Josh Ablett

Is Evernote app HIPAA Compliant in 2025?

November 1, 2020

Unfortunately, Evernote is not HIPAA compliant. Evernote, a cloud notetaking app that syncs across mobile, tablet, web, and computer devices, is one of the most useful and popular methods of note taking and organization available today.

But the question we always receive is: Is the Evernote app secure and HIPAA compliant in 2025?  

Lots of medical providers and business associates want to know how they can use Evernote while still maintaining HIPAA compliance.


Can I use Evernote to keep track of patient information?

Unfortunately, Evernote is not HIPAA compliant.

By its very nature, Evernote is geared towards easily sharing data.  It syncs your data across your phone and computers and makes it easy to access everything everywhere.

There’s no way to guarantee the safety of the information that you sync, and there are simply too many windows through which a hacker can break in and gain access to information.

It is absolutely not OK to put PHI on Evernote.

Is there any way I can use Evernote in my practice?

The only way that Evernote can be used in a way that involves any protected information is if the notes are kept completely offline. So, if you were to install Evernote on a PC or Mac under an encrypted account, and then put all of your notes offline (and it absolutely MUST be offline), then you wouldn’t be violating any HIPAA guidelines.

Unfortunately, though, under those circumstances, Evernote would just be functioning as a text editor. You'd be better off using Notepad or TextEdit. The lack of control over your data in these third-party cloud solutions means that they just aren’t safe for handling PHI.

What are my alternatives?

Google Keep

There's some exciting news coming out of Google on this front.


Google recently announced that Keep, their Evernote competitor, is covered by their HIPAA Business Associate Agreement (BAA).

This means that you can use Google Keep to store PHI, but ONLY if:

  1. You're using Google's paid Google Workspace service, and
  2. You've signed a HIPAA BAA with Google.

We help practices just like yours to set up Google Workspace (and their whole practice) to be HIPAA compliant.

Microsoft OneNote

Microsoft didn't want to be left behind.  Their OneNote service (their version of Evernote) is also covered by the Microsoft HIPAA Business Associate Agreement (BAA).

This means that you can use Microsoft OneNote to store PHI, but ONLY if:

  1. You're using Microsoft's paid Microsoft 365 service, and
  2. You've signed a HIPAA BAA with Microsoft.

We also help practices like yours to set up Microsoft 365 (and their whole practice) to be HIPAA compliant.

Other Options

Your only other option is to rely on the note-taking features that are made specifically for healthcare practices. Most of these are bundled with EMR/EHR systems. A few we found include PracticeFusion, Carepaths, OfficeAlly, and Emphatic. These products range from specific to all-inclusive, simple to complex, and they are just a few of the many PHI-specific note-taking solutions on the market.

Want to make your business more secure?

Evernote definitely isn't HIPAA compliant, even with their paid versions.  But we help customers to switch to Google Keep or Microsoft OneNote.

Still feeling a bit overwhelmed?

Get some free help!  Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.


Frequently Asked Questions

Is Evernote HIPAA compliant?

No, Evernote is not HIPAA compliant and cannot guarantee the security of Protected Health Information (PHI).

Are there HIPAA-compliant note-taking alternatives to Evernote?

Yes, alternatives like Google Keep (with a HIPAA BAA on paid Workspace accounts) and Microsoft OneNote (with a HIPAA BAA on paid Microsoft 365 accounts) are HIPAA compliant.


4 comments on “Is Evernote app HIPAA Compliant in 2025?”

  1. I use Evernote frequently for non-confidential and non-privileged notes. From the Evernote website:

    "Encrypted Text Within a Note: If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select. When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode. We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data."

    Provided that your data is stored in a local-only notebook with encryption enabled, it seems like it'd be secure.

  2. The problem is that Evernote does this on a note-by-note basis. Therefore you have to manually encrypt and decrypt every one of the 5000+ notes you have.
    Additionally, you lose Evernote's searching abilities since your encrypted note cannot be searched.

  3. I was told by Google that Google Workspace is HIPAA compliant when I signed up and that standard Gmail is not. I didn't ask at the time whether Google Keep is included in that compliance, but everything in Google Drive is (or so they told me in writing). You could take notes in Google Docs instead of a note-taking app if this is the case. I don't have sensitive client data, merely need my writing secured, so I didn't do as much research as a doctor would need to do to protect sensitive client information.


Copyright 2025 Adelia Associates, LLC | All Rights Reserved