...
As we see it, enabling HIPAA is done at the Atlassian product (Jira/Confluence) level in order to apply “protection” to specific typed/identified/tagged data-holding entities such as Jira Custom Fields, limiting search and (we expect) remote access from apps like JEMHC.
HIPAA certification/compliance
According to https://www.atlassian.com/trust/compliance/resources/hipaa/requirements:
At present, there’s no certification in relation to HIPAA. The agencies that certify health technology don’t approve software or empower independent certifying authorities to accredit business associates or covered entities with a HIPAA attestation. Therefore, there is no official
...
certification to say that we comply with HIPAA. However, our cloud products undergo independent verification of the operational effectiveness of their security, privacy, and compliance controls on an annual basis. An independent certifying authority has performed an audit and confirmed that Atlassian has the required controls and practices in place to ensure all HIPAA regulations are being adhered to.
We have passed a SOC2 (type 1) audit and are currently undergoing a SOC2 (type 2) audit.
How We/JEMHC enable HIPAA compliance
Based on the structure used in https://www.atlassian.com/trust/compliance/resources/hipaa/requirements, in the fullness of time, we will complete the following:
Risk management
Reduce risks and vulnerabilities, and conduct periodic technical and nontechnical evaluations in response to environmental or operational changes
...
Business Associate Agreement
BAAs require legal oversight; we do not have one at this time. We are currently undergoing a SOC2 audit (type 1 passed, type 2 currently underway) as a Business Associate of customers processing Protected Health Information (PHI).
Atlassian has a BAA (https://www.atlassian.com/legal/business-associate-agreement) covering their hosted environments; it does not include apps.
What is a Business Associate Agreement
The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
JEMHC BAA
TODO
Further Information
If you need more, feel free to log a support ticket with us: