Community moderators have prevented the ability to post new answers.
Your best bet is probably to email sales@atlassian.com and ask them through that channel.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
One thing that can help you be HIPAA compliant is making sure that sensitive data is not stored in places where it shouldn't be and that access to it is properly audited. For this you can use our recently released PII Protector for JIRA add-on. It monitors sensitive PII like credit card numbers, social security numbers, addresses, etc. stored in Atlassian JIRA, reports it, and provides admins with a convenient UI to manage it, to audit access to it, and optionally to hide or to erase it.
This. As there's no such thing as HIPAA certifications, compliance comes from your specific business rules and configuration. In addition to your configuration, the global support and operations teams at Atlassian will have access to your data per https://www.atlassian.com/hosted/security
I am really trying to determine if I can use JIRA for support for our customers. Some issues reported by customers involve PHI, such as "on 8/1/13 Jane Doe had an A&D service and it was not approved correctly." This would be considered HIPAA data, and my question is, is JIRA OnDemand
That is roughly what I'm getting at - you'll need to go through your requirements and investigate whether Jira can match them. We can't give you a simple yes or no because we don't know what your entire set of requirements might be.
Even then, looking at the case you've just presented, the answer is only "probably", because it depends on how you decide to configure it. It'll certainly track all the data you enter and update, but whether it's compliant with your interpretation of the HIPAA rules is still up to you.
Thanks for the replies, I have 2 follow up questions:
1) Will Atlassian sign a Business Associate Agreement (or have a standard they will sign as Microsoft does for MS 365 and other products)?
2) If I use JIRA installed, does anyone else (that I do not grant access to) have access to my data?
1) You'll need to ask Atlassian. If there's any work involved in doing that, then I suspect the answer is "no", because they expect you, as the user, to handle local legal requirements, not them. No harm in asking, I'd simply email "sales at atlassian dot com".
2) No. It'll be your system on your hardware with your data. You can set up any protections you need internally.
Minor exception on point 2 - if you use the UI to ask Atlassian for support, it will copy *system* information over to them, but none of your data.
Ok, I feel obliged to chime in because there is a lot of incorrect information in this thread. (Disclaimer: I am not a lawyer)
"That is not something we can know. ... The answer depends on what the act currently requires of your organisation, how you plan to implement it, whether you are using your own install, hosting, managed services, what you are integrating it with, what your access control plans are."
Wrong. HIPAA is crystal-clear on what is required to be compliant. The confusion here may arise from the fact that HIPAA does not specify what technical safeguards must be implemented... it's primarily administrative. Use http://www.hhs.gov/ocr/privacy/index.html as a starting point for understanding HIPAA.
"As there's no such thing as HIPAA certifications, compliance comes from your specific business rules and configuration."
There is no certification, correct, but compliance involves all parties that handle PHI. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
"In addition to your configuration, the global support and operations teams at Atlassian will have access to your data"
Atlassian may not realize it, but regardless of their interpretation of the law, terms of use, or other customer agreements, they are liable for a breach if their employees access any identifiable health information protected under HIPAA. You can find more information on that here: http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php.
Depending on the severity of any breach, HHS can enforce a penalty of up to $1.5MM. See http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.
Q: Will Atlassian sign a Business Associate Agreement?
A: If there's any work involved in doing that, then I suspect the answer is "no", because they expect you, as the user, to handle local legal requirements, not them.
Wrong. As explained here, http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php, Atlassian is responsible for HIPAA compliance if they handle protected health information under any circumstance. If they operate in the U.S., they are responsible for handling these legal requirements.
Q: If I use JIRA installed, does anyone else (that I do not grant access to) have access to my data?
A: No. It'll be your system on your hardware with your data. You can set up any protections you need internally.
This is the best answer here. If you want to use JIRA and maintain compliance then install it on your own servers.
Before we even get to HIPAA for the application - let's take a step back. The data center needs to be HIPAA compliant - including the servers it's hosted in. As said by Andrew, there are clear certifications for this and proof can be provided. That's step 1. Next is to look at the application/environment.
Andrew - these links do not resolve, can you please update your post?
Actually, Andrew, I believe you might have been looking for this information - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
As Atlassian is not a covered entity, and will not be engaging as a "Business Associate", they are not responsible for this information.
Also note "HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant."
HIPAA is not the only regulatory set of requirements that software and services that Atlassian provides will need to deal with. Rather than send thousands of compliance questions to Atlassian's sales force (whom I'm assuming are not legal and regulatory experts on how Atlassian's products and services are utilized in various different industries), why not take the bull by the horns, and proactively provide the certifications and assurance for these customers that they've all been begging for? I work for one of those Fortune 100 companies that has not endorsed the use of your development products because we continually receive these types of evasive answers from Atlassian. The problem is... your products are some of the best we've seen... we simply cannot risk using unassured, non-certified software products or services in one of the largest payment systems on the planet.