Hot off the press! We're excited to announce that two Atlassian offerings, Jira Software Cloud Enterprise and Confluence Cloud Enterprise, are now HIPAA compliant. This is great news for regulated industries that have not been able to take advantage of Atlassian Cloud previously due to HIPAA requirements.
Atlassian has been making big investments in their Cloud products across the board, including creating an environment that meets the demands of their customers' compliance and security requirements.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was put in place to protect the privacy and security of an individual’s Protected Health Information (PHI). Any company that manages PHI must be in compliance with HIPAA, regardless of what industry it's in. Unlike other industry-specific regulations, HIPAA compliance isn’t dependent on the field you work in, but the type of data your organization manages.
Without compliance, companies that manage PHI would not be able to store that data in Atlassian Cloud.
HIPAA is a U.S. federal law developed and introduced by the U.S. Department of Health and Human Services in 1996. Since then, it's been extended several times and had additional rules mandated that were not included in the original law. It was created with the purpose of protecting the privacy and security of an individual’s Protected Health Information (PHI). These safeguards are accomplished through several administrative, physical, and technical processes, including:
Privacy and security measures for protecting PHI
Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rule requirements
An annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
The regular review and retention of HIPAA Privacy and Security policies and procedures
Privacy and security awareness content regarding the protection of PHI
The designation and role definition of a HIPAA Privacy and Security Officer
HIPAA compliance does not depend on the industry an organization is in, but rather the type of data it administers. Below are examples of organizations that come into contact with PHI:
Organizations that provide services or products used to provide medical treatment or collect health information about individuals or groups of individuals
Health plans
Healthcare clearinghouses: Third-party systems that interpret claim data between provider systems and insurance payers
Healthcare providers
Organizations that create, receive, maintain, or transmit PHI on behalf of the above-mentioned customers, including:
Cloud providers to the customers above, like Atlassian (i.e., a “Business Associate”)
Service providers or subcontractors of a Business Associate (e.g., AWS for Atlassian)
It's important for organizations that are subject to HIPAA compliance and want to use Atlassian's Cloud offering to understand the following:
Migrating to Atlassian Cloud is no small feat. It can be a complicated process, especially for organizations with large amounts of data, users, and instances. If you are just starting your Cloud migration journey, I highly recommend reading this blog post, "Prepping for your Atlassian Ground to Cloud Migration," by our very own Solutions Engineer, Nick Nader, and reaching out to Isos Technology for help.
I cannot stress enough how important it is to reach out to a Solution Partner to gain an understanding of Atlassian Cloud and the Cloud migration process. Isos can guide you through what Atlassian's new HIPAA compliance means for your organization, and help you choose the best Cloud offerings for your business. Contact us today to discuss your organization's needs and options.
For more information, visit Atlassian's HIPAA resource page.