Atlassian continues to invest in its Cloud offering, and this includes ensuring the highest level of security and compliance. With security and compliance being the cornerstone of its products and services, Atlassian just hit another big milestone in their Cloud Roadmap: Jira Service Management is now HIPAA compliant. 

But what exactly does being HIPAA compliant mean? Why is it important for your business? And what does it mean for your Atlassian products? In this article, we’ll get to the bottom of these questions and give you the low-down on everything you need to know about Atlassian’s recent announcement regarding Jira Service Management’s HIPAA compliance. 

What Does HIPAA Compliance Involve?

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual’s Protected Health Information (PHI). The HIPAA Security Rule was established to protect individuals’ health information and ensure the security, integrity, and confidentiality of this data. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as other third parties, known as “Business Associates”, that create, receive, maintain, or send PHI.

Compliance with HIPAA can only occur when an entity implements controls and protections for any relevant Patient Health Information (PHI). To make this a reality, a healthcare company must review the entirety of HIPAA (privacy laws, omnibus, etc.) and make provisions to follow the regulations within their business. 

HIPAA compliance means implementing controls and safeguards to ensure the confidentiality and integrity of protected health information. It involves developing policies and procedures that are in line with HIPAA laws and regulations and requires your organization to use HIPAA-compliant software that keeps patient data confidential.

What Does Being HIPAA-Compliant Mean for My Atlassian Products?

Security failures, compliance oversights and not regulating how technology is used puts organizations at risk of violating HIPAA. When you use Atlassian products, Atlassian provides comprehensive privacy and security protections that enable customers to operate products in compliance with HIPAA. These include:

• Security measures for protecting PHI
• Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rules
• An annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
• Regular review and retention of HIPAA Security policies and procedures
• Security awareness content regarding the protection of ePHI, and
• The designation and role definition of a HIPAA Security Officer.

Additionally, as industry leaders in security and compliance, Atlassian works with third-party organizations to regularly audit their security, privacy, and compliance controls to support all of their customers’ compliance needs and meet different HIPAA requirements. We recommend referencing this chart that explains the different HIPAA requirements and what Atlassian is doing to meet them. 

What Atlassian Products Comply With HIPAA Regulations?

In addition to Jira Service Management Cloud Enterprise, Jira Software Cloud Enterprise, and Confluence Cloud Enterprise are also HIPAA compliant. Bookmark this page to stay up-to-date with any announcements related to Cloud products and compliance news.

How Do I Make Sure My Atlassian Software Is HIPAA-Compliant?

If your organization requires HIPAA compliance and you plan to use Atlassian products to manage patient information and confidential health data, you need to purchase an Enterprise Plan. HIPAA compliance only applies to Atlassian's Jira Software Cloud Enterprise, Confluence Cloud Enterprise, and Jira Service Management Cloud Enterprise plans.

In addition to purchasing an Enterprise Plan, you must also enter into a Business Associate Agreement (BAA) with Atlassian to ensure that the proper safeguards are in place to prevent misuse of patient health information.  

Once you are covered with these administrative steps, you will need to set your instance up in a way that meets HIPAA requirements. As part of their commitment to helping your organization meet its security and privacy needs, Atlassian created a HIPAA Implementation Guide to guide you through the process of using your Atlassian products in a HIPAA-compliant way. 

It’s also important to note that while Atlassian has provided you with the necessary security features, it’s up to your organization to ensure that your people and processes also adhere to HIPAA regulations. You will also need to make sure that any third-party apps integrated with Jira, Confluence, and Jira Service Management are operated in a HIPAA-compliant manner. 

Customize Your Atlassian Software to Work For You

While these updates to Atlassian products are exciting, there’s still a lot to learn and navigate through, especially when it comes to making sure your data is secure and is being managed properly. 

At Praecipio, we are committed to ensuring the unwavering security of your company’s information so your teams can focus on the work that matters most. In addition to guiding you through the complex process of migrating to Atlassian Cloud, we set you up for success with 

Atlassian Cloud Enterprise and ensure your instance is configured in a way that meets all HIPAA requirements. 

Contact us to learn more about how we can help your organization comply with laws and regulations regarding healthcare information. If you have additional questions about migrating to Atlassian Cloud, watch this webinar where our migration experts answer the most common questions about moving to cloud.

Atlassian offers many products to help you increase your productivity, including Atlassian Cloud and Atlassian Data Center. Though both Atlassian Cloud and Atlassian Data Center give you access to a full stack of Atlassian tools, they serve different purposes depending on the needs of your organization.

 Atlassian Cloud is a managed and hosted solution, meaning Atlassian handles all required infrastructure and hardware for you. By maintaining and hosting your infrastructure for you, Atlassian Cloud helps you innovate faster with less management required.

Atlassian Data Center, in contrast, requires a self-hosted environment, meaning you have an on-premise center that you maintain, upgrade, and secure. Although you have to perform these management tasks yourself, Atlassian Data Center promotes flexibility and enables you to build a custom-tailored solution.

