
This chart is designed to help organizations that must comply with the Health Insurance Portability and Accountability Act (HIPAA) understand how we support HIPAA compliance.

If you have an existing Atlassian contract or would like to learn more about how these requirements could apply to your organization, please contact us.


Requirement

Description

How we are meeting this requirement

Risk management

Description

Reduce risks and vulnerabilities, and conduct periodic technical and nontechnical evaluations in response to environmental or operational changes

How we are meeting this requirement

Annually, we perform a Gap Assessment, update our Security Risk Analysis, and obtain a HIPAA Attestation from an independent certifying authority.

We perform risk assessments that include the identification, assessment, assignment, acceptance, remediation, and other relevant management activities, to ensure we operate within the agreed-upon risk appetite and relevant legal and regulatory requirements. We continuously evaluate the design of controls and mitigation strategies, including recommending changes in the control environment. We maintain a risk and controls matrix within our Governance, Risk, and Compliance (GRC) tool.

Workforce security

Description

Background screening and proper termination procedures

How we are meeting this requirement

New Atlassians, globally, are required to complete a background check upon accepting an offer of employment. A comprehensive set of background checks is automatically triggered and run on all new hires, as well as on independent contractors.

Our employees and contractors who have access to confidential information are bound by their employment contracts and confidentiality deeds to ensure that information security responsibilities and duties remain valid after termination or change of employment, and after the end of contractual relationships.

Description

Sanctions against workforce members

How we are meeting this requirement

During onboarding, every new employee must acknowledge our company Code of Business Conduct and Ethics policy, as well as complete Security Awareness training. Formal sanctions exist and are employed for individuals failing to comply with established information security policies and procedures.

Information access management

Description

Authorization of access for employees who work with ePHI

How we are meeting this requirement

Active Directory role membership is automatically assigned based on a user’s department and team and is restricted to those that need such access. If a user transfers to another team, an alert is generated that triggers follow-up and removal of legacy access where appropriate. System or service owners have been designated as approvers to grant or modify user access within Active Directory access levels for various systems.

Privileged access to production environments is restricted to authorized and appropriate users only.

Access to our internal network and tools is restricted to authorized users via logical access measures. Each user account must:

  • have an active Active Directory account, and
  • be a member of the appropriate Active Directory group.

Description

Appropriate granting of access (least privileged basis)

Description

Terminate a session after predetermined time of inactivity

How we are meeting this requirement

Desktop and mobile applications have a maximum user session timeout based on our standard operating procedures (8 to 24 hours for desktop sessions, 30 to 90 days for mobile sessions).

A screensaver is enforced on both macOS and Windows endpoints, with a requirement to enter a password to unlock it.

Incident response management

Description

Audit logging/detection (including monitoring of login attempts)

How we are meeting this requirement

We retain and secure event logs against loss or tampering. We review access to logs periodically. We have enabled logging within our AWS environment and direct those logs to Splunk. We have deployed automated alerts for AWS as well as all HIPAA-qualified cloud events based upon known and prior security events and incidents.

We maintain a review process to tune and optimize our alerts and remove false positives. We have a dedicated automation engineer to streamline the alert development and triage process.

Description

Identify and respond to suspected or known security incidents. Mitigate and document the incidents and their outcomes

How we are meeting this requirement

We have implemented an organization-wide incident management process, with the Security team responsible for the program, which comprises:

  • recording every action taken while managing an incident in the Incident Management System under an incident ticket. Records must include:
    • incident start time
    • incident description
    • severity
    • services affected
    • impact
    • number of affected customers
    • root cause
    • actions taken
    • affected SLOs (capabilities impacted)
  • associating problems, where possible, with the underlying cause and/or grouping them together into parent incidents
  • completing a Post Incident Review (PIR) after Major and Critical Incidents

Security responsibility

Description

Identify an individual responsible for the development and implementation of the HIPAA security compliance program

How we are meeting this requirement

We have a dedicated HIPAA Security Officer. Our Security Officer understands their responsibilities, the HIPAA Security Rule, and how those requirements apply to our products.

