Trello is not HIPAA compliant. Although Trello is owned by Atlassian, which does offer HIPAA-eligible products, Trello is not one of them. Atlassian’s Business Associate Agreement (BAA) only covers Jira, Confluence Cloud, and Jira Service Management. If you work in healthcare or handle protected health information (PHI), you cannot use Trello in a way that meets HIPAA requirements.
Why Trello Is Excluded
Atlassian’s HIPAA compliance page lists three products eligible for a BAA: Jira (project and issue tracking), Confluence Cloud (document collaboration), and Jira Service Management. Trello is absent from this list despite being part of the Atlassian product family since 2017.
This distinction matters because HIPAA requires any vendor that handles PHI on your behalf to sign a BAA. Without one, storing patient names, medical record numbers, appointment details, or any other identifiable health data on Trello would put your organization in violation of federal law. Trello does use encryption to protect data in transit and at rest, but encryption alone doesn’t make a tool HIPAA compliant. The legal agreement is the non-negotiable piece.
What Atlassian Products Are HIPAA Eligible
If you need project management within the Atlassian ecosystem and must stay HIPAA compliant, your options are Jira, Confluence Cloud, or Jira Service Management on a Standard, Premium, or Enterprise plan. Free and trial plans are not eligible for a BAA under any circumstances.
For Standard and Premium plans, you can sign the BAA directly through Atlassian’s admin console by navigating to Security, then Data Protection, then HIPAA Compliance. You’ll need a signatory with legal authority to bind your organization, and they must execute the agreement within 90 days or the signing link expires. Enterprise plan customers work with their Atlassian representative instead.
Signing a BAA Is Only the First Step
Even with the eligible products, Atlassian makes clear that compliance is a shared responsibility. They provide the infrastructure and security controls, but your organization is responsible for how the tools are actually used. Atlassian does not monitor or analyze the data you input, so internal policies and user training are on you.
The configuration requirements are specific and worth understanding before you commit:
- Disable all AI features. Atlassian Intelligence, Rovo, and any AI-powered tools must be turned off across your organization. When you add new Atlassian apps, you need to deactivate AI for those as well.
- Tag your apps for HIPAA. This is a setting within the admin console that enables HIPAA-specific configurations.
- Turn off push notifications in Confluence. Push notifications can expose PHI on lock screens or in notification previews.
- Avoid entering PHI in certain fields. Atlassian maintains a list of fields that fall outside the BAA’s protection, including workflow scheme names, custom field names, space names and keys, page titles in Confluence, and status or type fields in Jira. PHI should only go into protected content areas like issue descriptions, comments, and attachments within the covered apps.
- Vet every third-party integration. Any app you connect to Jira or Confluence needs its own BAA if it will touch PHI. Atlassian’s BAA does not extend to marketplace apps, analytics tools, or early access features.
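The field rule above is the one most likely to be violated by accident, because users rarely think of a page title or a custom field name as "content". The following script is an added example, not code from the article or from Atlassian: it takes a constructed list of metadata values of the kinds the article names as outside the BAA (workflow scheme names, custom field names, space names and keys, Confluence page titles, Jira status and type fields) and flags values that look like PHI, so an admin can find stray identifiers before an audit does. The record layout, the field-kind labels and the sample values are all assumptions for illustration; they are not Atlassian identifiers or an export format.

```python
"""Audit exported Jira/Confluence metadata field values for PHI-like content.

Added example, not Atlassian code. The record format ({"kind": ..., "value": ...})
and the sample records are constructed for illustration.
"""
import re
from typing import Dict, List

# Field kinds the article lists as falling outside the BAA. The labels are
# assumptions for this script, not Atlassian field identifiers.
UNPROTECTED_FIELD_KINDS = {
    "workflow_scheme_name",
    "custom_field_name",
    "space_name",
    "space_key",
    "page_title",
    "status_name",
    "issue_type_name",
}

# Conservative PHI indicators. Each requires a keyword or a distinctive format
# so that ordinary sprint dates or ticket numbers are not reported.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{5,}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\b[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    # "Patient" followed by at least two capitalised words (a likely name).
    "patient_name": re.compile(r"\b[Pp]atient\b[\s:-]*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+"),
}


def scan_metadata(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per unprotected-field value that matches a PHI pattern."""
    findings = []
    for rec in records:
        kind, value = rec["kind"], rec["value"]
        if kind not in UNPROTECTED_FIELD_KINDS:
            # Protected content areas (issue descriptions, comments,
            # attachments) are covered by the BAA and out of scope here.
            continue
        matched = sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(value))
        if matched:
            findings.append({"kind": kind, "value": value, "matched": matched})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per field kind, for a quick remediation report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["kind"])] = counts.get(str(f["kind"]), 0) + 1
    return counts


# Constructed sample export: a mix of harmless values and accidental PHI.
SAMPLE_RECORDS = [
    {"kind": "custom_field_name", "value": "Priority Override"},
    {"kind": "custom_field_name", "value": "Patient MRN 00481234"},
    {"kind": "space_name", "value": "Cardiology Onboarding"},
    {"kind": "page_title", "value": "Patient Jane Doe discharge summary"},
    {"kind": "workflow_scheme_name", "value": "Clinical Trial Workflow"},
    {"kind": "status_name", "value": "DOB 03/14/1987 follow-up"},
    # Protected area: identical text here is in scope of the BAA, so not flagged.
    {"kind": "issue_description", "value": "Patient MRN 00481234 seen today"},
]

if __name__ == "__main__":
    results = scan_metadata(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['kind']}: {f['value']!r} matched {', '.join(f['matched'])}")
    print("summary:", summarize(results))
```

The patterns are deliberately narrow (a keyword plus a number format) so the report stays short enough to act on; a value that trips one of them should be renamed and the PHI moved into a covered area such as the issue description. Extend `PHI_PATTERNS` with whatever identifiers your organization actually uses.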
What To Use Instead of Trello
If your team relies on Trello’s board-style visual workflow, Jira offers a similar board view for tracking tasks and can be configured for HIPAA compliance on a paid plan. The interface is more complex than Trello’s, but it supports kanban boards, card-based workflows, and drag-and-drop task management that will feel somewhat familiar.
Outside the Atlassian ecosystem, several project management platforms do sign BAAs and market themselves as HIPAA eligible. When evaluating any tool, the checklist is the same: confirm the vendor will sign a BAA, verify encryption standards, check what fields and features are actually covered, and ensure you can control access permissions tightly enough to limit PHI exposure to authorized users only. A platform calling itself “secure” or “encrypted” is not the same as being HIPAA compliant. The BAA is what creates legal accountability.
If your team currently has PHI stored in Trello boards, the priority is migrating that data to a compliant platform and purging it from Trello. Even if no breach has occurred, the mere presence of unsecured PHI on a platform without a BAA constitutes a compliance gap that could trigger penalties during an audit.