Is Jira HIPAA Compliant? BAA, Eligible Plans, and Setup Requirements (2026)
Jira's HIPAA Compliance Status
Yes. Jira Cloud can be operated in a HIPAA-compliant manner when you sign a Business Associate Agreement (BAA) and configure the environment according to Atlassian’s HIPAA Implementation Guide. Atlassian offers BAAs for Jira, Jira Service Management, and Confluence; Free and trial plans are excluded. HIPAA use requires tagging eligible apps and deactivating AI features across the site. Compliance follows a shared-responsibility model: Atlassian provides platform safeguards while you implement the administrative and technical safeguards for Protected Health Information (PHI). ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))
Atlassian also documents HIPAA-focused security work (for example, annual HIPAA Security Attestation and Security Risk Analysis), supporting your due diligence and vendor-risk reviews. ([atlassian.com](https://www.atlassian.com/trust/compliance/resources/hipaa))
Eligible Plans for BAA
Jira Cloud is eligible for a HIPAA BAA on the following plans:
- Standard
- Premium
- Enterprise
Eligibility applies to Jira, Jira Service Management, and Confluence; Free and trial plans are not eligible. After the BAA is in place, you must tag the app instances that will process PHI. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))
BAA Coverage and Terms
The BAA applies only to “HIPAA‑Qualified Cloud Products” listed by Atlassian and only when you configure those products per the Implementation Guide before entering PHI. It excludes third‑party Marketplace apps you choose to integrate, as well as any Atlassian products or features outside the HIPAA‑qualified scope. ([atlassian.com](https://www.atlassian.com/legal/business-associate-agreement))
Only PHI in tagged apps is processed under HIPAA controls; tagging may redact notifications to avoid exposing PHI. The guide also clarifies that add‑on offerings like Atlassian Analytics, Atlassian AI, and Rovo are not covered by the BAA. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/tag-products-to-enable-hipaa/))
The BAA sets incident obligations, including notifying you of a breach of Unsecured PHI without unreasonable delay and no later than five calendar days after discovery. ([atlassian.com](https://www.atlassian.com/legal/business-associate-agreement))
Setup Requirements for HIPAA Compliance
1) Sign the BAA and tag eligible apps
- Execute a Business Associate Agreement with Atlassian.
- Tag each Jira, Jira Service Management, and Confluence instance that will handle PHI; tagging one Jira-family app tags peer Jira apps on the same site and enables HIPAA behaviors (for example, redacted notifications). ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
2) Deactivate AI for the entire site
- Disable AI for all Atlassian apps in the organization and re‑check after adding any new apps, because AI can be enabled by default when apps are added. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))
3) Configure notifications to prevent PHI exposure
- Confluence: Turn off push notifications; you may keep email notifications because HIPAA‑safe templates omit content that could include PHI. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
- Jira and Jira Service Management: You can keep email and push notifications on, using templates that limit content. In JSM, enable “Safe customer notifications” and “HIPAA‑compliant alert notifications.” Ensure automation rules never include PHI in emails. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
4) Keep PHI out of disallowed fields and channels
- Do not place PHI in metadata and configuration (for example, issue type or status names, space names/keys, custom field names, workflow schemes) or in Atlassian Support tickets and attachments. Use issue bodies and attachments thoughtfully within tagged apps. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
5) If you use Service Collection
- Request removal of the Customer Service Management app for HIPAA sites as directed by Atlassian support. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))
Data Security Measures and Audits
Atlassian encrypts customer data in transit using TLS 1.2+ with Perfect Forward Secrecy and at rest with AES‑256. Atlassian’s program also includes SOC 2 and ISO/IEC 27001/27018 certifications and organization‑wide audit logging (via Atlassian Guard) for visibility. ([atlassian.com](https://www.atlassian.com/software/confluence/security))
