by Kapua Iao
Article filed in

Is Simplenote HIPAA compliant?

by Kapua Iao

Simplenote logo

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to correctly create notations for proper patient care while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.

Today, we will determine if Simplenote is HIPAA compliant or not.

About Simplenote

Simplenote is a free note-taking app that uses markdown language for text formatting. Developed in 2008 by Simperium, Automattic acquired Simplenote in 2013. Automattic is most known for its contributions to WordPress.

Simplenote sers can easily share, post, store, and search to-do lists, instructions, and notes in a collaborative environment or online. Tags further ensure quick and simple searching.

Simplenote is available for iOS, Android, Mac, Windows, Linux, and from a browser. Notes automatically sync on all devices.

While Simplenote is free, a premium subscription includes automatic backup and notes merging as well as the removal of ads.

Simplenote and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.

In this instance, Simplenote is a business associate of a healthcare organization if a note includes any electronic PHI (ePHI), like a name or an email address.

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

There is no mention of HIPAA or a BAA on the Simplenote website.

Simplenote and cybersecurity

Simplenote’s website does not include much information and is as streamlined as the product.

A Privacy Policy update stresses that Simplenote is covered by Automattic. Unfortunately, Automattic’s Privacy Policy states that the company collects data and may share information with other companies including

  • Subsidiaries and independent contractors
  • Third-party vendors
  • Legal and regulatory requirements

Moreover, the Simplenote developers caution users not to store sensitive information because its storage is not encrypted.

RELATED: Encryption at rest: what you need to know

At the same time, they also note that the product uses encryption for data in transit.

Is Simplenote HIPAA compliant?

The BAA is a key component of HIPAA compliance and Simplenote does not appear to have a BAA. Moreover, cybersecurity is lacking and Simplenote states that users should not store sensitive information.

If a breach or HIPAA violation occurs and any PHI is visible, the covered entity is liable.

RELATED: Your cybersecurity strategy is probably lacking


Simplenote is not HIPAA compliant.

Try Paubox Email Suite for FREE today.