Evernote is a useful cloud-based tool for taking notes, making to-do lists, planning projects, and collaborating with team members. However, can physicians and other healthcare professionals use Evernote in connection with ePHI without breaking HIPAA Rules? Is Evernote HIPAA compliant?
Evernote has been designed to serve as a readily accessible repository for a wide range of digital information, such as documents, photos, audio and video files. A key feature of Evernote that makes it very handy is its ability to instantly synchronize files and notes across multiple devices.
Evernote has a range of access and security controls, which include two-factor authentication and single sign-on (SSO) to stop unauthorized use of the application. Both Evernote for Mac and Evernote for Windows Desktop use encryption to keep data secure. In-note encryption uses an AES 128-bit key. The platform runs on Google Cloud, and Google does support HIPAA compliance.
Is Evernote HIPAA Compliant?
Do these security features make Evernote HIPAA compliant? Although they provide a good degree of protection against unauthorized data access, they are not sufficient at this time to meet all the requirements of the HIPAA Security Rule. Additionally, Evernote doesn’t offer healthcare organizations a business associate agreement (BAA).
Consequently, Evernote cannot be considered HIPAA compliant. HIPAA covered entities should therefore not use Evernote in association with any PHI.