...
It is not related to GDPR, but is included here as a closely related topic. See https://www.atlassian.com/trust/compliance/resources/hipaa for more context.
Atlassian FAQs
Customer-facing FAQ answers from Atlassian: https://atlassianpartners.atlassian.net/wiki/spaces/resources/pages/342655180/HIPAA+Compliance+Overview
| Question | Response |
|---|---|
| Why is Atlassian expanding HIPAA availability across all paid plans? | We listened to customer feedback and an overwhelming amount of smaller teams expressed the need for HIPAA compliance. We believe in a cloud-first future for all of our customers and decided to invest in additional automation that would enable us to expand HIPAA compliance beyond the Enterprise plan. We are currently working through the details of implementation and will share once HIPAA is available across all paid plans. Our Enterprise plan continues to be the best choice for enterprise customers and includes a number of features like BYOK, multiple instances, Atlassian Analytics, and Atlassian Access included for free with every purchase. |
| Will Atlassian sign customer BAAs? | No, Atlassian’s BAA is carefully and specifically drafted and structured to reflect the manner that Atlassian offers its products and services, and Atlassian’s privacy and security program. Due to our company’s emphasis on providing high-quality products to a large customer base under a uniform compliance program, we do not sign customer BAAs. However, we do listen to customer feedback, track and collect it, so if you have some feedback on our BAA, please let us know. |
| Are marketplace apps included in this compliance? | No, our BAA only covers Jira Software Cloud, Confluence Cloud, and JSM Cloud products. Marketplace apps integrated with Atlassian products are not covered by a Customer’s BAA with Atlassian. Customers must assess their use of each marketplace app and determine if they need a BAA with the app in order to meet their compliance needs. |
Atlassian Platform HIPAA support
Atlassian provides comprehensive privacy and security protections that enable customers to operate Atlassian products in compliance with HIPAA.
...
As we see it, enabling HIPAA is done at the Atlassian product (Jira/Confluence) level in order to apply “protection” to specific typed/identified/tagged data-holding entities such as Jira custom fields, limiting search and (we expect) remote access from apps like JEMHC.
HIPAA certification/compliance
According to https://www.atlassian.com/trust/compliance/resources/hipaa/requirements:
At present, there’s no certification in relation to HIPAA. The agencies that certify health technology don’t approve software or empower independent certifying authorities to accredit business associates or covered entities with a HIPAA attestation. Therefore, there is no official certification to say that we comply with HIPAA. However, our cloud products undergo independent verification of the operational effectiveness of their security, privacy, and compliance controls on an annual basis. An independent certifying authority has performed an audit and confirmed that Atlassian has the required controls and practices in place to ensure all HIPAA regulations are being adhered to.
We have passed a SOC2 (type 1) audit and are currently undergoing a SOC2 (type 2) audit.
How We/JEMHC enable HIPAA compliance
Based on the structure used in https://www.atlassian.com/trust/compliance/resources/hipaa/requirements, in the fullness of time, we will complete the following:
Risk management
Reduce risks and vulnerabilities, and conduct periodic technical and non-technical evaluations in response to environmental or operational changes.
...
AWS logs are retained for 12 months. We log very limited data.
...
Our GDPR contact addresses are as follows:
UK: dpo@dataguard.co.uk. You can also use privacy@thepluginpeople.com to talk to us about any privacy issue.
...
Business Associate Agreement
BAAs require legal oversight; we do not have one at this time. We are currently undergoing a SOC2 audit (type 1 passed, type 2 currently underway) as a Business Associate of customers processing Protected Health Information (PHI).
Atlassian has a BAA (https://www.atlassian.com/legal/business-associate-agreement) for its hosted environments; it does not include apps.
What is a Business Associate Agreement (BAA)?
The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
JEMHC BAA
(1) establish the permitted and required uses and disclosures of protected health information by the Business Associate;
(2) provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) require the Business Associate to report to the Covered Entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the Business Associate to disclose protected health information as specified in its contract to satisfy a Covered Entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the Business Associate is to carry out a Covered Entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
(7) require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the Business Associate on behalf of, the Covered Entity for purposes of HHS determining the Covered Entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the Business Associate to return or destroy all protected health information received from, or created or received by the Business Associate on behalf of, the Covered Entity;
(9) require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
(10) authorize termination of the contract by the Covered Entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and Business Associates that are subcontractors are subject to these same requirements.
A draft Business Associate Agreement for JEMHC is now available for review/comment.
Further Information
If you need more, feel free to log a support ticket with us: