• Documentation

The HIPAA Implementation Guide

We’ve created this guide to provide you with the knowledge you need on how to use our products in a HIPAA-compliant way. This guide is intended for Atlassian customers who have a Business Associate Agreement (BAA) in place with us or intend to enter into one with us.

We can sign BAAs for Standard, Premium, and Enterprise plans for Jira, Jira Service Management, and Confluence. Free and trial plans are not eligible to sign BAAs. Learn how to sign a BAA

HIPAA-compliant use of Atlassian products

We’re providing you with self-controlled configurations to support you with your HIPAA compliance. This means that it’s your responsibility to ensure you’re using Atlassian products in a HIPAA-compliant way. We don’t monitor or analyze the data that you input, so you need to have the required procedures in place to ensure all users adhere to end-to-end compliance.

All third-party apps integrated with Atlassian products also need to be operated in a HIPAA-compliant way. This means you must have a signed Business Associate Agreement (BAA) with all relevant third-party apps.

The BAA that you sign with us covers only the eligible Atlassian products. Any other products or features that aren’t included in the core products, or require an additional opt-in, aren't automatically covered by the BAA unless otherwise indicated in our guidelines. This includes Atlassian Analytics, Atlassian Intelligence, Atlassian Rovo, and any products or product features that are part of a trial or an early access offering.

Before you share any Protected Health Information (PHI) with a third party, you’ll need to first find out if you need a BAA or any other data privacy and security protections.

Configure your Atlassian account

To configure your Atlassian account to meet HIPAA requirements:

  1. To use Atlassian services for PHI you'll need to enter into a BAA with us. Learn more about signing a BAA

  2. Tag your products to enable HIPAA. Learn more about tagging products

  3. Deactivate Atlassian Intelligence for all the Atlassian products within this organization. In the future, when you create new Atlassian products under this organization, you will also need to deactivate Atlassian Intelligence for those products. Learn how to deactivate Atlassian Intelligence

  4. Ensure that you don't input PHI into any of the following fields:

Jira and Jira Service Management

Confluence

All products

  • Issue details:

    • Type (including icon)

    • Status

  • Project data:

    • Name

    • Key

  • Configuration:

    • Workflow schemes

    • Custom field names

    • Name of filter in a filter subscription

  • Others:

    • Email sent by Admins (from System -> Send email page) to project users and project groups

  • Space keys

  • Space name

  • Titles

 

 

 

  • Surveys

  • Customer feedback

4. Configure the notifications settings for each of your products according to the following sections.

Confluence

You need to turn off push notifications in Confluence settings.

To turn off push notifications:

  1. Go to Confluence, and select Settings.

  2. Select Configuration > Further Configuration.

  3. Select Edit.

  4. Deselect the Push Notifications checkbox.

  5. Select Update to save your changes.

You can keep the email notifications enabled as Atlassian now supports email notification templates that don't include content that could contain PHI.

Jira and Jira Service Management

You can keep both email and push notifications enabled in Jira settings. Atlassian now supports notification templates that don't include content that could contain PHI.

Push notifications

To turn on push notifications with limited information:

  1. In Jira, go to Settings.

  2. Select System > General Configuration.

  3. Select Edit Settings.

  4. Turn on Push notifications (Android, iOS).

  5. Select Update to save your changes.

Email notifications

To turn on email notifications with limited information and enable automation rules:

When you turn on email notifications, they include limited information, protecting the PHI data. When email notifications are turned on, all emails originating from other Jira products, such as Jira Service Management, will also be turned on.

  1. In Jira, go to Settings.

  2. Select System > Outgoing mail.

  3. Select Enable outgoing Mail.

  4. Enable the automation rules that trigger an email notification. Go to Settings > System > Global automation > All rules and enable the rules.  

  5. Enable the ability of the project admins to create and manage automation rules for their projects. To do this, go to Settings > System > Global automation > [...] > Global configuration and select the Allow project administration checkbox.

Global configuration for Jira software for HIPAA

Your admins will be responsible for ensuring automation rules are not configured to send out email notifications that include PHI data.

Safe customer notifications for Jira Service Management

To turn on safe customer notifications in Jira Service Management:

  1. In your Jira Service Management, go to Settings.

  2. Select Products > Compliance settings.

  3. Turn on Safe customer notifications.

 

It’s important to remember that HIPAA compliance is a shared responsibility between Atlassian and you. Completing these steps won't automatically guarantee your compliance with HIPAA, you must also ensure that you follow HIPAA best practices.

Disclaimer

Due to the changes in law or regulation or changes in Atlassian products or services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your owner or administrator.

This document contains Atlassian’s recommendations for certain minimum effective product configurations for its customers' protection of PHI within the Atlassian products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Atlassian Customer should seek its own legal counsel with regard to HIPAA compliance obligations applicable to their specific situations and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes don't conflict with or undermine the security of the configurations outlined in this document.

Still need help?

The Atlassian Community is here for you.