Both versions of the Atlassian suite include core applications like Jira Software, Jira Service Management, Confluence, and Bitbucket. However, some applications like Trello and Opsgenie are available with Atlassian Cloud only, while others, like Bamboo and Crowd, are only available in Atlassian Data Center.  

Whether Atlassian Cloud or Atlassian Data Center is the best choice for your organization depends on your use case. This article highlights use cases where Atlassian Cloud or Atlassian Data Center would serve you better, helping you decide between Atlassian Cloud and Atlassian Data Center.

Atlassian Cloud Versus Atlassian Data Center: Use Cases

To understand the differences between Atlassian Cloud and Atlassian Data Center, you can compare the features, accompanying stack of Atlassian tools, and infrastructure management requirements for each solution. However, it’s also helpful to compare the use cases for each solution and understand how their capabilities and limitations match up to your organization’s business goals. 

Atlassian Cloud

Global Product Teams

Globally-distributed product teams need tools that enable collaboration without adding friction. Atlassian Cloud tools like Jira and Confluence let remote teams brainstorm, plan, and track the development of new product features from anywhere, on any device, without requiring anyone to sign into a company VPN to use on-premises tools.  

Security and Governance

Integration with Atlassian Access means Atlassian Cloud apps work seamlessly with your existing single sign-on (SSO) and identity management infrastructure. Atlassian Cloud is compliant with strict regulations like PCI DSS, SOC 3, and GDPR, so you can spend more time being productive and less time worrying about compliance and governance.

Reliability

Global enterprises need tools that work 24 hours a day because downtime is expensive. Atlassian Cloud offers service level agreements (SLAs) up to 99.95 percent — meaning your productivity apps are always available when needed. 

Looking to Leverage Cloud-Only Atlassian Tools

Some Atlassian tools are only available in Atlassian Cloud, such as: 

• Trello for lightweight project planning and collaboration
• Opsgenie for IT incident response and on-call management

If applications like these are essential parts of your organization’s workflows, Atlassian Cloud is an ideal choice.

Atlassian Data Center

Requiring More Infrastructure and Environment Control

Large, established teams that require more control over their infrastructure than Cloud offers can use Atlassian Data Center. While Atlassian Cloud offers excellent flexibility, Atlassian Data Center lets you control how and where you run your applications. Atlassian Data Center is the ideal choice if you require a traditional on-premises deployment or want to deploy to a private cloud. 

Additionally, if you’re working in an industry that requires a high level of control and security, like a government agency or financial institution, using Atlassian Data Center would be an ideal solution because it gives you tighter environmental control and customizability to maintain security and meet regulatory conditions.  

Retaining Customizations Over Time

Atlassian Data Center is the best choice if your teams are moving from previous versions of Jira Software or Confluence and you want to retain customizations built into your products over time. Many long-time users of Atlassian applications have built deep integrations between these apps and internal line-of-business systems. Making those integrations work with Atlassian Cloud may range from difficult to impossible.

Adding New Customizations

Organizations looking for more customization options to meet their exact business needs without sacrificing performance or security are better-suited to Atlassian Data Center. Although Atlassian Cloud offers many integration points via APIs, on-premises Atlassian deployments are easier to integrate deeply with the rest of your enterprise’s applications. 

Needing to Meet Compliance Criteria

Organizations with strict compliance and regulatory requirements may not be met by Atlassian Cloud’s capabilities (though note that Cloud does support SOC2, SOC3, and PCI DSS). 

With Atlassian Data Center, you are fully responsible for managing your system’s security and ensuring it stays compliant with industry regulations. This means additional work for your organization, but that application security and compliance are as strict as you need.

Thinking Long-Term About a Cloud-first Future

Migrating to the cloud offers notable long-term benefits, including server savings of 30 percent, which is due to right-sizing servers, IT cost savings of 20 percent, and giving your organization a competitive edge by enabling staff to spend more time on strategic, business development tasks and less time on infrastructure maintenance and planning. These benefits have led to widespread cloud adoption, with Gartner predicting that more than 50 percent of IT spending will shift to the cloud by 2025.

Although you can use Atlassian tools in your data center, migrating to Atlassian Cloud offers additional benefits that help future-proof your business and enable you to get the most out of Atlassian tools, including: 

• Improved team collaboration and easier access to Atlassian experts if you need support, training, or mentoring.
• Reduced IT resource costs associated with maintaining your in-house infrastructure.
• Better scalability to meet peak demands without downtime; data centers cannot be easily scaled vertically like SaaS.
• Get faster time to value with Atlassian’s latest apps, features, and integrations. You can use the newest apps and features as soon as they are available rather than waiting for an upgrade cycle.
• Moving your Data Center products to Cloud means you can take advantage of Atlassian’s SaaS-only tools.  

Conclusion

Choosing between Atlassian Cloud and Atlassian Data Center is not always a clear-cut decision. It’s important to fully understand what you’re looking to achieve by using an on-premise or Cloud-based solution and what tools each solution offers to help you meet your goal.

