by Ryan Ozawa
Is Confluence HIPAA Compliant?
Confluence has been around since 2004, created as an enterprise-grade “knowledge management system,” similar to a wiki.
Note that Atlassian Confluence is not the same entity as Confluence Health, which suffered a HIPAA email breach in 2018.
Why do businesses use Confluence?
Although created to provide a more robust, business-friendly alternative to the wiki, Confluence has evolved into a team collaboration tool that combines several features to facilitate business operations.
In addition to serving as a knowledge base, where documentation and answers to common questions can be easily accessed, Confluence can be used to organize projects, or document meetings and action items.
Confluence also integrates with other Atlassian products, including Jira and Trello, so a business can combine several tools that work with one another.
Is Confluence useful in the healthcare environment?
Any operation of some complexity could benefit from Confluence, especially where a collaboratively edited and managed wiki format would be helpful.
While the most common uses for Confluence are in software development and IT, it can host a knowledge base for any project or topic, or provide meeting minutes and task tracking for any business.
In fact, Atlassian hosts a “virtual coffee shop” for customers using its products in the Research & Healthcare space. This industry group provides a message board for Atlassian users to ask questions, share best practices, and network.
In the healthcare space, however, the chances of handling protected health information (PHI), the patient data HIPAA regulates, are high. As a result, HIPAA compliance is an important consideration before putting Confluence in place.
How secure is Confluence?
The Atlassian user community does address compliance issues like HIPAA. For example, at the 2019 Atlassian Summit, there was a session focused on “Architecting Atlassian for Healthcare and FDA Compliance.”
HIPAA compliance is also one of the most common topics in Atlassian’s online community, but specific information directly from the company is limited.
Confluence and the business associate agreement
Because data in Atlassian’s hosted Cloud products can, under certain circumstances, be accessed by Atlassian employees, the company’s FAQ states:
For our Cloud products, we are not able to sign a Business Associate agreement and we recommend our Server products for companies that need to comply.
In other words, Atlassian will not sign a BAA for its cloud products, and it makes no mention of signing one under any other circumstances.
Hosting Confluence on your own server
Atlassian states:
If you use our server or data center Services, responsibility for securing storage and access to the information you put into the Services rests with you and not Atlassian.
Is Confluence HIPAA compliant?
The company expressly states that it will not sign a BAA for its cloud services, which means a covered entity cannot use them for PHI, and that securing the data is the customer’s responsibility when hosting on one’s own servers.
Conclusion: Confluence’s cloud products are not HIPAA compliant.
In order to maintain HIPAA compliance, you must run Confluence Server or Data Center on infrastructure you control, and that infrastructure (whether in your own data center or on a service like Amazon Web Services) must be properly secured. You will be responsible for ensuring that the entire system meets the HIPAA Security Rule safeguards, including access control, audit logging, encryption in transit and at rest, and backups, for the Confluence host, its database, and any attached storage.
Keep in mind that you must sign a BAA with any cloud-based service you use to store or transmit PHI, including the infrastructure provider that hosts your self-managed Confluence instance and your email provider.