For healthcare practitioners, using a note-taking app helps record important information about a patient or treatment plan, especially in a fast-paced environment like a hospital or private clinic. But as with all healthcare communication methods, security and HIPAA compliance are paramount.
What steps should a healthcare provider take to ensure they utilize a HIPAA compliant note-taking app?
HIPAA and note taking
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Title II is the part most associated with the act; it establishes privacy and security standards for PHI and ePHI (electronic PHI). The Privacy Rule sets the guidelines for using and disclosing patients' data, and the Security Rule sets the administrative, technical, and physical safeguards required to protect PHI/ePHI.
The idea is to restrict access to PHI and monitor how it is communicated. Covered entities and their business associates must be HIPAA compliant to protect patients' rights and privacy. Doctors' notes contain sensitive patient information, so it's vital to protect their confidentiality by protecting the notes themselves.
While plenty of note-taking apps are available on the market, not all meet HIPAA requirements, such as encryption, offline backup, and access controls.
Compliance also requires assurance that the information is protected, in the form of a signed business associate agreement (BAA).
Which note-taking apps will sign a BAA?
A business associate is a person or entity that performs certain functions or activities that involve PHI. A note-taking app would fall into this category, so the vendor must sign a BAA.
Here are three note-taking apps we've looked at in the past that do not appear to offer a BAA and, therefore, may not be HIPAA compliant:
- Simplenote: a free note-taking app that uses markdown language for text formatting
- Evernote: an app designed for note taking, organizing, creating task lists, and archiving; Evernote states that it is not HIPAA compliant
- Notion: note-taking and project management software for personal and/or collaborative work
And here are three note-taking apps that will sign a BAA:
- Mentalyc: An AI scribe and note-taking software for psychotherapists that converts audio recordings into notes
- OneNote: Note-taking software designed for free-form information and multi-user collaboration; as a Microsoft Office 365 product, OneNote (and OneDrive, for storage) is covered by Microsoft's BAA
- Google Keep: A note-taking service, part of the Google Docs Editors suite, offered by Google across multiple devices; Google Drive is covered by Google's BAA
The HIPAA compliant note-taking app checklist
Maintaining patient privacy and complying with HIPAA regulations are critical aspects of note management. By following these steps, you can ensure your notes remain secure.
- Get a signed BAA with the company of the note-taking app you plan to employ.
- Ensure you and the business associate utilize several cybersecurity tools. Employ both defensive (i.e., perimeter) and offensive security strategies to block breaches.
- Limit access to authorized staff only. And for staff with access, ensure they understand the responsibilities, regulations, policies, and procedures.
- When it is necessary to communicate notes, ensure that the transmission methods (e.g., HIPAA compliant email) are secure.
- Obtain written consent from patients for the methods of use and disclosure you employ.
- Train staff in compliance and security so they can properly utilize note-taking apps.
- Develop a breach notification plan for possible inadvertent or deliberate breaches while note-taking.
And as always, stay on top of changes to HIPAA and other state/federal regulations.
Technology use that is smart, safe, and HIPAA compliant
Nowadays, healthcare providers embrace new technologies that leverage data and digital tools to deliver better health outcomes. Note-taking apps are just one example.
One thing that cannot be forgotten as healthcare's use of digital technologies grows is HIPAA. Penalties for breaches can be significant, ranging from $100 to $50,000 per violation. For example, the 2015 Anthem, Inc. breach cost $16 million in HIPAA violations and $115 million from a class-action lawsuit.
But the costs don't stop there. A deliberate or accidental breach could lead to ransom payments, downtime, and angry patients, especially if any confidential notes are discovered.
Avoiding a breach means avoiding such costs and remaining able to properly treat patients. Patient trust is vital to patient care, so it is important to always safeguard their identities. This includes all notes, whether in electronic or physical form.