We want to help you meet your organization’s compliance needs and are committed to protecting your and your customers' data. We understand the increasing need to be assured that your data is not only secure but that it’s also being used in a manner that's compliant with laws and regulations.
This guide is intended for Atlassian customers that have a Business Associate Agreement (BAA) in place with us, or intend to enter into one with us. We’ve created this guide to provide you with the knowledge you need on how to use our products in a HIPAA-compliant way.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services and is designed to protect the privacy and security of people’s protected health information (PHI). HIPAA applies to healthcare providers who electronically transmit health information in connection with certain transactions, health plans, and healthcare clearinghouses, as well as other third parties, known as “business associates”, that create, receive, maintain, or transmit PHI on behalf of covered entities.
Covered entity - a health care provider who electronically transmits health information in connection with certain transactions, a health plan, or a healthcare clearinghouse.
Protected health information (PHI) - individually identifiable health information that is transmitted or maintained by a covered entity or its business associate in any form or media, including electronic, paper, or oral, and that relates to:
an individual’s past, present, or future physical/mental health condition;
an individual’s provision of healthcare; or
the past, present, or future payment of healthcare.
Business associate - a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity. A business associate may also include a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.
Business associate agreement (BAA) - a contractual assurance from the business associate to the covered entity or another business associate that they follow HIPAA's requirements. It specifies each party’s responsibilities when it comes to safeguarding and using PHI. This agreement must be in place before the transfer of any PHI to the business associate.
HIPAA compliant use of Atlassian products
It’s your responsibility to ensure you’re using Atlassian products in a HIPAA-compliant way. We don’t monitor or analyze the data that you input. We have provided you with self-controlled security features, and we recommend that you have the required processes and procedures in place to ensure all users adhere to end-to-end compliance.
You’re also responsible for ensuring that all third-party applications integrated with Jira and Confluence are operated in a HIPAA-compliant way. The BAA that you sign with us only covers the applicable Atlassian products. Additional products, such as Atlassian Analytics, or product features that are not included in the applicable core products are not covered by the BAA unless otherwise indicated by this guide. You’ll need to determine whether you require a BAA or any other data privacy and security protections before sharing any PHI with a third party.
How to configure your Atlassian account to meet HIPAA requirements
Step 1: To use Atlassian services for PHI you'll need to have an Enterprise plan, regardless of your company size.
Step 2: You need to enter into a Business Associate Agreement with us. For more information on the BAA, contact us.
Step 3: Ensure that you don't input PHI into any of the following fields:
Step 4: Once you have set up your Enterprise plan, you’ll need to turn off all email and push notifications in the product settings.
Refer to the settings paths below for instructions on how to configure these settings in each of our products.
1. Email and push notifications:
Push notifications:
Settings -> Configuration -> Further Configuration
Settings -> System -> General Configuration -> Options -> Push notifications (Android, iOS, macOS)
Email notifications:
Settings -> Configuration -> Further Configuration
Settings -> System -> Outgoing mail
When email notifications are switched off, all emails originating from other products, such as Jira Work Management, will also be turned off.
2. Rules that trigger email notifications:
Settings -> System -> Global automation -> All rules -> Enabled/Disabled
Any rule that triggers an email notification will need to be disabled.
We undergo independent third-party audits, providing you with the assurance that we’re complying with current regulations and that your data is secure. Learn more about our compliance program.
Due to the changes in law or regulation or changes in Atlassian or the Services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your owner or administrator. This document contains Atlassian’s recommendations for certain minimum effective security configurations for its customers' protection of PHI within the Atlassian products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Atlassian subscriber should seek its own legal counsel with regard to HIPAA compliance obligations applicable to their specific situations and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes do not conflict with or undermine the security of the configurations outlined in this document.