Paubox blog: HIPAA compliant email made easy

Is Confluence HIPAA compliant?

Written by Ryan Ozawa | August 03, 2020
Confluence has been around since 2004, created as an enterprise-grade "knowledge management system," similar to a wiki. It's one of many software products offered by Atlassian, an Australian company that also provides Jira for software development and Trello (which it acquired in 2017) for simple project management. Note that Atlassian Confluence is not the same entity as Confluence Health, which suffered a HIPAA email breach in 2018.

Why do businesses use Confluence?

Although created to provide a more robust, business-friendly alternative to the wiki, Confluence has evolved into a team collaboration tool that combines several features to facilitate business operations. In addition to serving as a knowledge base, where documentation and answers to common questions can be easily accessed, Confluence can be used to organize projects, or document meetings and action items. And Confluence provides several integrations with other Atlassian products, including Jira and Trello, allowing businesses to use several tools to meet their needs that each work with the other.

 

Is Confluence useful in the healthcare environment?

Any operation of some complexity could benefit from Confluence, especially where a collaboratively edited and managed wiki format would be helpful. While the most common uses for Confluence are in software development and IT, it can support a knowledge base for any project or topic, or support powerful meeting minutes and task tracking for any business. In fact, Atlassian hosts a "virtual coffee shop" for customers using its products in the Research & Healthcare space. This industry group provides a message board for Atlassian users to ask questions, share best practices, and network. In the healthcare space, however, the chances of working with personally identifiable information (PII) are high. As a result, HIPAA compliance is an important consideration before putting Confluence in place.

 

How secure is Confluence?

The Atlassian user community does address compliance issues like HIPAA. For example, at the 2019 Atlassian Summit, there was a session focused on " Architecting Atlassian for Healthcare and FDA Compliance." Information on HIPAA compliance is also one of the most common topics in Atlassian's online community, but specific information directly from the company is limited. Customers are directed to the company's Trust FAQ and Privacy Policy. Together, the answer becomes more clear.

 

Confluence and the business associate agreement

A business associate agreement is a written contract between a covered entity and a business associate. It is a required part of HIPAA compliance. Because the information of Atlassian's hosted Cloud solutions can, under certain circumstances, be accessed by Atlassian employees, the company's FAQ states:
 For our Cloud products, we are not able to sign a Business Associate agreement and we recommend our Server products for companies that need to comply.
Confluence will not sign a BAA for cloud products and makes no mention of signing a BAA under any other circumstances.

 

Hosting Confluence on your own server

According to Confluence's Privacy Policy, if you host your own instance of Confluence, security and HIPAA compliance is your responsibility:
 If you use our server or data center Services, responsibility for securing storage and access to the information you put into the Services rests with you and not Atlassian.

Is Confluence HIPAA compliant?

The company expressly states that its cloud services are not HIPAA compliant, and that HIPAA compliance is the customer's responsibility when hosting on one's own server. Conclusion: Confluence's cloud products are not HIPAA compliant. In order to maintain HIPAA compliance, you must run Confluence Server on your own infrastructure, and your infrastructure (whether at your own data center or using a service like Amazon Web Services) must be properly secured. You will be responsible for ensuring that your entire system is HIPAA compliant. Keep in mind that you must sign a BAA with any cloud-based service that you use to store PII, including your email provider. Paubox Email Suite makes it possible for you to send  HIPAA compliant email via your existing email client, such as  Outlook or  Google Workspace.
 
Try Paubox Email Suite for FREE today.