Evernote, a cloud notetaking app that syncs across mobile, tablet, web, and computer devices, is one of the most useful and popular methods of note organization available today.
But is Evernote HIPAA compliant? Lots of medical providers and business associates want to know how they can use Evernote while still maintaining HIPAA compliance.
Unfortunately, Evernote is not HIPAA compliant.
By its very nature, Evernote is geared towards easily sharing data. It syncs your data across your phone and computers, and makes it easy to access everything everywhere.
There’s no way to guarantee the safety of the information that you sync, and there are simply too many windows through which a hacker can break in and gain access to information.
It is absolutely not OK to put PHI on Evernote.
The only way that Evernote can be used with any protected information is if the notes are kept completely offline. So, if you were to install Evernote on a PC or Mac under an encrypted account, and then put all of your notes in an offline notebook (and it absolutely MUST be offline), then you wouldn’t be violating any HIPAA guidelines.
Unfortunately, though, under those circumstances Evernote would basically just be functioning as a text editor. You'd be better off using Notepad or TextEdit. The lack of control over your data in these third-party cloud solutions means that they just aren’t safe for handling PHI.
There's some exciting news coming out of Google on this front.
Google recently announced that Keep, their Evernote competitor, is covered by their HIPAA Business Associate agreement (BAA).
This means that you can use Google Keep to store PHI, but ONLY if:
We help practices just like yours to set up Google Workspace (and their whole practice) to be HIPAA compliant.
Microsoft didn't want to be left behind. Their OneNote service (their version of Evernote) is also covered by the Microsoft HIPAA Business Associate agreement (BAA).
This means that you can use Microsoft OneNote to store PHI, but ONLY if:
We also help practices like yours to set up Microsoft 365 (and their whole practice) to be HIPAA compliant.
Your only other option is going to be to rely on the note-taking features that are made specifically for healthcare practices. Most of these are bundled with EMR/EHR systems. A few we found include PracticeFusion, Carepaths, OfficeAlly, and Emphatic. These products range from specific to all-inclusive, simple to complex, and they are just a few of the many PHI-specific note-taking solutions on the market.
Evernote definitely isn't HIPAA compliant, even with their paid versions. But we help customers to switch to Google Keep or Microsoft OneNote.
Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.
Have questions or feedback? Please share them in the comments below.
I use Evernote frequently for non-confidential and non-privileged notes. From the Evernote website:
"Encrypted Text Within a Note: If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select. When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode. We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data."
Provided that your data is stored in a local-only notebook with encryption enabled, it seems like it'd be secure.
The problem is that Evernote does this on a note-by-note basis. Therefore you have to manually encrypt and decrypt every one of the 5000+ notes you have.
Additionally, you lose Evernote's searching abilities since your encrypted note cannot be searched.
I was told by Google that Google Workspace is HIPAA compliant when I signed up and that standard Gmail is not. I didn't ask at the time whether Google Keep is included in that compliance, but everything in Google Drive is (or so they told me in writing). You could take notes in Google Docs instead of a note-taking app if this is the case. I don't have sensitive client data, merely need my writing secured, so I didn't do as much research as a doctor would need to in order to protect sensitive client information.
Good news - Google Keep is now covered by Google's HIPAA BAA.