Support for the Health Insurance Portability and Accountability Act (HIPAA) was rolled out to Jira and Confluence Cloud in Q1 of 2022, but was only available to organizations on the Enterprise cloud tier. This meant that small-to-medium-sized businesses with fewer than 1,000 users (the minimum for Enterprise) were effectively barred from migrating to Atlassian Cloud if they were required to adhere to HIPAA standards. That barrier is beginning to come down as Atlassian expands HIPAA support to the Premium and Standard cloud tiers!
Atlassian Rollout Plan
Check out Atlassian's Cloud Roadmap for the most recent updates regarding HIPAA compliance for Atlassian products. They are careful to stress that this will be a "throttled" release, to give them time to detect any issues that were not identified during their testing. As a result, not all cloud customers will see this capability immediately. Nevertheless, with HIPAA support rolling out, now is the time to begin planning a move to the cloud, especially now that Atlassian has ended support for their Server products.
Requirements for HIPAA
To assist with the adoption of HIPAA standards, Atlassian has provided an implementation guide detailing the process. The guide identifies three important steps to implement HIPAA:
1. Enter into a Business Associate Agreement (BAA) with Atlassian
This step involves legal paperwork, so it is best to begin as soon as you are able by contacting Atlassian about Product Features.
2. Refrain from entering Protected Health Information (PHI) into fields that cannot be secured
Certain fields in Jira and Confluence are not secured by permissions, and so may be visible to users without the proper permissions. These fields include:
- Confluence Space keys, Space names, and page titles
- Jira issues, project names, project keys, and workflow scheme names
- Customer feedback
This step is the responsibility of the organization, and so must be incorporated into the global business process.
3. Turn off email and push notifications
Jira issues and Confluence pages may contain PHI, but as long as access is controlled properly, HIPAA rules are not violated. However, both applications have the ability to send notifications with information from those items, and that information may contain PHI. As a result, notifications must be disabled.
Following these steps will allow customers to meet the minimum requirements for HIPAA compliance.
HIPAA support for the Standard and Premium cloud tiers of Jira and Confluence has been anticipated since the feature first rolled out for Enterprise in 2022. Now all paid tiers of the Cloud offerings allow companies to provide HIPAA compliance to their users with the convenience and efficiency of the Atlassian Cloud.
Once this feature is globally available, there is certain to be a sharp increase in the number of cloud migrations, so the sooner the process is begun the better. That advice is even more important for Server-based customers who need HIPAA, since February 2024 marked the end of support for all products on the Server platform.
Reach out to discuss how Praecipio can help your organization move to the Cloud and ensure HIPAA compliance within your Atlassian tools.