by Kapua Iao
Article filed in

Is Ulysses HIPAA compliant?

by Kapua Iao

Ulysses logo

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to correctly create notations for proper patient care while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.

Today, we will determine if Ulysses is HIPAA compliant or not.

About Ulysses

Ulysses is a writing app for Apple products (Mac, iPad, iPhone) with a distraction-free interface, several viewing modes, and numerous features. However, it does not support collaboration.

It utilizes markdown language for text formatting and includes a built-in proofreader and editing assistant. Export options include DOCX, HTML, PDF, EPUB, and plain text file types; notes can also publish directly to WordPress or Medium.

Files save in an easily accessible and editable library. Moreover, filters (i.e., tags) streamline simple searches between different notes within the app.

Ulysses is subscription-based with plan payments offered per month, six months, or year. A subscription lets users use and sync both the desktop and mobile versions as well as sync to iCloud.

Ulysses and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.

In this instance, Ulysses is a business associate of a healthcare organization if a note includes any electronic PHI (ePHI), like a name or an email address.

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

There is no mention of HIPAA or a BAA on the Ulysses website.

Ulysses and cybersecurity

The Ulysses website does not include much information about cybersecurity. Its Privacy Policy does state Ulysses collects information solely to improve services. Such information includes:

  • Basic subscriber data
  • Purchase statistics
  • Usage data (optional)
  • Diagnostic data (optional)
  • Email newsletter subscription (optional)

Users store personal content (including any notes) directly on their personal devices or the iCloud if enabled.

It is also possible for a user to store content on a personal Dropbox, or integrate with their WordPress or Medium accounts. Ulysses does not have access to these separate accounts and would not be responsible if a problem develops.

Is Ulysses HIPAA compliant?

The BAA is a key component of HIPAA compliance and Ulysses does not appear to sign a BAA. And while Ulysses is not an official Apple product, we would also like to note that Apple will also not sign a BAA with healthcare organizations.

If a breach or HIPAA violation occurs and any PHI is breached, the covered entity is liable.

Conclusion

Ulysses is not HIPAA compliant.

Try Paubox Email Suite for FREE today.