
The HIPAA Implementation Guide

We want to help you meet your organization’s compliance needs and are committed to protecting your and your customers' data. We understand the increasing need to be assured that your data is not only secure but that it’s also being used in a manner that's compliant with laws and regulations.

This guide is intended for Atlassian customers that have a Business Associate Agreement (BAA) in place with us, or intend to enter into one with us. We’ve created this guide to provide you with the knowledge you need on how to use our products in a HIPAA-compliant way.

Currently, we’re able to sign BAAs for Jira Software and Confluence for customers on Enterprise plans. Learn more about our future plans for HIPAA.

What is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law; its implementing regulations, including the Privacy Rule and the Security Rule, are issued by the U.S. Department of Health and Human Services (HHS). It is designed to protect the privacy and security of individuals’ protected health information (PHI). HIPAA applies to covered entities (healthcare providers who electronically transmit health information in connection with certain transactions, health plans, and healthcare clearinghouses), as well as to other third parties, known as “business associates”, that create, receive, maintain, or transmit PHI on behalf of covered entities.

Key terms

  • Covered entity - a health care provider who electronically transmits health information in connection with certain transactions, a health plan, or a healthcare clearinghouse.

  • Protected health information (PHI) - individually identifiable health information that is transmitted or maintained by a covered entity or its business associate in any form or media, including electronic, paper, or oral, and that relates to:

    • an individual’s past, present, or future physical/mental health condition;

    • an individual’s provision of healthcare; or

    • the past, present, or future payment for the provision of healthcare.

  • Business associate - a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity. A business associate may also include a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

  • Business associate agreement (BAA) - a contractual assurance from the business associate to the covered entity or another business associate that they follow HIPAA's requirements. It specifies each party’s responsibilities when it comes to safeguarding and using PHI. This agreement must be in place before the transfer of any PHI to the business associate.

HIPAA-compliant use of Atlassian products

It’s your responsibility to ensure you’re using Atlassian products in a HIPAA-compliant way. We don’t monitor or analyze the data that you input. We provide security features that you control, and we recommend that you have the processes and procedures in place to ensure all of your users adhere to end-to-end compliance.

You are also responsible for ensuring that all third-party applications integrated with Jira and Confluence are operated in a HIPAA-compliant way. The BAA that you sign with us covers only the applicable Atlassian products. Before sharing any PHI with a third party, you’ll need to determine whether you require a BAA or any other data privacy and security protections with that party.

How to configure your Atlassian account to meet HIPAA requirements

Step 1: To use Atlassian services for PHI, you’ll need an Enterprise plan, regardless of your company size.

Step 2: You need to enter into a Business Associate Agreement with us. For more information on the BAA, please contact us.

Step 3: Before entering any data into your product, you need to structure your data in accordance with HIPAA requirements. This includes not entering any PHI into any of the following fields:

Confluence:

  • Space keys

  • Space names

  • Page titles

Jira Software:

  • Configuration data:

    • issues

    • project name

    • project key

    • workflow schemes

Other:

  • Surveys

  • Customer feedback

Step 4: Once you have set up your Enterprise plan, you’ll need to turn off all email and push notifications in the product settings.

Refer to the settings below for instructions on how to configure these notifications for each of our products.

Push notifications

  • Confluence: Settings -> Configuration -> Further Configuration

    (screenshot: Confluence push notification settings)

  • Jira: Settings -> System -> General Configuration -> Options -> Push notifications (Android, iOS, macOS)

    (screenshot: Jira push notification settings)

Email notifications

  • Confluence: Settings -> Configuration -> Further Configuration

    (screenshot: Confluence email notification settings)

  • Jira:

    1. Email notifications: Settings -> System -> Outgoing mail

       When email notifications are switched off, all emails originating from other products, such as Jira Work Management, will also be turned off.

       (screenshot: Jira)

    2. Rules that trigger email notifications: Settings -> System -> Global automation -> All rules -> Enabled/Disabled

       Any rule that triggers an email notification will need to be disabled.

       (screenshot: JSM)
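Step 3 is a standing rule rather than a one-off setting: project keys, project names, space keys, space names and page titles are created by ordinary users every day, so a scheduled check that scans those fields is a practical way to catch drift. The script below is an added example for this guide, not Atlassian code or a supported Atlassian tool. The sample payloads are constructed for the example and only imitate the shape of the Jira Cloud `GET /rest/api/3/project/search` and Confluence Cloud `GET /wiki/rest/api/space` and `GET /wiki/rest/api/content` responses (the field names `values[].key`/`values[].name`, `results[].key`/`results[].name` and `results[].title` are assumptions to verify against your own tenant). The regular expressions are heuristics chosen for the example; they will miss PHI that does not follow these shapes and do not replace the process controls the guide asks you to have.

```python
"""Audit Jira/Confluence metadata fields for PHI-like content.

Added example for the HIPAA Implementation Guide, not Atlassian's own code.
Step 3 of the guide says PHI must not be entered into Confluence space
keys/names and page titles, or Jira project names/keys.  The sample payloads
below are constructed and only mimic the shape of the Jira Cloud
`GET /rest/api/3/project/search` and Confluence Cloud `GET /wiki/rest/api/space`
/ `GET /wiki/rest/api/content` responses (assumption: `values[].key/name`,
`results[].key/name`, `results[].title`); confirm them against your tenant.
"""
import json
import re

# Heuristic indicators of PHI in short free-text fields.  Constructed for this
# example; a real deployment would tune these to its own naming conventions.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|D\.O\.B\.?)\b[:\s]*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", re.I),
    "mrn": re.compile(r"\b(?:MRN|medical record)\b[:\s#]*\d{5,}", re.I),
    # "patient" in any case, followed by a capitalised name of two or more words
    "patient_name": re.compile(
        r"\b(?i:patient)\b[:\s]+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+"),
    "diagnosis": re.compile(
        r"\b(?:diagnos(?:is|ed)|ICD-?10|HIV|oncology|chemo(?:therapy)?)\b", re.I),
}


def find_phi_indicators(text):
    """Return the names of the PHI_PATTERNS that match `text`, in table order."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text or "")]


def jira_project_fields(payload):
    """Yield (product, field, value) for Jira project keys and names."""
    for project in payload.get("values", []):
        yield ("Jira Software", "project key", project.get("key", ""))
        yield ("Jira Software", "project name", project.get("name", ""))


def confluence_space_fields(payload):
    """Yield (product, field, value) for Confluence space keys and names."""
    for space in payload.get("results", []):
        yield ("Confluence", "space key", space.get("key", ""))
        yield ("Confluence", "space name", space.get("name", ""))


def confluence_page_fields(payload):
    """Yield (product, field, value) for Confluence page titles."""
    for page in payload.get("results", []):
        yield ("Confluence", "page title", page.get("title", ""))


def run_audit(jira_projects, confluence_spaces, confluence_pages):
    """Scan every metadata field from the three payloads; return the findings."""
    records = [
        *jira_project_fields(jira_projects),
        *confluence_space_fields(confluence_spaces),
        *confluence_page_fields(confluence_pages),
    ]
    findings = []
    for product, field, value in records:
        hits = find_phi_indicators(value)
        if hits:
            findings.append({"product": product, "field": field,
                             "value": value, "indicators": hits})
    return findings


# Constructed sample responses (not real tenant data).
SAMPLE_JIRA_PROJECTS = json.loads("""{"values": [
  {"key": "BILL", "name": "Billing platform"},
  {"key": "ONC",  "name": "Patient John Doe chemo schedule"},
  {"key": "MRN",  "name": "MRN 1234567 follow-up"}
]}""")
SAMPLE_SPACES = json.loads("""{"results": [
  {"key": "ENG", "name": "Engineering"},
  {"key": "DOB", "name": "DOB 04/12/1987 case review"}
]}""")
SAMPLE_PAGES = json.loads("""{"results": [
  {"title": "Release notes 4.2"},
  {"title": "Intake form for SSN 123-45-6789"}
]}""")


def main():
    findings = run_audit(SAMPLE_JIRA_PROJECTS, SAMPLE_SPACES, SAMPLE_PAGES)
    for f in findings:
        print(f"{f['product']} {f['field']}: {f['value']!r} -> "
              f"{', '.join(f['indicators'])}")
    # A non-zero exit lets a scheduled job fail loudly when PHI reaches metadata.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

To run this against a live tenant, replace the constructed payloads with the JSON returned by the endpoints named above, fetched with a read-only API token, and page through the results (both APIs paginate). Keep the project key and space key checks even though keys are short: a key such as a patient initials-plus-year is exactly the kind of identifier Step 3 is trying to keep out of URLs and breadcrumbs.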


Security audits

We undergo independent third-party audits, providing you with assurance that we comply with current regulations and that your data is secure. Learn more about our compliance program.


Disclaimer

Due to changes in law or regulation, or changes in Atlassian or the Services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your owner or administrator. This document contains Atlassian’s recommendations for certain minimum effective security configurations for its customers’ protection of PHI within the Atlassian products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data, nor does it constitute legal advice. Each Atlassian subscriber should seek its own legal counsel with regard to the HIPAA compliance obligations applicable to its specific situation, and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes do not conflict with or undermine the security of the configurations outlined in this document.
