Evernote is not HIPAA compliant (towards the bottom of the FAQ).

You might find this site helpful, as they do a basic screening of multiple cloud providers to see if they can be HIPAA compliant. It may be worth considering doing a consultation with a company that specializes in setting up health care providers with compliant cloud services, both in terms of the contact and best practices in using them. There's a lot of stuff with HIPAA that you can get away with (until you can't).
posted by Candleman at 3:07 AM on August 18, 2018 [3 favorites]

Upon reflection that you may not be in the US, you'll obviously have to make sure your solution is compliant with the applicable laws. It's not going to be a 1:1 mapping, but if something is not HIPAA compliant, it's probably not going to line up with Australian or European privacy laws either.
posted by Candleman at 3:35 AM on August 18, 2018

This is really more of a political issue than a technological one. From a technological perspective, I would be extremely confident that nobody but me would be able to access stuff I've stored as attachments or notes inside a KeePass database, for example, even if copies of that database were made available to crackers with NSA-level skills and published on the Web and linked from Twitter. But I wouldn't dream of actually doing that with live patient data for a health care business unless somebody with deep experience in dealing with all the applicable regulations had advised me that it was legally safe to do so.

The law is usually an ass when it comes to dealing with IT security, and it would not surprise me in the least to learn that I could be heavily fined for choosing an unapproved solution that I know perfectly well is more secure against technical attacks than any of the approved ones.

Your best path forward here, it seems to me, is to have documentation that you could produce in court if the worst comes to the worst, showing that you have obtained your advice about regulation-compliant options from an appropriately certified professional, not from random pseudonymous Internet forum users.
posted by flabdablet at 4:07 AM on August 18, 2018 [1 favorite]

I can't speak to the legalities, so maybe this answer isn't relevant, but what I'd do from a technical perspective is just make plain flat text files and store them in an encrypted folder (Windows 10 Pro can do this natively but I don't like it because the password is just your user account password and there's no way to set a dedicated one) and then store it on whatever cloud hosting service you like. As long as you pick a decent encryption program and a strong, unique password, your files should be as resistant to attack as anything can be.

What I do in practice is literally what flabdablet describes above—I use the notes field in my Keepass password archive to store bits of sensitive information that aren't exactly passwords but which I don't want just floating around loose. Then I store my password archive on Dropbox. Keepass is open source, uses industry-standard encryption practices, is regularly updated, and I've yet to hear of any Keepass-specific vulnerabilities. I trust them as much as I trust anyone. I don't trust Dropbox at all but I do trust that my password archive will withstand attack from anything less than a state-level actor.

But to be honest, in your case I'd be looking for a solution that specifically bills itself as HIPAA compliant (or whatever your local equivalent is).
posted by Anticipation Of A New Lover's Arrival, The at 4:23 AM on August 18, 2018

I can't speak to the legalities...store it on whatever cloud hosting service you like.

Well, none of us can (speak to the legalities) because OP doesn’t provide a jurisdiction. This plan would be in breach of the Privacy Act (AIUI) where I am.
posted by pompomtom at 5:15 AM on August 18, 2018 [1 favorite]

If you're talking about any sort of cloud storage, you'll likely need a BAA with the provider- there was a question about this a week ago.
posted by noloveforned at 5:19 AM on August 18, 2018 [1 favorite]

You really shouldn't be doing this even on paper without getting legal or compliance advice. People so far have been talking about the IT security aspects and the possibility of a breach, which would indeed be a major issue, but there's another possible area of serious regulatory exposure here, which is that, if the documentation you're maintaining meets the definition of a medical record, you could also be violating release of information requirements.

In many jurisdictions, patients have a legal right to have their own records released to them on request (in the US, this is also codified by HIPAA). Hospitals and other provider organizations generally have a big infrastructure devoted to complying with these requests. Every time a patient requests the medical records from your organization associated with an encounter, if this documentation you're maintaining meets the legal definition of a medical record, you could be violating their rights, because they requested all of their records, but the records you were keeping were illegally withheld from them.

This actually has the most potential to cause you problems in a "potential incident", because that's one of the times a patient is most likely to request their records (e.g., as evidence for a malpractice suit).
posted by strangely stunted trees at 6:12 AM on August 18, 2018 [10 favorites]

MD here. I hve not yet found a good way to do this digitally, and I agree with others that HIPAA may not be your sole concern.

I am largely paperless as well, but for this particular issue, I keep a small notebook with patient identifiers and tasks to follow up on. I have been doing this since I was a med student, and it is the only solution I feel comfortable with, even though the rest of my life has been pretty paperless since college. The notebook is either on my person or in a locked room/cabinet at all times, in compliance with my institution's requirements as well as HIPAA. When tasks are completed, the info is crossed out.

Best of luck. I'll be looking into the suggestions here with interest.
posted by aquamvidam at 7:54 AM on August 19, 2018

This thread is closed to new comments.