Call now for cybersecurity help: 888-646-1616
Josh Ablett

Is Evernote HIPAA Compliant? (Updated)

November 1, 2020,

Evernote, a cloud notetaking app that syncs across mobile, tablet, web, and computer devices, is one of the most useful and popular methods of note organization available today.

But is Evernote HIPAA compliant?  Lots of medical providers and business associates want to know how they can use Evernote while still maintaining HIPAA compliance.

Can I use Evernote to keep track of patient information?

Unfortunately, Evernote is not HIPAA compliant.

By its very nature, Evernote is geared towards easily sharing data.  It syncs your data across your phone and computers, and makes it easy to access everything everywhere.

There’s no way to guarantee the safety of the information that you sync, and there are simply too many windows through which a hacker can break in and gain access to information.

It is absolutely not OK to put PHI on Evernote.

Is there any way I can use Evernote in my practice?

The only way that Evernote can be used in a way that involves any protected information is if the notes are kept completely offline. So, if you were to install Evernote on a PC or Mac under an encrypted account, and then put all of your notes in an offline (and it absolutely MUST be offline), then you wouldn’t be violating any HIPAA guidelines.

Unfortunately, though, under those circumstances Evernote would basically just be functioning as a text editor. You'd be better off using Notepad or Text Edit.  The lack of control over your data in these third-party cloud solutions means that they just aren’t safe for handling PHI.

What are my alternatives?

Google Keep

There's some exciting news coming out of Google on this front.

Is Evernote HIPAA Compliant

Google recently announced that Keep, their Evernote competitor, is covered by their HIPAA Business Associate agreement (BAA).

This means that you can use Google Keep to store PHI, but ONLY if:

  1. You're using Google's paid Google Workspace service, and
  2. You've signed a HIPAA BAA with Google.

We help practices just like yours to set up Google Workspace (and their whole practice) to be HIPAA compliant.

Microsoft OneNote

Microsoft didn't want to be left behind.  Their OneNote service (their version of Evernote) is also covered by the Microsoft HIPAA Business Associate agreement (BAA).

This means that you can use Microsoft OneNote to store PHI, but ONLY if:

  1. You're using Microsoft's paid Microsoft365 service, and
  2. You've signed a HIPAA BAA with Microsoft.

We also help practices like yours to set up Microsoft365 (and their whole practice) to be HIPAA compliant.

Other Options

You're only other option is going to be to rely on the note-taking features that are made specifically for healthcare practices.  Most of these are bundled with EMR/EHR systems.  A few we found include PracticeFusion, Carepaths, OfficeAlly, and Emphatic. These products range from specific to all-inclusive, simple to complex, and they are just a few of the many PHI-specific note taking solutions on the market.

Want to make your business more secure?

Evernote definitely isn't HIPAA compliant, even with their paid versions.  But we help customers to switch to Google Keep or Microsoft OneNote.

Still feeling a bit overwhelmed?

Get some free help!  Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!

Leave a Reply

Your email address will not be published. Required fields are marked *

4 comments on “Is Evernote HIPAA Compliant? (Updated)”

  1. I use Evernote frequently for non-confidential and non-privileged notes. From the Evernote website:

    "Encrypted Text Within a Note: If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select. When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode. We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data."

    Provided that your data is stored in a local-only notebook with encryption enabled, it seems like it'd be secure.

    1. The problem is that Evernote does this on a note-by-note basis. Therefore you have to manually encrypt and decrypt every one of the 5000+ notes you have.
      Additionally, you lose Evernote's searching abilities since your encrypted note cannot be searched.

  2. I was told by Google that Google Workspace is HIPAA compliant when I signed up and that standard gmail is not. I didn't ask at the time whether Google Keep is included in that compliance, but everything in Google Drive is (or so they told me in writing). You could take notes in Google Docs instead of a note taking app if this is the case. I don't have sensitive client data, merely need my writing secured, so I didn't do as much research as a doctor would need to to protect sensitive client information.

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2024 Adelia Associates, LLC | All Rights Reserved