The HIPAA Implementation Guide
Who can do this? |
We’ve created this guide to provide you with the knowledge you need on how to use our Atlassian apps in a HIPAA-compliant way. This guide is intended for Atlassian customers who have a Business Associate Agreement (BAA) in place with us or intend to enter into one with us.
We can sign BAAs for Standard, Premium, and Enterprise plans for Jira, Jira Service Management, Confluence, Jira Product Discovery, and Rovo (Search, Chat, Agents, and in-app AI experiences). Free and trial plans are not eligible to sign BAAs. Sign a Business Associate Agreement (BAA)
Rovo (Search, Chat, Agents, and In-app AI experiences) and Jira Product Discovery are now available for Atlassian HIPAA customers. To have Rovo activated for your site, submit a support ticket. If you’ve purchased Jira Product Discovery, follow the guide below to configure your Atlassian account to help meet HIPAA requirements.
HIPAA-compliant use of Atlassian apps
We’re providing you with customer-controllable configurations to support you with your HIPAA compliance. This means that it’s your responsibility to ensure you’re using Atlassian apps in a HIPAA-compliant way. We don’t monitor or analyze the data that you input, so you need to have the required procedures in place to ensure all users adhere to end-to-end compliance.
You are also responsible for identifying and configuring your HIPAA compliance needs for all relevant third-party apps integrated with Atlassian apps. This includes having a signed Business Associate Agreement (BAA) with all relevant third-party apps.
The BAA that you sign with us covers only the eligible Atlassian apps. Any other apps or features that aren’t included in the core apps, features described below, or require an additional opt-in, aren't automatically covered by the BAA. This includes Rovo MCP, Rovo Browser Extension, and any apps or app features that are part of a trial or an early access offering.
Before you share any Protected Health Information (PHI) with a third party, you’ll need to first find out if you need a BAA or any other data privacy and security protections.
Configure your Atlassian account
To configure your Atlassian account to meet HIPAA requirements, you must:
Enter into a Business Associate Agreement (BAA) with Atlassian; required to use Atlassian services for PHI. Sign a Business Associate Agreement (BAA)
Tag your apps to enable HIPAA. Tag apps to enable HIPAA
If you have subscribed to any collections that includes non-HIPAA-ready apps, you will need to deactivate those apps.
Ensure that you don't input PHI into Atlassian Support tickets, surveys, or any metadata or naming fields (such as Confluence Space Names, file names, AI agent names/references, and Jira App configurations).
Go to Atlassian Support: Pricing, Billing, & Licensing | Atlassian
Select "How can we help: Other" and follow the instructions.
Configure the relevant settings for each of your apps according to the following sections.
Go to Atlassian Support: Pricing, Billing, & Licensing | Atlassian
Select How can we help: Other and follow the instructions.
Confluence
You need to turn off push notifications in Confluence settings.
To turn off push notifications:
Select the cog icon in the top-right corner to open Confluence administration.
Under Settings, select Configuration.
Select General configuration.
Clear the Push Notifications checkbox.
Select Save Configuration Changes to save your changes.
You can keep the email notifications enabled as Atlassian now supports email notification templates that don't include content that could contain PHI.
Jira and Jira Service Management, and Jira Product Discovery
You can keep both email and push notifications in Jira settings. Atlassian now supports notification templates that don't include content that could contain PHI. When email notifications are turned on, all emails originating from other Jira apps, such as Jira Service Management and Jira Product Discovery, will also be turned on.
Jira notifications
Jira admins will be responsible for ensuring automation rules are not configured to send out email notifications that include PHI data.
Enable email notifications.
Enable the ability for space admins to create and manage automation rules for their spaces.
In Jira, go to Settings.
Under Jira admin settings, select System.
Under Automation, select Global automation.
From the More actions (…) menu, select Global configuration.
Ensure the Allow space administrators to manage space flows checkbox is selected.
Clear the Allow non-admins to create recurring flows checkbox.
Jira Service Management
To enable safe customer notifications and HIPAA-compliant alert notifications in Jira Service Management:
In your Jira Service Management, go to Settings.
Under Jira admin settings, select Jira apps.
From the sidebar under Jira Service Management, select Compliance settings.
Turn on Safe customer notifications.
Turn on HIPAA-compliant alert notifications.
Rovo
If using Rovo, consider disabling web search as read requests may contain data (search parameters) from app instances and are subject to the destination's policies.
Disclaimer
Due to the changes in law or regulation or changes in Atlassian apps or services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your owner or administrator.
This document contains Atlassian’s recommendations for certain minimum effective app configurations for its customers' protection of PHI within the Atlassian apps outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. It’s important to remember that HIPAA compliance is a shared responsibility between Atlassian and its customers. Completing these steps won't automatically guarantee an Atlassian Customer’s compliance with HIPAA. Each Atlassian Customer should seek its own legal counsel with regard to HIPAA compliance obligations applicable to their specific situations and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes don't conflict with or undermine the security of the configurations outlined in this document.
Was this helpful?