Is Evernote HIPAA Compliant?

Evernote is not HIPAA compliant and cannot be used by a HIPAA Covered Entity or Business Associate to save, store, sync, or share documents, images, or notes containing protected health information because the platform lacks controls required for compliance with the HIPAA Privacy Rule and the HIPAA Security Rule and Evernote will not enter into a Business Associate Agreement with customers.

Evernote functions as a repository for information such as documents, audio files, images, and video files. A core feature is the ability to automatically sync notes and files across multiple devices, which supports accessibility but expands the number of endpoints where protected health information could be accessed, stored, or disclosed. When protected health information is involved, the storage location, syncing behavior, sharing options, and administrative oversight become part of the compliance boundary under the HIPAA Security Rule.

Evernote is available as a free application and as a paid service for businesses, and it includes security features intended to reduce unauthorized access. The platform incorporates access controls such as single sign-on and two-factor authentication. Evernote stores data on the Google Cloud Platform, and encryption is supported in Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses an AES 128-bit key. These features do not satisfy HIPAA requirements when the vendor does not provide a Business Associate Agreement and when the available controls do not meet the HIPAA Security Rule requirements for an environment that creates, receives, maintains, or transmits electronic protected health information.

Evernote is designed to make data sharing easy, which increases the likelihood of impermissible disclosures when staff use the application for patient documents or dictated notes. Access controls cannot prevent disclosures that occur when content is shared with unauthorized recipients or synchronized to unmanaged devices. Workforce procedures, device management, and monitoring can reduce risk, but they do not replace the Business Associate Agreement requirement when a vendor handles protected health information on behalf of a covered entity.

Organizations that need a note taking application for protected health information should select an alternative service that offers a Business Associate Agreement and provides administrative controls that support access restriction, secure sharing, and audit oversight aligned with the HIPAA Security Rule and the HIPAA Privacy Rule.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]