Evernote, a cloud note-taking app that syncs across mobile, tablet, web, and computer devices, is one of the most useful and popular methods of note organization available today.
But is Evernote HIPAA compliant? Lots of medical providers and business associates want to know how they can use Evernote while still maintaining HIPAA compliance.
Unfortunately, Evernote is not HIPAA compliant.
By its very nature, Evernote is geared towards easily sharing data. It syncs your data across your phone and computers, and makes it easy to access everything everywhere.
There’s no way to guarantee the safety of the information that you sync, and there are simply too many windows through which a hacker can break in and gain access to information.
It is absolutely not OK to put PHI on Evernote.
The only way that Evernote can be used in a way that involves any protected information is if the notes are kept completely offline. So, if you were to install Evernote on a PC or Mac under an encrypted account, and then put all of your notes in an offline (and it absolutely MUST be offline), then you wouldn’t be violating any HIPAA guidelines.
Unfortunately, though, under those circumstances Evernote would basically just be functioning as a text editor. You'd be better off using Notepad or TextEdit. The lack of control over your data in these third-party cloud solutions means that they just aren’t safe for handling PHI.
There's some exciting news coming out of Google on this front.
Google recently announced that Keep, their Evernote competitor, is covered by their HIPAA Business Associate agreement (BAA).
This means that you can use Google Keep to store PHI, but ONLY if:
We help practices just like yours to set up Google Workspace (and their whole practice) to be HIPAA compliant.
Microsoft didn't want to be left behind. Their OneNote service (their version of Evernote) is also covered by the Microsoft HIPAA Business Associate agreement (BAA).
This means that you can use Microsoft OneNote to store PHI, but ONLY if:
We also help practices like yours to set up Microsoft 365 (and their whole practice) to be HIPAA compliant.
Your only other option is to rely on the note-taking features that are made specifically for healthcare practices. Most of these are bundled with EMR/EHR systems. A few we found include PracticeFusion, MyClientsPlus, Carepaths, OfficeAlly, and Emphatic. These products range from specific to all-inclusive, simple to complex, and they are just a few of the many PHI-specific note-taking solutions on the market.
Evernote definitely isn't HIPAA compliant, even with their paid versions. But we help customers to switch to Google Keep or Microsoft OneNote.
Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.