Understand HIPAA compliance for Atlassian apps
Atlassian's Health Insurance Portability and Accountability Act (HIPAA) solution enables you to operate Atlassian apps as per your HIPAA compliance obligations. HIPAA is a federal regulation developed by the United States Department of Health and Human Services. It is designed to protect the privacy and security of people's protected health information (PHI).
HIPAA applies to covered entities and business associates that create, receive, maintain, access or send PHI.
It is your responsibility to ensure your compliance with HIPAA and determine whether you must enter into a Business Associate Agreement (BAA) with Atlassian.
We can sign BAAs for Standard, Premium, and Enterprise plans for Jira, Jira Service Management, and Confluence. Free and trial plans are not eligible to sign BAAs. Learn how to sign a BAA
To operate Atlassian apps to support your HIPAA compliance needs, you will need to take the following steps:
Sign a Business Associate Agreement (BAA) with Atlassian: A BAA is a written contract between a business associate and a covered entity or another business associate. The BAA outlines the terms and conditions to safeguard Protected Health Information (PHI). Learn how to sign a BAA
Tag Atlassian apps: Tagging apps involves marking or labelling certain apps that contain protected health information (PHI) so that they can be identified and treated in accordance with HIPAA regulations. Learn how to tag Atlassian apps
Configure your apps: You must follow the steps outlined in the HIPAA Implementation Guide to configure your app settings. This will help ensure you are using our apps in a HIPAA-compliant manner. Learn how to configure your apps in accordance with the HIPAA Implementation Guide
When you add new Atlassian apps to a site or later tag an app to enable HIPAA, you will also need to deactivate AI for all apps on that site. Always double-check this setting, as AI can be on by default when new Atlassian apps are added.
It’s important to remember that HIPAA compliance is a shared responsibility between Atlassian and you. Completing these steps won't automatically guarantee your compliance with HIPAA, you must also ensure that you follow HIPAA best practices.
Was this helpful?