Goodnotes is one of the most popular digital note-taking apps for iPad and macOS users. Its intuitive handwriting tools, PDF annotation features, and iCloud synchronization make it a favorite among students, educators, and professionals. However, when it comes to healthcare documentation or storing protected health information (PHI), many users wonder: Is Goodnotes HIPAA compliant? This article examines Goodnotes’ security posture, its limitations under the Health Insurance Portability and Accountability Act (HIPAA), and the potential risks of using it for patient data.
1. Goodnotes Does Not Provide a Business Associate Agreement (BAA)
Under HIPAA, any cloud or software service that stores, transmits, or processes PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). This legal contract ensures that the vendor adheres to HIPAA’s Privacy and Security Rules.
As of 2025, Goodnotes does not sign BAAs and does not advertise HIPAA compliance on its website or privacy policy (Goodnotes Privacy Policy). This means that healthcare professionals and therapists using Goodnotes to store or share patient data would not meet HIPAA’s legal requirements. Without a BAA, any PHI entered into the app could lead to a compliance violation.
2. Cloud Synchronization Poses Compliance Risks
Goodnotes syncs notes across devices using iCloud or third-party cloud services. While Apple’s infrastructure provides strong encryption and security, HIPAA compliance requires more than technical safeguards. Cloud synchronization also widens the exposure: a synced note is only as protected as every device and account it is replicated to, so unauthorized account access, a lost or stolen device, or an accidental share on any one of them can expose the data.
Even if Goodnotes encrypts your notes in transit and at rest, HIPAA demands documented administrative and contractual safeguards — including BAAs and breach-notification processes — which Goodnotes does not currently offer. Therefore, any PHI synced through iCloud or shared via Goodnotes remains non-compliant.
3. Lack of Administrative and Audit Controls
HIPAA requires covered entities to maintain detailed audit logs showing who accessed, modified, or deleted PHI. Goodnotes is designed as a personal note-taking tool and does not provide user audit trails, access monitoring, or version history tracking suitable for compliance audits.
Without these controls, there is no way to detect unauthorized access or to document data handling in case of an investigation. In regulated environments, this absence alone makes Goodnotes unsuitable for storing PHI.
4. Device-Level Vulnerabilities
Because Goodnotes data is stored locally on user devices, the security of PHI depends heavily on each user’s device settings. Lost or stolen iPads, weak passcodes, or unencrypted backups could all expose sensitive health data.
While Apple provides full-disk encryption and biometric security, HIPAA compliance requires documented security policies, user training, and risk assessments. Unless your organization enforces strict device-level encryption and access controls, storing PHI in Goodnotes violates HIPAA’s technical safeguard requirements.
5. Sharing and Exporting Files Increases Exposure
Goodnotes allows users to export notes as PDFs or images and share them via email, AirDrop, or third-party cloud drives. If these exports include patient identifiers or clinical notes, they may unintentionally transmit PHI outside a secure environment.
HIPAA mandates that PHI transmissions occur only through secure, encrypted channels with proper authorization. Sending patient notes from Goodnotes through personal email or cloud storage (such as Dropbox or Google Drive without BAAs) could constitute a reportable breach.
6. No Centralized User Management for Teams
Goodnotes lacks enterprise-grade controls for multi-user environments. HIPAA requires administrators to manage access rights, enforce password policies, and terminate access promptly when users leave an organization. Goodnotes was not designed for healthcare team compliance workflows and therefore cannot enforce role-based access control (RBAC) or centralized audit policies.
7. Legal and Financial Risks of Using Non-Compliant Tools
Using Goodnotes for PHI storage or clinical documentation without a BAA exposes healthcare providers to significant penalties. HIPAA violations can lead to fines ranging from $100 to $50,000 per incident, depending on the level of negligence, with maximum annual penalties exceeding $1.5 million.
Even if no breach occurs, simply storing PHI in a non-compliant system can be deemed a violation. Regulators may require proof of compliance documentation — including vendor BAAs, access logs, and encryption policies — none of which Goodnotes provides.
8. HIPAA-Compliant Alternatives to Goodnotes
If your practice requires digital note-taking or document annotation, consider these HIPAA-compliant alternatives that sign BAAs and offer proper administrative controls:
- Microsoft OneNote (Enterprise) — Available through Microsoft 365 Enterprise plans with a signed BAA.
- Google Workspace (Enterprise) — HIPAA compliant with full audit logs and access management.
- Box for Healthcare — Designed specifically for PHI file management and secure document sharing.
- TheraNest or SimplePractice — Clinical documentation platforms built for behavioral health compliance.
- VaultBook — A fully offline, encrypted knowledge management system for professionals who prefer zero cloud risk.
9. Best Practices if You Still Use Goodnotes
If you choose to use Goodnotes for non-PHI data (such as lecture notes or workflow templates), follow these safety practices:
- Avoid recording any client names, diagnoses, or identifiable information.
- Disable iCloud synchronization for sensitive notebooks.
- Use a strong device passcode and enable full-disk encryption.
- Regularly back up data to secure, encrypted storage under your control.
- Never email or upload Goodnotes files containing PHI to non-compliant services.
Conclusion
Goodnotes excels as a handwriting and productivity tool — but it is not HIPAA compliant and should never be used to store, transmit, or manage PHI. The absence of a Business Associate Agreement, lack of audit trails, and dependence on consumer cloud storage make it unsuitable for healthcare use.
Healthcare professionals must prioritize tools that meet HIPAA’s administrative, technical, and contractual safeguards. Using Goodnotes for PHI, even inadvertently, can lead to severe regulatory and legal consequences.
For clinicians and researchers seeking a secure, local, and privacy-first alternative, consider VaultBook — an encrypted, offline knowledge management system designed to protect sensitive data without relying on third-party servers.
