Healthcare Tools

Is GoodNotes HIPAA Compliant?

May 28, 2025

In the healthcare industry, the security of patient information is paramount. With the rise of digital tools like GoodNotes, it's natural to wonder if such applications can safely handle sensitive data. Specifically, is GoodNotes HIPAA compliant? This question is crucial for healthcare professionals who need to ensure that their tools align with privacy regulations. Let's explore what it means for a tool to be HIPAA compliant and whether GoodNotes meets these requirements.

The Basics of HIPAA Compliance

Before we can determine if GoodNotes is HIPAA compliant, it's important to understand what HIPAA compliance actually entails. The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, sets the standard for protecting sensitive patient data. Organizations handling protected health information (PHI) must follow stringent rules to secure this information from unauthorized access.

HIPAA compliance involves several key components:

  • Privacy Rule: Establishes the conditions under which PHI can be used or disclosed.
  • Security Rule: Requires the implementation of administrative, physical, and technical safeguards to protect the integrity of electronic PHI (ePHI).
  • Breach Notification Rule: Mandates that covered entities notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, when a breach of unsecured PHI occurs.
  • Enforcement Rule: Sets the procedures and penalties for HIPAA violations.

Understanding these components helps clarify what it means for a tool like GoodNotes to be compliant. It's not just about having secure features but ensuring that the tool and its use align with these regulations.

What is GoodNotes?

GoodNotes is a digital note-taking app available on iOS, primarily used for organizing notes, documents, and other information. It's popular for its user-friendly interface and features like handwriting recognition, PDF annotation, and document management. Many users appreciate its ability to sync across devices, making it a versatile tool for both personal and professional use.

However, when it comes to using GoodNotes in healthcare settings, its suitability hinges on whether it can comply with HIPAA regulations. This brings us to the next point: how GoodNotes handles security and whether it offers the necessary features to protect PHI.

Security Features of GoodNotes

Security is a significant concern for any app handling sensitive information. GoodNotes offers several features aimed at safeguarding user data. Let's look at some of these features:

  • Encryption: GoodNotes uses encryption to protect data both in transit and at rest. This means that when data is being transferred between devices or stored on a device, it is encrypted so that it cannot be read without the appropriate key.
  • Passcode Lock: Users can set a passcode to protect access to the app, adding an additional layer of security.
  • iCloud Sync: GoodNotes allows users to sync their notes across devices using iCloud. While convenient, it's essential to consider the security of iCloud itself when using this feature for sensitive information.

Despite these features, the critical question remains: Are these measures sufficient for HIPAA compliance? Let's explore further.

Evaluating GoodNotes for HIPAA Compliance

To determine if GoodNotes is truly HIPAA compliant, we need to assess its features against HIPAA requirements. Here are some considerations:

Business Associate Agreement (BAA)

One of the fundamental requirements for HIPAA compliance is having a Business Associate Agreement (BAA) with any service provider that handles PHI. A BAA is a contract that outlines each party's responsibilities to protect PHI and ensures that the service provider is compliant with HIPAA regulations.

As of now, GoodNotes does not offer a BAA. This absence is a significant indicator that the app is not HIPAA compliant. Without a BAA, healthcare providers cannot legally use GoodNotes to handle PHI while remaining compliant with HIPAA.

Data Encryption and Security

While GoodNotes does offer encryption, HIPAA compliance requires more than encryption alone. The Security Rule expects safeguards around ePHI that go beyond the app itself, including regular security risk assessments, workforce training, and access controls that prevent unauthorized access.

GoodNotes' security features, while beneficial, do not guarantee compliance with the comprehensive security requirements outlined by HIPAA. The lack of a BAA further complicates the app's compliance status.

