If your organization operates under HIPAA and your teams use Jira or Confluence, you’ve probably asked: can we put protected health information in here? The answer is yes — with the right setup. Atlassian Cloud supports HIPAA compliance, but it takes deliberate configuration before any PHI enters your environment.
Atlassian Cloud and HIPAA: What’s Actually Supported
Atlassian Cloud supports HIPAA compliance for three products: Jira, Jira Service Management, and Confluence. If your organization handles protected health information and uses these tools, Atlassian can act as a business associate under HIPAA — provided you’ve signed a Business Associate Agreement and completed the required configuration.
A few important qualifications upfront:
- BAAs are available on Standard, Premium, and Enterprise plans only. Free and trial plans are not eligible.
- HIPAA support covers Jira, JSM, and Confluence. It does not extend to Trello, Bitbucket, Loom, Statuspage, or other Atlassian products.
- Completing the setup steps does not automatically make your organization HIPAA-compliant. HIPAA compliance is a shared responsibility between Atlassian and your team.
That last point matters more than it might seem. Atlassian handles the infrastructure side: secure storage, encryption in transit, access controls, and certifications. Your organization is responsible for how PHI is entered and used, who can access it, staff training, and how third-party integrations are managed. More on that later.
Step 1: Sign a Business Associate Agreement
Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on your behalf must sign a Business Associate Agreement. That includes Atlassian.
Atlassian provides a standard BAA that you initiate through Atlassian Admin. Once you submit the request, Atlassian sends the BAA to your designated signatory by email. The signatory has 90 days to review and execute it. If the window lapses, you’ll need to restart the process.
The Atlassian BAA covers the products you tag for HIPAA, not your entire Atlassian environment. If you later add products or sites that will contain PHI, those need to be covered under the BAA too.
Before you sign, confirm:
- You’re on an eligible plan (Standard, Premium, or Enterprise)
- You know which products and sites will contain PHI
- Your designated signatory has authority to execute the agreement
Step 2: Tag Apps to Enable HIPAA and Disable AI
Once the BAA is signed, the next step is tagging the apps that will contain PHI. Tagging tells Atlassian which products are in scope for HIPAA protections under your BAA — and it’s not just an administrative label. Tagging activates HIPAA-specific controls for those apps.
It also triggers two requirements that affect your entire organization, not just the tagged products.
AI must be disabled across all apps. When you tag any app for HIPAA, Atlassian Intelligence and all AI features must be turned off for every app in your organization. This is a significant operational consideration for teams that rely on AI-powered features in Jira or Confluence. The tradeoff is non-negotiable: PHI and Atlassian AI cannot coexist in the same organization.
Customer Service Management must be deactivated. If your organization uses Service Collection or Customer Service Management, that app must be deactivated before HIPAA can be enabled.
All of this is managed in Atlassian Admin under your organization settings.
Step 3: Configure Notifications and PHI Field Restrictions
Tagging apps enables HIPAA controls, but configuration doesn’t stop there. The HIPAA Implementation Guide outlines notification settings and usage restrictions your team must implement and enforce before going live with PHI.
Notification settings
Notifications are one of the most common ways PHI accidentally leaves a controlled environment. Atlassian’s requirements here are specific:
- Confluence: Push notifications must be disabled entirely.
- Jira and Jira Service Management: Push and email notifications must use HIPAA-safe templates, which omit issue content and limit what’s transmitted. Automation rules must be reviewed to ensure they don’t pass PHI through notification payloads.
- Jira Service Management specifically: Enable “Safe customer notifications” and “HIPAA-compliant alert notifications” in your JSM compliance settings.
PHI field restrictions
Not all fields in Atlassian products are covered under HIPAA controls, even in a tagged app. PHI must not be entered in the following locations, as they can appear in notifications, logs, or UI elements that sit outside the protected scope:
- Work item type names, statuses, and workflow configuration fields
- Custom field names and labels
- Space names and space keys in Confluence
- Page titles
- Attachment filenames
PHI belongs in the body of issues, pages, and comments — not in structural or metadata fields. Getting this right requires training your teams, not just configuring the software.
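One way to enforce the field restrictions above is to periodically audit the metadata locations listed (work item types, statuses, custom field names, space names and keys, page titles, attachment filenames) for PHI-like values before they ever reach a notification or log line. The script below is an added example, not Atlassian's code or part of the HIPAA Implementation Guide; the metadata export is constructed to resemble what a Jira/Confluence REST export would give you, and the scope names and detection patterns are my own assumptions to be tuned to your identifiers.

```python
"""Audit Atlassian metadata fields for PHI-like values (added example)."""
import re

# Locations the HIPAA guide says must never hold PHI. Scope names are
# an assumption for this example, not Atlassian API field names.
RESTRICTED_SCOPES = (
    "work_item_types", "statuses", "custom_field_names",
    "space_names", "space_keys", "page_titles", "attachment_filenames",
)

# Heuristic detectors; assumed patterns, tune to your organization's
# identifier formats (MRN layout, name conventions, etc.).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b.*?\d{1,4}[/-]\d{1,2}[/-]\d{1,4}",
                      re.IGNORECASE),
    "patient_name": re.compile(r"\bpatient[:\s]+[A-Z][a-z]+ [A-Z][a-z]+", re.IGNORECASE),
}


def audit_metadata(metadata):
    """Return (scope, value, pattern_name) for every restricted-scope value
    that looks like PHI. Body content (issues, pages, comments) is allowed
    to hold PHI, so only RESTRICTED_SCOPES are inspected."""
    findings = []
    for scope in RESTRICTED_SCOPES:
        for value in metadata.get(scope, []):
            for name, pattern in PHI_PATTERNS.items():
                if pattern.search(value):
                    findings.append((scope, value, name))
    return findings


# Constructed sample export; not real data and not a real API response.
SAMPLE_METADATA = {
    "work_item_types": ["Bug", "Intake - Patient John Smith"],
    "statuses": ["Open", "Done"],
    "custom_field_names": ["Priority", "SSN 123-45-6789"],
    "space_names": ["Care Coordination"],
    "space_keys": ["CARE"],
    "page_titles": ["Discharge checklist", "MRN 0045871 treatment plan"],
    "attachment_filenames": ["policy.pdf", "DOB 04-12-1980 labs.pdf"],
    "issue_bodies": ["Patient: Jane Doe, MRN 9981234"],  # body: not audited
}

if __name__ == "__main__":
    for scope, value, kind in audit_metadata(SAMPLE_METADATA):
        print(f"{scope}: {value!r} looks like {kind}")
```

Feed it the real values pulled from your tagged products' admin or REST exports and treat any finding as a training and cleanup item, since those fields sit outside the protected scope.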
Shared Responsibility: What Atlassian Handles vs. What You Own
Understanding where Atlassian’s responsibility ends and yours begins is essential before going live with PHI.
Atlassian’s side:
- Encrypted storage and data in transit
- SOC 2 Type II and ISO 27001 certifications
- Physical and infrastructure security
- BAA obligations for the covered products
Your side:
- Correct configuration before any PHI is entered
- Access controls: who can view, edit, and export PHI within Jira and Confluence
- Staff training on PHI field restrictions and proper usage
- Monitoring and auditing access within your Atlassian environment
- Incident response procedures if a breach occurs
As Atlassian notes, completing the setup steps does not automatically guarantee HIPAA compliance. Your organization must also ensure users follow HIPAA best practices and that your internal processes meet the regulation’s requirements.
Third-party Marketplace apps
This is where many organizations introduce compliance risk without realizing it. If you use third-party apps from the Atlassian Marketplace integrated with your HIPAA-tagged products, Atlassian’s BAA does not extend to those apps. Each vendor whose integration processes PHI needs its own BAA with your organization.
Before any Marketplace app goes live in a HIPAA environment, ask: does this integration handle PHI? If yes, do you have a signed BAA with that vendor? This applies to automation tools, reporting apps, integrations, and any other third-party add-ons connected to your environment.
Key Limitations to Know Before You Start
A quick summary of the most important constraints:
- Product scope: BAA covers Jira, JSM, and Confluence only. Trello, Bitbucket, Loom, and Statuspage are not covered.
- Plan eligibility: Free and trial plans cannot sign a BAA. Standard, Premium, or Enterprise is required.
- AI is off-limits: All Atlassian Intelligence and AI features must be disabled org-wide. There is no partial exception.
- Third-party apps: Each Marketplace integration that handles PHI needs its own BAA.
- Configuration before PHI: All setup must be completed before any protected health information enters the environment.
Ready to Configure Atlassian Cloud for HIPAA?
Getting HIPAA configuration right is a prerequisite — not something to sort out after teams have already started using the platform. With the right setup, Jira and Confluence can be a solid foundation for healthcare teams that need secure, collaborative project and service management.
If you’d like help working through the configuration or assessing whether your current Atlassian environment meets HIPAA requirements, get in touch with our team.