Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: No. There are preferable alternatives in terms of both risk management and feature/functionality needs. Given the availability of these preferable alternatives, we do not believe that the limitations in functionality and the burden of the policies and procedures needed to manage usage appropriately from a risk management perspective are warranted.

Relevant Product Characteristics

  • This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.

What Is This Product?

The Rocketbook System is the combination of a notebook and a free mobile app. It allows you to write notes in your notebook with a pen and then, using image capture technology, the Rocketbook app captures and sends your notes to pre-configured cloud services. Currently the cloud services Rocketbook supports are Box, Dropbox, Google Drive, Evernote, iCloud, OneNote, Slack, and email.

One of the most intriguing features of the Rocketbook System is the ability to convert handwritten notes into text, and to render your handwritten notes searchable. Of course this is appealing functionality for healthcare providers who want to, for example, write notes by hand during a session and then have them easily converted to text to be transferred into an electronic record/practice management system. Unfortunately, this functionality relies on Rocketbook’s Handwriting Recognition OCR (Optical Character Recognition), which in turn relies on Rocketbook’s servers. That makes Rocketbook a third party handling information on the user’s behalf. If any of the information handled by Rocketbook is PHI, it creates a Business Associate Relationship with Rocketbook and necessitates that a Business Associate Agreement (BAA) be in place. Rocketbook will not execute a BAA, and it is thus necessary to not use the Rocketbook System with the OCR setting enabled, which significantly diminishes the utility of the product.

The good news is that the Rocketbook System can be used to capture basic handwritten notes — including those containing PHI — and transfer them as a PDF or JPEG to a cloud service system (such as GSuite with a BAA in place) and meet your HIPAA compliance needs, provided the OCR setting is not enabled. As always, the main question is: “where is my information?” If the OCR setting is disabled, then all of the information is contained locally on your device(s) — meaning it does not go to Rocketbook’s servers — and you determine the cloud service you send the information to. Provided you only connect it to cloud services with which you have a BAA in place and you employ physical and technical device security measures, you can use the Rocketbook System in a manner that meets your HIPAA compliance process needs. While this can be managed, it does not provide any meaningfully different functionality beyond just photographing handwritten notes and then sending or saving them to an appropriate location, and it requires the same sort of device security measures (technical, physical, behavioral) to be in place. A better alternative in terms of functionality is to employ a scanning app, such as Scanner Pro, that includes the OCR feature and performs those OCR functions locally without utilizing cloud services, meaning there is not a Business Associate Relationship in place.


Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.



Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.


