In 2021, digital transformation has accelerated. At the tail end of the COVID pandemic, with companies remaining remote, the demand for cloud services in the enterprise is the highest it's ever been. Healthcare organizations, which more directly encountered the acute challenges posed by the pandemic, were among the first to be shaped by the current wave of digital transformation. Companies like Atlassian have been built from the ground up to enable digital transformation, so it’s no surprise to us that we often get asked if Atlassian Cloud is HIPAA-compliant.
What products and services does Atlassian Cloud offer?
Atlassian Cloud is a suite of products for building organization-wide knowledge bases and managing the software development lifecycle. Its core offerings include:
- Jira Software: For planning, tracking, and flagging tasks in the software development lifecycle.
- Confluence: For building internal wikis, knowledge bases, and documentation.
- Jira Service Management: For IT service management and operations.
- Opsgenie: For incident response.
- Statuspage: For tracking and reporting service status in real time.
- Halp: A Slack/Microsoft Teams-first approach to support ticket intake and management.
- Trello: A lightweight approach to Kanban board-style project management.
- Jira Work Management: An alternative to Trello for business users looking for project management platforms for non-developers.
- Bitbucket: A Git-based repository hosting and code review solution.
- Sourcetree: A desktop client that provides a UI for interacting with Git repositories.
Atlassian also offers third-party apps through the Atlassian Marketplace. Apps can extend the usability or security of Atlassian products. For example, Nightfall DLP is available on the Marketplace and lets organizations scan files, messages, and other content in Confluence for PII, PHI, and other sensitive information. Keep in mind that any Marketplace app you grant read access to page content will itself process your PHI, so a vendor that does so on your behalf is a business associate and needs its own BAA with you.
Can Atlassian products be configured to be HIPAA-compliant?
On its Trust FAQ page, under “Does Atlassian adhere to information security standards”, Atlassian states that it complies with a variety of standards, including:
- ISO/IEC 27001
- ISO/IEC 27018
- The Cloud Security Alliance Security, Trust & Assurance Registry (CSA STAR)
- FedRAMP for Trello Enterprise
Under the HIPAA/HITECH portion of that section, Atlassian states that Jira Software Cloud Enterprise and Confluence Cloud Enterprise are HIPAA and HITECH compliant, and links to a page that maps which HIPAA Security Rule safeguards those products help customers meet. Note that there is no official HIPAA certification: a vendor "being HIPAA compliant" in practice means it will sign a BAA and supports the administrative, physical, and technical safeguards the Security Rule requires, while the covered entity remains responsible for configuring and using the product correctly.
What are the steps for HIPAA compliance with Atlassian Cloud?
To be HIPAA compliant while using Atlassian Cloud products, you must:
- Choose the appropriate products. As of this writing (Feb 2023), Atlassian only provides BAAs for Confluence, Jira Service Management, and Jira Software, and only for customers on Enterprise plans. Atlassian's public roadmap indicates that HIPAA coverage for additional services is planned.
- Configure your account correctly. Once you are on an Enterprise plan for a covered product, you must turn off all email and push notification features for that product, since notifications carry page and issue content outside the covered environment. Atlassian details how to do so here.
- Execute a BAA with Atlassian. When you're ready, contact Atlassian directly to sign a BAA; only environments covered by the executed BAA may hold PHI.
How can you protect PHI in Atlassian Cloud?
The HIPAA Security Rule and the terms of Atlassian's BAA determine how you secure PHI within Jira Software Cloud Enterprise and Confluence Cloud Enterprise. Beyond keeping PHI out of email and push notifications, you need to ensure PHI is accessible only to authorized parties on a need-to-know basis. Doing so requires:
- Enforcing authentication standards such as two-factor authentication and strong passwords at the organization level (for example, mandatory two-step verification or SAML SSO through your identity provider) rather than leaving them to individual users
- Regularly reviewing audit logs and admin console reports, and retaining them for the period your HIPAA policies require
- Monitoring public Confluence Spaces, Jira Projects, and file attachments for PHI, and confirming that anonymous (public) access is disabled at the site level. Content scanning can be done with Nightfall DLP for Jira and Confluence.
- Enforcing strict permission settings for the Spaces and Projects used exclusively by parties authorized to share and disclose PHI. Even within these Spaces, you'll want to monitor to ensure that employees share only the minimum necessary amount of PHI.
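As an added illustration of the content-monitoring step (this is example code written for this article, not Nightfall's or Atlassian's own scanner), the script below takes a Confluence page body in storage format, strips the markup, and flags PHI-like identifiers: SSNs checked against the structural rules for valid area/group/serial numbers, a date of birth with a "DOB" label, phone numbers, and provider NPIs validated with the Luhn check digit (an NPI is public on its own, but a valid one next to a DOB is a strong sign the page holds a clinical record). The sample page is constructed; a real scan would fetch page bodies and attachments through the Confluence Cloud REST API, which this example deliberately leaves out. Findings are masked so that the scanner's own alerts do not become a second PHI disclosure.

```python
"""Flag PHI-like identifiers in a Confluence page body (added example, not vendor code)."""
from __future__ import annotations

import html
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str     # "ssn", "dob", "phone" or "npi"
    masked: str   # value with everything but the last four characters masked
    offset: int   # position in the de-tagged text, so a reviewer can locate it


# Constructed sample page in Confluence storage format (hypothetical data, not a real record).
SAMPLE_PAGE = (
    "<h1>Discharge summary</h1>"
    "<p>Patient J. Doe, DOB: 04/12/1961&nbsp;SSN: 123-45-6789</p>"
    "<p>Attending NPI: 1234567893, callback (555) 010-2233</p>"
    "<p>Unrelated: build 2023.01.14, ticket 987-65-4320, NPI 1234567890</p>"
)

TAG_RE = re.compile(r"<[^>]+>")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})", re.I)
# Separators are required so that bare 10-digit numbers (NPIs, build ids) are not phones.
PHONE_RE = re.compile(r"(?<![\d(])\(?(\d{3})\)?[-. ](\d{3})[-. ](\d{4})(?!\d)")
NPI_RE = re.compile(r"\bNPI\s*[:#]?\s*(\d{10})(?!\d)", re.I)


def storage_to_text(body: str) -> str:
    """Strip storage-format tags, decode entities and collapse whitespace."""
    text = html.unescape(TAG_RE.sub(" ", body))
    return re.sub(r"\s+", " ", text).strip()


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA rules: area never 000, 666 or 900-999; group and serial never all zeros."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def npi_checksum_ok(npi: str) -> bool:
    """NPI check digit: Luhn over the constant prefix 80840 followed by the 10 digits."""
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself does not leak PHI."""
    head, tail = value[:-4], value[-4:]
    return re.sub(r"[0-9A-Za-z]", "*", head) + tail


def scan_page(body: str) -> list[Finding]:
    """Return masked findings for one page body, ordered by position in the text."""
    text = storage_to_text(body)
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0)), m.start()))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("dob", mask(m.group(1)), m.start(1)))
    for m in PHONE_RE.finditer(text):
        findings.append(Finding("phone", mask(m.group(0)), m.start()))
    for m in NPI_RE.finditer(text):
        if npi_checksum_ok(m.group(1)):
            findings.append(Finding("npi", mask(m.group(1)), m.start(1)))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"{f.kind:5} at {f.offset:4}: {f.masked}")
```

Running the script flags the DOB, the SSN, the valid NPI and the phone number from the constructed page, while the ticket number 987-65-4320 (area 987 is outside the assignable range) and the second NPI (failing its Luhn check) are ignored. Regex patterns like these are a starting point for a review of Spaces you control, not a substitute for a DLP product that also handles attachments, macros and newly created content.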
Being HIPAA-compliant means asking the right questions
Are you looking for other HIPAA-compliant SaaS applications to enable digital transformation within your healthcare organization? Grab a copy of our Guide to HIPAA Compliance Checklist. It has important details you’ll want to ask any SaaS provider as a HIPAA covered entity. You can also learn more about the HIPAA Security Rule requirements from our Ultimate HIPAA Security and Compliance FAQ, which can be read for free online.