Jira Service Management is Now HIPAA Compliant

Untitled-2345 Good news for companies that are subject to HIPAA—Jira Service Management Cloud Enterprise is now HIPAA compliant! Atlassian continues to invest in its Cloud product on all fronts, including enhancing its features and functionality, and growing its compliance certifications. In fact, JSM is just the latest addition to the Atlassian solutions that are now HIPAA compliant—in Q1 of 2022, the company announced Jira Software and Confluence Cloud Enterprise have met the criteria as well.

Here’s what you need to know about Atlassian and HIPAA compliance, including some useful links!

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual’s Protected Health Information (PHI). The HIPAA Security Rule was established to protect individuals’ health information and ensure the security, integrity, and confidentiality of this data. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as other third parties, known as “Business Associates,” that create, receive, maintain, or send PHI.

Which Atlassian products are HIPAA compliant?

What does Atlassian mean when they say these products are HIPAA compliant?

Atlassian provides comprehensive privacy and security protections that enable its customers to operate its products in compliance with HIPAA. These include:

Security measures for protecting PHI
Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rules
An annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
The regular review and retention of HIPAA Security policies and procedures
Security awareness content regarding the protection of ePHI, and
The designation and role definition of a HIPAA Security Officer

How does Atlassian meet HIPAA requirements?

Atlassian works with an independent, third party on an annual basis to verify that it has the necessary controls and practices in place to satisfy HIPAA requirements, and ensure all the required regulations are being adhered to. This includes requirements around risk management, workforce security, information access management, incident response management, security and privacy responsibilities, security awareness and training, contingency planning, business associate contracts, physical security and endpoint controls, policies and procedures, and transmission security.

Atlassian has a chart on its website that explains in detail how they meet each of these requirements.

Do I have to do anything on my end?

Great question! Yes, If your organization is subject to HIPAA compliance, and you are using or are planning to use Atlassian Jira Software, Confluence, or Jira Service Management to create, send, receive, or maintain PHI, you must be on a standard, premium, or enterprise plan and enter into a Business Associate Agreement with Atlassian that covers the applicable products and services.

You must also make sure your instance is set up properly so that you can use it in a HIPAA-compliant way. To help you meet this need, Atlassian provides a HIPAA Implementation Guide. You can also reach out to us here at Isos Technology. We would be happy to lend our expertise to help you navigate this important and complex regulatory landscape.

Helpful Resources

Explore The Atlassian Trust Center Compliance Resource Center to see all their certifications.
Learn more about Atlassian and HIPPA compliance on the Atlassian HIPPA landing page.
View the chart to explore in detail of each HIPAA requirement and how Atlassian is meeting it.
Explore the Atlassian Cloud Roadmap to learn what’s next for Atlassian and HIPAA compliance.

Read the HIPAA Implementation Guide to learn how to use Atlassian tools in a HIPAA-compliant way.