Is Confluence HIPAA compliant?

Confluence has been around since 2004, created as an enterprise-grade “knowledge management system,” similar to a wiki.

It’s one of many software products offered by Atlassian, an Australian company that also provides Jira for software development and Trello (which it acquired in 2017) for simple project management.

Note that Atlassian Confluence is not the same entity as Confluence Health, which suffered a HIPAA email breach in 2018.

Why do businesses use Confluence?

Although created to provide a more robust, business-friendly alternative to the wiki, Confluence has evolved into a team collaboration tool that combines several features to facilitate business operations.

In addition to serving as a knowledge base, where documentation and answers to common questions can be easily accessed, Confluence can be used to organize projects, or document meetings and action items.

Confluence also integrates with other Atlassian products, including Jira and Trello, so businesses can combine several tools that work with one another to meet their needs.

Is Confluence useful in the healthcare environment?

Any operation of some complexity could benefit from Confluence, especially where a collaboratively edited and managed wiki format would be helpful.

While the most common uses for Confluence are in software development and IT, it can support a knowledge base for any project or topic, or support powerful meeting minutes and task tracking for any business.

In fact, Atlassian hosts a “virtual coffee shop” for customers using its products in the Research & Healthcare space. This industry group provides a message board for Atlassian users to ask questions, share best practices, and network.

In the healthcare space, however, the chances of working with personally identifiable information (PII) are high. As a result, HIPAA compliance is an important consideration before putting Confluence in place.

How secure is Confluence?

The Atlassian user community does address compliance issues like HIPAA. For example, at the 2019 Atlassian Summit, there was a session focused on “Architecting Atlassian for Healthcare and FDA Compliance.”

Information on HIPAA compliance is also one of the most common topics in Atlassian’s online community, but specific information directly from the company is limited.

Customers are directed to the company’s Trust FAQ and Privacy Policy. Read together, the two documents make the answer clearer.

Confluence and the business associate agreement

A business associate agreement is a written contract between a covered entity and a business associate. It is a required part of HIPAA compliance.

Because information stored in Atlassian’s hosted Cloud solutions can, under certain circumstances, be accessed by Atlassian employees, the company’s FAQ states:


 For our Cloud products, we are not able to sign a Business Associate agreement and we recommend our Server products for companies that need to comply.


Confluence will not sign a BAA for cloud products and makes no mention of signing a BAA under any other circumstances.

Hosting Confluence on your own server

According to Confluence’s Privacy Policy, if you host your own instance of Confluence, security and HIPAA compliance are your responsibility:


 If you use our server or data center Services, responsibility for securing storage and access to the information you put into the Services rests with you and not Atlassian.


Is Confluence HIPAA compliant?

The company expressly states that its cloud services are not HIPAA compliant, and that HIPAA compliance is the customer’s responsibility when hosting on one’s own server.

Conclusion: Confluence’s cloud products are not HIPAA compliant.

In order to maintain HIPAA compliance, you must run Confluence Server on your own infrastructure, and your infrastructure (whether at your own data center or using a service like Amazon Web Services) must be properly secured. You will be responsible for ensuring that your entire system is HIPAA compliant.

Keep in mind that you must sign a BAA with any cloud-based service that you use to store PII, including your email provider.

Paubox Email Suite makes it possible for you to send HIPAA compliant email via your existing email client, such as Outlook or Google Workspace.

About the author

Ryan Ozawa
