Hot off the press! We're excited to announce that two Atlassian offerings, Jira Software Cloud Enterprise and Confluence Cloud Enterprise, are now HIPAA compliant. This is great news for regulated industries that have not been able to take advantage of Atlassian Cloud previously due to HIPAA requirements.
Why HIPAA Compliance Matters for Atlassian Customers
Atlassian has been making big investments in their Cloud products across the board, including creating an environment that meets the demands of their customers' compliance and security requirements.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was put in place to protect the privacy and security of an individual’s Protected Health Information (PHI). Any company that manages PHI must be in compliance with HIPAA, regardless of what industry it's in. Unlike other industry-specific regulations, HIPAA compliance isn’t dependent on the field you work in, but on the type of data your organization manages.
Without compliance, companies that manage PHI would not be able to store that data in Atlassian Cloud.
What is HIPAA?
HIPAA is a U.S. federal law developed and introduced by the U.S. Department of Health and Human Services in 1996. Since then, it's been extended several times and had additional rules mandated that were not included in the original law. It was created with the purpose of protecting the privacy and security of an individual’s Protected Health Information (PHI). These safeguards are accomplished through several administrative, physical, and technical processes, including:
- Privacy and security measures for protecting PHI
- Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rule requirements
- An annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
- The regular review and retention of HIPAA Privacy and Security policies and procedures
- Privacy and security awareness content regarding the protection of PHI
- The designation and role definition of a HIPAA Privacy and Security Officer
HIPAA compliance does not depend on the industry an organization is in, but rather the type of data it administers. Below are examples of organizations that come into contact with PHI:
- Organizations that provide services or products used to provide medical treatment or collect health information about individuals or groups of individuals
- Healthcare clearinghouses: Third-party systems that interpret claim data between provider systems and insurance payers
- Organizations that create, receive, maintain, or transmit PHI on behalf of the above-mentioned customers, including:
  - Cloud providers to the customers above, like Atlassian (i.e., a “Business Associate”)
  - Service providers or subcontractors of a Business Associate (e.g., AWS for Atlassian)
Atlassian and HIPAA - What You Need to Know
It's important for organizations that are subject to HIPAA compliance and want to use Atlassian's Cloud offering to understand the following:
- HIPAA Compliance applies to Atlassian's Jira Software Cloud Enterprise and Confluence Cloud Enterprise plans ONLY. No other tools or Cloud plans are HIPAA compliant at this time.
- Jira Service Management is NOT HIPAA compliant at this time. However, it is on Atlassian's roadmap.
- Atlassian Marketplace apps are not currently HIPAA compliant.
- Organizations that require HIPAA compliance must enter into a Business Associate Agreement (BAA) with Atlassian.
- The BAA terms require that Atlassian:
  - Describe the permitted use cases of PHI
  - Commit to not use or further disclose PHI other than as permitted by the contract or as required by law
  - Use appropriate safeguards to prevent inappropriate PHI use or disclosure
How Isos Technology Can Help
Migrating to Atlassian Cloud is no small feat. It can be a complicated process, especially for organizations with large amounts of data, users, and instances. If you are just starting your Cloud migration journey, I highly recommend reading this blog post, "Prepping for your Atlassian Ground to Cloud Migration," by our very own Solutions Engineer, Nick Nader, and reaching out to Isos Technology for help.
I cannot stress enough how important it is to reach out to a Solution Partner to gain an understanding of Atlassian Cloud and the Cloud migration process. Isos can guide you through what Atlassian's new HIPAA compliance means for your organization, and help you choose the best Cloud offerings for your business. Contact us today to discuss your organization's needs and options.
For more information, visit Atlassian's HIPAA resource page.