HIPAA Compliance & Security:
How Notehouse Safeguards Your Data with Industry Leading Protection


Founded by a seasoned public interest lawyer with over 15 years of experience advocating for marginalized communities, Notehouse is a HIPAA-compliant case management platform where privacy and security are our top priorities. As of September 3rd, 2024, Notehouse proudly meets all HIPAA compliance standards, ensuring your data is protected with the highest level of security, giving you peace of mind.



The Benefits of Choosing Notehouse for Secure Case Management

Notehouse isn't just compliant—it's designed to be the most user-friendly HIPAA-compliant case management and CRM platform available today. Our commitment to security doesn't come at the cost of usability. Instead, we combine top-tier data protection with an intuitive interface, making it easy for you to manage cases while keeping sensitive information safe.

Learn more about HIPAA and its application to Notehouse’s case management features below and discover why Notehouse is the leading choice for organizations that prioritize both security and ease of use.

Ready to secure your data with a HIPAA-compliant solution? Get started with Notehouse today and experience the difference in data protection.



HIPAA, the Health Insurance Portability and Accountability Act, is a federal law signed by President Clinton in 1996. Contrary to common belief, the "P" in HIPAA stands for "Portability" rather than "Privacy." This legislation was designed to protect and manage health insurance coverage for individuals and to promote data privacy and security.

Upon signing HIPAA, Clinton stated, “With this bill, we take a long step toward the kind of health care reform our nation needs. It seals the cracks that swallow as many as 25 million Americans who can’t get insurance or fear they’ll lose it.” The initial five main goals of HIPAA, as highlighted in Clinton’s remarks, include:

  1. Making it easier for the self-employed to purchase insurance,
  2. Preventing fraud and abuse by healthcare providers,
  3. Simplifying administrative burdens within the healthcare system,
  4. Allowing for new medical savings, and
  5. Improving access to long-term care.

Interestingly, privacy was initially only a secondary consideration under HIPAA, with a focus on administrative simplification. It wasn’t until three years later that the U.S. Department of Health and Human Services proposed the HIPAA Privacy Rule to establish national standards for protecting health information.

You can access the full text of HIPAA, including the added Privacy Rule, via the Department of Health and Human Services.


Finalized in 2000, the HIPAA Privacy Rule “establishes national standards to protect individuals' medical records and other individually identifiable health information.” The Rule mandates that anything considered "Protected Health Information" (PHI) has specific safeguards to ensure its protection.

Section 160.103 of the act defines PHI as any information related to:

  1. An individual’s past, present, or future physical or mental health condition
  2. The past, present, or future health care provided to an individual
  3. The past, present, or future payment for the provision of health care to an individual

Additionally, Section 164.514(b)(2) outlines 18 identifiers that must be removed to de-identify information, ensuring it is not considered PHI under HIPAA. These identifiers include, but are not limited to, the individual's location, date, account number, and contact information.

For a more accessible version of the rule, without legal jargon, refer to the Department of Health and Human Services' resources.


HIPAA primarily applies to "covered entities," defined in Section 160.102 as health plans, health care clearinghouses, or "a health care provider who transmits any health information in electronic form in connection with a transaction covered by this section of HIPAA."

HIPAA also applies to "business associates," as defined in Section 160.103. Business associates are individuals or companies that perform services or functions on behalf of covered entities involving PHI access. This includes consultants, accountants, billing companies, and software services like Notehouse.

At Notehouse, we cannot determine if your entity handles PHI or is subject to HIPAA regulations. However, we recognize that covered entities may wish to use Notehouse with PHI. Since security has always been our top priority, we achieved HIPAA compliance in 2024—and we are incredibly proud of this accomplishment!

Please note that while Notehouse can be used in a HIPAA-compliant manner, it is your organization’s responsibility to implement HIPAA standards when using Notehouse.


Under Section 164.306(a), covered entities and business associates must do the following to ensure HIPAA compliance:

  • "Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits."

  • "Protect against any reasonably anticipated threats or hazards to the security or integrity of such information."

  • "Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the law."


    But what do these provisions mean? And how can someone "prove" HIPAA compliance?