For regulated industries, data residency lets you pin eligible Jira, Jira Service Management, and Confluence data to supported regions to meet locality expectations. Separately, Atlassian performs HIPAA‑oriented activities such as an annual HIPAA Security Attestation and Security Risk Analysis. ([support.atlassian.com](https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/?utm_source=openai))
Additional Security Controls
- Identity and access: Enforce SAML SSO, SCIM user provisioning, and organization‑wide two‑step verification through Atlassian Guard authentication policies to strengthen account assurance. ([support.atlassian.com](https://support.atlassian.com/security-and-access-policies/docs/authentication-policy-settings-for-your-organizations/?utm_source=openai))
- Network perimeter: Apply IP allowlisting to restrict access to trusted ranges for Atlassian Cloud apps. ([support.atlassian.com](https://support.atlassian.com/atlassian-cloud/kb/what-is-the-scope-of-ip-allowlists-in-atlassian-cloud/?utm_source=openai))
- Encryption enhancements: Consider customer‑managed keys (CMK/EKM) available to Cloud Enterprise for selected Jira, JSM, and Confluence data sets. ([atlassian.com](https://www.atlassian.com/enterprise/cloud/cloud-enterprise/cmk-openbeta?utm_source=openai))
- Data Loss Prevention: Integrate a CASB with Atlassian Guard to add DLP-style inspection and policy enforcement across content and sharing pathways. ([atlassian.com](https://www.atlassian.com/software/confluence/security))
- Data residency: Pin product data to compliant regions as part of your data governance program. ([support.atlassian.com](https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/?utm_source=openai))
Compliance Responsibility and Limitations
HIPAA compliance is shared. Atlassian supplies platform security and HIPAA‑eligible capabilities, but you are responsible for implementing HIPAA Security Controls, including Administrative Safeguards (policies, workforce training, access management) and Technical Safeguards (SSO/MFA, least‑privilege, audit logging, DLP) and for conducting a documented Risk Analysis. ([atlassian.com](https://www.atlassian.com/dam/jcr%3A810e52d6-c4cf-49e2-b5ad-182bce372fec/Shared-Responsibility-Whitepaper-052622.pdf?cdnVersion=1496&utm_source=openai))
Scope matters: the BAA covers only HIPAA‑qualified cloud products and only PHI in tagged apps; third‑party Marketplace apps, Atlassian Analytics, and AI/Rovo features are out of scope unless separately governed. Atlassian does not monitor your content for PHI, so you must prevent PHI from entering disallowed fields and external support channels. ([atlassian.com](https://www.atlassian.com/legal/business-associate-agreement))
Conclusion
In 2026, Jira Cloud can support HIPAA when you sign a BAA on an eligible plan, tag apps, deactivate AI, configure safe notifications, and implement layered safeguards (SSO/MFA, IP allowlists, DLP/CASB, data residency, CMK). Treat HIPAA as a shared program: pair Atlassian’s controls with your own policies, training, and risk management to protect PHI end to end. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))
FAQs
Is Jira eligible for a HIPAA BAA?
Yes. Atlassian will sign a BAA for Jira Cloud on Standard, Premium, and Enterprise plans (Free and trial plans are not eligible). After signing, you must tag the app instances and follow the Implementation Guide before storing PHI. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))
What plans of Jira support HIPAA compliance?
Standard, Premium, and Enterprise plans of Jira Cloud support HIPAA use when combined with a signed BAA and required configuration. Jira Service Management and Confluence are also eligible under the same plan tiers. ([atlassian.com](https://www.atlassian.com/trust/compliance/resources/hipaa))
How does Jira handle PHI under HIPAA regulations?
You designate which apps will process PHI by tagging them; Atlassian applies safeguards and redacts notifications to avoid exposing PHI. Jira/JSM support safe email/push templates; Confluence requires disabling push. PHI must not be placed in restricted metadata or support tickets. All data is encrypted in transit and at rest. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/tag-products-to-enable-hipaa/))
What additional measures are required for HIPAA compliance when using Jira?
Beyond the BAA and tagging, deactivate AI across the site; configure safe notifications; enforce SSO, SCIM, and two‑step verification with Atlassian Guard; restrict access with IP allowlists; set data residency; consider customer‑managed keys; deploy DLP via a CASB; and complete your own HIPAA Risk Analysis and administrative/technical safeguards. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))