Atlassian is a software company that develops products focused on software development, project management, and collaboration. Some of its well-known products include:
Atlassian offers tools that can be used in healthcare settings, but attaining HIPAA compliance isn’t solely about the software itself; it’s also about how it’s configured, used, and integrated into a healthcare organization's systems.
Atlassian had an external auditor conduct an intensive assessment of the Atlassian-eligible products, which found them compliant with HIPAA regulations. Atlassian is also committed to adhering to HIPAA regulations through various strategies. So yes, Atlassian is HIPAA compliant, provided a BAA is in place for every organization that must comply with HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996. It protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. In the case of Atlassian, the company falls into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
Healthcare organizations bound by HIPAA regulations can use Atlassian products. HIPAA compliance ensures that all covered entities and their business associates are committed to protecting the privacy of sensitive patient information.
Atlassian’s HIPAA Implementation Guide says that BAAs can be signed for the “Standard, Premium, and Enterprise plans for Jira Software, Jira Service Management, and Confluence.” The onus is not only on the company to ensure HIPAA compliance. As an Atlassian user, you should ensure that you use its products in a HIPAA-compliant way. You should also ensure that you sign a BAA with any third parties associated with Atlassian.
Go deeper: HIPAA | Atlassian