Alternatives to GoodNotes for Healthcare Professionals

Given that GoodNotes is not HIPAA compliant, healthcare providers should consider alternative note-taking apps that meet the necessary standards. Here are a few apps commonly compared with GoodNotes, and where each stands:

  • Notability: Like GoodNotes, Notability is a popular note-taking app with robust features. However, it also does not offer a BAA, making it unsuitable for handling PHI.
  • OneNote: Microsoft OneNote can be used in a HIPAA-compliant manner when configured correctly and used in conjunction with Microsoft's BAA.
  • Evernote for Business: While the personal version of Evernote is not HIPAA compliant, Evernote for Business offers features that can be configured to comply with HIPAA when used properly.

It's crucial to verify the compliance of any tool before using it to handle PHI. Always ensure that a BAA is in place and that the tool offers the necessary security features to meet HIPAA requirements.

Practical Tips for Using Note-Taking Apps in Healthcare

Here are some practical tips for healthcare professionals using note-taking apps while adhering to HIPAA regulations:

  • Check for BAA: Always ensure the app provider offers a BAA. This is non-negotiable for HIPAA compliance.
  • Use Strong Passwords: Protect access to apps with strong, unique passwords and enable two-factor authentication if available.
  • Regularly Review App Permissions: Be mindful of the app's permissions and ensure it only has access to necessary data.
  • Conduct Regular Security Audits: Periodically review the app's security settings and update them as needed.
  • Educate Staff: Train staff on the importance of maintaining confidentiality and the proper use of digital tools in compliance with HIPAA.

By following these tips, healthcare professionals can better protect patient data while using digital tools.

The Role of Cloud Storage in HIPAA Compliance

Cloud storage plays a significant role in how note-taking apps handle data. For an app to be HIPAA compliant, its cloud storage solution must also comply with HIPAA regulations. This includes secure data transfer, encryption, and a BAA with the cloud provider.

When considering a note-taking app for healthcare use, it's essential to evaluate the cloud storage solution it uses. Ensure that it meets HIPAA standards and that a BAA is in place. Without these, the app cannot be considered compliant, regardless of its other features.

Understanding the Implications of Non-Compliance

Using non-compliant tools in healthcare can have serious consequences. HIPAA violations can result in hefty fines, not to mention the potential damage to a provider's reputation. It's crucial to take compliance seriously and use only tools that meet the necessary standards.

Non-compliance can stem from several factors:

  • Lack of a BAA: Without a BAA, there's no legal assurance that the app provider is safeguarding PHI.
  • Inadequate Security Measures: Apps lacking robust security measures can expose data to breaches.
  • Misuse of Tools: Even compliant tools can lead to violations if used incorrectly.

By understanding these implications, healthcare professionals can make informed decisions about the tools they use.

How to Choose the Right Digital Tools for Healthcare

Choosing the right digital tools involves careful evaluation. Here are some steps to guide healthcare professionals in selecting compliant note-taking apps:

  1. Research: Investigate potential apps and their compliance status. Look for reviews and user experiences.
  2. Request a BAA: Before using any tool, ensure a BAA is available and review its terms.
  3. Evaluate Security Features: Assess whether the app offers encryption, access controls, and other security measures.
  4. Consider Usability: The tool should be user-friendly and integrate well with existing systems.
  5. Test: Before full implementation, conduct a trial to ensure the app meets your needs and compliance standards.

By following these steps, healthcare professionals can confidently choose tools that support their work while maintaining compliance.

Final Thoughts

While GoodNotes is a fantastic tool for personal note-taking, it's not suitable for handling PHI in compliance with HIPAA. Healthcare professionals must carefully choose tools that offer BAAs and robust security measures. Speaking of compliant tools, Feather offers a HIPAA-compliant AI assistant that can help with documentation, coding, and more, reducing the administrative burden so you can focus on patient care. Feather makes it easy to handle sensitive data securely and efficiently, offering peace of mind alongside productivity.

Feather is a team of healthcare professionals, engineers, and AI researchers with over a decade of experience building secure, privacy-first products. With deep knowledge of HIPAA, data compliance, and clinical workflows, the team is focused on helping healthcare providers use AI safely and effectively to reduce admin burden and improve patient outcomes.

