Is PagerDuty HIPAA Compliant? BAA, PHI, and Secure Use Explained


Kevin Henry

HIPAA

April 25, 2026

7 minutes read
PagerDuty HIPAA Compliance Overview

Whether PagerDuty can be used in a HIPAA-aligned way depends on your specific implementation, the data you send into the platform, and the contractual protections you obtain. HIPAA does not “certify” products; instead, you must combine vendor controls with your own administrative, technical, and physical safeguards.

Think in terms of shared responsibility. If any workflow could expose Protected Health Information (PHI), you need appropriate configurations, restricted data flows, and a signed Business Associate Agreement (BAA). If you cannot meet those conditions, treat PagerDuty as a non-PHI system and keep all incident content free of identifiers.

Key questions to answer before using PagerDuty with PHI

  • Will the vendor sign a Business Associate Agreement (BAA) that fits your use case?
  • What kinds of alerts, incident notes, or attachments might contain PHI, and how will you prevent that?
  • Which monitoring tools, ticketing systems, and webhooks integrate with PagerDuty, and do they pass any PHI?
  • How will you enforce access controls, audit logging, retention, and data deletion?
  • What evidence (for example, SOC 2 Type II) supports the vendor’s security posture?

Business Associate Agreement Availability

A Business Associate Agreement is required when a service provider creates, receives, maintains, or transmits PHI on your behalf. Without a BAA in place, you should not store, process, or route PHI through the platform. A BAA does not by itself make a service HIPAA compliant, but it defines obligations and safeguards that underpin compliant use.

Confirm with your PagerDuty account team whether a BAA is currently offered for your subscription tier and region, and make sure its scope matches the features and integrations you plan to use. Keep a countersigned copy on file and align internal procedures to its terms.

What your BAA should cover

  • Permitted and prohibited uses/disclosures of PHI, including integrations and subprocessors.
  • Safeguards, incident response, and breach notification timelines.
  • Data location, access controls, audit logging, and minimum necessary standards.
  • Subprocessor management and your right to receive notice of changes.
  • Termination assistance, data return, and secure destruction requirements.

Protected Health Information Handling

The safest path is to keep PHI out of PagerDuty by design. Use opaque IDs, case numbers, or short-lived tokens instead of names, addresses, medical record numbers, images, or free text that could reveal identity. Apply strict redaction at every ingress point and educate responders to avoid posting PHI in incident titles, notes, or chat.

Map all data flows into and out of the platform. If you use log-based alerting, enable pattern-based scrubbing before alerts are generated. For webhooks or event pipelines, strip high-risk fields, enforce schema validation, and block attachments that might contain PHI.

Practical patterns

  • Do: tokenize patient references, use least-privilege routing, and define retention limits.
  • Do: maintain runbooks that label PHI-safe vs. PHI-restricted fields for each integration.
  • Avoid: incident titles or notes containing names, test results, diagnoses, or images.
  • Avoid: forwarding raw logs or screenshots that may include identifiers.
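The ingress scrubbing, tokenization, field stripping and schema validation described above can be implemented as one small gate in front of the incident platform. The following Python module is an added illustration written for this article; it is not PagerDuty code and not the author's. The field names (`patient_id`, `mrn`, `attachment`, and so on), the regular expressions, the sample event and the HMAC key are all constructed assumptions for the example; a production scrubber would derive its field lists from the PHI-safe / PHI-restricted runbook for each integration and would use a key from a secrets manager. The returned `phi_class` value also gives the no-PHI / PHI-possible classification that the operational runbooks below route on.

```python
"""Ingress scrubber for monitoring events bound for an incident platform.

Added example for this article (not PagerDuty's code). Field names, patterns
and the sample event are assumptions constructed for illustration.
"""
import hashlib
import hmac
import re
from typing import Any

# Fields that must never reach the incident platform (assumed names).
HIGH_RISK_FIELDS = {"patient_name", "dob", "address", "mrn", "ssn",
                    "diagnosis", "attachment"}

# Identifier fields replaced by an opaque token so responders can still
# correlate an alert with a case in the system of record.
TOKENIZED_FIELDS = {"patient_id", "encounter_id"}

# Fields allowed through (free text is still pattern-scrubbed); all others drop.
ALLOWED_FIELDS = {"service", "severity", "summary", "source", "case_ref"}

# Free-text patterns that suggest an identifier leaked into a summary.
# Constructed for the example; this is not a complete PHI detector.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def tokenize(value: str, key: bytes) -> str:
    """Keyed one-way token: stable for the same input and key, so responders
    can correlate alerts, but it reveals nothing without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Redact identifier-like substrings; return cleaned text and pattern names hit."""
    hits = []
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            hits.append(name)
            text = pattern.sub(f"[REDACTED-{name.upper()}]", text)
    return text, hits


def scrub_event(event: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a PHI-minimised copy of an inbound event plus a classification.

    Raises ValueError when the event fails schema validation (no summary),
    so a malformed or stripped-down event is rejected rather than forwarded.
    """
    out: dict[str, Any] = {}
    hits: list[str] = []
    dropped: list[str] = []
    for field, value in event.items():
        if field in HIGH_RISK_FIELDS:
            dropped.append(field)          # never forwarded
        elif field in TOKENIZED_FIELDS:
            out[field] = tokenize(str(value), key)
        elif field not in ALLOWED_FIELDS:
            dropped.append(field)          # unknown fields are dropped by default
        elif isinstance(value, str):
            cleaned, found = scrub_text(value)
            out[field] = cleaned
            hits.extend(found)
        else:
            out[field] = value
    # Schema validation: a non-empty summary is mandatory for routing.
    if not out.get("summary"):
        raise ValueError("event rejected: missing summary")
    # Classification used for routing: anything redacted from free text means
    # PHI may have been present upstream and the source needs attention.
    out["phi_class"] = "phi-possible" if hits else "no-phi"
    out["scrub_report"] = {"dropped": sorted(dropped),
                           "patterns": sorted(set(hits))}
    return out


# Constructed sample event containing several kinds of identifiers.
SAMPLE_EVENT = {
    "service": "lab-results-api",
    "severity": "critical",
    "summary": "Upload failed for MRN 12345678 (contact jane@example.org)",
    "patient_id": "P-0042",
    "patient_name": "Jane Doe",
    "diagnosis": "example diagnosis text",
    "attachment": "scan.png",
    "debug_blob": "raw request body",
}

if __name__ == "__main__":
    # The key would come from a secrets manager in practice (assumption).
    print(scrub_event(SAMPLE_EVENT, b"demo-key"))
```

The `scrub_report` is meant for the scrubber's own log, not for the forwarded event body, so that a responder can audit what was removed without the identifiers leaving the boundary; in a real pipeline, a `phi-possible` result should also raise a ticket against the emitting integration, since the goal is to stop PHI at its source rather than rely on redaction.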

Security Certifications and Authorizations

Independent attestations help you evaluate risk. A SOC 2 Type II report shows how a vendor’s controls operated over time, but it is not a substitute for HIPAA requirements. Request a high-level summary (such as SOC 3) for procurement and ensure your security team reviews the detailed report under NDA when needed.

Some vendors also pursue government-focused authorizations such as FedRAMP Low Authorization for low-impact systems. This can indicate rigorous control baselines and continuous monitoring, but it does not equate to HIPAA compliance. Treat these attestations as inputs to your overall risk assessment rather than definitive approval to handle PHI.

How to use attestations in your risk assessment

  • Check audit periods, scope boundaries, and any noted exceptions or remediation plans.
  • Validate coverage for relevant features (alerting, integrations, mobile apps, APIs).
  • Correlate mapped controls with your HIPAA security rule requirements.

Data Protection and Privacy Policies

Review the vendor’s Data Processing Addendum to understand roles, subprocessors, and data handling aligned to privacy laws. Pair it with the Acceptable Use Policy to confirm prohibited content, rate limits, and security obligations. Ensure retention, deletion, and data portability align with your compliance program.

From a technical standpoint, expect encryption in transit and at rest, robust key management, access logging, and tamper-evident audit trails. Clarify data residency options, backup/restore processes, and how the provider validates changes to critical security configurations.

Procurement checklist

  • Data Processing Addendum, Acceptable Use Policy, and confidentiality terms.
  • Documentation for encryption standards, key management, and audit logging.
  • Data retention defaults, deletion SLAs, and breach notification commitments.
  • Subprocessor list and change-notification mechanism.

Security Best Practices and Guidelines

Strong security hygiene reduces risk regardless of PHI scope. Enforce least privilege, separate duties for administrators and responders, and review access quarterly. Rotate API tokens, prefer scoped service accounts, and store secrets outside the incident platform.

Minimize sensitive content in alerts, enable field-level redaction, and standardize incident templates that avoid PHI. Define short retention windows for nonessential data and automate secure deletion where feasible.

Configuration recommendations

  • Require SSO, enforce MFA, and disable local passwords where supported.
  • Use role-based access controls and approval workflows for admin changes.
  • Enable event/log scrubbing, attachment controls, and IP allowlisting.
  • Set retention and export policies that align with your records strategy.
  • Continuously monitor integrations; block or strip high-risk fields by default.

Operational runbooks

  • Classify incidents (no PHI, PHI-possible, PHI-confirmed) and route accordingly.
  • Define a data-exposure playbook with rapid triage, notification, and remediation.
  • Audit and attest on configuration drift; conduct periodic tabletop exercises.

Single Sign-On Support

Secure user authentication is central to HIPAA-aligned use. Most enterprise SaaS platforms support Single Sign-On through standards like SAML or OpenID Connect, along with SCIM for automated provisioning. Enforce SSO for all users, map groups to roles, and apply conditional access policies from your identity provider.

Harden sessions with short lifetimes, re-authentication for sensitive actions, and device/risk-based controls. Where available, disable fallback passwords, require MFA, and restrict API access to managed contexts. These measures reduce credential sprawl and keep access consistent with least privilege.

Bottom line: you can use PagerDuty safely in healthcare environments by avoiding PHI in the platform whenever possible, obtaining a fit-for-purpose BAA when needed, and enforcing strong identity, data minimization, and auditing controls.

FAQs

Does PagerDuty sign a Business Associate Agreement?

It can depend on your subscription tier, use case, and region. Engage your PagerDuty account team or legal contact to request a Business Associate Agreement and confirm exactly which features and integrations are covered. Do not assume coverage until you have a countersigned BAA that matches your intended workflows.

Is PagerDuty suitable for handling Protected Health Information?

Only if you have a signed BAA and you configure the platform to limit, protect, and monitor any PHI exposure. Many organizations choose a “no PHI in PagerDuty” standard and use tokens or case IDs instead. If PHI must flow through, implement strict redaction, least-privilege access, short retention, and continuous auditing.

What security certifications does PagerDuty hold?

Expect to evaluate independent attestations such as SOC 2 Type II and, where applicable, government-focused authorizations like FedRAMP Low Authorization. Always verify the current scope and audit period through the vendor’s official documentation and obtain detailed reports for security review.

How does PagerDuty support secure user authentication?

By integrating with your identity provider for Single Sign-On using standards like SAML or OpenID Connect, often paired with SCIM for automated provisioning. Enforce SSO and MFA, map groups to roles, disable local passwords where possible, and set session policies that align with zero-trust principles.
