Jira Cloud & HIPAA Compliance

Thomas B Rising Star Aug 07, 2019

Hello everyone!

I've followed the changes and upcoming developments at Atlassian over the past 3 years. All the changes are super exciting. The business I work for is in the Medical Claims industry (one line of business) and we use Jira Server across multiple departments. We are looking forward to Jira Cloud becoming HIPAA compliant! The most exciting part for our business will be the ability to access Jira outside of our network and on mobile; we are confined to our network for the time being. I'm sure there are groups of other users who are excited that these changes are 'in the works' and are ready to migrate to the cloud.

28 comments

Brad Atlassian Team Aug 07, 2019

Thanks @Thomas B ! We're working on HIPAA compliance for Jira Cloud - keep an eye on https://www.atlassian.com/trust/compliance for the latest official updates.

Any update on this, or any ETA for when we could expect Jira Cloud to be HIPAA compliant?

@Brad Any updated timeline for HIPAA compliance for JIRA Cloud?

Brad Atlassian Team Feb 06, 2020

Hey @Martin Hanna, no updated timeline at the moment; out of curiosity, are you looking for a particular strategy to be in place? For example, HIPAA controls mapping, SOC 2+, or perhaps HITRUST certification? Is there a preference?

@Brad
Ideally we would like Jira to provide a HIPAA BAA.

Any update on this? We are looking for the same here. We are using Jira Service Desk Cloud edition, and want to be HIPAA compliant. @Brad

+1 joining the question here, @Brad

Where is this going?

An ETA, updates, or roadmap insights may help the entire community, as there's a need for that and no official updates from the Atlassian team anywhere I could find.

Thanks ahead

Brad Atlassian Team Jun 12, 2020

Tagging in @Filiberto Selvas from the Atlassian Team on this thread - I know that we are working on our strategy and roadmap for HIPAA amongst other endeavors and we'll work to be as transparent as we can be. Certainly happy to know that there is interest in HIPAA and appreciate the comments here.

Thanks for the quick response.

There's definitely interest, and unfortunately, as opposed to functionality gaps / enhancement requests, compliance might have a bigger impact on our needs than lack of functionality.

That's why I'll speak for myself, and can only assume other community members feel the same: I really need to know where this is heading, and given this has been communicated as 'in progress' for a while, I'm hoping to hear good news.

Thanks again

We are moving forward with purchasing both the Jira Server version AND GitHub locally to get past the HIPAA compliance cloud holdup. I am hoping the two integrate nicely like they do in the cloud...

HIPAA has been in place for several years and companies get fined when they have Personal Health Information available and easily accessed in JIRA. I for one do not want my company fined due to the inability of JIRA software to provide this piece. It hinders software development companies in a major way. It can cost people their jobs and in my book this is not a good thing. I am frustrated with constantly hearing Atlassian is working on it. When do you stop playing around with 'working on it' to actually working on it and having it available? With all the developers at Atlassian, it is disheartening to know that in Aug 2019 you were working on it and here it is 6 months later and still not delivered. Come on guys... can we please get this done?

It would be nice to have an ETA from Atlassian here.

Hi @Brad,

We are a government insurance group as well and are looking for a Jira HIPAA BAA. Are there any new developments (ETA) on when this will be available?

Thank you,

Craig

I would like to see JIRA support HIPAA. Thanks!

Any potential update on this? We are looking at Jira and Zendesk to move our support team to in the next few months but HIPAA is mandatory. We have our dev team in Jira cloud already.

I'll add my voice to the need for HIPAA BAA support for Jira/Confluence Cloud. We are also looking to move our support team to Jira Service Desk in the next few months but HIPAA is mandatory. We have our dev team in Jira cloud already.

We also need a BAA for HIPAA compliance!

We are in the same boat. We'd love to move our support team into Jira, but we can't do that without HIPAA compliance.

@Brad Any update on this? We are using Jira Cloud edition, and want to be HIPAA compliant.

Atlassian, can you please give an update. WHEN? Barring some response, we have to start looking for other solutions as it is a hassle to always work around this limitation.

Hello everybody,

My name is Filiberto Selvas. I am a product manager in the Atlassian Enterprise Cloud team, and I recently became 100% focused on regulated industries.

I can't give you a specific timeline yet; there is a public roadmap update in progress and I will point that out as soon as it is published. But I can share what we are doing:

  • In the mid term we are planning a selective edge BYOK encryption capability. If your use case requires capturing PHI in only a few fields - attachments, then this can be a compensating control; we would never see that data, as it is encrypted before it reaches us. If you are interested in providing input, reach out to fselvas at atlassian dot com.
  • We are already working on all the security and access controls required to satisfy the HIPAA law as well as regulations such as FedRAMP; this is a continuation of the SOC 2 work we did in the recent past.
  • We have kicked off work on the legal side. As you probably know, we can't sign a BAA agreement with our customers until we have similar agreements in place with our own vendors; this is expected to be the long pole of the whole effort.
  • We are looking into our service and support processes and tools, and how these may need to be changed given the potential of PHI handling.

I will give you a straight answer on timeline as soon as the updated roadmap is published, but I wanted to make sure you knew there is indeed work in progress in this space.

I hope this helps

I think you must make better estimations for us (your clients). More than three years stating the same (you are working on it...) doesn't look good.

I can only say I agree, Fernando, and offer to add more details as soon as I can. Hopefully what I have stated above indicates clearly we are really working on this.

Yes, it indicates you are really working on this.

No, it's not satisfying, as a blank 'WIP' statement without clear dates/roadmap is less than what I (and the community, apparently) expect from a $1.6B company like Atlassian.

Also greatly interested in a BAA agreement. I would love to convert our Server Atlassian stack over to Cloud, but need to know that if someone accidentally entered PHI into a description field, for instance, we would be covered - legally - and would have the opportunity to remove said PHI from the issues in question.

Any additional updates you can give on the roadmap would be greatly appreciated.

HIPAA and HITRUST compliance is a MUST HAVE for all Health Care companies. Without Atlassian taking that leap, we are stuck working in a data center instance forever.

BAA is part of the scope we are tackling; please see the 3rd bullet in my post above for more details on this.

To clarify, we have healthcare customers using our Cloud products. This is restricted to use cases where PHI is not in the mix and they consider the risk of PHI slipping minimal or non-existent; I understand that the risk appetite varies across companies and industries.

Hi Filiberto,

Thank you for a quick reply. Yes, our compliance is strict about having a BAA in place. So we are just waiting for Atlassian to support it.

Hoping you guys will make it happen sooner rather than later 😁.

We also are in need of a HIPAA compliant SaaS offering for Atlassian products. Switching to Data Center editions of the products we are using after discontinuing Server Edition is going to be an enormous cost compared to your per-seat licensing model. Please advise.

@Phillip Hocking, we have HIPAA compliance in our roadmap for Jira and Confluence: https://www.atlassian.com/roadmap/cloud?category=compliance&selectedProduct=.

Would you be willing to discuss details of your use case? I can schedule a call.

@Filiberto Selvas I would love to set up a call, phillip.hocking@excelsiorwellness.org and (509) 559-3128. I look forward to hearing from you!

The roadmap has been published; please let us know of any questions: https://www.atlassian.com/roadmap/cloud?enterprise=compliance

Filiberto,

Thank you for posting the roadmap, but according to your document HIPAA compliance isn't slated until 2023. With Atlassian's latest update on 10/16/20 that the server products are being phased out starting 2021, with support being pulled on server products Feb 2024, don't you think you're cutting things a bit close for the number of people posting here, including myself, who are a covered entity and chose the server products to safeguard our data due to the lack of a BAA?

Is Atlassian really expecting those bound by HIPAA to wait and hope there is no slip in the timeline for HIPAA compliance in 2023, which could impact those running server products? Depending on when Atlassian completes the compliance portion and BAA guidelines, you're leaving us 12 months to convert to Cloud. And if we don't convert to Cloud within that window and Atlassian pulls support, it essentially puts those organizations in violation of HIPAA due to using unsupported software and puts all of us at risk of being fined by HHS.

If Atlassian would make their cloud environment available to the healthcare industry it would be a welcome change. Right now I'm not sure I'm comfortable waiting until the 11th hour to know if you're going to hit your goal, as Atlassian "has been working on it" for quite some time.

Completely agree with Kyle. The sole reason we're on Server is because we can achieve HIPAA/HITRUST compliance within our own VPC. Hard to believe Atlassian already has a transition plan AWAY from Server without a concrete plan to handle healthcare entities that need a BAA, HIPAA, and HITRUST in place day one.

The whole "we think the cloud is where the world is going" is great, but Atlassian clearly doesn't yet understand the motivation of folks who AREN'T on cloud, or why they aren't on cloud in the first place.

Start listening to your customers. We need concrete ETAs for when Atlassian and its $51B market capitalization is ready to sign BAAs like the rest of the SaaS world.

Watching this thread as well. We will be impacted by this change if the Cloud products are not 100% HIPAA compliant. End of support for the Server products is 2/2/24, and 2023 is when Atlassian will provide an attestation of compliance with requirements dictated by HIPAA. But when in 2023? We need ample time to make decisions and submit budget proposals before the fiscal year, which also takes time. Leaving a window of a year or less, which is a guess, is not acceptable.

In the same situation as the posts above. We have our systems local because of HIPAA/HITRUST compliance; our client contracts require Healthcare BAAs and these certifications. It's not just something nice to have. For Atlassian not to have a clear roadmap for Healthcare companies, to charge more for staying on-premise while Atlassian works out its roadmap (which feels like a punishment), and to trust that they'll have this worked out by 2023-2024 is not something I can just hope and rely on working out. Anyone else in the same boat as those who have posted needs to put pressure on Atlassian to be a better partner in this situation. Without a clear direction by Q1 2021 I will have no choice but to evaluate other options, and I suspect others in this situation will do the same.

Thank you for all the comments,

  • I understand why the long timeline seems concerning. We are doing our best to stick to it and even bring it in earlier if possible, but we also want to be transparent and share the estimate as we see it. The technical and operations side is not the blocker here; the products will satisfy the proper controls earlier than that.
  • We are working on capabilities that we see as "compensating controls", which, depending on the risk appetite of your companies as well as the use case, may allow you to move to Cloud even before HIPAA attestation is achieved. An example is the "Selective edge BYOK encryption" you can see at the bottom of this page: https://www.atlassian.com/roadmap/cloud?enterprise=security. It is meant to allow customers to encrypt key sensitive fields/pages with keys under their management before any system / person at Atlassian could ever see it.
  • Last but not least, there is an ongoing investment in migration: tools, and services provided by Atlassian and by our partners. We aim to make this faster, easier, and safer as time goes by.

I know my points above do not address 100% of your concerns, but please be assured that we consider you a very important set of our customers and we are working hard to make our Cloud products work for you.

Just so I have this clear... you're refusing to sign BAAs for HIPAA compliance, yet you're now discontinuing Server licensing, which is currently the only way for companies to maintain HIPAA compliance and security while using your product? You're forcing us to move to the cloud without also providing HIPAA-required agreements. So tell me why we shouldn't be moving to another vendor now, one who understands HIPAA and provides BAA signing?

@Filiberto Selvas Also, I should point out that no covered entity that wants to avoid extinction will have a "risk appetite" that would let them move to "Cloud even before HIPAA attestation is achieved"... the BYOK you speak of is NOT sufficient to avoid a BAA. Even with BYOK, as you call it, Atlassian is STILL considered a Business Associate even if it doesn't have the encryption key. So putting effort there won't solve the problem: https://www.hhs.gov/hipaa/for-professionals/faq/2076/if-a-csp-stores-only-encrypted-ephi-and-does-not-have-a-decryption-key-is-it-a-hipaa-business-associate/index.html

@Filiberto Selvas This is a good, simplified overview of Cloud Service Providers with regard to their relationship to covered entities and their status under HIPAA: https://www.cleardata.com/blog/hhs-guidance-hipaa-cloud-computing/#:~:text=The%20Cloud%20Service%20Provider%20(CSP,itself%20is%20a%20business%20associate.

@Filiberto Selvas - With the announcement that we need to move our products to the cloud, this HIPAA compliance has become a major issue for us as well as many of your other clients. It surprises me that Atlassian would have discontinued server products before having this HIPAA compliance certification. It seems particularly short-sighted to make it a requirement to go to the cloud solution before providing a way to satisfy a very common compliance requirement.

As an organization that is self-insured, we must work with providers that are HIPAA compliant if they might have access to our data. I truly hope Atlassian rectifies this soon, as it is disappointing to say the least. Compensating controls are not good enough; we need the compliance in place to satisfy our auditors.

This is a legal issue, guys. Microsoft offers a downloadable BAA for use with Office 365 to its millions of customers. This is the level Atlassian needs to be operating at, and fast. The issue for us (and I suspect others) isn't so much that we think Atlassian lacks the technical controls, but that they're unwilling to assume any liability in the form of a BAA.

Our client relationships and compliance obligations require our vendors to produce BAAs when they're handling PHI. In a VPC, the data never leaves our environment and we're able to satisfy those requirements using the server product.

We can't yet move to a public cloud like Atlassian's because our regulating entities and customers need assurances that their data is being handled in ways consistent with proper controls of PHI. To date, Atlassian is unwilling to provide a BAA.

Since I posted last, Atlassian's stock has increased by $1.5B in market capitalization. Checking back in the forums, this question has been asked at LEAST since 2013, or nearly 7 years with inaction by Atlassian's management team. We have BAAs from MUCH smaller companies that don't have the resources of Atlassian.

What stings me is the fanfare with which Atlassian is celebrating this migration to the cloud while dragging its feet on bare essentials for folks who have supported (at a tremendous cost) its server products for years.

Hire a few lawyers and knock this out over a weekend.

That's right. With legal review, and companies submitting their own BAA for Atlassian to review/sign, the process to get an executed BAA would take months...

@Filiberto Selvas,

We are on the open-source license. Will the BAA be available for entities like ours free of charge, or will we be charged for it?
Thank you!

Dina

Hi Dina, we are yet to decide on the packaging of it, and in which Cloud Plans it will be offered.

@Filiberto Selvas,

We will need to know by the beginning of February 2023 (at the latest) so we can figure out our budget. Thank you!

Dina

@Filiberto Selvas 

We are currently using three instances of Jira: Prod, Test, and Dev. Could you provide some input on whether or not we will be able to do the same in Cloud (open source licensing + BAA)?

Thank You!

Dina

Hello @Dina Goncharenko, this will depend on the packaging, and per our exchange above that is still in progress. As an example: currently our Enterprise Plan allows you to create as many instances as you need, and in addition allows you to create a Sandbox instance for every production instance. Our Premium Plan also includes Sandbox.

@Filiberto Selvas 

Hello Filiberto,

Is there an update about any costs associated with the BAA for open source?

Thank you!

Dina

@Filiberto Selvas 

Hello Filiberto,

I really need to know the cost of the Enterprise Plan for the Open Source Community. I contacted the licensing team a few weeks ago but can't seem to get an answer to my question. Can you connect me with someone who can answer my question? We are getting really anxious.

Thank you!

Dina

I've been waiting 5 years already, what's 3 more years.

I hope you do not leave us all high and dry, because of the nature of software dev this may easily be pushed back 3 more years, and at that point most of us here would have already moved to another platform.

Looks to me like our businesses don't matter to Atlassian. I am about to pay 13.5K/year for the Data Center version; I don't like that idea! Does anybody know about any good product we can use for Ticketing and Project Management instead? I am really tired of hearing the same thing for years!

Hello everybody, thank you for your feedback. We are doing our best to accelerate our delivery of HIPAA compliance; in that respect, would you be willing to have a phone conversation with me? The objective of that call is to gather information that will be used to decide if we can reasonably "constrain the scope" of which fields in Atlassian products are used to handle PHI... if we can do that, it is possible we could move faster. If you are willing to devote 30 minutes to a call, please drop me a note at fselvas at atlassian dot com and we can define a time / day that is convenient for you.

Thank you in advance

It's not really a field level issue. It's a larger product level issue. The nature of your products is such that a covered entity might store PHI data in internal comment fields or customer facing comments, or in a description field, or in attachments, or in custom fields, etc. The flexibility of your product is why it is used. Trying to limit PHI to specific fields would be dangerous I think. And I expect you'll alienate more users than help by showing that you are unable to make the product itself compliant but merely the use of a field or two.

Basically, per the Privacy Rule, covered entities that want to use your cloud software require satisfactory assurances from you (its business associate) that the business associate (Atlassian) will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. HHS states on its website: "The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate."

What's more, business associates can be held liable to similar repercussions as covered entities can under HIPAA regulations should PHI become compromised in a healthcare data breach (the fines can get pricey fast).

In other words, Atlassian needs to make sure their cloud software is secure enough that they have confidence that they won't be hacked or have an employee leak PHI, or in any other way become compromised. In other words, Atlassian would need to adhere to Subpart C of 45 CFR Part 164 (https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C), among others.

But, surely you already know this. A sample BAA is here (https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html).

A timeline/promise on this would be really helpful, as right now you likely have a lot of businesses wondering whether or not to re-up your product. In fact, we were looking at purchasing a new Server license for Service Desk but are now looking into alternative HIPAA compliant software with similar functionality, since there's no clear path forward with Atlassian at this point.

I am curious what the reason is behind not allowing on-prem installs going forward? I would think you'd want to promise to continue to support this until you can provide HIPAA compliance.

Hello and thank you for your post,

Yes, we understand the points you make, and there are no concerns about our ability to make our Cloud offerings safe and provide those assurances. We have a timeline already: https://www.atlassian.com/roadmap/cloud?category=compliance but there are a lot of requests to accelerate this timeline, as you can see in the thread above.

It is in that context that I am evaluating the potential to be more prescriptive and constrain the conditions under which we offer assurances of compliance with the HIPAA law. This is not a novel approach in the industry; Twilio follows this model: https://www.twilio.com/hipaa and Slack too: https://slack.com/resources/why-use-slack/hipaa-compliant-collaboration-with-slack. The reason why I am requesting input is to ensure that we can define constraints that are reasonable and could work for the majority of our customers.

Hope this makes sense

Filiberto Selvas

@Filiberto Selvas: Starting with Jira Service Desk would be most helpful for us, because this is the one product that info is added to by external users whom we cannot control. We have internal policies for our internal team not to add any PHI to Jira (still not ideal), but there is no way to limit an external user from adding PHI in Service Desk. The end users of Service Desk are not our employees and therefore cannot be bound by our internal policies.

Those companies referenced can invoke the HIPAA conduit exemption since they transmit PHI, while Jira stores it, so that won't work.

Right now many things can be considered PHI, and therefore leaking/exposing it would/could result in a fine. That includes email addresses, which is a major problem since that is how reporters/assignees are tagged.

Add another customer to the list of those concerned about HIPAA compliance. As mentioned earlier in the thread, nothing short of complete product compliance will be acceptable. The government isn't one for workarounds and stop gaps.

I appreciate the effort involved with speeding up your published timeline, however I believe there needs to be another alternative. Perhaps offering extended support to those entities who are bound by HIPAA regulations?

Our company uses the Atlassian line of products extensively, but that won't prevent us from discontinuing its use if it is a choice between finding a new product or being sanctioned by the Feds.

Following this thread! Excited to see HIPAA compliance on the roadmap. Just wanted to note that our company also requires a BAA from any vendor that houses our data that could potentially contain PHI. Please consider this as an option for qualified customers. We were in the cloud and migrated to Jira Server, and now we are looking at other options if the HIPAA feature doesn't include a BAA. Microsoft offers a BAA to their customers: https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-hipaa-hitech?view=o365-worldwide#:~:text=Can%20my%20organization%20enter%20into,covers%20in%2Dscope%20Microsoft%20services.

Thank you @Corey Hughes, 100% agree that HIPAA compliance requires Atlassian to be in a position to sign BAA agreements.

Hello, if you are following this thread and are willing to have a call or email exchange, I would appreciate it if I could ask you about email notifications & PHI. How have you seen other Cloud Providers deal with this, and which of those approaches work best for you? Please drop me a note at FSelvas at Atlassian dot Com

Thank you! 

@Filiberto Selvas

It looks like this HIPAA compliant build is only encompassing Jira Software and Confluence, and NOT Jira Service Desk at this time. For healthcare orgs that want to use Jira for support, Service Desk is probably a larger need, since that's where our end users create support desk tickets.

Is there a plan for Jira to become HIPAA compliant for Service Desk as well? I don't see any timeline for that piece. It sounds like that's what a lot of folks on this thread are actually looking for. 

Basically, I'm just trying to say, if Atlassian ends support for Server SD, small healthcare orgs cannot afford Data Center, and Cloud doesn't support SD HIPAA compliance... I'm afraid you're going to lose a great number of customers.

Thank you for the post @Brook, you are correct; current plans only encompass Jira and Confluence and not JSM. I am working with the JSM team to agree on priority and roadmap.

Question: in your JSM implementation, do you allow your end customers to create accounts directly in it?

Thanks Filiberto, I'm glad to hear there is a conversation happening and hope it happens relatively quickly. If not, many of your smaller organizations will need an extension on Server support to ensure they can continue to use Jira long term.

We currently provision users from Azure AD and allow end customers to create accounts directly, but that is not a need. Our org specifically would happily give up end customer account creation to enable us to move to Cloud and still be in compliance.

Thanks!

Brooklyn

@Filiberto Selvas

As I am signing maintenance renewal agreements for Server versions of your software, I thought I'd check in. Is there any update on the roadmap and prioritization of HIPAA compliance for JSM? Like many others, this is the key product where PHI can be entered and is outside of our control.

Agreed. The last time I commented on this was June; it's now October. What's the plan? :) Thank you!

Brooklyn 

Apologies I missed the ping @Brooklyn Trumpy, and thank you for the prompt @Matthew King.

Jira and Confluence: we are still on track to begin signing BAAs early 2022; don't take this as a commitment, but likely February.

JSM is still in the works. I can't offer you a solid timeline yet, but I have been working with the JSM team on outlining the plan for it through the last couple of weeks. I will try to update you as soon as possible.

Hey @Filiberto Selvas, I'm in a similar boat to others here. I need JSM to get a BAA so we can move off self-hosted to Cloud, or we will need to switch to another solution (which we do not want to do).

Even a rough timeline would be helpful for us. 

Thank you @Dylan sawchuk

We will share a timeline as soon as possible!

@Brad with Server support and licenses going by the wayside, is there any news on HITRUST / HIPAA compliance?

Hello @Vivo Bandito,

Per our public roadmap we are set to offer HIPAA compliance for JSW and Confluence in Q1-Q2 of calendar year 2022. It is looking more like Q1, so we should have news on this for you soon!

https://www.atlassian.com/roadmap/cloud?category=compliance&

@Filiberto Selvas On the roadmap it's still showing as "Future", not "in the works" or "coming soon". What does "Future" mean? In previous comments you've said Q1 2022, in others you said likely February. Is Atlassian going to send out a large-scale email when this is completed and/or a link to the BAA for our legal teams to review? Also, is this going to be a take-it-or-leave-it agreement, or will there be some room for discussion on the language of the BAA?

Hi @Kyle Hughes, fair call; we should have changed that to "in the works" last update (we have a quarterly cadence).

* We are on track to sign BAAs as part of our Cloud Enterprise Edition for JSW and Confluence in February.

* We will publish a timeline for JSM imminently; I expect to have it in the public roadmap in the next 2 weeks.

I hope this helps

Yesterday we announced that Atlassian is ready to sign BAA agreements for compliance with the HIPAA law provisions for the Enterprise Plan version of JSW and Confluence. More information here: https://www.atlassian.com/trust/compliance/resources/hipaa

We will soon update our public roadmap to include a timeline for JSM HIPAA as well; the ETA is the end of calendar year 2022.

Please let me know of any questions

So this does NOT apply to the Standard or Premium level plans? Does this mean smaller companies requiring HIPAA compliance must purchase a license requiring at least 801 users?

Hello @Kevin Robbins,

HIPAA compliance is a new offering for Atlassian; we are in the process of evaluating the need to expand the eligibility for signing BAAs to customers with smaller user tiers in the future. At launch, we're only making HIPAA compliance available to customers purchasing the Enterprise Plan. If you'd like to share your specific use case and interest in that expansion, please add your input here: https://jira.atlassian.com/browse/CLOUD-11410

Filiberto, our team made plans to stay with Atlassian based on the promise of HIPAA compliance to come. Not once was it "HIPAA compliance... if you are a large org" (which we are not). This feels a bit bait-and-switch-y. Smaller organizations need HIPAA compliance just as much as the large ones do.

Please reconsider offering this to all customers that were promised this functionality.

Thank you, 

Brooklyn


@Filiberto Selvas With all the past references to this roadmap after the announced cancellation of support for the Server products, it's difficult not to view this as anything but a bait and switch.

@Filiberto Selvas During our discussions regarding HIPAA compliance, there was never once mention that it would only be available to those with over 800 users.  We currently have a 250 user license for on-prem server, but to force us to pay well beyond our means is absurd, and for our organization, we would be violating our fiduciary responsibility by purchasing Enterprise. 

As others have said already, Atlassian intentionally omitted this information and promised organizations that a BAA would be available to move to the cloud. Personally I'm surprised you actually provided the BAA as early as you have, but still our organization has wasted about a year and a half which we could've spent migrating our systems off of Atlassian products, knowing you wouldn't provide a BAA for our tier.

I would venture to guess JSM is going to fall within the same bucket where we need over 200 agents?  I don't know about anyone else, but my next FY budget is coming up and there will be line items to move our items off of Confluence, Jira and JSM.

Hello @Kyle Hughes , @Brooklyn Trumpy and @Arthur Laramy 

Please believe we are seriously looking at expanding the eligibility for signing BAAs to customers with smaller user tiers in the future. This is a new offering and space for Atlassian; we really want to make sure we are ready to scale before we expand this eligibility. Please add your input to https://jira.atlassian.com/browse/CLOUD-11410 if you can.

@Filiberto Selvas That's all well and good, but when will you provide a BAA to the Standard/Premium Tiers?  Atlassian is the one that told everyone they were eliminating the on-prem support and forcing people to move to the cloud BEFORE a BAA was even a thought.  Had you had the BAA available for enterprise at the same time as the announcement, with the promise it's coming to the lower tiers within a year or so, I could've lived with that.  

What you're currently saying is please wait more while you are "Looking at Expanding the eligibility".  From those words, there is a 50/50 chance that you don't provide the BAA to lower tiers, or it isn't available by the time you cut off support for on-prem systems.

I'll add input into the link you provided but we have waited long enough.  The finish line keeps moving and it's going to be a large enough lift to get all of our items off of Confluence, Jira, JSM that we need to start that process now to stay within HIPAA compliance.  If you're saying it'll be expanded within 30-60 days that is something we could reconsider but at this point there is only a thought about expanding it.


I agree -- this is very important.  For years, Jira has provided health care companies with a valuable solution.  Jira needs to be able to support lower tiered users with a BAA; and they need to support JSM.


@Filiberto Selvas - what kind of guarantee can we get that Jira can support JSM and lower tiered plans?  Because Jira is not extending support beyond next year; we as customers, need time to know if it is going to be included or not so that we have time to research, and migrate away from Jira.

I thought everyone should be aware of this as well -- in researching their HIPAA Guide -- they indicate that you have to have all email notifications and push notifications turned off.... 

What is everyone else's opinion of this?

https://support.atlassian.com/security-and-access-policies/docs/the-hipaa-implementation-guide/

How to configure your Atlassian account to meet HIPAA requirements

Step 1: To use Atlassian services for PHI you'll need to have an Enterprise plan, regardless of your company size.

Step 2: You need to enter into a Business Associate Agreement with us. For more information on the BAA, please contact us

Step 3: Before entering any data into your product, you need to compose your data in accordance with HIPAA requirements. This includes not inputting any PHI into any of the following fields:

Confluence

  • Space keys

  • Space name

  • Page title

Jira Software

  • Configuration data:

    • issues

    • project name

    • project key

    • workflow schemes

Other

  • Surveys

  • Customer feedback

Step 4: Once you have set up your Enterprise plan, you’ll need to turn off all email and push notifications in the product settings.


Hello @Jordan Fuller , 

  • Clarifying timelines: support for Atlassian Server products ends on February 15, 2024; please check here: https://www.atlassian.com/migration/assess/journey-to-cloud
  • We are very seriously considering expanding eligibility to lower user tiers, precisely because of the points you made. I would truly appreciate it if you can add your vote / case here: https://jira.atlassian.com/browse/CLOUD-11410
  • As for the notifications: yes, this is a strong limitation and we are in agreement it needs to be addressed. We are already working on an updated option for notifications for the Jira family which will give you the choice of 3 levels of notifications: full notifications (as you know them), what we are currently calling "redacted" notifications - which minimize the use of your "user generated content" in the notification itself, and so minimize the risk of PHI being included - and the "no notifications" option. I don't have a solid timeline for it but it should be this calendar year (2022).
  • Some customers have implemented no notifications + channeling all notifications through Slack (they have a HIPAA offering); maybe something that could work for you?
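The three notification levels described above, and Step 4 of the implementation guide quoted earlier, come down to one design rule: text a user typed (summary, description, comment) is where PHI lands, so it must not travel through an out-of-band channel such as email or push; only stable identifiers and a link to the product should. The following is an added illustration of that rule, not Atlassian's code; the field names and the sample issue are constructed for the example, and `leaks_user_content` is a hypothetical check showing how to verify a payload before it is sent:

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed field names for this example; they are not Jira's schema.
# Values in these fields are typed by people and may therefore carry PHI.
USER_GENERATED_FIELDS = ("summary", "description", "comment_body", "reporter_name")
# Fields considered safe to emit out of band: identifiers and a link back.
SAFE_FIELDS = ("issue_key", "event", "url")


@dataclass(frozen=True)
class IssueEvent:
    issue_key: str
    event: str           # e.g. "issue_commented"
    url: str
    summary: str
    description: str
    comment_body: str
    reporter_name: str


def build_notification(evt: IssueEvent, level: str) -> Optional[dict]:
    """Build the notification payload for one of the levels 'full', 'redacted', 'none'.

    'none'     -> nothing is sent (the guide's Step 4).
    'redacted' -> only SAFE_FIELDS plus a generic body; the recipient opens the
                  issue in-product to see user-generated content.
    'full'     -> everything, including user-generated content (PHI may leak).
    """
    if level == "none":
        return None
    if level == "redacted":
        payload = {k: getattr(evt, k) for k in SAFE_FIELDS}
        payload["body"] = f"{evt.issue_key}: {evt.event}. Open the issue for details: {evt.url}"
        return payload
    if level == "full":
        payload = asdict(evt)
        payload["body"] = f"{evt.issue_key} {evt.summary}\n{evt.comment_body}\nFrom: {evt.reporter_name}"
        return payload
    raise ValueError(f"unknown notification level: {level!r}")


def leaks_user_content(notification: Optional[dict], evt: IssueEvent) -> bool:
    """Return True if any non-empty user-generated value appears anywhere in the payload."""
    if notification is None:
        return False
    rendered = "\n".join(str(v) for v in notification.values())
    return any(getattr(evt, f) and getattr(evt, f) in rendered for f in USER_GENERATED_FIELDS)


# Constructed sample event; the PHI-like strings are invented for the demo.
SAMPLE_EVENT = IssueEvent(
    issue_key="CLINIC-42",
    event="issue_commented",
    url="https://example.invalid/browse/CLINIC-42",
    summary="Claim for patient Jane Doe, MRN 000123",
    description="Visit on 2022-01-05, see attached claim form",
    comment_body="Please call Jane at 555-0100",
    reporter_name="Dr. Example",
)

if __name__ == "__main__":
    for level in ("full", "redacted", "none"):
        payload = build_notification(SAMPLE_EVENT, level)
        print(f"{level:8s} leaks user-generated content: {leaks_user_content(payload, SAMPLE_EVENT)}")
```

The check is deliberately structural rather than pattern based: instead of trying to recognise PHI with regexes (names, MRNs and phone numbers are easy to miss), it treats every user-typed field as sensitive and confirms none of its text reached the payload. Routing even the redacted payload through a channel that itself has a BAA, as the Slack suggestion above does, keeps the link and issue key out of an uncovered system too.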

Pinging back to Atlassian on this -- do we have an update from Atlassian?

@Filiberto Selvas 

We will expand eligibility for BAA - but I don't have a timeline yet; waiting for that to update the public roadmap.

Another small non-profit healthcare org that needs HIPAA compliance in JSM.


Does anyone know of any help content or community posts about what happens when you do turn off all email notifications? Specifically trying to figure out what happens on the JSM side for customers?

Hey @Sara Tucker and others,

I'm Michelle, the Product Manager who’s been looking after Jira Service Management’s Customer Notifications and Compliance/Regulation features. We're currently working towards HIPAA compliance for Jira Service Management and have rolled out a feature this week that will help you meet your organization’s compliance needs and protect your and your customers' data!

Announcing safe customer notifications in Jira Service Management as a building block for compliance and privacy needs 

I'd love for you to try out our feature and give us early feedback on the user experience as we work towards HIPAA compliance in the coming months. Hopefully this means you don't need to completely turn off customer notifications as some of the fields will be redacted instead. 😊


@Michelle Tan, based on your request for people to try this out, I'm not sure you realize this request makes almost no sense.

Those who need Atlassian to provide a HIPAA Compliant platform are NOT yet using the cloud platform as we cannot get a BAA in place yet and therefore cannot entrust our data to you, we're all still using self hosted options.  (Not to mention the vast majority of us are looking for other platforms because of the Enterprise licensing requirement for a BAA).

There's almost no one able to test for you unless you roll the feature out to the self hosted platforms.

@Arthur Laramy

Our clinic has agreed to test this out, as we're currently using the cloud based solution but currently keep all PHI separate from this application. We'd be happy to be early adopters and pave the way for other organizations to be able to use the small cloud based HIPAA compliant solution. 

-Brooklyn Trumpy

Here we are at the end of the 1st quarter and I know we'd all appreciate an update on where Atlassian is at with the change. We all would like to know if we need to start a search for a replacement system or not.

Apologies for the delay @Jordan Fuller and all. We recently updated our public roadmap indicating we will be expanding eligibility for BAA signing beyond the current minimum user tiers for Cloud Enterprise plans. This is currently aimed for calendar 2023 Q2-Q3. Please follow the item for any updates here: https://www.atlassian.com/roadmap/cloud?category=compliance&

