PII), as well as an individual’s physical or mental health condition and the nursing care an individual is receiving.
A HIPAA violation can result in maximum fines of up to $1.5 million per year. A person who “knowingly” acquires and discloses health information can face criminal penalties of up to one year in prison.
Of course, you don’t want to risk that.
But what does all this have to do with Atlassian?
Many healthcare organizations and hospitals use platforms like Jira and Confluence Cloud to manage their daily tasks, projects, and data. This allows them to store and access all the Protected Health Information (PHI) they need quickly and easily, which means they collect an exorbitant amount of sensitive data about their patients, putting them at risk of violating HIPAA regulations.
For a long time, Jira and Confluence Cloud were not HIPAA-compliant – now, Atlassian’s announcement changes everything. An external auditor has conducted an intensive assessment of the following Atlassian products and found them to be compliant with HIPAA regulations:
Jira Software Cloud
Confluence Cloud
Jira Service Management
To make Jira, JSM, and Confluence HIPAA-compliant with absolute certainty and avoid any penalties, you should perform specific configurations on your Atlassian account, as Atlassian describes in their implementation guide.
Summarized for you, here are the five simple steps you can take to make Confluence and Jira HIPAA-compliant:
1. Organizations that need to comply with HIPAA policies should purchase an Enterprise Plan.
2. Sign a Business Associate Agreement (BAA) with Atlassian. This is a contractual agreement stating that HIPAA requirements will be met.
3. Ensure that all third-party applications integrated with Jira and Confluence Cloud are running in a HIPAA-compliant manner. The BAA covers only the corresponding Atlassian products.
4. Ensure that you do not store PHI in any of the following fields:
   Confluence: space keys, space names, page titles
   Jira Software configuration data: issues, project names, project keys, workflow schemes
   Others: surveys, customer feedback
5. Disable all email and push notifications in product settings.
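As an added example (not from this article or from Atlassian's guide), here is a small audit script for the "do not store PHI in these fields" step: it scans the metadata fields listed above for patterns that suggest PHI has been entered where it must not be. The sample records are constructed inline; in practice the values would be pulled from the Jira and Confluence Cloud REST APIs, and the regular expressions are assumed heuristics, not a complete PHI detector.

```python
import re

# Heuristic patterns that commonly indicate PHI has leaked into a metadata field.
# Assumed for this example; a real audit would extend them to local conventions.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\b(?:MRN|medical record)\s*#?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,4}[/-]\d{1,2}[/-]\d{1,4}",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-?10)\b", re.IGNORECASE),
}

# Constructed sample of the fields the guide says must not hold PHI:
# (product, field, value). Values are invented for the example.
SAMPLE_METADATA = [
    ("confluence", "space key", "CARD"),
    ("confluence", "space name", "Cardiology Team"),
    ("confluence", "page title", "John Doe DOB 03/14/1961 - discharge summary"),
    ("jira", "project name", "Oncology Intake"),
    ("jira", "project key", "ONC"),
    ("jira", "issue type", "MRN 0048213 diagnosed follow-up"),
    ("jira", "workflow scheme", "Patient 123-45-6789 workflow"),
    ("other", "customer feedback", "Great support, thanks!"),
]


def scan_metadata(records):
    """Return (product, field, pattern_name) for every field value that matches
    one of the PHI heuristics. A value matching several patterns is reported
    once per pattern, so the report shows why each field was flagged."""
    findings = []
    for product, field, value in records:
        for name, pattern in PHI_PATTERNS.items():
            if pattern.search(value):
                findings.append((product, field, name))
    return findings


def summarize(findings):
    """Count findings per product so the report maps back to the guide's
    Confluence / Jira / Others grouping."""
    counts = {}
    for product, _, _ in findings:
        counts[product] = counts.get(product, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_metadata(SAMPLE_METADATA)
    for product, field, name in hits:
        print(f"[{product}] {field}: possible PHI ({name})")
    print(summarize(hits))
```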
Thanks to Atlassian’s update, HIPAA compliance in healthcare has never been easier – even for cloud products! Still, compliance doesn’t just fall into your lap. However, by following the HIPAA implementation guide and our tips, you’ll be on the safe side.
Andreas Springer, Actonic
Head of Marketing
Actonic GmbH
Germany