Why Your Note-Taking App Probably Isn't HIPAA Compliant

You see a client. You open Apple Notes on your MacBook. You type quick observations from the session — mood, scores you discussed, what you plan to address next week. You'll write the formal note later.

That shortcut just put PHI in a system without a Business Associate Agreement, without guaranteed encryption at rest, and without audit logging. If that device is lost, stolen, or hacked, you have a potential HIPAA breach.

This isn't hypothetical. It's one of the most common compliance gaps in solo and small therapy practices.

Why consumer apps aren't HIPAA compliant

HIPAA requires that any vendor handling your clients' protected health information sign a Business Associate Agreement (BAA). The BAA legally obligates them to protect PHI according to HIPAA standards and to notify you in case of a breach.

Here's the problem: most consumer note-taking and productivity apps don't offer BAAs.

Apple Notes. Apple does not sign BAAs for iCloud services. Apple Notes synced to iCloud means your client's PHI is stored on Apple's servers without a HIPAA-compliant agreement in place. Even if the data is encrypted in transit and at rest (which it is for iCloud), the lack of a BAA means the legal compliance framework isn't there.

Google Docs / Google Keep (personal). Google offers BAAs for Google Workspace (the paid business product), but not for free personal Google accounts. If you're using a @gmail.com account to store notes containing PHI, there's no BAA in place.

Notion. Notion introduced HIPAA compliance and BAAs in their Enterprise plan, but only for Enterprise customers. The free, Plus, and Business plans do not include HIPAA compliance or BAAs. If you're using a personal or standard Notion account, it's not HIPAA compliant for PHI.

Evernote. Evernote does not sign BAAs and explicitly states in their terms that their service is not HIPAA compliant. Full stop.

Microsoft OneNote (personal). Like Google, Microsoft offers BAAs for Microsoft 365 business accounts, not for personal accounts. OneNote through a personal Outlook.com account is not HIPAA compliant.

"But it's encrypted..."

Encryption is necessary but not sufficient for HIPAA compliance. A service can encrypt your data and still not be HIPAA compliant because:

No BAA means no legal obligation to protect PHI according to HIPAA standards. No audit logging means no record of who accessed what and when. No breach notification obligation means they don't have to tell you if your data is compromised. No administrative safeguards means no documented security practices aligned with HIPAA requirements.

Encryption is one piece of the Security Rule. Compliance requires the whole framework.

"But it's on my device..."

Even if you're using a note app that only stores data locally on your device (no cloud sync), HIPAA still requires technical safeguards for ePHI stored on that device: encryption at rest, access controls, and a plan for device loss or theft.

If your laptop is stolen and the notes app containing PHI isn't behind a separate password and encryption layer, that's a breach. If you haven't documented that you use the app for PHI and assessed the risks, your risk assessment is incomplete.

Local-only storage reduces some risks but doesn't eliminate the compliance requirements.

What to use instead

Your EHR's note system. SimplePractice, TherapyNotes, and most EHRs have built-in note functionality with BAAs in place. If you're already paying for an EHR, use its note system for all clinical documentation.

Google Workspace with a BAA. If you need a general-purpose document system, Google Workspace (business plan) with a signed BAA covers Google Docs, Drive, and Gmail. Use it with a dedicated business account, not your personal Gmail.

Microsoft 365 with a BAA. Same principle — the business version of Microsoft 365 with a signed BAA covers Word, OneDrive, Outlook, and Teams.

A dedicated clinical tool. For assessments, outcome tracking, and structured clinical notes, purpose-built tools handle compliance natively. Theracharts, for example, includes AES-256-GCM encryption at rest, mandatory 2FA, full audit logging, and BAAs with all infrastructure providers. When you write a session note in Theracharts, the compliance framework is already in place.

The "quick notes" problem

The most common scenario isn't a therapist deliberately storing their entire chart in Apple Notes. It's the quick jot: a brief observation between sessions, a reminder about something to follow up on, a score to look up later.

These quick notes are still PHI if they contain any information that could identify a client combined with health information. "John — PHQ-9 jumped to 18, discuss medication" is PHI. It contains a name, a clinical score, and a health-related note.

The fix: use your EHR or clinical platform for all clinical notes, even quick ones. If you need a scratch pad, use one that doesn't contain identifying information. "Client 7 — check score trend" is meaningfully less risky than using names, scores, or clinical details.
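A scratch-pad check of the rule above, added here as an example that is not from the post or from Theracharts: it flags a note as PHI only when a name-like identifier and a clinical marker appear together, and treats "Client 7" style references as non-identifying. The name heuristic, the marker word lists and the sample notes are constructed assumptions, so extend the lists for your own shorthand.

```python
import re

# Constructed sample scratch notes modelled on the post's examples (no real client data).
SAMPLE_NOTES = [
    "John - PHQ-9 jumped to 18, discuss medication",
    "Client 7 - check score trend",
    "Reminder: order more intake forms",
    "Maria Lopez: GAD-7 12, started sertraline",
    "Call Dana back about scheduling",
]

# Pseudonymous references such as "Client 7" do not identify anyone by themselves, and
# capitalised sentence-initial words are not names; both are stripped before the name
# heuristic runs. The word list is an assumption; extend it for your own notes.
NOT_NAME_RE = re.compile(
    r"\b(?:Client(?:\s+\d+)?|Reminder|Discuss|Check|Order|Session|Note|Call)\b")
# Name heuristic: one or two capitalised words in a row.
NAME_RE = re.compile(r"\b[A-Z][a-z]+(?:\s[A-Z][a-z]+)?\b")
# Health markers the post calls out: assessment names, scores, medication talk.
ASSESSMENT_RE = re.compile(r"\b(?:PHQ-9|GAD-7|PCL-5|BDI-II)\b", re.I)
HEALTH_WORD_RE = re.compile(
    r"\b(?:score\w*|medication\w*|meds?|diagnos\w*|symptom\w*|sertraline)\b", re.I)


def identifiers(note: str) -> list[str]:
    """Return name-like tokens, ignoring pseudonymous client numbers and filler words."""
    scrubbed = NOT_NAME_RE.sub("", note)
    return [m.group(0) for m in NAME_RE.finditer(scrubbed)]


def health_markers(note: str) -> list[str]:
    """Return assessment names and clinical words found in the note."""
    return ASSESSMENT_RE.findall(note) + HEALTH_WORD_RE.findall(note)


def classify(note: str) -> str:
    """The post's rule: PHI is an identifier combined with health information."""
    ids, markers = identifiers(note), health_markers(note)
    if ids and markers:
        return "PHI"
    if markers:
        return "health-only"      # de-identified clinical detail: lower risk
    if ids:
        return "identifier-only"  # no clinical content, but still a client name
    return "clean"


def scan(notes: list[str]) -> dict[str, str]:
    """Classify every note so a scratch pad can be reviewed before it is kept."""
    return {note: classify(note) for note in notes}


if __name__ == "__main__":
    for note, verdict in scan(SAMPLE_NOTES).items():
        print(f"{verdict:16} {note}")
```

Run it over an exported scratch pad before deciding what to migrate into the EHR; anything marked PHI belongs there, not in the notes app.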

The bottom line

The apps you use every day for personal productivity — Notes, Notion, Evernote, personal Google Docs — are excellent tools. They just weren't built for healthcare. Using them for therapy documentation creates a compliance gap that's easy to avoid by keeping all clinical content in systems with BAAs.

Your EHR handles most of this. For clinical outcome tracking, assessment administration, and AI-assisted session notes, a dedicated clinical intelligence tool like Theracharts adds the layer that EHRs typically lack — with HIPAA compliance built in from the foundation.