Privacy responsibility

Description

Identify an individual responsible for the development and implementation of the HIPAA privacy compliance program

How we are meeting this requirement

We have a dedicated HIPAA Privacy Officer. Our Privacy Officer understands their responsibilities, the HIPAA Privacy Rule, and how those requirements apply to our products.

Security awareness and training

Description

User awareness training

How we are meeting this requirement

As part of the Atlassian Security Awareness program, all employees are required to complete training annually. Additionally, we distribute security-related awareness exercises and communications ad hoc throughout the year.

Contingency planning

Description

Procedures to enable continuation of critical business processes

How we are meeting this requirement

We have defined, reviewed, and tested procedures for Disaster Recovery execution. The policy describes, at a high level, the purpose, objectives, scope, recovery time objective, recovery point objective, and roles/responsibilities. We test formal business continuity and disaster recovery plans on a quarterly basis. In support of contingency plan components, we assess services and systems for their criticality annually.

We perform and test backups and restores of applications, systems, and configurations associated with the Atlassian assets in line with our standard operating procedures.

Business associate contracts

Description

Business Associate Agreements contain satisfactory assurances that your data will be appropriately safeguarded by Atlassian and third-party suppliers

How we are meeting this requirement

We provide assurances that we will appropriately safeguard your information, and will only use or disclose your information as permitted or required wherever we create, receive, maintain, or transmit PHI on your behalf. These assurances are captured in Business Associate Agreements with you. We have also created an Implementation Guide that provides instructions to customers on how they should use and configure our services to ensure they are also appropriately safeguarding information.

Additionally, we ensure relevant third-party suppliers will protect your PHI by requiring them to sign Business Associate Agreements with us.

Physical security and endpoint controls

Description

Safeguard physical facilities and equipment from tampering or theft

How we are meeting this requirement

All of our staff and contractors are issued a security badge when onboarding to gain physical access to a facility. Upon termination and close of a profile in our Human Resources Information System, our system automatically revokes physical access.

We issue temporary badges to visitors at local sites. Visitors must return guest passes when they leave the building. If cards are not returned, we automatically terminate those badges.

Description

Implement physical safeguards for all workstations that access ePHI

How we are meeting this requirement

We have implemented a Zero Trust network that only allows access from known devices enrolled in a management platform. We have placed our applications into security tiers depending on the data they store and the systems they connect to. The tiers are High Tier, Low Tier, and Open Tier. The type of device and its security posture are assessed to determine which applications it can access.

We manage disk encryption, password lock, and security patching on all macOS and Windows laptops.

We have configured USB mass storage devices as read-only on all Atlassian-issued macOS and Windows machines.

Description

Procedures to address the final disposition of ePHI and the hardware on which it is stored

How we are meeting this requirement

We wipe any returned laptop before it is redeployed or disposed of. A lost/stolen laptop procedure is also in place to ensure data is not stolen.

Policies and procedures

Description

Retain documentation for 6 years from the date of its creation, or the date when it was last in effect

How we are meeting this requirement

All of our policies are reviewed at least annually by the designated policy owner and are retained indefinitely. To view a snapshot of our policies, visit Our Atlassian Security & Technology Policies.

Our Privacy Policy can be found here.

Transmission security

Description

Security measures to ensure that ePHI is not improperly modified

How we are meeting this requirement

We encrypt all HIPAA-qualified cloud products' data at rest. Additionally, we encrypt data transmitted over public networks and ensure the data reaches its intended destination.

External users connect to HIPAA-qualified cloud products using encrypted traffic via the SSL protocol.

Description

Mechanisms to encrypt ePHI whenever it is deemed appropriate

Certification

At present, there’s no certification in relation to HIPAA. The agencies that certify health technology don’t approve software or empower independent certifying authorities to accredit business associates or covered entities with a HIPAA attestation. Therefore, there is no official certification to say that we comply with HIPAA. However, our cloud products undergo independent verification of the operational effectiveness of their security, privacy, and compliance controls on an annual basis. An independent certifying authority has performed an audit and confirmed that Atlassian has the required controls and practices in place to ensure all HIPAA regulations are being adhered to.