
Is Jira HIPAA compliant? (Update 2024)


Jira is a widely used project management and issue-tracking software developed by Atlassian. It helps teams plan, track, and manage their work efficiently. Created for software development teams, Jira has expanded its use to various industries and teams with different workflows.

Cloudwards says Jira is part of their “best project management software.”

Is Jira HIPAA compliant? Yes, based on our research, Jira is HIPAA compliant.


Will Jira sign a business associate agreement (BAA)?

Yes, Jira will sign a business associate agreement through Atlassian, which can be reviewed here.

Learn more: Overview of Atlassian’s HIPAA compliance


What does the Atlassian BAA cover?

The Atlassian (Jira) BAA covers the use and disclosure of protected health information (PHI), stating, "This BAA is applicable only to the extent that Customer has an active Subscription Term for a HIPAA-Qualified Cloud Product and has configured such HIPAA-Qualified Cloud Product in accordance with the specifications provided in Section 5 of this BAA."

Their BAA covers:

  • Protection of PHI
  • Implementation and use of appropriate technical, physical, and administrative safeguards
  • Disclosures required by law
  • Breach notification
  • Sharing of the minimum necessary information


What does the Atlassian (Jira) BAA exclude?

Atlassian’s BAA outlines various limits and restrictions concerning the handling and disclosure of PHI according to the Health Insurance Portability and Accountability Act (HIPAA) and its regulations. These include:

Use and disclosure limits: The BAA specifies limitations on the use and disclosure of PHI by the business associate (Atlassian). This is stated in Section 3.1 (a): "With regard to its use or disclosure of PHI, Business Associate agrees to: not use or disclose PHI except as permitted or required by this BAA or as otherwise Required by Law." 

Minimum necessary standard: The BAA requires that only the minimum amount of PHI necessary should be used or disclosed to accomplish the intended purpose, seen in Section 3.1 (j): "Request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure."

Prohibition on remuneration: In Section 3.1 (k), the BAA prohibits the Business Associate from receiving remuneration in exchange for any PHI. 

Communication restrictions: The BAA prohibits the Business Associate from making certain communications about products or services. Here's the relevant quote: "Not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3)." (Section 3.1(l))



Jira (Atlassian) signs a BAA and is therefore HIPAA compliant.

See also: HIPAA Compliant Email: The Definitive Guide



What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.

Related: What is the purpose of a business associate agreement?


What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.


Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
