Jira Cloud & HIPAA Compliance

Thomas B Community Leader Aug 07, 2019

Hello everyone!

I've followed the changes and upcoming of Atlassian over the past 3 years. All the changes are super exciting. The business I work for is in the Medical Claims industry (one line of business) and we use Jira Server across multiple departments. We are looking forward to Jira Cloud becoming HIPAA Compliant! The most exciting part of our business will be to have the ability to access Jira outside of our network and on mobile; we are confined to our network for the time being. I'm sure there are groups of other users who are excited that these changes are 'in the works' and are ready to migrate to the cloud.

11 comments

Brad Atlassian Team Aug 07, 2019

Thanks @Thomas B ! We're working on HIPAA compliance for Jira Cloud - keep an eye on https://www.atlassian.com/trust/compliance for the latest official updates.


Any update to this or any ETA when we could expect the Jira Cloud to be HIPAA Compliant?


@Brad Any updated timeline for HIPAA compliance for JIRA cloud?

Brad Atlassian Team Feb 06, 2020

Hey @Martin_Hanna, no updated timeline at the moment; out of curiosity - are you looking for a particular strategy to be in place? For example, HIPAA controls mapping, SOC2 +, or perhaps HITRUST certification? Is there a preference?

@Brad
Ideally we would like Jira to provide a HIPAA BAA 


Any update on this? We are looking for the same here. We are using Jira Service Desk Cloud edition, and want to be HIPAA compliant. @Brad

+1 joining the question here, @Brad 

Where is this going?

An ETA, updates, roadmap insights may be able to help the entire community as there's a need for that and no official updates from the Atlassian team anywhere I could find.

Thanks ahead

Brad Atlassian Team Jun 12, 2020

Tagging in @Filiberto Selvas from the Atlassian Team on this thread - I know that we are working on our strategy and roadmap for HIPAA amongst other endeavors and we'll work to be as transparent as we can be. Certainly happy to know that there is interest in HIPAA and appreciate the comments here.


Thanks for the quick response.

There's definitely interest, and unfortunately as opposed to functionality gaps / enhancement requests - compliance might have a bigger impact on our needs than lack of functionality.

That's why I'll speak for myself and can only assume other community members feel the same - I really need to know where this is heading and given this has been communicated as 'in progress' for a while - I'm hoping to hear good news.

Thanks again

We are moving forward with purchasing both Jira server version AND GitHub locally to get past the HIPAA compliance cloud holdup. I am hoping the two integrate nicely like they do in the cloud...

HIPAA has been in place for several years and companies get fined when they have Personal Health Information available and easily accessed in JIRA. I for one do not want my company fined due to the inability of JIRA software to provide this piece. It hinders software development companies in a major way. It can cost people their jobs and in my book this is not a good thing. I am frustrated with constantly hearing Atlassian is working on it - when do you stop playing around with 'working on it' to actually working on it and having it available. With all the developers at Atlassian, it is disheartening to know that in Aug 2019 you were working on it and here it is 6 months later and still not delivered. Come on guys...can we please get this done?


It would be nice to have an ETA from Atlassian here.


Hi @Brad 

We are a government insurance group as well and are looking for a Jira HIPAA BAA.  Are there any new developments (ETA) on when this will be available?

Thank you,

Craig


I would like to see JIRA support HIPAA. Thanks!


Any potential update on this? We are looking at Jira and Zendesk to move our support team to in the next few months but HIPAA is mandatory. We have our dev team in Jira cloud already.

I'll add my voice to the need for HIPAA BAA support for Jira/Confluence Cloud. We are also looking to move our support team to Jira Service Desk in the next few months but HIPAA is mandatory. We have our dev team in Jira cloud already.

We also need a BAA for HIPAA compliance!

We are in the same boat. We'd love to move our support team into Jira, but we can't do that without HIPAA compliance. 

@Brad Any update on this? We are using Jira Cloud edition, and want to be HIPAA compliant.

Atlassian, can you please give an update. WHEN? Barring some response, we have to start looking for other solutions as it is a hassle to always work around this limitation.

Hello everybody, 

My name is Filiberto Selvas. I am a product manager in the Atlassian Enterprise Cloud team, and I recently became 100% focused on regulated industries.

I can't give you a specific timeline yet; there is a public roadmap update in progress and I will point that out as soon as it is published. But I can share what we are doing:

  • In the mid term we are planning a selective edge BYOK encryption capability. If your use case requires capturing PHI in only a few fields - attachments, then this can be a compensation control; we would never see that data as it is encrypted before it reaches us. If you are interested in providing input, reach out to fselvas at atlassian dot com.
  • We are already working on all the security and access controls required to satisfy the HIPAA law as well as regulations such as FedRAMP; this is a continuation of the SOC 2 work we did in the recent past.
  • We have kicked off work on the legal side. As you probably know, we can't sign a BAA agreement with our customers until we have similar agreements in place with our own vendors; this is expected to be the long pole of the whole effort.
  • We are looking into our service and support processes and tools, and how these may need to be changed given the potential of PHI handling. 

I will give you a straight answer on timeline as soon as the updated roadmap is published, but I wanted to make sure you knew there is indeed work in progress in this space. 

I hope this helps 


I think you must make better estimations for us (your clients). More than three years stating the same (you are working on..) doesn't look good.

I can only say I agree Fernando, and offer you to add more details as soon as I can. Hopefully what I have stated above indicates clearly we are really working on this 


Yes, it indicates you are really working on this.

No, it's not satisfying as a blank 'WIP' statement without clear dates/roadmap is less than what I (and the community apparently) expects from a $1.6B company like Atlassian.

Also greatly interested in a BAA agreement.  I would love to convert our Server Atlassian Stack over to Cloud, but need to know that if someone accidentally entered PHI into a description field, for instance, we would be covered - legally - and would have the opportunity to remove said PHI from the issues in question.

Any additional updates you can give on the roadmap would be greatly appreciated.