Migrating to Atlassian Cloud reduces costs, minimizes maintenance times, and enables you to develop faster. However, performing a migration can be challenging, especially if you’re not starting with a fresh instance. You must migrate your users, apps, and data, meaning the chances of downtime and overall complexity are high. Similarly, when working with Atlassian Data Center, you take on significant maintenance, security, and configuration responsibilities. Though this independence provides you with more control over your instance, it also means you don’t have direct support from Atlassian if there are any problems with your infrastructure.

Fortunately, you’re not alone. Praecipio is an Atlassian Platinum Solution Partner, and we’re ready to help you select — and implement — the best Atlassian solution for your enterprise. Contact Praecipio to help guide you through the journey of a successful migration to Atlassian Cloud or Atlassian Data Center.

What is FDA 21 CFR Part 11?

FDA 21 CFR Part 11 regulation (Part 11) is the Food and Drug Administration's regulations that cover document signing and records retention for processes and documents specified by the FDA. Prescribed as an “open system” system solution, as defined in Section 11.3(b)(9), in which there is electronic communication among multiple persons and where system access extends to people who are not part of the organization that operates the system. The controls for an open system are discussed in Section 11.30.

...the system shall employ procedures and controls designed to ensure the authenticity, integrity and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt to ensure record authenticity, integrity and confidentiality.

To help meet the control requirements, DocuSign’s Part 11 module has pre-set account options to add, authenticate and limit envelope access to authorized signers. 

DocuSign's Part 11 Module: Designed for Ensured Compliance

DocuSign sets the global standard for electronic signatures and Digital Transaction Management (DTM) and supports life science organizations’ compliance with the e-signature practices set forth in 21 CFR Part 11 with tailored functionality and packaged service offerings. DocuSign’s open, standards-based approach makes it easy to integrate compliant electronic signatures, even into complex processes and systems.

DocuSign Part 11 Module available with DocuSign Enterprise delivers transactions guaranteed to meet all FDA regulations. It contains capabilities designed specifically for the Life Sciences industry that include:

• Signature-level credentialing
• Signature-level Signature Meaning
• Pre-packaged account configuration
• Signature manifestation (Printed Name, Date/Time, and Signature Meaning)

Automating Compliance Into Your Workflow

For organizations that use Jira to manage their business processes, DocuSign for Jira makes it easy to integrate and automate DocuSign-guaranteed compliance directly into your Jira workflows. For Life Science and other industries that must comply with strict FDA regulations DocuSign for Jira is a must. DocuSign for Jira is specifically designed to work with your existing DocuSign template libraries so you can automate the sending of critical, government-regulated documentation at each stage of your business process that requires official sign-off.

Map Your Recipients to Jira Issue Fields & Roles

In each transition you can specify variables from Jira issue fields, roles or identify static Jira users and email addresses to map to the DocuSign's envelope recipients. This can be done using Template Schemes where Jira Issue Types can be mapped to DocuSign Templates and recipient roles mapped as well. Or Jira administrators can identify specific templates, recipient and field mappings directly into workflow transitions for greater flexibility.

Pre-Fill Your DocuSign Documents with Jira Data

The sign-off process involving official, regulated documentation can be data-entry intensive. Often this is done by manual document creation, then further manual uploads to DocuSign via Word .docx or Adobe .pdf files that are then decorated with initial, signature and other DocuSign tabs.  Though DocuSign provides a robust field definition and configuration capability, this often goes unused beyond capture of necessary inputs for the document itself. Reporting, querying or re-use of the valuable data entered during envelope signing is not possible. DocuSign for Jira allows fields 

Capture Your DocuSign Recipient Data Entry in JIra Fields

DocuSign for Jira supports bidirectional or "two-way" synchronization between DocuSign "Tabs" and your Jira issue fields allowing capture and reportable persistence of all information and corrections gathered during the signing processes. If your recipients are external to your organization and not users in your Jira instance, you can still capture their data inputs from DocuSign envelopes using the "Delegate Edit" feature. This capability is particularly useful in cases where multiple documents are filled/signed in a process where subsequent documents rely on previous 

Manage DocuSign Envelopes from Jira

Your employees who rely heavily on DocuSign and Jira to perform their daily functions and duties will find links and information at their fingertips from within their Jira issues or in DocuSign for Jira's Project Report. Filter by Envelope Title, Sender, Status and sort as well. View recipient-level status as well by expanding the rows. Each issue has a new DocuSign Envelopes pane as well as a DocuSign audit tab for quick, easy access to envelopes and important, audit events.

Automate and Simplify

DocuSign Enterprise CFR Part 11 Module guarantees thorough compliance with FDA regulations. DocuSign for Jira takes that full capability and DocuSign's carrier-grade infrastructure and combines it with Jira's world class business process management application to automate the review, approval and signature processes that require the utmost confidence in security, retention, audit and repeatability. With DocuSign for Jira's unique template-based mapping system, you can capture all your data inputs from the signature process in DocuSign in to Jira for reporting and reuse.

To learn more about DocuSign for Jira, take a look at our demo video or contact Praecipio Consulting to help your organization automate your eSignature process.