One of the most popular software development tools available today is Jira, from Atlassian. It's an issue tracking system that supports agile project management. While Jira is primarily used to manage software projects, track bugs and tasks, and coordinate code changes, it is powerful enough to manage almost any kind of project. And it is usually in these broader use cases that the question of HIPAA compliance comes up. For example, if you use Jira to manage general business tasks, you might include information on employees or hiring candidates. Once Jira or any business application contains information on people, you should raise the HIPAA caution flag and proceed carefully.
What does it mean to be HIPAA compliant?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards for disclosing sensitive patient health information. The HIPAA Privacy Rule specifically addresses the use and disclosure of protected health information (PHI). There is no such thing as a HIPAA certification, or an official test or passing grade. Each covered entity subject to HIPAA must determine whether its policies and procedures are HIPAA compliant. One thing that is not optional is that covered entities must sign a business associate agreement (BAA) with all business associates that they partner with to store or use PHI.
Is Jira Cloud HIPAA compliant?
For cloud-based Jira, Atlassian offers only a standard agreement through its Terms of Service for all cloud product customers; they will not sign a BAA with covered entities. We found a relevant post on the Atlassian community discussion board about HIPAA compliance. On August 7, 2019 the Atlassian team explained:
We're working on HIPAA compliance for Jira Cloud - keep an eye on https://www.atlassian.com/trust/compliance for the latest official updates.
The latest comment from the Atlassian team is from June 12, 2020:
I know that we are working on our strategy and roadmap for HIPAA amongst other endeavors and we'll work to be as transparent as we can be. Certainly happy to know that there is interest in HIPAA and appreciate the comments here.
Conclusion: Jira for the cloud is not HIPAA compliant because Atlassian will not sign a BAA. Keep in mind that you must sign a BAA with any cloud-based service that you use to store PHI, including your email provider. Paubox Email Suite makes it possible for you to send HIPAA compliant email via your existing email client, such as Outlook or Gmail.
Hosting Jira on your own servers
Atlassian also allows customers to install, maintain, and use Jira on their own servers instead of in the cloud. This is the most likely path to HIPAA compliance when using Jira, but it does require that your own business practices, policies, and controls (which extend to your servers) meet HIPAA requirements. These requirements are primarily administrative, not technical, and the CDC provides HIPAA guidance for professionals. In short, if you want to use Jira and be HIPAA compliant, you should run it on your own servers, within business operations that are themselves HIPAA compliant.
What if we host Jira on Amazon Web Services (AWS)?
Of course, in order to maintain HIPAA compliance you must host Jira on a HIPAA compliant web server. Amazon Web Services (AWS) is one example that does offer HIPAA compliance for some of its products (with a signed BAA). Amazon provides specific documentation for AWS customers on how to achieve HIPAA compliance within its hosted server environment.
Conclusion
If you install Jira on your own server:
- You need to verify that your internal infrastructure and configuration are HIPAA compliant.
- Make sure you sign a BAA with your hosting vendor.
- Do not store any PHI because Atlassian will not sign a BAA with your organization.