    Contrary to popular belief, HIPAA is not a one-size-fits-all approach; instead, it allows for flexibility in achieving compliance based on an entity's size, capabilities, and the nature of its operations.

    Section 164.306(b) of HIPAA specifically codifies a "flexibility of approach," allowing covered entities and business associates to choose the security measures, often referred to as safeguards, that reasonably and appropriately implement the specified standards. Factors such as the entity's size, complexity, technical infrastructure, and the cost of security measures play a critical role in determining which exact safeguards are necessary for compliance (45 CFR § 164.306(b)(2)).

    Additionally, covered entities and business associates often establish Business Associate Agreements (BAAs) to define their roles in ensuring HIPAA compliance and outline each party’s responsibilities for protecting PHI.


    Wait, does that mean I need a BAA in place?

    Yes and no. HIPAA allows for a “flexibility of approach,” so let’s break down what that actually means.

    Section 164.502(e)(1) states that a covered entity may disclose PHI to a business associate or allow the business associate to handle PHI on its behalf if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. (Emphasis added.)

    In plain language, this means that if a covered entity involves a business associate in handling PHI, then the covered entity must obtain “satisfactory assurances” of PHI protection.


    So what does 'satisfactory assurances' mean?

    Here’s where BAAs come in. Section 164.502(e)(2) clarifies that these “satisfactory assurances” must be documented “through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).”

    This requirement has led to the formal concept of a Business Associate Agreement. However, the law technically allows for a written contract, another written agreement, or any “arrangement…that meets the applicable requirements” as outlined.


    What Safeguards Does Notehouse Employ to Ensure Your HIPAA Compliance?

    We’re glad you asked! Below, you’ll find the HIPAA safeguards currently utilized by Notehouse. If you have questions about any of these measures, need a Business Associate Agreement (BAA) signed, or have other HIPAA-related inquiries, please reach out to us at HIPAA@getnotehouse.com.



    • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data. [45 CFR 164.310(d)(2)(iii)]

    • Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). [45 CFR 164.312(a)(2)(iv), 45 CFR 164.312(e)(1), 45 CFR 164.312(e)(2)(i), 45 CFR 164.312(e)(2)(ii)]

    • Establish and maintain a data management process. In the process, address data sensitivity, data ownership, and data handling. [45 CFR 164.310(d)(2)(ii), 45 CFR 164.316(b)(2)(i)]

    • Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption also qualifies. [45 CFR 164.312(a)(2)(iv), 45 CFR 164.312(e)(2)(i)]

    • Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool, to identify all sensitive data stored, processed, etc. [45 CFR 164.312(e)(2)(i), 45 CFR 164.312(b)(2)(i)]

    • Log sensitive data access, including modification and disposal. [45 CFR 164.312(b)]

    • Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. [45 CFR 164.308(a)(7)(ii)(E), 45 CFR 164.310(d)(2)(iii)]

    • Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to ensure proper data access. [45 CFR 164.308(a)(3)(ii)(A), 45 CFR 164.312(a)(1)]

    • Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are in line with best practices. [45 CFR 164.310(d)(2)(iv), 45 CFR 164.310(d)(2)(i)]

    • Encrypt data on removable media. [45 CFR 164.310(d)(1)]

    • Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices. [45 CFR 164.310(d)(2)(iii)]

    • Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when necessary. [45 CFR 164.308(a)(1)(ii)(B), 45 CFR 164.306(a)(1), 45 CFR 164.308(a)(5)(ii)(A)]

    • Configure automatic session locking on enterprise assets after a defined period of inactivity. [45 CFR 164.312(a)(2)(iii)]

    • Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and non-user accounts. [45 CFR 164.312(a)(2)(i)]

    • Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change. [45 CFR 164.308(a)(4)(ii)(B), 45 CFR 164.312(a)(2)(i)]

    • Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination or role change. [45 CFR 164.308(a)(3)(ii)(C)]

    • Require MFA for remote network access. [45 CFR 164.310(d)(2)(iii)]

    • Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third party. [45 CFR 164.308(a)(3)(ii)(A), 45 CFR 164.310(a)(1)]

    • Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. [45 CFR 164.310(d)(2)(i)]

    • Define and maintain role-based access control, through determining and documenting the access rights necessary for each role. [45 CFR 164.308(a)(3)(ii)(B), 45 CFR 164.308(a)(4)(ii)(B), 45 CFR 164.308(a)(4)(ii)(C)]

    • Establish and maintain a documented vulnerability management process for enterprise assets. Review and update. [45 CFR 164.308(a)(1)(ii)(A), 45 CFR 164.308(a)(1)(ii)(B)]

    • Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, updates. [45 CFR 164.308(a)(1)(ii)(A), 45 CFR 164.308(a)(1)(ii)(B)]

    • Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. [45 CFR 164.310(d)(1)]

    • Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. [45 CFR 164.312(a)(2)(iv), 45 CFR 164.312(e)(1), 45 CFR 164.312(e)(2)(i), 45 CFR 164.312(e)(2)(ii)]

    • Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both external and internal scans where appropriate. [45 CFR 164.312(a)(2)(iv), 45 CFR 164.312(e)(2)(i), 45 CFR 164.312(e)(2)(ii)]

    • Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the enterprise's risk management framework. [45 CFR 164.312(a)(2)(i), 45 CFR 164.312(e)(2)(i), 45 CFR 164.312(e)(2)(ii)]

    • Establish and maintain an audit log management process that defines the enterprise’s logging requirements. [45 CFR 164.312(b), 45 CFR 164.312(c)(1), 45 CFR 164.312(c)(2)]

    • Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews of both internal and external logs. [45 CFR 164.308(a)(1)(ii)(D), 45 CFR 164.312(b)]

    • Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. [45 CFR 164.312(b)]

    • Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. [45 CFR 164.312(b)]

    • Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of approved software. [45 CFR 164.312(a)(2)(i)]

    • Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce about security threats, policies, and procedures. [45 CFR 164.308(a)(7)(i)(A), 45 CFR 164.308(a)(5)(ii)(A)]

    • Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. [45 CFR 164.308(a)(5)(ii)(C), 45 CFR 164.308(a)(5)(ii)(D)]

    • Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes best practices for maintaining the confidentiality, integrity, and availability of sensitive information. [45 CFR 164.306(a)(4), 45 CFR 164.310(d)(2)(i)]

    • Train workforce members to be able to recognize a potential incident and be able to report such an incident. [45 CFR 164.308(a)(6)(ii)]

    • Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses. [45 CFR 164.306(a)(4)]

    • Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, and other relevant aspects. [45 CFR 164.312(b)]

    • Ensure service provider contracts include security requirements. Example requirements may include minimum security program standards. [45 CFR 164.308(a)(4)(ii)(A), 45 CFR 164.308(b)(1), 45 CFR 164.308(b)(2), 45 CFR 164.308(b)(3), 45 CFR 164.314(a)(2)]

    • Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on risk. [45 CFR 164.308(b)(8)]

    • Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business-critical vulnerabilities. [45 CFR 164.308(a)(4)(ii)(A), 45 CFR 164.308(b)(1), 45 CFR 164.308(b)(2), 45 CFR 164.308(b)(3)]

    • Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a structured framework. [45 CFR 164.308(a)(8)]

    • Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries. [45 CFR 164.308(a)(5)(i), 45 CFR 164.308(a)(5)(ii)(A)]

    • Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the remediation efforts. [45 CFR 164.308(a)(1)(ii)(B), 45 CFR 164.308(a)(5)]

    Please be aware that while Notehouse is capable of operating in a HIPAA-compliant manner, it is your organization’s responsibility to implement HIPAA standards in your use of the platform. For instance, if your organization is a covered entity (as opposed to a business associate like Notehouse), you may be required to activate Notehouse’s Multi-Factor Authentication (MFA) process to meet the necessary compliance standards.

    Disclaimer: The information provided here is not intended as legal advice. We strongly recommend consulting with a legal professional to ensure compliance with HIPAA requirements.

    Still have questions? Contact Glorp@getnotehouse.com and a human member of our team will get back to you right away!