Atlassian changes will complicate HIPAA compliance

Atlassian, which provides a number of popular software development tools like Jira, Confluence, and Trello, has announced changes to its server and data center products as it shifts to be “a cloud-first company.”

Specifically, Atlassian is eliminating the self-hosted “Server” option for its products (Jira and Jira Service Desk, Confluence, Bitbucket, and Crowd), encouraging customers to switch to the Data Center or Atlassian Cloud option instead.

The move is described as “simplifying our self-managed offerings,” but it has a significant impact on customers in the healthcare and medical space, which often rely on having complete control over infrastructure to ensure HIPAA compliance.

What is the difference between Server and Data Center product lines?

Atlassian currently allows Server customers to download, install, host, and run its software on their own hardware, whether on premises or through cloud hosting services like Amazon Web Services (AWS).

With Server products, “you can customize your setup however you’d like,” the company explains.

“Administrators of our server products have full access to the database, which allows admins full control over customization and administration,” Atlassian adds. “[And] since you’re hosting it, you can control network access policies yourself.”

The Data Center option, meanwhile, allows customers to use and administer Atlassian software on Atlassian infrastructure. The company says the Data Center products offer “the same functionality as our server products but have additional capabilities to better serve enterprise organizations.”

The key difference, of course, is that Server customers have ownership and complete control over the hardware on which Atlassian software runs. The Data Center option is hosted by Atlassian, although Data Center customers have a great deal of control over that hosted system—especially when compared to Atlassian Cloud offerings.

Why is Atlassian making this change?

By declaring itself a “cloud-first company,” Atlassian clearly believes its future lies in the Atlassian Cloud product line.

The company had already been pushing Server clients to switch to its Data Center products. But with this latest announcement, Atlassian hints that even its Data Center offerings will eventually be put out to pasture.

“Today, the majority of [customers] already benefit from the advantages of Cloud, with more server and Data Center customers making the switch every day,” the company says on its Journey to Cloud web page. “If you aren’t ready to move to cloud, we’ll continue to offer our self-managed enterprise edition, Data Center.”

Notably, price increases for Data Center are part of the “bold changes” the company is introducing with this announcement.

When will the changes take effect?

In the October announcement, Atlassian said it will stop selling new Server licenses on February 2, 2021. Three years later, on February 2, 2024, Atlassian will end support for its Server products, which means support and bug fixes will no longer be available.

Because well-managed enterprise IT systems require active support and regular updates to fix security vulnerabilities, Server customers will need to transition to another system by the 2024 deadline.

What does this mean for HIPAA compliance?

As we found when looking into the HIPAA ramifications for Jira and Confluence, the Terms of Service for Atlassian’s Cloud offerings prohibit submitting or receiving “Sensitive Personal Information” on its Cloud Products, which includes “patient, medical or other protected health information regulated by HIPAA.”

Further, Atlassian says it will not sign a business associate agreement, and that “we recommend our Server products for companies that need to comply.”

Now the company’s Server products are going away. As for Data Center?

“If you use our Server or Data Center services, responsibility for securing storage and access to the information you put into the Services rests with you and not Atlassian.”

A company representative did post that “we’re working on HIPAA compliance for JIRA Cloud” in 2019.

Conclusion

We already determined that Jira Cloud products are not HIPAA compliant, and that self-hosted Server installs would be the only way to attempt HIPAA compliant use of Atlassian products.

With the company’s Server line being retired in 2024, it is likely that no Atlassian software will be HIPAA compliant after that point.

About the author

Ryan Ozawa
