Is OpsGenie HIPAA Compliant? BAA, Security, and Compliance Explained



Kevin Henry

HIPAA

November 27, 2025


HIPAA Compliance Status

Short answer: treat HIPAA support for OpsGenie capabilities as delivered through Jira Service Management (JSM), not as a standalone OpsGenie entitlement. Atlassian’s HIPAA program lists Jira, Jira Service Management, and Confluence as eligible apps; OpsGenie’s alerting and on-call features are being consolidated into JSM, with guided migration available. To handle Protected Health Information (PHI), use JSM configured for HIPAA and covered by an Atlassian BAA, rather than standalone OpsGenie. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))

Practically, that means you should sign an Atlassian BAA, enable HIPAA for eligible apps, and use JSM’s HIPAA-safe notifications when you need to transmit alerts without exposing PHI. Migration of OpsGenie data and configurations to JSM is supported and encouraged ahead of OpsGenie’s retirement timeline. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Business Associate Agreement Overview

Atlassian will sign a Business Associate Agreement for Standard, Premium, and Enterprise plans of Jira, Jira Service Management, and Confluence. Free and trial plans aren’t eligible. The BAA covers only eligible Atlassian apps; it doesn’t extend to every feature or to third‑party Marketplace apps. If you rely on integrations, you are responsible for obtaining BAAs with those vendors as needed. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Because OpsGenie’s capabilities are now available in JSM, organizations that require HIPAA should execute the Atlassian BAA and operate their alerting and on‑call workflows within JSM configured for HIPAA. This aligns your paging workflows with the scope of the BAA and Atlassian’s HIPAA implementation guidance. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))

Security Certifications

OpsGenie (as part of Atlassian Cloud) aligns to well‑known security and privacy standards. Atlassian’s program reflected on the OpsGenie security page includes SOC 2, SOC 3, ISO/IEC 27001, ISO/IEC 27018, PCI DSS, and GDPR. These attestations and frameworks help you meet internal audit and vendor risk requirements when evaluating the platform. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))


Security Feature Overview

Data encryption: OpsGenie encrypts data in transit with TLS 1.2+ (with perfect forward secrecy) and encrypts user data at rest using AES‑256. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))

Access and identity: You can integrate SAML 2.0 single sign‑on (SSO) with common identity providers to centralize authentication and strengthen access control. ([support.atlassian.com](https://support.atlassian.com/opsgenie/docs/configure-saml-based-sso/))

Operational controls: OpsGenie supports static IP allowlisting for integrations, provides persistent alert and incident logs for traceability, and participates in a coordinated bug‑bounty program for vulnerability discovery. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))

Data locality and key management: Data residency moves let you choose where OpsGenie data is hosted across supported regions. If you migrate to JSM Enterprise, you can use customer‑managed encryption keys (BYOK) to meet stricter key‑control requirements. ([confluence.atlassian.com](https://confluence.atlassian.com/cloud/blog/2025/04/atlassian-cloud-changes-mar-31-to-apr-7-2025))

HIPAA Compliance Settings

Enable HIPAA at the organization level: After executing your Atlassian BAA, tag eligible apps to enable HIPAA in Atlassian Administration and disable Atlassian AI across the site. This is the effective HIPAA compliance toggle you control before handling PHI. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Configure JSM’s notification hygiene: In JSM, turn on Safe customer notifications and HIPAA‑compliant alert notifications to prevent PHI from appearing in emails, push, SMS, or voice content. Manage these under Settings > Apps > Compliance settings and related JSM app settings. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Follow field‑level safeguards: Atlassian’s HIPAA Implementation Guide details fields where PHI must not be entered (for example, certain titles, summaries, or support channels). Review and enforce these controls as part of your admin checklist. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Compliance Limitations

Scope matters: The Atlassian BAA applies only to eligible apps (Jira, JSM, Confluence) on paid tiers—not to trials, and not automatically to third‑party apps. Each third‑party integration that touches PHI needs its own evaluation and, if required, a separate BAA. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Configuration is required: HIPAA is a shared‑responsibility model. You must enable the HIPAA settings, follow Atlassian’s implementation steps, and keep PHI out of disallowed fields and notification payloads to maintain compliance. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

Encryption changes post‑migration: OpsGenie’s legacy edge encryption has been replaced by BYOK in JSM Enterprise. If you need customer‑managed keys, plan your migration path accordingly. ([support.atlassian.com](https://support.atlassian.com/opsgenie/docs/data-encryption-after-migration/))

Product lifecycle: OpsGenie’s alerting and on‑call features live on in JSM, and Atlassian directs customers to migrate, with a published target date for completing moves. If HIPAA is a requirement, plan to operate in JSM with HIPAA enabled rather than relying on standalone OpsGenie. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))

Summary: To use OpsGenie‑style alerting with PHI, sign an Atlassian BAA, enable the HIPAA compliance toggle, and run your workflows in Jira Service Management with safe notifications. Leverage Atlassian’s security certifications, strong encryption, and data‑residency controls to support your organization’s PHI protection goals. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))

FAQs

Does OpsGenie provide a Business Associate Agreement?

Atlassian signs a Business Associate Agreement for eligible cloud apps—Jira, Jira Service Management, and Confluence—on Standard, Premium, and Enterprise plans. OpsGenie isn’t listed as an eligible app on its own, so you should operate PHI within JSM configured for HIPAA under the Atlassian BAA. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))

What security certifications does OpsGenie hold?

Atlassian’s program (as reflected on the OpsGenie security page) includes SOC 2, SOC 3, ISO/IEC 27001, ISO/IEC 27018, PCI DSS, and GDPR. These frameworks help demonstrate mature security controls across Atlassian Cloud services. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))

How does OpsGenie protect personal health information?

OpsGenie encrypts data in transit (TLS 1.2+) and at rest (AES‑256), supports SAML‑based SSO, and offers logging and IP allowlisting for integrations. For HIPAA use cases, you should run alerts in JSM with HIPAA‑safe notifications enabled and follow Atlassian’s field‑level guidance to keep PHI out of disallowed locations. ([atlassian.com](https://www.atlassian.com/software/opsgenie/security))

Is OpsGenie fully HIPAA compliant?

No single tool is “fully HIPAA compliant” by itself; compliance depends on contracts and configuration. Atlassian provides a BAA and HIPAA controls for eligible apps (Jira, JSM, Confluence). Because OpsGenie’s capabilities are now in JSM, use JSM with HIPAA enabled and a signed BAA to handle PHI safely. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/the-hipaa-implementation-guide/))
