We want to help you meet your organization’s compliance needs and are committed to protecting your and your customers' data. We understand the increasing need to be assured that your data is not only secure but that it’s also being used in a manner that's compliant with laws and regulations.
This guide is intended for Atlassian customers that have a Business Associate Agreement (BAA) in place with us, or intend to enter into one with us. We’ve created this guide to provide you with the knowledge you need on how to use our products in a HIPAA-compliant way.
Currently, we can sign BAAs with customers who purchase an Enterprise plan for the applicable products.
The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services and is designed to protect the privacy and security of people’s protected health information (PHI). HIPAA applies to healthcare providers who electronically transmit health information in connection with certain transactions, health plans, and healthcare clearinghouses, as well as other third parties, known as “business associates”, that create, receive, maintain, or transmit PHI on behalf of covered entities.
Key terms
Covered entity - a health care provider who electronically transmits health information in connection with certain transactions, a health plan, or a healthcare clearinghouse.
Protected health information (PHI) - individually identifiable health information that is transmitted or maintained by a covered entity or its business associate in any form or media, including electronic, paper, or oral, and that relates to:
an individual’s past, present, or future physical/mental health condition;
an individual’s provision of healthcare; or
the past, present, or future payment of healthcare.
Business associate - a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity. A business associate may also include a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.
Business associate agreement (BAA) - a contractual assurance from the business associate to the covered entity or another business associate that they follow HIPAA's requirements. It specifies each party’s responsibilities when it comes to safeguarding and using PHI. This agreement must be in place before the transfer of any PHI to the business associate.
It’s your responsibility to ensure you’re using Atlassian products in a HIPAA-compliant way. We don’t monitor or analyze the data that you input. We have provided you with self-controlled configurations, and we recommend that you have the required processes and procedures in place to ensure all users adhere to end-to-end compliance.
You are also responsible for ensuring that all third-party applications integrated with Atlassian products are operated in a HIPAA-compliant way. This includes your obligation to have a BAA in place with all such applicable third-party applications. The BAA that you sign with us only covers the applicable Atlassian products. Additional products or product features that are not included in the applicable core products, or that require an additional opt-in, such as Atlassian Analytics and Atlassian Intelligence, are not covered by the BAA unless otherwise indicated by this guide. This includes products or product features that are part of a trial, alpha, beta, or early access offering. You’ll need to determine whether you require a BAA or any other data privacy and security protections before sharing any PHI with a third party.
Step 1: To use Atlassian services for PHI, you'll need to have an Enterprise plan, regardless of your company size.
Step 2: You need to enter into a Business Associate Agreement with us. For more information on the BAA, contact us.
Step 3: Ensure that you don't input PHI into any of the following fields:
Confluence | Jira Software and | Other |
---|---|---|
 | | |
 | | |
 | | |
Step 4: Once you have set up your Enterprise plan, you’ll need to turn off all email and push notifications in the product settings.
Refer to the table below for instructions on how to configure these settings for each of our products.
Notification type | Confluence | Jira Software and |
---|---|---|
Push | Settings -> Configuration -> Further Configuration | Settings -> System -> General Configuration -> Options -> Push notifications (Android, iOS, macOS) |
Email | Settings -> Configuration -> Further Configuration | See the three Jira email settings listed below |
For Jira email notifications, three settings have to be changed:
1. Outgoing mail: Settings -> System -> Outgoing mail. When email notifications are switched off, all emails originating from other products, such as Jira Work Management, will also be turned off.
2. Automation rules that trigger email notifications: Settings -> System -> Global automation -> All rules -> Enabled/Disabled. Any rule that triggers an email notification will need to be disabled.
3. The ability of project admins to manage automation rules: Settings -> System -> Global automation -> [...] -> Global configuration. The ability of project admins to create and manage automation rules for their projects has to be disabled. To do this, uncheck the Allow project administrators to manage project rules checkbox.
We undergo independent third-party audits, providing you with the assurance that we’re complying with current regulations and that your data is secure. Learn more about our compliance program
Due to the changes in law or regulation or changes in Atlassian or the Services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your owner or administrator. This document contains Atlassian’s recommendations for certain minimum effective product configurations for its customers' protection of PHI within the Atlassian products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Atlassian subscriber should seek its own legal counsel with regard to HIPAA compliance obligations applicable to their specific situations and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes do not conflict with or undermine the security of the configurations outlined in this document.