What is HIPAA?
Let’s start with the basics, clarifying what HIPAA actually is. For a brief definition, take a look at our Knowledge Base article on HIPAA.
HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. federal law that has been in force since 1996. It was established to protect the medical records and Protected Health Information (PHI) of U.S. citizens. The original purpose of the law was to protect the health data of employees who change jobs from disclosure. Limits on the disclosure of health records without patient consent are intended to ensure trust, confidentiality, and integrity throughout the medical space. The introduction of national standards for the processing of electronic Protected Health Information (ePHI) is also meant to improve data protection and save costs.
When and to whom does HIPAA apply?
While HIPAA was written to protect individuals in the U.S., these protections also apply when the company processing the data is NOT located in the United States. Once your company stores or processes data of U.S. citizens, you must ensure HIPAA compliance. It does not matter whether you are located in Europe, Asia, or anywhere else in the world.
HIPAA compliance should therefore be ensured if you process health data from the United States AND fall under one of the following categories:
- Health care providers (doctors, clinics, hospitals, pharmacies)
- Health plans (insurance companies, government programs such as Medicare)
- Health care clearinghouses (billing services and community health systems for organizing health data)
What data is protected under HIPAA?
Health information that is protected under HIPAA includes an individual’s name, address, medical record number, and other Personally Identifiable Information (PII), as well as an individual’s physical or mental health condition and the nursing care the individual is receiving. For more examples of PHI, see the HIPAA law text.
What are the penalties for HIPAA non-compliance?
A HIPAA violation can result in maximum fines of up to $1.5 million per year. A person who “knowingly” acquires and discloses health information can face criminal charges of up to one year in prison.
Of course, you don’t want to risk that.
But what does all this have to do with Atlassian?
What is the connection between Jira/Confluence Cloud and HIPAA?
Many healthcare organizations and hospitals use platforms like Jira and Confluence Cloud to manage their daily tasks, projects, and data. This allows them to store and access all the Protected Health Information (PHI) they need quickly and easily. It also means they collect an exorbitant amount of sensitive data about their patients, putting them at risk of violating HIPAA regulations.
For a long time, Jira and Confluence Cloud were not HIPAA-compliant – now, Atlassian’s announcement changes everything. An external auditor has conducted an intensive assessment of the following Atlassian products and found them to be compliant with HIPAA regulations:
- Jira Software Cloud
- Confluence Cloud
- Jira Service Management
The HIPAA Implementation Guide
To make Jira, JSM, and Confluence HIPAA-compliant with absolute certainty and avoid any penalties, you should perform specific configurations on your Atlassian account, as Atlassian describes in their implementation guide.
Summarized for you, here are the five simple steps you can take to make Confluence and Jira HIPAA-compliant:
- Organizations that need to comply with HIPAA policies should purchase an Enterprise Plan.
- Sign a Business Associate Agreement (BAA) with Atlassian.
  - This is a contractual agreement stating that HIPAA requirements will be met.
- Ensure that all third-party applications integrated with Jira and Confluence Cloud are running in a HIPAA-compliant manner.
  - The BAA covers only the corresponding Atlassian products.
- Ensure that you do not store PHI in any of the following fields:
  - Confluence
    - Space keys
    - Space name
    - Page title
  - Jira Software
    - Configuration data:
      - issues
      - project name
      - project key
      - workflow schemes
    - Others
      - Surveys
      - Customer feedback
- Disable all email and push notifications in product settings.
Smart support for HIPAA compliance
Be especially careful with step four: verify that you are not storing PII/PHI outside the recommended fields and locations, and perform a detailed security audit. This is where our Data Protection and Security Toolkit for Jira/Confluence comes to the rescue. This smart assistant lets you scan your cloud instances at lightning speed to find critical health data. Simply select birthdates, phone numbers, social security numbers or the like from predefined search rules: