Confluence HIPAA Compliance: Requirements, BAA, and Setup Guide



Kevin Henry

HIPAA

May 07, 2026

6 minutes read

Business Associate Agreement Overview

A Business Associate Agreement (BAA) is a contract that defines how a business associate safeguards Protected Health Information (PHI) on behalf of a covered entity. For Confluence Cloud, Atlassian acts as the business associate and requires that you execute a BAA before any PHI is uploaded or processed in Confluence. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))

The BAA applies only to HIPAA-qualified, eligible Atlassian cloud products that you actively configure for HIPAA. It does not automatically cover Atlassian Analytics, AI/Rovo features, early access/beta features, or any third-party Marketplace apps; those must be evaluated and, where applicable, governed by their own BAAs. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Eligible Confluence Plans for BAA

Confluence Cloud Standard, Premium, and Enterprise plans are eligible to sign a BAA with Atlassian. Free and trial plans are not eligible, and this HIPAA program is not available in Atlassian Government Cloud. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))

Standard and Premium customers can complete the BAA through a self-serve flow in Atlassian Administration, while Enterprise customers work with their Atlassian representative to execute the BAA. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))


Configuring Confluence for HIPAA

Step 1: Sign the BAA

  • In Atlassian Administration, go to Security > Data protection > HIPAA compliance > Health Insurance Portability and Accountability Act (HIPAA) > Sign a BAA, then submit the requested details for your legal signatory. Enterprise customers should contact their Atlassian representative. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))

Step 2: Tag Confluence to enable HIPAA

  • From the same HIPAA compliance area, select Tag apps and tag your Confluence Cloud instance(s). Only PHI in tagged apps is treated per HIPAA and your BAA. Tagging may also change notification behavior (for example, redacting content). ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/tag-products-to-enable-hipaa/))

Step 3: Apply required Data Protection Settings

  • Use the HIPAA dashboard under Security > Data protection to confirm Confluence is tagged and to review any remaining actions from Atlassian’s HIPAA Implementation Guide. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/tag-products-to-enable-hipaa/))

Step 4: Deactivate AI for your organization

  • You must ensure no Atlassian apps in your organization have AI enabled. You’ll complete AI feature deactivation in the next section, then return here to verify compliance status. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Step 5: Configure safe notifications

  • Disable Confluence push notifications at the site level; keep email notifications enabled (templates omit content that could contain PHI). Detailed steps follow in the Notifications section. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Step 6: Restrict PHI in specific fields

  • Do not place PHI in Confluence titles, space names, or space keys. These values appear broadly in the UI, URLs, and notifications. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Step 7: Review connected apps and integrations

  • Assess all Marketplace and external integrations; only eligible Atlassian apps covered by your BAA are in scope. Obtain separate BAAs where needed for third-party tools. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Deactivating AI Features

Block Rovo/AI features for Confluence

  • In Atlassian Administration, open Rovo > Rovo access.
  • Select Add app, choose Confluence, then Block access to disable all current and upcoming AI features for Confluence. Repeat as needed for other apps on the same site. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/activate-atlassian-intelligence-for-products/))

Verify organization-wide AI Feature Deactivation

  • Ensure every app in your organization that could access Confluence data has AI disabled. If any Jira-family app retains AI, common AI experiences (for example, Rovo search/chat) may still surface. Allow time for changes to propagate. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/activate-atlassian-intelligence-for-products/))
  • Atlassian’s HIPAA Implementation Guide requires AI to be deactivated across all Atlassian apps in your org for HIPAA use. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Managing Notification Settings

Turn off push notifications for Confluence

  • In Confluence, go to Settings > Configuration > Further Configuration, select Edit, and deselect Push Notifications, then Update. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
  • Admins can centrally control email and push notifications for the site from this area. ([support.atlassian.com](https://support.atlassian.com/confluence-cloud/docs/subscribe-to-email-notifications/))

Email notifications

  • You may keep email notifications enabled because Atlassian’s templates are designed to avoid including content that could contain PHI; still ensure users don’t embed PHI in fields that appear in notifications. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Avoiding PHI in Confluence Fields

To reduce disclosure risk through URLs, indexes, or notifications, never place PHI in these Confluence fields:

  • Titles (page, whiteboard, blog, or live doc titles)
  • Space name
  • Space key

Keep PHI within appropriately secured page content and attachments only after your BAA is executed, apps are tagged, AI is disabled, and notifications are configured per this guide. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
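The rule above is usually enforced by training alone, but it can also be checked. The following Python script is an added example, not Atlassian's code and not part of the original guide: it scans page titles, space names and space keys for identifier formats that commonly signal PHI (SSN, MRN, date of birth, "Patient <name>"). The patterns and the sample records are constructed for the example, and the fetch_live helper's use of the Confluence Cloud v2 pages/spaces endpoints with _links.next cursor pagination is an assumption to verify against the current API documentation. The report deliberately records only the field, location, pattern and character offsets, never the matched text, so the finding list cannot itself become a secondary PHI disclosure.

```python
"""Scan Confluence titles, space names and space keys for PHI-like identifiers.
Added example, not Atlassian code. Sample records below are constructed."""
import base64
import json
import re
import urllib.request
from dataclasses import dataclass

# Heuristic identifier formats that usually indicate PHI in a title or key.
# These are assumptions for the example; add your own MRN/account formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{5,10}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)[\s:]*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b",
        re.IGNORECASE,
    ),
    # "Patient John Doe": keyword is case-insensitive, the name must be capitalised.
    "patient_name": re.compile(r"\b(?i:patient)\b[\s:-]*[A-Z][a-z]+ [A-Z][a-z]+"),
}


@dataclass(frozen=True)
class Finding:
    field: str      # "title", "space_name" or "space_key"
    location: str   # page id or space key: enough to find and fix the value
    pattern: str    # which PHI_PATTERNS entry fired
    start: int      # offset of the match inside the value; the matched text is
    end: int        #   deliberately not stored so the report cannot leak PHI


def _scan_value(field, location, value):
    return [
        Finding(field, location, name, m.start(), m.end())
        for name, rx in PHI_PATTERNS.items()
        for m in rx.finditer(value)
    ]


def scan_fields(pages, spaces):
    """pages: iterable of (page_id, title); spaces: iterable of (key, name).
    Space keys are scanned as values too, since they appear in every URL."""
    findings = []
    for page_id, title in pages:
        findings += _scan_value("title", str(page_id), title)
    for key, name in spaces:
        findings += _scan_value("space_key", key, key)
        findings += _scan_value("space_name", key, name)
    return findings


def summarize(findings):
    """Count findings per field, for a one-line compliance status."""
    counts = {}
    for f in findings:
        counts[f.field] = counts.get(f.field, 0) + 1
    return counts


def fetch_live(base_url, email, api_token):
    """Pull (id, title) and (key, name) records from a Confluence Cloud site.
    ASSUMPTION: v2 endpoints /wiki/api/v2/pages and /wiki/api/v2/spaces with
    _links.next cursor pagination and basic auth (email:API token)."""
    auth = base64.b64encode(f"{email}:{api_token}".encode()).decode()

    def get_all(path):
        while path:
            req = urllib.request.Request(
                base_url + path,
                headers={"Authorization": f"Basic {auth}", "Accept": "application/json"},
            )
            with urllib.request.urlopen(req) as resp:
                body = json.load(resp)
            yield from body.get("results", [])
            path = body.get("_links", {}).get("next")

    pages = [(p["id"], p["title"]) for p in get_all("/wiki/api/v2/pages?limit=250")]
    spaces = [(s["key"], s["name"]) for s in get_all("/wiki/api/v2/spaces?limit=250")]
    return pages, spaces


# Constructed sample records, one clean and several violating the guidance.
SAMPLE_PAGES = [
    ("1001", "Q3 onboarding checklist"),
    ("1002", "Patient John Doe - MRN 0048213 intake notes"),
    ("1003", "Claim follow-up SSN 123-45-6789"),
    ("1004", "DOB 03/14/1981 appointment"),
]
SAMPLE_SPACES = [
    ("ENG", "Engineering"),
    ("MRN00482", "MRN 0048213 case space"),
]

if __name__ == "__main__":
    results = scan_fields(SAMPLE_PAGES, SAMPLE_SPACES)
    for f in results:
        print(f"{f.field:<10} {f.location:<10} {f.pattern:<13} chars {f.start}-{f.end}")
    print(summarize(results))
```

Run it as-is to see the six findings from the constructed sample; for a real site, pass the output of fetch_live (site URL, account email, API token) to scan_fields. Route the report to a restricted channel: because findings carry page ids and space keys only, it is safe to put in a ticket, but the offending titles should be fixed by editing the page, not by quoting them into a comment that will itself be broadcast in a notification.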

User Responsibilities for Compliance

  • Compliance accountability: HIPAA is a shared responsibility. You must configure eligible Atlassian apps as directed, manage users and access, and ensure third-party apps meet your HIPAA obligations. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
  • User training: Instruct everyone not to place PHI in titles, space names, or space keys, and to avoid copying PHI into mentions or comments that could be broadcast.
  • Access controls: Apply least-privilege space permissions and review group membership regularly; restrict admin rights to limit misconfiguration risk.
  • Change management and audits: Monitor audit logs, periodically re-check HIPAA tags and AI deactivation, and validate notification behavior after app or policy changes. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/tag-products-to-enable-hipaa/))
  • Third-party governance: Inventory Marketplace and external integrations; execute separate BAAs as needed or remove noncompliant apps before PHI is introduced. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Conclusion

To use Confluence with PHI, you must execute a BAA, tag Confluence under Data Protection Settings, deactivate all AI features, configure safe notifications, and keep PHI out of high-exposure fields. Maintain ongoing oversight of users and apps to uphold HIPAA-aligned controls. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))

FAQs

What is a Business Associate Agreement (BAA) for Confluence?

It’s a contract in which Atlassian (as a business associate) commits to safeguard PHI for your organization’s eligible cloud products. You must have a BAA in place before uploading PHI to Confluence. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))

Which Confluence plans support HIPAA compliance with BAA?

Confluence Cloud Standard, Premium, and Enterprise plans are eligible. Free and trial plans aren’t eligible, and this program isn’t available in Atlassian Government Cloud. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/sign-a-business-associate-agreement-baa/))

How do I deactivate AI features for HIPAA compliance in Confluence?

In Atlassian Administration, go to Rovo > Rovo access, add Confluence, and select Block access to disable all AI features for that app. Repeat for every other app in the organization, since the HIPAA Implementation Guide requires AI to be deactivated organization-wide. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/activate-atlassian-intelligence-for-products/))

What fields should not contain PHI in Confluence?

Never place PHI in titles, space names, or space keys. These appear broadly (including in URLs and notifications) and must not contain PHI. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
